2 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
17 <!-- $Id: Bv9ARM.ch06.html,v 1.5 2015/09/03 07:33:34 christos Exp $ -->
20 <meta http-equiv=
"Content-Type" content=
"text/html; charset=ISO-8859-1">
21 <title>Chapter
6. BIND
9 Configuration Reference
</title>
22 <meta name=
"generator" content=
"DocBook XSL Stylesheets V1.71.1">
23 <link rel=
"start" href=
"Bv9ARM.html" title=
"BIND 9 Administrator Reference Manual">
24 <link rel=
"up" href=
"Bv9ARM.html" title=
"BIND 9 Administrator Reference Manual">
25 <link rel=
"prev" href=
"Bv9ARM.ch05.html" title=
"Chapter 5. The BIND 9 Lightweight Resolver">
26 <link rel=
"next" href=
"Bv9ARM.ch07.html" title=
"Chapter 7. BIND 9 Security Considerations">
28 <body bgcolor=
"white" text=
"black" link=
"#0000FF" vlink=
"#840084" alink=
"#0000FF">
29 <div class=
"navheader">
30 <table width=
"100%" summary=
"Navigation header">
31 <tr><th colspan=
"3" align=
"center">Chapter
6.
<acronym class=
"acronym">BIND
</acronym> 9 Configuration Reference
</th></tr>
33 <td width=
"20%" align=
"left">
34 <a accesskey=
"p" href=
"Bv9ARM.ch05.html">Prev
</a> </td>
35 <th width=
"60%" align=
"center"> </th>
36 <td width=
"20%" align=
"right"> <a accesskey=
"n" href=
"Bv9ARM.ch07.html">Next
</a>
42 <div class=
"chapter" lang=
"en">
43 <div class=
"titlepage"><div><div><h2 class=
"title">
44 <a name=
"Bv9ARM.ch06"></a>Chapter
6.
<acronym class=
"acronym">BIND
</acronym> 9 Configuration Reference
</h2></div></div></div>
46 <p><b>Table of Contents
</b></p>
48 <dt><span class=
"sect1"><a href=
"Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements
</a></span></dt>
50 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#address_match_lists">Address Match Lists
</a></span></dt>
51 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2573281">Comment Syntax
</a></span></dt>
53 <dt><span class=
"sect1"><a href=
"Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar
</a></span></dt>
55 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2574009"><span><strong class=
"command">acl
</strong></span> Statement Grammar
</a></span></dt>
56 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#acl"><span><strong class=
"command">acl
</strong></span> Statement Definition and
58 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2574321"><span><strong class=
"command">controls
</strong></span> Statement Grammar
</a></span></dt>
59 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class=
"command">controls
</strong></span> Statement Definition and
61 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2574748"><span><strong class=
"command">include
</strong></span> Statement Grammar
</a></span></dt>
62 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2574765"><span><strong class=
"command">include
</strong></span> Statement Definition and
64 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2574789"><span><strong class=
"command">key
</strong></span> Statement Grammar
</a></span></dt>
65 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2574812"><span><strong class=
"command">key
</strong></span> Statement Definition and Usage
</a></span></dt>
66 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2574903"><span><strong class=
"command">logging
</strong></span> Statement Grammar
</a></span></dt>
67 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2575029"><span><strong class=
"command">logging
</strong></span> Statement Definition and
69 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2577252"><span><strong class=
"command">lwres
</strong></span> Statement Grammar
</a></span></dt>
70 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2577336"><span><strong class=
"command">lwres
</strong></span> Statement Definition and Usage
</a></span></dt>
71 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2577400"><span><strong class=
"command">masters
</strong></span> Statement Grammar
</a></span></dt>
72 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2577517"><span><strong class=
"command">masters
</strong></span> Statement Definition and
74 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2577539"><span><strong class=
"command">options
</strong></span> Statement Grammar
</a></span></dt>
75 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#options"><span><strong class=
"command">options
</strong></span> Statement Definition and
77 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#server_statement_grammar"><span><strong class=
"command">server
</strong></span> Statement Grammar
</a></span></dt>
78 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class=
"command">server
</strong></span> Statement Definition and
80 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#statschannels"><span><strong class=
"command">statistics-channels
</strong></span> Statement Grammar
</a></span></dt>
81 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2591758"><span><strong class=
"command">statistics-channels
</strong></span> Statement Definition and
83 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#trusted-keys"><span><strong class=
"command">trusted-keys
</strong></span> Statement Grammar
</a></span></dt>
84 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2592176"><span><strong class=
"command">trusted-keys
</strong></span> Statement Definition
85 and Usage
</a></span></dt>
86 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2592222"><span><strong class=
"command">managed-keys
</strong></span> Statement Grammar
</a></span></dt>
87 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#managed-keys"><span><strong class=
"command">managed-keys
</strong></span> Statement Definition
88 and Usage
</a></span></dt>
89 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#view_statement_grammar"><span><strong class=
"command">view
</strong></span> Statement Grammar
</a></span></dt>
90 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2592589"><span><strong class=
"command">view
</strong></span> Statement Definition and Usage
</a></span></dt>
91 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class=
"command">zone
</strong></span>
92 Statement Grammar
</a></span></dt>
93 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2594602"><span><strong class=
"command">zone
</strong></span> Statement Definition and Usage
</a></span></dt>
95 <dt><span class=
"sect1"><a href=
"Bv9ARM.ch06.html#id2598289">Zone File
</a></span></dt>
97 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them
</a></span></dt>
98 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2600587">Discussion of MX Records
</a></span></dt>
99 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs
</a></span></dt>
100 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2601134">Inverse Mapping in IPv4
</a></span></dt>
101 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2601261">Other Zone File Directives
</a></span></dt>
102 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#id2601534"><acronym class=
"acronym">BIND
</acronym> Master File Extension: the
<span><strong class=
"command">$GENERATE
</strong></span> Directive
</a></span></dt>
103 <dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#zonefile_format">Additional File Formats
</a></span></dt>
105 <dt><span class=
"sect1"><a href=
"Bv9ARM.ch06.html#statistics">BIND9 Statistics
</a></span></dt>
106 <dd><dl><dt><span class=
"sect2"><a href=
"Bv9ARM.ch06.html#statistics_counters">Statistics Counters
</a></span></dt></dl></dd>
110 <acronym class=
"acronym">BIND
</acronym> 9 configuration is broadly similar
111 to
<acronym class=
"acronym">BIND
</acronym> 8; however, there are a few new
113 of configuration, such as views.
<acronym class=
"acronym">BIND
</acronym>
114 8 configuration files should work with few alterations in
<acronym class=
"acronym">BIND
</acronym>
115 9, although more complex configurations should be reviewed to check
116 if they can be more efficiently implemented using the new features
117 found in
<acronym class=
"acronym">BIND
</acronym> 9.
120 <acronym class=
"acronym">BIND
</acronym> 4 configuration files can be
121 converted to the new format
122 using the shell script
123 <code class=
"filename">contrib/named-bootconf/named-bootconf.sh
</code>.
125 <div class=
"sect1" lang=
"en">
126 <div class=
"titlepage"><div><div><h2 class=
"title" style=
"clear: both">
127 <a name=
"configuration_file_elements"></a>Configuration File Elements
</h2></div></div></div>
129 Following is a list of elements used throughout the
<acronym class=
"acronym">BIND
</acronym> configuration
132 <div class=
"informaltable"><table border=
"1">
141 <code class=
"varname">acl_name
</code>
146 The name of an
<code class=
"varname">address_match_list
</code> as
147 defined by the
<span><strong class=
"command">acl
</strong></span> statement.
154 <code class=
"varname">address_match_list
</code>
159 A list of one or more
160 <code class=
"varname">ip_addr
</code>,
161 <code class=
"varname">ip_prefix
</code>,
<code class=
"varname">key_id
</code>,
162 or
<code class=
"varname">acl_name
</code> elements, see
163 <a href=
"Bv9ARM.ch06.html#address_match_lists" title=
"Address Match Lists">the section called
“Address Match Lists
”</a>.
170 <code class=
"varname">masters_list
</code>
175 A named list of one or more
<code class=
"varname">ip_addr
</code>
176 with optional
<code class=
"varname">key_id
</code> and/or
177 <code class=
"varname">ip_port
</code>.
178 A
<code class=
"varname">masters_list
</code> may include other
179 <code class=
"varname">masters_lists
</code>.
186 <code class=
"varname">domain_name
</code>
191 A quoted string which will be used as
192 a DNS name, for example
"<code class="literal
">my.test.domain</code>".
199 <code class=
"varname">namelist
</code>
204 A list of one or more
<code class=
"varname">domain_name
</code>
212 <code class=
"varname">dotted_decimal
</code>
217 One to four integers valued
0 through
218 255 separated by dots (`.'), such as
<span><strong class=
"command">123</strong></span>,
219 <span><strong class=
"command">45.67</strong></span> or
<span><strong class=
"command">89.123.45.67</strong></span>.
226 <code class=
"varname">ip4_addr
</code>
231 An IPv4 address with exactly four elements
232 in
<code class=
"varname">dotted_decimal
</code> notation.
239 <code class=
"varname">ip6_addr
</code>
244 An IPv6 address, such as
<span><strong class=
"command">2001:db8::
1234</strong></span>.
245 IPv6 scoped addresses that have ambiguity on their
246 scope zones must be disambiguated by an appropriate
247 zone ID with the percent character (`%') as
248 delimiter. It is strongly recommended to use
249 string zone names rather than numeric identifiers,
250 in order to be robust against system configuration
251 changes. However, since there is no standard
252 mapping for such names and identifier values,
253 currently only interface names as link identifiers
254 are supported, assuming one-to-one mapping between
255 interfaces and links. For example, a link-local
256 address
<span><strong class=
"command">fe80::
1</strong></span> on the link
257 attached to the interface
<span><strong class=
"command">ne0
</strong></span>
258 can be specified as
<span><strong class=
"command">fe80::
1%ne0
</strong></span>.
259 Note that on most systems link-local addresses
260 always have the ambiguity, and need to be
268 <code class=
"varname">ip_addr
</code>
273 An
<code class=
"varname">ip4_addr
</code> or
<code class=
"varname">ip6_addr
</code>.
280 <code class=
"varname">ip_dscp
</code>
285 A
<code class=
"varname">number
</code> between
0 and
63, used
286 to select a differentiated services code point (DSCP)
287 value for use with outgoing traffic on operating systems
295 <code class=
"varname">ip_port
</code>
300 An IP port
<code class=
"varname">number
</code>.
301 The
<code class=
"varname">number
</code> is limited to
0
302 through
65535, with values
303 below
1024 typically restricted to use by processes running
305 In some cases, an asterisk (`*') character can be used as a
307 select a random high-numbered port.
314 <code class=
"varname">ip_prefix
</code>
319 An IP network specified as an
<code class=
"varname">ip_addr
</code>,
320 followed by a slash (`/') and then the number of bits in the
322 Trailing zeros in a
<code class=
"varname">ip_addr
</code>
324 For example,
<span><strong class=
"command">127/
8</strong></span> is the
325 network
<span><strong class=
"command">127.0.0.0</strong></span> with
326 netmask
<span><strong class=
"command">255.0.0.0</strong></span> and
<span><strong class=
"command">1.2.3.0/
28</strong></span> is
327 network
<span><strong class=
"command">1.2.3.0</strong></span> with netmask
<span><strong class=
"command">255.255.255.240</strong></span>.
330 When specifying a prefix involving a IPv6 scoped address
331 the scope may be omitted. In that case the prefix will
332 match packets from any scope.
339 <code class=
"varname">key_id
</code>
344 A
<code class=
"varname">domain_name
</code> representing
345 the name of a shared key, to be used for transaction
353 <code class=
"varname">key_list
</code>
358 A list of one or more
359 <code class=
"varname">key_id
</code>s,
360 separated by semicolons and ending with a semicolon.
367 <code class=
"varname">number
</code>
372 A non-negative
32-bit integer
373 (i.e., a number between
0 and
4294967295, inclusive).
374 Its acceptable value might further
375 be limited by the context in which it is used.
382 <code class=
"varname">path_name
</code>
387 A quoted string which will be used as
388 a pathname, such as
<code class=
"filename">zones/master/my.test.domain
</code>.
395 <code class=
"varname">port_list
</code>
400 A list of an
<code class=
"varname">ip_port
</code> or a port
402 A port range is specified in the form of
403 <strong class=
"userinput"><code>range
</code></strong> followed by
404 two
<code class=
"varname">ip_port
</code>s,
405 <code class=
"varname">port_low
</code> and
406 <code class=
"varname">port_high
</code>, which represents
407 port numbers from
<code class=
"varname">port_low
</code> through
408 <code class=
"varname">port_high
</code>, inclusive.
409 <code class=
"varname">port_low
</code> must not be larger than
410 <code class=
"varname">port_high
</code>.
412 <strong class=
"userinput"><code>range
1024 65535</code></strong> represents
413 ports from
1024 through
65535.
414 In either case an asterisk (`*') character is not
415 allowed as a valid
<code class=
"varname">ip_port
</code>.
422 <code class=
"varname">size_spec
</code>
427 A
64-bit unsigned integer, or the keywords
428 <strong class=
"userinput"><code>unlimited
</code></strong> or
429 <strong class=
"userinput"><code>default
</code></strong>.
432 Integers may take values
433 0 <= value
<=
18446744073709551615, though
435 (such as
<span><strong class=
"command">max-journal-size
</strong></span>) may
436 use a more limited range within these extremes.
437 In most cases, setting a value to
0 does not
438 literally mean zero; it means
"undefined" or
439 "as big as possible", depending on the context.
440 See the explanations of particular parameters
441 that use
<code class=
"varname">size_spec
</code>
442 for details on how they interpret its use.
445 Numeric values can optionally be followed by a
447 <strong class=
"userinput"><code>K
</code></strong> or
<strong class=
"userinput"><code>k
</code></strong>
449 <strong class=
"userinput"><code>M
</code></strong> or
<strong class=
"userinput"><code>m
</code></strong>
451 <strong class=
"userinput"><code>G
</code></strong> or
<strong class=
"userinput"><code>g
</code></strong>
452 for gigabytes, which scale by
1024,
1024*
1024, and
453 1024*
1024*
1024 respectively.
456 <code class=
"varname">unlimited
</code> generally means
457 "as big as possible", and is usually the best
458 way to safely set a very large number.
461 <code class=
"varname">default
</code>
462 uses the limit that was in force when the server was started.
469 <code class=
"varname">yes_or_no
</code>
474 Either
<strong class=
"userinput"><code>yes
</code></strong> or
<strong class=
"userinput"><code>no
</code></strong>.
475 The words
<strong class=
"userinput"><code>true
</code></strong> and
<strong class=
"userinput"><code>false
</code></strong> are
476 also accepted, as are the numbers
<strong class=
"userinput"><code>1</code></strong>
477 and
<strong class=
"userinput"><code>0</code></strong>.
484 <code class=
"varname">dialup_option
</code>
489 One of
<strong class=
"userinput"><code>yes
</code></strong>,
490 <strong class=
"userinput"><code>no
</code></strong>,
<strong class=
"userinput"><code>notify
</code></strong>,
491 <strong class=
"userinput"><code>notify-passive
</code></strong>,
<strong class=
"userinput"><code>refresh
</code></strong> or
492 <strong class=
"userinput"><code>passive
</code></strong>.
493 When used in a zone,
<strong class=
"userinput"><code>notify-passive
</code></strong>,
494 <strong class=
"userinput"><code>refresh
</code></strong>, and
<strong class=
"userinput"><code>passive
</code></strong>
495 are restricted to slave and stub zones.
501 <div class=
"sect2" lang=
"en">
502 <div class=
"titlepage"><div><div><h3 class=
"title">
503 <a name=
"address_match_lists"></a>Address Match Lists
</h3></div></div></div>
504 <div class=
"sect3" lang=
"en">
505 <div class=
"titlepage"><div><div><h4 class=
"title">
506 <a name=
"id2573115"></a>Syntax
</h4></div></div></div>
507 <pre class=
"programlisting"><code class=
"varname">address_match_list
</code> = address_match_list_element ;
508 [
<span class=
"optional"> address_match_list_element; ...
</span>]
509 <code class=
"varname">address_match_list_element
</code> = [
<span class=
"optional"> !
</span>] (ip_address [
<span class=
"optional">/length
</span>] |
510 key key_id | acl_name | { address_match_list } )
513 <div class=
"sect3" lang=
"en">
514 <div class=
"titlepage"><div><div><h4 class=
"title">
515 <a name=
"id2573143"></a>Definition and Usage
</h4></div></div></div>
517 Address match lists are primarily used to determine access
518 control for various server operations. They are also used in
519 the
<span><strong class=
"command">listen-on
</strong></span> and
<span><strong class=
"command">sortlist
</strong></span>
520 statements. The elements which constitute an address match
521 list can be any of the following:
523 <div class=
"itemizedlist"><ul type=
"disc">
524 <li>an IP address (IPv4 or IPv6)
</li>
525 <li>an IP prefix (in `/' notation)
</li>
527 a key ID, as defined by the
<span><strong class=
"command">key
</strong></span>
530 <li>the name of an address match list defined with
531 the
<span><strong class=
"command">acl
</strong></span> statement
533 <li>a nested address match list enclosed in braces
</li>
536 Elements can be negated with a leading exclamation mark (`!'),
537 and the match list names
"any",
"none",
"localhost", and
538 "localnets" are predefined. More information on those names
539 can be found in the description of the acl statement.
542 The addition of the key clause made the name of this syntactic
543 element something of a misnomer, since security keys can be used
544 to validate access without regard to a host or network address.
545 Nonetheless, the term
"address match list" is still used
546 throughout the documentation.
549 When a given IP address or prefix is compared to an address
550 match list, the comparison takes place in approximately O(
1)
551 time. However, key comparisons require that the list of keys
552 be traversed until a matching key is found, and therefore may
556 The interpretation of a match depends on whether the list is being
557 used for access control, defining
<span><strong class=
"command">listen-on
</strong></span> ports, or in a
558 <span><strong class=
"command">sortlist
</strong></span>, and whether the element was negated.
561 When used as an access control list, a non-negated match
562 allows access and a negated match denies access. If
563 there is no match, access is denied. The clauses
564 <span><strong class=
"command">allow-notify
</strong></span>,
565 <span><strong class=
"command">allow-recursion
</strong></span>,
566 <span><strong class=
"command">allow-recursion-on
</strong></span>,
567 <span><strong class=
"command">allow-query
</strong></span>,
568 <span><strong class=
"command">allow-query-on
</strong></span>,
569 <span><strong class=
"command">allow-query-cache
</strong></span>,
570 <span><strong class=
"command">allow-query-cache-on
</strong></span>,
571 <span><strong class=
"command">allow-transfer
</strong></span>,
572 <span><strong class=
"command">allow-update
</strong></span>,
573 <span><strong class=
"command">allow-update-forwarding
</strong></span>, and
574 <span><strong class=
"command">blackhole
</strong></span> all use address match
575 lists. Similarly, the
<span><strong class=
"command">listen-on
</strong></span> option will cause the
576 server to refuse queries on any of the machine's
577 addresses which do not match the list.
580 Order of insertion is significant. If more than one element
581 in an ACL is found to match a given IP address or prefix,
582 preference will be given to the one that came
583 <span class=
"emphasis"><em>first
</em></span> in the ACL definition.
584 Because of this first-match behavior, an element that
585 defines a subset of another element in the list should
586 come before the broader element, regardless of whether
587 either is negated. For example, in
588 <span><strong class=
"command">1.2.3/
24; !
1.2.3.13;
</strong></span>
589 the
1.2.3.13 element is completely useless because the
590 algorithm will match any lookup for
1.2.3.13 to the
1.2.3/
24
591 element. Using
<span><strong class=
"command">!
1.2.3.13;
1.2.3/
24</strong></span> fixes
592 that problem by having
1.2.3.13 blocked by the negation, but
593 all other
1.2.3.* hosts fall through.
597 <div class=
"sect2" lang=
"en">
598 <div class=
"titlepage"><div><div><h3 class=
"title">
599 <a name=
"id2573281"></a>Comment Syntax
</h3></div></div></div>
601 The
<acronym class=
"acronym">BIND
</acronym> 9 comment syntax allows for
603 anywhere that whitespace may appear in a
<acronym class=
"acronym">BIND
</acronym> configuration
604 file. To appeal to programmers of all kinds, they can be written
605 in the C, C++, or shell/perl style.
607 <div class=
"sect3" lang=
"en">
608 <div class=
"titlepage"><div><div><h4 class=
"title">
609 <a name=
"id2573296"></a>Syntax
</h4></div></div></div>
612 <pre class=
"programlisting">/* This is a
<acronym class=
"acronym">BIND
</acronym> comment as in C */
</pre>
615 <pre class=
"programlisting">// This is a
<acronym class=
"acronym">BIND
</acronym> comment as in C++
</pre>
618 <pre class=
"programlisting"># This is a
<acronym class=
"acronym">BIND
</acronym> comment as in common UNIX shells
623 <div class=
"sect3" lang=
"en">
624 <div class=
"titlepage"><div><div><h4 class=
"title">
625 <a name=
"id2573394"></a>Definition and Usage
</h4></div></div></div>
627 Comments may appear anywhere that whitespace may appear in
628 a
<acronym class=
"acronym">BIND
</acronym> configuration file.
631 C-style comments start with the two characters /* (slash,
632 star) and end with */ (star, slash). Because they are completely
633 delimited with these characters, they can be used to comment only
634 a portion of a line or to span multiple lines.
637 C-style comments cannot be nested. For example, the following
638 is not valid because the entire comment ends with the first */:
643 <pre class=
"programlisting">/* This is the start of a comment.
644 This is still part of the comment.
645 /* This is an incorrect attempt at nesting a comment. */
646 This is no longer in any comment. */
652 C++-style comments start with the two characters // (slash,
653 slash) and continue to the end of the physical line. They cannot
654 be continued across multiple physical lines; to have one logical
655 comment span multiple lines, each line must use the // pair.
661 <pre class=
"programlisting">// This is the start of a comment. The next line
662 // is a new comment, even though it is logically
663 // part of the previous comment.
669 Shell-style (or perl-style, if you prefer) comments start
670 with the character
<code class=
"literal">#
</code> (number sign)
671 and continue to the end of the
672 physical line, as in C++ comments.
678 <pre class=
"programlisting"># This is the start of a comment. The next line
679 # is a new comment, even though it is logically
680 # part of the previous comment.
685 <div class=
"warning" style=
"margin-left: 0.5in; margin-right: 0.5in;">
686 <h3 class=
"title">Warning
</h3>
688 You cannot use the semicolon (`;') character
689 to start a comment such as you would in a zone file. The
690 semicolon indicates the end of a configuration
697 <div class=
"sect1" lang=
"en">
698 <div class=
"titlepage"><div><div><h2 class=
"title" style=
"clear: both">
699 <a name=
"Configuration_File_Grammar"></a>Configuration File Grammar
</h2></div></div></div>
701 A
<acronym class=
"acronym">BIND
</acronym> 9 configuration consists of
702 statements and comments.
703 Statements end with a semicolon. Statements and comments are the
704 only elements that can appear without enclosing braces. Many
705 statements contain a block of sub-statements, which are also
706 terminated with a semicolon.
709 The following statements are supported:
711 <div class=
"informaltable"><table border=
"1">
719 <p><span><strong class=
"command">acl
</strong></span></p>
723 defines a named IP address
724 matching list, for access control and other uses.
730 <p><span><strong class=
"command">controls
</strong></span></p>
734 declares control channels to be used
735 by the
<span><strong class=
"command">rndc
</strong></span> utility.
741 <p><span><strong class=
"command">include
</strong></span></p>
751 <p><span><strong class=
"command">key
</strong></span></p>
755 specifies key information for use in
756 authentication and authorization using TSIG.
762 <p><span><strong class=
"command">logging
</strong></span></p>
766 specifies what the server logs, and where
767 the log messages are sent.
773 <p><span><strong class=
"command">lwres
</strong></span></p>
777 configures
<span><strong class=
"command">named
</strong></span> to
778 also act as a light-weight resolver daemon (
<span><strong class=
"command">lwresd
</strong></span>).
784 <p><span><strong class=
"command">masters
</strong></span></p>
788 defines a named masters list for
789 inclusion in stub and slave zones'
790 <span><strong class=
"command">masters
</strong></span> or
791 <span><strong class=
"command">also-notify
</strong></span> lists.
797 <p><span><strong class=
"command">options
</strong></span></p>
801 controls global server configuration
802 options and sets defaults for other statements.
808 <p><span><strong class=
"command">server
</strong></span></p>
812 sets certain configuration options on
819 <p><span><strong class=
"command">statistics-channels
</strong></span></p>
823 declares communication channels to get access to
824 <span><strong class=
"command">named
</strong></span> statistics.
830 <p><span><strong class=
"command">trusted-keys
</strong></span></p>
834 defines trusted DNSSEC keys.
840 <p><span><strong class=
"command">managed-keys
</strong></span></p>
844 lists DNSSEC keys to be kept up to date
845 using RFC
5011 trust anchor maintenance.
851 <p><span><strong class=
"command">view
</strong></span></p>
861 <p><span><strong class=
"command">zone
</strong></span></p>
872 The
<span><strong class=
"command">logging
</strong></span> and
873 <span><strong class=
"command">options
</strong></span> statements may only occur once
877 <div class=
"sect2" lang=
"en">
878 <div class=
"titlepage"><div><div><h3 class=
"title">
879 <a name=
"id2574009"></a><span><strong class=
"command">acl
</strong></span> Statement Grammar
</h3></div></div></div>
880 <pre class=
"programlisting"><span><strong class=
"command">acl
</strong></span> acl-name {
885 <div class=
"sect2" lang=
"en">
886 <div class=
"titlepage"><div><div><h3 class=
"title">
887 <a name=
"acl"></a><span><strong class=
"command">acl
</strong></span> Statement Definition and
888 Usage
</h3></div></div></div>
890 The
<span><strong class=
"command">acl
</strong></span> statement assigns a symbolic
891 name to an address match list. It gets its name from a primary
892 use of address match lists: Access Control Lists (ACLs).
895 The following ACLs are built-in:
897 <div class=
"informaltable"><table border=
"1">
905 <p><span><strong class=
"command">any
</strong></span></p>
915 <p><span><strong class=
"command">none
</strong></span></p>
925 <p><span><strong class=
"command">localhost
</strong></span></p>
929 Matches the IPv4 and IPv6 addresses of all network
930 interfaces on the system. When addresses are
931 added or removed, the
<span><strong class=
"command">localhost
</strong></span>
932 ACL element is updated to reflect the changes.
938 <p><span><strong class=
"command">localnets
</strong></span></p>
942 Matches any host on an IPv4 or IPv6 network
943 for which the system has an interface.
944 When addresses are added or removed,
945 the
<span><strong class=
"command">localnets
</strong></span>
946 ACL element is updated to reflect the changes.
947 Some systems do not provide a way to determine the prefix
949 local IPv6 addresses.
950 In such a case,
<span><strong class=
"command">localnets
</strong></span>
951 only matches the local
952 IPv6 addresses, just like
<span><strong class=
"command">localhost
</strong></span>.
959 When
<acronym class=
"acronym">BIND
</acronym> 9 is built with GeoIP support,
960 ACLs can also be used for geographic access restrictions.
961 This is done by specifying an ACL element of the form:
962 <span><strong class=
"command">geoip [
<span class=
"optional">db
<em class=
"replaceable"><code>database
</code></em></span>]
<em class=
"replaceable"><code>field
</code></em> <em class=
"replaceable"><code>value
</code></em></strong></span>
965 The
<em class=
"replaceable"><code>field
</code></em> indicates which field
966 to search for a match. Available fields are
"country",
967 "region",
"city",
"continent",
"postal" (postal code),
968 "metro" (metro code),
"area" (area code),
"tz" (timezone),
969 "isp",
"org",
"asnum",
"domain" and
"netspeed".
972 <em class=
"replaceable"><code>value
</code></em> is the value to search
973 for within the database. A string may be quoted if it
974 contains spaces or other special characters. If this is
975 an
"asnum" search, then the leading
"ASNNNN" string can be
976 used, otherwise the full description must be used (e.g.
977 "ASNNNN Example Company Name"). If this is a
"country"
978 search and the string is two characters long, then it must
979 be a standard ISO-
3166-
1 two-letter country code, and if it
980 is three characters long then it must be an ISO-
3166-
1
981 three-letter country code; otherwise it is the full name
982 of the country. Similarly, if this is a
"region" search
983 and the string is two characters long, then it must be a
984 standard two-letter state or province abbreviation;
985 otherwise it is the full name of the state or province.
988 The
<em class=
"replaceable"><code>database
</code></em> field indicates which
989 GeoIP database to search for a match. In most cases this is
990 unnecessary, because most search fields can only be found in
991 a single database. However, searches for country can be
992 answered from the
"city",
"region", or
"country" databases,
993 and searches for region (i.e., state or province) can be
994 answered from the
"city" or
"region" databases. For these
995 search types, specifying a
<em class=
"replaceable"><code>database
</code></em>
996 will force the query to be answered from that database and no
997 other. If
<em class=
"replaceable"><code>database
</code></em> is not
998 specified, then these queries will be answered from the
"city",
999 database if it is installed, or the
"region" database if it is
1000 installed, or the
"country" database, in that order.
1003 Some example GeoIP ACLs:
1005 <pre class=
"programlisting">geoip country US;
1007 geoip db country country Canada;
1008 geoip db region region WA;
1009 geoip city
"San Francisco";
1010 geoip region Oklahoma;
1012 geoip tz
"America/Los_Angeles";
1013 geoip org
"Internet Systems Consortium";
1016 <div class=
"sect2" lang=
"en">
1017 <div class=
"titlepage"><div><div><h3 class=
"title">
1018 <a name=
"id2574321"></a><span><strong class=
"command">controls
</strong></span> Statement Grammar
</h3></div></div></div>
1019 <pre class=
"programlisting"><span><strong class=
"command">controls
</strong></span> {
1020 [ inet ( ip_addr | * ) [ port ip_port ]
1021 allow {
<em class=
"replaceable"><code> address_match_list
</code></em> }
1022 keys {
<em class=
"replaceable"><code>key_list
</code></em> }; ]
1024 [ unix
<em class=
"replaceable"><code>path
</code></em> perm
<em class=
"replaceable"><code>number
</code></em> owner
<em class=
"replaceable"><code>number
</code></em> group
<em class=
"replaceable"><code>number
</code></em>
1025 keys {
<em class=
"replaceable"><code>key_list
</code></em> }; ]
1030 <div class=
"sect2" lang=
"en">
1031 <div class=
"titlepage"><div><div><h3 class=
"title">
1032 <a name=
"controls_statement_definition_and_usage"></a><span><strong class=
"command">controls
</strong></span> Statement Definition and
1033 Usage
</h3></div></div></div>
1035 The
<span><strong class=
"command">controls
</strong></span> statement declares control
1036 channels to be used by system administrators to control the
1037 operation of the name server. These control channels are
1038 used by the
<span><strong class=
"command">rndc
</strong></span> utility to send
1039 commands to and retrieve non-DNS results from a name server.
1042 An
<span><strong class=
"command">inet
</strong></span> control channel is a TCP socket
1043 listening at the specified
<span><strong class=
"command">ip_port
</strong></span> on the
1044 specified
<span><strong class=
"command">ip_addr
</strong></span>, which can be an IPv4 or IPv6
1045 address. An
<span><strong class=
"command">ip_addr
</strong></span> of
<code class=
"literal">*
</code> (asterisk) is
1046 interpreted as the IPv4 wildcard address; connections will be
1047 accepted on any of the system's IPv4 addresses.
1048 To listen on the IPv6 wildcard address,
1049 use an
<span><strong class=
"command">ip_addr
</strong></span> of
<code class=
"literal">::
</code>.
1050 If you will only use
<span><strong class=
"command">rndc
</strong></span> on the local host,
1051 using the loopback address (
<code class=
"literal">127.0.0.1</code>
1052 or
<code class=
"literal">::
1</code>) is recommended for maximum security.
1055 If no port is specified, port
953 is used. The asterisk
1056 "<code class="literal
">*</code>" cannot be used for
<span><strong class=
"command">ip_port
</strong></span>.
1059 The ability to issue commands over the control channel is
1060 restricted by the
<span><strong class=
"command">allow
</strong></span> and
1061 <span><strong class=
"command">keys
</strong></span> clauses.
1062 Connections to the control channel are permitted based on the
1063 <span><strong class=
"command">address_match_list
</strong></span>. This is for simple
1064 IP address based filtering only; any
<span><strong class=
"command">key_id
</strong></span>
1065 elements of the
<span><strong class=
"command">address_match_list
</strong></span>
1069 A
<span><strong class=
"command">unix
</strong></span> control channel is a UNIX domain
1070 socket listening at the specified path in the file system.
1071 Access to the socket is specified by the
<span><strong class=
"command">perm
</strong></span>,
1072 <span><strong class=
"command">owner
</strong></span> and
<span><strong class=
"command">group
</strong></span> clauses.
1073 Note on some platforms (SunOS and Solaris) the permissions
1074 (
<span><strong class=
"command">perm
</strong></span>) are applied to the parent directory
1075 as the permissions on the socket itself are ignored.
1078 The primary authorization mechanism of the command
1079 channel is the
<span><strong class=
"command">key_list
</strong></span>, which
1080 contains a list of
<span><strong class=
"command">key_id
</strong></span>s.
1081 Each
<span><strong class=
"command">key_id
</strong></span> in the
<span><strong class=
"command">key_list
</strong></span>
1082 is authorized to execute commands over the control channel.
1083 See
<a href=
"Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application
</a> in
<a href=
"Bv9ARM.ch03.html#admin_tools" title=
"Administrative Tools">the section called
“Administrative Tools
”</a>)
1084 for information about configuring keys in
<span><strong class=
"command">rndc
</strong></span>.
1087 If no
<span><strong class=
"command">controls
</strong></span> statement is present,
1088 <span><strong class=
"command">named
</strong></span> will set up a default
1089 control channel listening on the loopback address
127.0.0.1
1090 and its IPv6 counterpart ::
1.
1091 In this case, and also when the
<span><strong class=
"command">controls
</strong></span> statement
1092 is present but does not have a
<span><strong class=
"command">keys
</strong></span> clause,
1093 <span><strong class=
"command">named
</strong></span> will attempt to load the command channel key
1094 from the file
<code class=
"filename">rndc.key
</code> in
1095 <code class=
"filename">/etc
</code> (or whatever
<code class=
"varname">sysconfdir
</code>
1096 was specified as when
<acronym class=
"acronym">BIND
</acronym> was built).
1097 To create a
<code class=
"filename">rndc.key
</code> file, run
1098 <strong class=
"userinput"><code>rndc-confgen -a
</code></strong>.
1101 The
<code class=
"filename">rndc.key
</code> feature was created to
1102 ease the transition of systems from
<acronym class=
"acronym">BIND
</acronym> 8,
1103 which did not have digital signatures on its command channel
1104 messages and thus did not have a
<span><strong class=
"command">keys
</strong></span> clause.
1106 It makes it possible to use an existing
<acronym class=
"acronym">BIND
</acronym> 8
1107 configuration file in
<acronym class=
"acronym">BIND
</acronym> 9 unchanged,
1108 and still have
<span><strong class=
"command">rndc
</strong></span> work the same way
1109 <span><strong class=
"command">ndc
</strong></span> worked in BIND
8, simply by executing the
1110 command
<strong class=
"userinput"><code>rndc-confgen -a
</code></strong> after BIND
9 is
1114 Since the
<code class=
"filename">rndc.key
</code> feature
1115 is only intended to allow the backward-compatible usage of
1116 <acronym class=
"acronym">BIND
</acronym> 8 configuration files, this
1118 have a high degree of configurability. You cannot easily change
1119 the key name or the size of the secret, so you should make a
1120 <code class=
"filename">rndc.conf
</code> with your own key if you
1122 those things. The
<code class=
"filename">rndc.key
</code> file
1124 permissions set such that only the owner of the file (the user that
1125 <span><strong class=
"command">named
</strong></span> is running as) can access it.
1127 desire greater flexibility in allowing other users to access
1128 <span><strong class=
"command">rndc
</strong></span> commands, then you need to create
1130 <code class=
"filename">rndc.conf
</code> file and make it group
1132 that contains the users who should have access.
1135 To disable the command channel, use an empty
1136 <span><strong class=
"command">controls
</strong></span> statement:
1137 <span><strong class=
"command">controls { };
</strong></span>.
1140 <div class=
"sect2" lang=
"en">
1141 <div class=
"titlepage"><div><div><h3 class=
"title">
1142 <a name=
"id2574748"></a><span><strong class=
"command">include
</strong></span> Statement Grammar
</h3></div></div></div>
1143 <pre class=
"programlisting"><span><strong class=
"command">include
</strong></span> <em class=
"replaceable"><code>filename
</code></em>;
</pre>
1145 <div class=
"sect2" lang=
"en">
1146 <div class=
"titlepage"><div><div><h3 class=
"title">
1147 <a name=
"id2574765"></a><span><strong class=
"command">include
</strong></span> Statement Definition and
1148 Usage
</h3></div></div></div>
1150 The
<span><strong class=
"command">include
</strong></span> statement inserts the
1151 specified file at the point where the
<span><strong class=
"command">include
</strong></span>
1152 statement is encountered. The
<span><strong class=
"command">include
</strong></span>
1153 statement facilitates the administration of configuration
1155 by permitting the reading or writing of some things but not
1156 others. For example, the statement could include private keys
1157 that are readable only by the name server.
1160 <div class=
"sect2" lang=
"en">
1161 <div class=
"titlepage"><div><div><h3 class=
"title">
1162 <a name=
"id2574789"></a><span><strong class=
"command">key
</strong></span> Statement Grammar
</h3></div></div></div>
1163 <pre class=
"programlisting"><span><strong class=
"command">key
</strong></span> <em class=
"replaceable"><code>key_id
</code></em> {
1164 algorithm
<em class=
"replaceable"><code>string
</code></em>;
1165 secret
<em class=
"replaceable"><code>string
</code></em>;
1169 <div class=
"sect2" lang=
"en">
1170 <div class=
"titlepage"><div><div><h3 class=
"title">
1171 <a name=
"id2574812"></a><span><strong class=
"command">key
</strong></span> Statement Definition and Usage
</h3></div></div></div>
1173 The
<span><strong class=
"command">key
</strong></span> statement defines a shared
1174 secret key for use with TSIG (see
<a href=
"Bv9ARM.ch04.html#tsig" title=
"TSIG">the section called
“TSIG
”</a>)
1175 or the command channel
1176 (see
<a href=
"Bv9ARM.ch06.html#controls_statement_definition_and_usage" title=
"controls Statement Definition and
1177 Usage">the section called
“<span><strong class=
"command">controls
</strong></span> Statement Definition and
1181 The
<span><strong class=
"command">key
</strong></span> statement can occur at the
1183 of the configuration file or inside a
<span><strong class=
"command">view
</strong></span>
1184 statement. Keys defined in top-level
<span><strong class=
"command">key
</strong></span>
1185 statements can be used in all views. Keys intended for use in
1186 a
<span><strong class=
"command">controls
</strong></span> statement
1187 (see
<a href=
"Bv9ARM.ch06.html#controls_statement_definition_and_usage" title=
"controls Statement Definition and
1188 Usage">the section called
“<span><strong class=
"command">controls
</strong></span> Statement Definition and
1190 must be defined at the top level.
1193 The
<em class=
"replaceable"><code>key_id
</code></em>, also known as the
1194 key name, is a domain name uniquely identifying the key. It can
1195 be used in a
<span><strong class=
"command">server
</strong></span>
1196 statement to cause requests sent to that
1197 server to be signed with this key, or in address match lists to
1198 verify that incoming requests have been signed with a key
1199 matching this name, algorithm, and secret.
1202 The
<em class=
"replaceable"><code>algorithm_id
</code></em> is a string
1203 that specifies a security/authentication algorithm. Named
1204 supports
<code class=
"literal">hmac-md5
</code>,
1205 <code class=
"literal">hmac-sha1
</code>,
<code class=
"literal">hmac-sha224
</code>,
1206 <code class=
"literal">hmac-sha256
</code>,
<code class=
"literal">hmac-sha384
</code>
1207 and
<code class=
"literal">hmac-sha512
</code> TSIG authentication.
1208 Truncated hashes are supported by appending the minimum
1209 number of required bits preceded by a dash, e.g.
1210 <code class=
"literal">hmac-sha1-
80</code>. The
1211 <em class=
"replaceable"><code>secret_string
</code></em> is the secret
1212 to be used by the algorithm, and is treated as a base-
64
1216 <div class=
"sect2" lang=
"en">
1217 <div class=
"titlepage"><div><div><h3 class=
"title">
1218 <a name=
"id2574903"></a><span><strong class=
"command">logging
</strong></span> Statement Grammar
</h3></div></div></div>
1219 <pre class=
"programlisting"><span><strong class=
"command">logging
</strong></span> {
1220 [
<span><strong class=
"command">channel
</strong></span> <em class=
"replaceable"><code>channel_name
</code></em> {
1221 (
<span><strong class=
"command">file
</strong></span> <em class=
"replaceable"><code>path_name
</code></em>
1222 [
<span><strong class=
"command">versions
</strong></span> (
<em class=
"replaceable"><code>number
</code></em> |
<span><strong class=
"command">unlimited
</strong></span> ) ]
1223 [
<span><strong class=
"command">size
</strong></span> <em class=
"replaceable"><code>size_spec
</code></em> ]
1224 |
<span><strong class=
"command">syslog
</strong></span> <em class=
"replaceable"><code>syslog_facility
</code></em>
1225 |
<span><strong class=
"command">stderr
</strong></span>
1226 |
<span><strong class=
"command">null
</strong></span> );
1227 [
<span><strong class=
"command">severity
</strong></span> (
<code class=
"option">critical
</code> |
<code class=
"option">error
</code> |
<code class=
"option">warning
</code> |
<code class=
"option">notice
</code> |
1228 <code class=
"option">info
</code> |
<code class=
"option">debug
</code> [
<em class=
"replaceable"><code>level
</code></em> ] |
<code class=
"option">dynamic
</code> ); ]
1229 [
<span><strong class=
"command">print-category
</strong></span> <code class=
"option">yes
</code> or
<code class=
"option">no
</code>; ]
1230 [
<span><strong class=
"command">print-severity
</strong></span> <code class=
"option">yes
</code> or
<code class=
"option">no
</code>; ]
1231 [
<span><strong class=
"command">print-time
</strong></span> <code class=
"option">yes
</code> or
<code class=
"option">no
</code>; ]
1233 [
<span><strong class=
"command">category
</strong></span> <em class=
"replaceable"><code>category_name
</code></em> {
1234 <em class=
"replaceable"><code>channel_name
</code></em> ; [
<em class=
"replaceable"><code>channel_name
</code></em> ; ... ]
1240 <div class=
"sect2" lang=
"en">
1241 <div class=
"titlepage"><div><div><h3 class=
"title">
1242 <a name=
"id2575029"></a><span><strong class=
"command">logging
</strong></span> Statement Definition and
1243 Usage
</h3></div></div></div>
1245 The
<span><strong class=
"command">logging
</strong></span> statement configures a
1247 variety of logging options for the name server. Its
<span><strong class=
"command">channel
</strong></span> phrase
1248 associates output methods, format options and severity levels with
1249 a name that can then be used with the
<span><strong class=
"command">category
</strong></span> phrase
1250 to select how various classes of messages are logged.
1253 Only one
<span><strong class=
"command">logging
</strong></span> statement is used to
1255 as many channels and categories as are wanted. If there is no
<span><strong class=
"command">logging
</strong></span> statement,
1256 the logging configuration will be:
1258 <pre class=
"programlisting">logging {
1259 category default { default_syslog; default_debug; };
1260 category unmatched { null; };
1264 In
<acronym class=
"acronym">BIND
</acronym> 9, the logging configuration
1265 is only established when
1266 the entire configuration file has been parsed. In
<acronym class=
"acronym">BIND
</acronym> 8, it was
1267 established as soon as the
<span><strong class=
"command">logging
</strong></span>
1269 was parsed. When the server is starting up, all logging messages
1270 regarding syntax errors in the configuration file go to the default
1271 channels, or to standard error if the
"<code class="option
">-g</code>" option
1274 <div class=
"sect3" lang=
"en">
1275 <div class=
"titlepage"><div><div><h4 class=
"title">
1276 <a name=
"id2575081"></a>The
<span><strong class=
"command">channel
</strong></span> Phrase
</h4></div></div></div>
1278 All log output goes to one or more
<span class=
"emphasis"><em>channels
</em></span>;
1279 you can make as many of them as you want.
1282 Every channel definition must include a destination clause that
1283 says whether messages selected for the channel go to a file, to a
1284 particular syslog facility, to the standard error stream, or are
1285 discarded. It can optionally also limit the message severity level
1286 that will be accepted by the channel (the default is
1287 <span><strong class=
"command">info
</strong></span>), and whether to include a
1288 <span><strong class=
"command">named
</strong></span>-generated time stamp, the
1290 and/or severity level (the default is not to include any).
1293 The
<span><strong class=
"command">null
</strong></span> destination clause
1294 causes all messages sent to the channel to be discarded;
1295 in that case, other options for the channel are meaningless.
1298 The
<span><strong class=
"command">file
</strong></span> destination clause directs
1300 to a disk file. It can include limitations
1301 both on how large the file is allowed to become, and how many
1303 of the file will be saved each time the file is opened.
1306 If you use the
<span><strong class=
"command">versions
</strong></span> log file
1308 <span><strong class=
"command">named
</strong></span> will retain that many backup
1309 versions of the file by
1310 renaming them when opening. For example, if you choose to keep
1312 of the file
<code class=
"filename">lamers.log
</code>, then just
1314 <code class=
"filename">lamers.log
.1</code> is renamed to
1315 <code class=
"filename">lamers.log
.2</code>,
<code class=
"filename">lamers.log
.0</code> is renamed
1316 to
<code class=
"filename">lamers.log
.1</code>, and
<code class=
"filename">lamers.log
</code> is
1317 renamed to
<code class=
"filename">lamers.log
.0</code>.
1318 You can say
<span><strong class=
"command">versions unlimited
</strong></span> to
1320 the number of versions.
1321 If a
<span><strong class=
"command">size
</strong></span> option is associated with
1323 then renaming is only done when the file being opened exceeds the
1324 indicated size. No backup versions are kept by default; any
1326 log file is simply appended.
1329 The
<span><strong class=
"command">size
</strong></span> option for files is used
1331 growth. If the file ever exceeds the size, then
<span><strong class=
"command">named
</strong></span> will
1332 stop writing to the file unless it has a
<span><strong class=
"command">versions
</strong></span> option
1333 associated with it. If backup versions are kept, the files are
1335 described above and a new one begun. If there is no
1336 <span><strong class=
"command">versions
</strong></span> option, no more data will
1337 be written to the log
1338 until some out-of-band mechanism removes or truncates the log to
1340 maximum size. The default behavior is not to limit the size of
1345 Example usage of the
<span><strong class=
"command">size
</strong></span> and
1346 <span><strong class=
"command">versions
</strong></span> options:
1348 <pre class=
"programlisting">channel an_example_channel {
1349 file
"example.log" versions
3 size
20m;
1355 The
<span><strong class=
"command">syslog
</strong></span> destination clause
1357 channel to the system log. Its argument is a
1358 syslog facility as described in the
<span><strong class=
"command">syslog
</strong></span> man
1359 page. Known facilities are
<span><strong class=
"command">kern
</strong></span>,
<span><strong class=
"command">user
</strong></span>,
1360 <span><strong class=
"command">mail
</strong></span>,
<span><strong class=
"command">daemon
</strong></span>,
<span><strong class=
"command">auth
</strong></span>,
1361 <span><strong class=
"command">syslog
</strong></span>,
<span><strong class=
"command">lpr
</strong></span>,
<span><strong class=
"command">news
</strong></span>,
1362 <span><strong class=
"command">uucp
</strong></span>,
<span><strong class=
"command">cron
</strong></span>,
<span><strong class=
"command">authpriv
</strong></span>,
1363 <span><strong class=
"command">ftp
</strong></span>,
<span><strong class=
"command">local0
</strong></span>,
<span><strong class=
"command">local1
</strong></span>,
1364 <span><strong class=
"command">local2
</strong></span>,
<span><strong class=
"command">local3
</strong></span>,
<span><strong class=
"command">local4
</strong></span>,
1365 <span><strong class=
"command">local5
</strong></span>,
<span><strong class=
"command">local6
</strong></span> and
1366 <span><strong class=
"command">local7
</strong></span>, however not all facilities
1368 all operating systems.
1369 How
<span><strong class=
"command">syslog
</strong></span> will handle messages
1371 this facility is described in the
<span><strong class=
"command">syslog.conf
</strong></span> man
1372 page. If you have a system which uses a very old version of
<span><strong class=
"command">syslog
</strong></span> that
1373 only uses two arguments to the
<span><strong class=
"command">openlog()
</strong></span> function,
1374 then this clause is silently ignored.
1377 On Windows machines syslog messages are directed to the EventViewer.
1380 The
<span><strong class=
"command">severity
</strong></span> clause works like
<span><strong class=
"command">syslog
</strong></span>'s
1381 "priorities", except that they can also be used if you are writing
1382 straight to a file rather than using
<span><strong class=
"command">syslog
</strong></span>.
1383 Messages which are not at least of the severity level given will
1384 not be selected for the channel; messages of higher severity
1389 If you are using
<span><strong class=
"command">syslog
</strong></span>, then the
<span><strong class=
"command">syslog.conf
</strong></span> priorities
1390 will also determine what eventually passes through. For example,
1391 defining a channel facility and severity as
<span><strong class=
"command">daemon
</strong></span> and
<span><strong class=
"command">debug
</strong></span> but
1392 only logging
<span><strong class=
"command">daemon.warning
</strong></span> via
<span><strong class=
"command">syslog.conf
</strong></span> will
1393 cause messages of severity
<span><strong class=
"command">info
</strong></span> and
1394 <span><strong class=
"command">notice
</strong></span> to
1395 be dropped. If the situation were reversed, with
<span><strong class=
"command">named
</strong></span> writing
1396 messages of only
<span><strong class=
"command">warning
</strong></span> or higher,
1397 then
<span><strong class=
"command">syslogd
</strong></span> would
1398 print all messages it received from the channel.
1401 The
<span><strong class=
"command">stderr
</strong></span> destination clause
1403 channel to the server's standard error stream. This is intended
1405 use when the server is running as a foreground process, for
1407 when debugging a configuration.
1410 The server can supply extensive debugging information when
1411 it is in debugging mode. If the server's global debug level is
1413 than zero, then debugging mode will be active. The global debug
1414 level is set either by starting the
<span><strong class=
"command">named
</strong></span> server
1415 with the
<code class=
"option">-d
</code> flag followed by a positive integer,
1416 or by running
<span><strong class=
"command">rndc trace
</strong></span>.
1417 The global debug level
1418 can be set to zero, and debugging mode turned off, by running
<span><strong class=
"command">rndc
1419 notrace
</strong></span>. All debugging messages in the server have a debug
1420 level, and higher debug levels give more detailed output. Channels
1421 that specify a specific debug severity, for example:
1423 <pre class=
"programlisting">channel specific_debug_level {
1429 will get debugging output of level
3 or less any time the
1430 server is in debugging mode, regardless of the global debugging
1431 level. Channels with
<span><strong class=
"command">dynamic
</strong></span>
1433 server's global debug level to determine what messages to print.
1436 If
<span><strong class=
"command">print-time
</strong></span> has been turned on,
1438 the date and time will be logged.
<span><strong class=
"command">print-time
</strong></span> may
1439 be specified for a
<span><strong class=
"command">syslog
</strong></span> channel,
1441 pointless since
<span><strong class=
"command">syslog
</strong></span> also logs
1443 time. If
<span><strong class=
"command">print-category
</strong></span> is
1445 category of the message will be logged as well. Finally, if
<span><strong class=
"command">print-severity
</strong></span> is
1446 on, then the severity level of the message will be logged. The
<span><strong class=
"command">print-
</strong></span> options may
1447 be used in any combination, and will always be printed in the
1449 order: time, category, severity. Here is an example where all
1450 three
<span><strong class=
"command">print-
</strong></span> options
1454 <code class=
"computeroutput">28-Feb-
2000 15:
05:
32.863 general: notice: running
</code>
1457 There are four predefined channels that are used for
1458 <span><strong class=
"command">named
</strong></span>'s default logging as follows.
1460 used is described in
<a href=
"Bv9ARM.ch06.html#the_category_phrase" title=
"The category Phrase">the section called
“The
<span><strong class=
"command">category
</strong></span> Phrase
”</a>.
1462 <pre class=
"programlisting">channel default_syslog {
1463 // send to syslog's daemon facility
1465 // only send priority info and higher
1468 channel default_debug {
1469 // write to named.run in the working directory
1470 // Note: stderr is used instead of
"named.run" if
1471 // the server is started with the '-f' option.
1473 // log at the server's current debug level
1477 channel default_stderr {
1480 // only send priority info and higher
1485 // toss anything sent to this channel
1490 The
<span><strong class=
"command">default_debug
</strong></span> channel has the
1492 property that it only produces output when the server's debug
1494 nonzero. It normally writes to a file called
<code class=
"filename">named.run
</code>
1495 in the server's working directory.
1498 For security reasons, when the
"<code class="option
">-u</code>"
1499 command line option is used, the
<code class=
"filename">named.run
</code> file
1500 is created only after
<span><strong class=
"command">named
</strong></span> has
1502 new UID, and any debug output generated while
<span><strong class=
"command">named
</strong></span> is
1503 starting up and still running as root is discarded. If you need
1504 to capture this output, you must run the server with the
"<code class="option
">-g</code>"
1505 option and redirect standard error to a file.
1508 Once a channel is defined, it cannot be redefined. Thus you
1509 cannot alter the built-in channels directly, but you can modify
1510 the default logging by pointing categories at channels you have
1514 <div class=
"sect3" lang=
"en">
1515 <div class=
"titlepage"><div><div><h4 class=
"title">
1516 <a name=
"the_category_phrase"></a>The
<span><strong class=
"command">category
</strong></span> Phrase
</h4></div></div></div>
1518 There are many categories, so you can send the logs you want
1519 to see wherever you want, without seeing logs you don't want. If
1520 you don't specify a list of channels for a category, then log
1522 in that category will be sent to the
<span><strong class=
"command">default
</strong></span> category
1523 instead. If you don't specify a default category, the following
1524 "default default" is used:
1526 <pre class=
"programlisting">category default { default_syslog; default_debug; };
1529 As an example, let's say you want to log security events to
1530 a file, but you also want keep the default logging behavior. You'd
1531 specify the following:
1533 <pre class=
"programlisting">channel my_security_channel {
1534 file
"my_security_file";
1538 my_security_channel;
1543 To discard all messages in a category, specify the
<span><strong class=
"command">null
</strong></span> channel:
1545 <pre class=
"programlisting">category xfer-out { null; };
1546 category notify { null; };
1549 Following are the available categories and brief descriptions
1550 of the types of log information they contain. More
1551 categories may be added in future
<acronym class=
"acronym">BIND
</acronym> releases.
1553 <div class=
"informaltable"><table border=
"1">
1561 <p><span><strong class=
"command">default
</strong></span></p>
1565 The default category defines the logging
1566 options for those categories where no specific
1567 configuration has been
1574 <p><span><strong class=
"command">general
</strong></span></p>
1578 The catch-all. Many things still aren't
1579 classified into categories, and they all end up here.
1585 <p><span><strong class=
"command">database
</strong></span></p>
1589 Messages relating to the databases used
1590 internally by the name server to store zone and cache
1597 <p><span><strong class=
"command">security
</strong></span></p>
1601 Approval and denial of requests.
1607 <p><span><strong class=
"command">config
</strong></span></p>
1611 Configuration file parsing and processing.
1617 <p><span><strong class=
"command">resolver
</strong></span></p>
1621 DNS resolution, such as the recursive
1622 lookups performed on behalf of clients by a caching name
1629 <p><span><strong class=
"command">xfer-in
</strong></span></p>
1633 Zone transfers the server is receiving.
1639 <p><span><strong class=
"command">xfer-out
</strong></span></p>
1643 Zone transfers the server is sending.
1649 <p><span><strong class=
"command">notify
</strong></span></p>
1653 The NOTIFY protocol.
1659 <p><span><strong class=
"command">client
</strong></span></p>
1663 Processing of client requests.
1669 <p><span><strong class=
"command">unmatched
</strong></span></p>
1673 Messages that
<span><strong class=
"command">named
</strong></span> was unable to determine the
1674 class of or for which there was no matching
<span><strong class=
"command">view
</strong></span>.
1675 A one line summary is also logged to the
<span><strong class=
"command">client
</strong></span> category.
1676 This category is best sent to a file or stderr, by
1677 default it is sent to
1678 the
<span><strong class=
"command">null
</strong></span> channel.
1684 <p><span><strong class=
"command">network
</strong></span></p>
1694 <p><span><strong class=
"command">update
</strong></span></p>
1704 <p><span><strong class=
"command">update-security
</strong></span></p>
1708 Approval and denial of update requests.
1714 <p><span><strong class=
"command">queries
</strong></span></p>
1718 Specify where queries should be logged to.
1721 At startup, specifying the category
<span><strong class=
"command">queries
</strong></span> will also
1722 enable query logging unless
<span><strong class=
"command">querylog
</strong></span> option has been
1727 The query log entry reports the client's IP
1728 address and port number, and the query name,
1729 class and type. Next it reports whether the
1730 Recursion Desired flag was set (+ if set, -
1731 if not set), if the query was signed (S),
1732 EDNS was in use (E), if TCP was used (T), if
1733 DO (DNSSEC Ok) was set (D), or if CD (Checking
1734 Disabled) was set (C). After this the
1735 destination address the query was sent to is
1740 <code class=
"computeroutput">client
127.0.0.1#
62536 (www.example.com): query: www.example.com IN AAAA +SE
</code>
1743 <code class=
"computeroutput">client ::
1#
62537 (www.example.net): query: www.example.net IN AAAA -SE
</code>
1746 (The first part of this log message, showing the
1747 client address/port number and query name, is
1748 repeated in all subsequent log messages related
1755 <p><span><strong class=
"command">query-errors
</strong></span></p>
1759 Information about queries that resulted in some
1766 <p><span><strong class=
"command">dispatch
</strong></span></p>
1770 Dispatching of incoming packets to the
1771 server modules where they are to be processed.
1777 <p><span><strong class=
"command">dnssec
</strong></span></p>
1781 DNSSEC and TSIG protocol processing.
1787 <p><span><strong class=
"command">lame-servers
</strong></span></p>
1791 Lame servers. These are misconfigurations
1792 in remote servers, discovered by BIND
9 when trying to
1793 query those servers during resolution.
1799 <p><span><strong class=
"command">delegation-only
</strong></span></p>
1803 Delegation only. Logs queries that have been
1804 forced to NXDOMAIN as the result of a
1805 delegation-only zone or a
1806 <span><strong class=
"command">delegation-only
</strong></span> in a
1807 forward, hint or stub zone declaration.
1813 <p><span><strong class=
"command">edns-disabled
</strong></span></p>
1817 Log queries that have been forced to use plain
1818 DNS due to timeouts. This is often due to
1819 the remote servers not being RFC
1034 compliant
1820 (not always returning FORMERR or similar to
1821 EDNS queries and other extensions to the DNS
1822 when they are not understood). In other words, this is
1823 targeted at servers that fail to respond to
1824 DNS queries that they don't understand.
1827 Note: the log message can also be due to
1828 packet loss. Before reporting servers for
1829 non-RFC
1034 compliance they should be re-tested
1830 to determine the nature of the non-compliance.
1831 This testing should prevent or reduce the
1832 number of false-positive reports.
1835 Note: eventually
<span><strong class=
"command">named
</strong></span> will have to stop
1836 treating such timeouts as due to RFC
1034 non
1837 compliance and start treating it as plain
1838 packet loss. Falsely classifying packet
1839 loss as due to RFC
1034 non compliance impacts
1840 on DNSSEC validation which requires EDNS for
1841 the DNSSEC records to be returned.
1847 <p><span><strong class=
"command">RPZ
</strong></span></p>
1851 Information about errors in response policy zone files,
1852 rewritten responses, and at the highest
1853 <span><strong class=
"command">debug
</strong></span> levels, mere rewriting
1860 <p><span><strong class=
"command">rate-limit
</strong></span></p>
1864 The start, periodic, and final notices of the
1865 rate limiting of a stream of responses are logged at
1866 <span><strong class=
"command">info
</strong></span> severity in this category.
1867 These messages include a hash value of the domain name
1868 of the response and the name itself,
1869 except when there is insufficient memory to record
1870 the name for the final notice
1871 The final notice is normally delayed until about one
1872 minute after rate limit stops.
1873 A lack of memory can hurry the final notice,
1874 in which case it starts with an asterisk (*).
1875 Various internal events are logged at debug
1 level
1879 Rate limiting of individual requests
1880 is logged in the
<span><strong class=
"command">query-errors
</strong></span> category.
1886 <p><span><strong class=
"command">cname
</strong></span></p>
1890 Logs nameservers that are skipped due to them being
1891 a CNAME rather than A / AAAA records.
1898 <div class=
"sect3" lang=
"en">
1899 <div class=
"titlepage"><div><div><h4 class=
"title">
1900 <a name=
"id2576732"></a>The
<span><strong class=
"command">query-errors
</strong></span> Category
</h4></div></div></div>
1902 The
<span><strong class=
"command">query-errors
</strong></span> category is
1903 specifically intended for debugging purposes: To identify
1904 why and how specific queries result in responses which
1906 Messages of this category are therefore only logged
1907 with
<span><strong class=
"command">debug
</strong></span> levels.
1910 At the debug levels of
1 or higher, each response with the
1911 rcode of SERVFAIL is logged as follows:
1914 <code class=
"computeroutput">client
127.0.0.1#
61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:
3880</code>
1917 This means an error resulting in SERVFAIL was
1918 detected at line
3880 of source file
1919 <code class=
"filename">query.c
</code>.
1920 Log messages of this level will particularly
1921 help identify the cause of SERVFAIL for an
1922 authoritative server.
1925 At the debug levels of
2 or higher, detailed context
1926 information of recursive resolutions that resulted in
1928 The log message will look like as follows:
1933 <pre class=
"programlisting">
1934 fetch completed at resolver.c:
2970 for www.example.com/A
1935 in
30.000183: timed out/success [domain:example.com,
1936 referral:
2,restart:
7,qrysent:
8,timeout:
5,lame:
0,neterr:
0,
1937 badresp:
1,adberr:
0,findfail:
0,valfail:
0]
1942 The first part before the colon shows that a recursive
1943 resolution for AAAA records of www.example.com completed
1944 in
30.000183 seconds and the final result that led to the
1945 SERVFAIL was determined at line
2970 of source file
1946 <code class=
"filename">resolver.c
</code>.
1949 The following part shows the detected final result and the
1950 latest result of DNSSEC validation.
1951 The latter is always success when no validation attempt
1953 In this example, this query resulted in SERVFAIL probably
1954 because all name servers are down or unreachable, leading
1955 to a timeout in
30 seconds.
1956 DNSSEC validation was probably not attempted.
1959 The last part enclosed in square brackets shows statistics
1960 information collected for this particular resolution
1962 The
<code class=
"varname">domain
</code> field shows the deepest zone
1963 that the resolver reached;
1964 it is the zone where the error was finally detected.
1965 The meaning of the other fields is summarized in the
1968 <div class=
"informaltable"><table border=
"1">
1976 <p><code class=
"varname">referral
</code></p>
1980 The number of referrals the resolver received
1981 throughout the resolution process.
1982 In the above example this is
2, which are most
1983 likely com and example.com.
1989 <p><code class=
"varname">restart
</code></p>
1993 The number of cycles that the resolver tried
1994 remote servers at the
<code class=
"varname">domain
</code>
1996 In each cycle the resolver sends one query
1997 (possibly resending it, depending on the response)
1998 to each known name server of
1999 the
<code class=
"varname">domain
</code> zone.
2005 <p><code class=
"varname">qrysent
</code></p>
2009 The number of queries the resolver sent at the
2010 <code class=
"varname">domain
</code> zone.
2016 <p><code class=
"varname">timeout
</code></p>
2020 The number of timeouts since the resolver
2021 received the last response.
2027 <p><code class=
"varname">lame
</code></p>
2031 The number of lame servers the resolver detected
2032 at the
<code class=
"varname">domain
</code> zone.
2033 A server is detected to be lame either by an
2034 invalid response or as a result of lookup in
2035 BIND9's address database (ADB), where lame
2042 <p><code class=
"varname">neterr
</code></p>
2046 The number of erroneous results that the
2047 resolver encountered in sending queries
2048 at the
<code class=
"varname">domain
</code> zone.
2049 One common case is the remote server is
2050 unreachable and the resolver receives an ICMP
2051 unreachable error message.
2057 <p><code class=
"varname">badresp
</code></p>
2061 The number of unexpected responses (other than
2062 <code class=
"varname">lame
</code>) to queries sent by the
2063 resolver at the
<code class=
"varname">domain
</code> zone.
2069 <p><code class=
"varname">adberr
</code></p>
2073 Failures in finding remote server addresses
2074 of the
<code class=
"varname">domain
</code> zone in the ADB.
2075 One common case of this is that the remote
2076 server's name does not have any address records.
2082 <p><code class=
"varname">findfail
</code></p>
2086 Failures of resolving remote server addresses.
2087 This is a total number of failures throughout
2088 the resolution process.
2094 <p><code class=
"varname">valfail
</code></p>
2098 Failures of DNSSEC validation.
2099 Validation failures are counted throughout
2100 the resolution process (not limited to
2101 the
<code class=
"varname">domain
</code> zone), but should
2102 only happen in
<code class=
"varname">domain
</code>.
2109 At the debug levels of
3 or higher, the same messages
2110 as those at the debug
1 level are logged for other errors
2112 Note that negative responses such as NXDOMAIN are not
2113 regarded as errors here.
2116 At the debug levels of
4 or higher, the same messages
2117 as those at the debug
2 level are logged for other errors
2119 Unlike the above case of level
3, messages are logged for
2121 This is because any unexpected results can be difficult to
2122 debug in the recursion case.
2126 <div class=
"sect2" lang=
"en">
2127 <div class=
"titlepage"><div><div><h3 class=
"title">
2128 <a name=
"id2577252"></a><span><strong class=
"command">lwres
</strong></span> Statement Grammar
</h3></div></div></div>
2130 This is the grammar of the
<span><strong class=
"command">lwres
</strong></span>
2131 statement in the
<code class=
"filename">named.conf
</code> file:
2133 <pre class=
"programlisting"><span><strong class=
"command">lwres
</strong></span> {
2134 [
<span class=
"optional"> listen-on {
<em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
2135 [
<span class=
"optional"> <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ; ...
</span>] };
</span>]
2136 [
<span class=
"optional"> view
<em class=
"replaceable"><code>view_name
</code></em>;
</span>]
2137 [
<span class=
"optional"> search {
<em class=
"replaceable"><code>domain_name
</code></em> ; [
<span class=
"optional"> <em class=
"replaceable"><code>domain_name
</code></em> ; ...
</span>] };
</span>]
2138 [
<span class=
"optional"> ndots
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2142 <div class=
"sect2" lang=
"en">
2143 <div class=
"titlepage"><div><div><h3 class=
"title">
2144 <a name=
"id2577336"></a><span><strong class=
"command">lwres
</strong></span> Statement Definition and Usage
</h3></div></div></div>
2146 The
<span><strong class=
"command">lwres
</strong></span> statement configures the
2148 server to also act as a lightweight resolver server. (See
2149 <a href=
"Bv9ARM.ch05.html#lwresd" title=
"Running a Resolver Daemon">the section called
“Running a Resolver Daemon
”</a>.) There may be multiple
2150 <span><strong class=
"command">lwres
</strong></span> statements configuring
2151 lightweight resolver servers with different properties.
2154 The
<span><strong class=
"command">listen-on
</strong></span> statement specifies a
2156 IPv4 addresses (and ports) that this instance of a lightweight
2158 should accept requests on. If no port is specified, port
921 is
2160 If this statement is omitted, requests will be accepted on
2165 The
<span><strong class=
"command">view
</strong></span> statement binds this
2167 lightweight resolver daemon to a view in the DNS namespace, so that
2169 response will be constructed in the same manner as a normal DNS
2171 matching this view. If this statement is omitted, the default view
2173 used, and if there is no default view, an error is triggered.
2176 The
<span><strong class=
"command">search
</strong></span> statement is equivalent to
2178 <span><strong class=
"command">search
</strong></span> statement in
2179 <code class=
"filename">/etc/resolv.conf
</code>. It provides a
2181 which are appended to relative names in queries.
2184 The
<span><strong class=
"command">ndots
</strong></span> statement is equivalent to
2186 <span><strong class=
"command">ndots
</strong></span> statement in
2187 <code class=
"filename">/etc/resolv.conf
</code>. It indicates the
2189 number of dots in a relative domain name that should result in an
2190 exact match lookup before search path elements are appended.
2193 <div class=
"sect2" lang=
"en">
2194 <div class=
"titlepage"><div><div><h3 class=
"title">
2195 <a name=
"id2577400"></a><span><strong class=
"command">masters
</strong></span> Statement Grammar
</h3></div></div></div>
2196 <pre class=
"programlisting">
2197 <span><strong class=
"command">masters
</strong></span> <em class=
"replaceable"><code>name
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] { (
<em class=
"replaceable"><code>masters_list
</code></em> |
2198 <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">key
<em class=
"replaceable"><code>key
</code></em></span>] ) ; [
<span class=
"optional">...
</span>] };
2201 <div class=
"sect2" lang=
"en">
2202 <div class=
"titlepage"><div><div><h3 class=
"title">
2203 <a name=
"id2577517"></a><span><strong class=
"command">masters
</strong></span> Statement Definition and
2204 Usage
</h3></div></div></div>
2205 <p><span><strong class=
"command">masters
</strong></span>
2206 lists allow for a common set of masters to be easily used by
2207 multiple stub and slave zones in their
<span><strong class=
"command">masters
</strong></span>
2208 or
<span><strong class=
"command">also-notify
</strong></span> lists.
2211 <div class=
"sect2" lang=
"en">
2212 <div class=
"titlepage"><div><div><h3 class=
"title">
2213 <a name=
"id2577539"></a><span><strong class=
"command">options
</strong></span> Statement Grammar
</h3></div></div></div>
2215 This is the grammar of the
<span><strong class=
"command">options
</strong></span>
2216 statement in the
<code class=
"filename">named.conf
</code> file:
2218 <pre class=
"programlisting"><span><strong class=
"command">options
</strong></span> {
2219 [
<span class=
"optional"> attach-cache
<em class=
"replaceable"><code>cache_name
</code></em>;
</span>]
2220 [
<span class=
"optional"> version
<em class=
"replaceable"><code>version_string
</code></em>;
</span>]
2221 [
<span class=
"optional"> hostname
<em class=
"replaceable"><code>hostname_string
</code></em>;
</span>]
2222 [
<span class=
"optional"> server-id
<em class=
"replaceable"><code>server_id_string
</code></em>;
</span>]
2223 [
<span class=
"optional"> directory
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2224 [
<span class=
"optional"> geoip-directory
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2225 [
<span class=
"optional"> key-directory
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2226 [
<span class=
"optional"> managed-keys-directory
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2227 [
<span class=
"optional"> named-xfer
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2228 [
<span class=
"optional"> tkey-gssapi-keytab
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2229 [
<span class=
"optional"> tkey-gssapi-credential
<em class=
"replaceable"><code>principal
</code></em>;
</span>]
2230 [
<span class=
"optional"> tkey-domain
<em class=
"replaceable"><code>domainname
</code></em>;
</span>]
2231 [
<span class=
"optional"> tkey-dhkey
<em class=
"replaceable"><code>key_name
</code></em> <em class=
"replaceable"><code>key_tag
</code></em>;
</span>]
2232 [
<span class=
"optional"> cache-file
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2233 [
<span class=
"optional"> dump-file
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2234 [
<span class=
"optional"> bindkeys-file
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2235 [
<span class=
"optional"> secroots-file
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2236 [
<span class=
"optional"> session-keyfile
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2237 [
<span class=
"optional"> session-keyname
<em class=
"replaceable"><code>key_name
</code></em>;
</span>]
2238 [
<span class=
"optional"> session-keyalg
<em class=
"replaceable"><code>algorithm_id
</code></em>;
</span>]
2239 [
<span class=
"optional"> memstatistics
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2240 [
<span class=
"optional"> memstatistics-file
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2241 [
<span class=
"optional"> pid-file
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2242 [
<span class=
"optional"> recursing-file
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2243 [
<span class=
"optional"> statistics-file
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
2244 [
<span class=
"optional"> zone-statistics
<em class=
"replaceable"><code>full
</code></em> |
<em class=
"replaceable"><code>terse
</code></em> |
<em class=
"replaceable"><code>none
</code></em>;
</span>]
2245 [
<span class=
"optional"> auth-nxdomain
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2246 [
<span class=
"optional"> deallocate-on-exit
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2247 [
<span class=
"optional"> dialup
<em class=
"replaceable"><code>dialup_option
</code></em>;
</span>]
2248 [
<span class=
"optional"> fake-iquery
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2249 [
<span class=
"optional"> fetch-glue
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2250 [
<span class=
"optional"> flush-zones-on-shutdown
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2251 [
<span class=
"optional"> has-old-clients
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2252 [
<span class=
"optional"> host-statistics
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2253 [
<span class=
"optional"> host-statistics-max
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2254 [
<span class=
"optional"> minimal-responses
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2255 [
<span class=
"optional"> multiple-cnames
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2256 [
<span class=
"optional"> notify
<em class=
"replaceable"><code>yes_or_no
</code></em> |
<em class=
"replaceable"><code>explicit
</code></em> |
<em class=
"replaceable"><code>master-only
</code></em>;
</span>]
2257 [
<span class=
"optional"> recursion
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2258 [
<span class=
"optional"> request-sit
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2259 [
<span class=
"optional"> request-nsid
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2260 [
<span class=
"optional"> rfc2308-type1
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2261 [
<span class=
"optional"> use-id-pool
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2262 [
<span class=
"optional"> maintain-ixfr-base
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2263 [
<span class=
"optional"> ixfr-from-differences (
<em class=
"replaceable"><code>yes_or_no
</code></em> |
<code class=
"constant">master
</code> |
<code class=
"constant">slave
</code>);
</span>]
2264 [
<span class=
"optional"> dnssec-enable
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2265 [
<span class=
"optional"> dnssec-validation (
<em class=
"replaceable"><code>yes_or_no
</code></em> |
<code class=
"constant">auto
</code>);
</span>]
2266 [
<span class=
"optional"> dnssec-lookaside (
<em class=
"replaceable"><code>auto
</code></em> |
2267 <em class=
"replaceable"><code>no
</code></em> |
2268 <em class=
"replaceable"><code>domain
</code></em> trust-anchor
<em class=
"replaceable"><code>domain
</code></em> );
</span>]
2269 [
<span class=
"optional"> dnssec-must-be-secure
<em class=
"replaceable"><code>domain yes_or_no
</code></em>;
</span>]
2270 [
<span class=
"optional"> dnssec-accept-expired
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2271 [
<span class=
"optional"> forward (
<em class=
"replaceable"><code>only
</code></em> |
<em class=
"replaceable"><code>first
</code></em> );
</span>]
2272 [
<span class=
"optional"> forwarders { [
<span class=
"optional"> <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ; ...
</span>] };
</span>]
2273 [
<span class=
"optional"> dual-stack-servers [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] {
2274 (
<em class=
"replaceable"><code>domain_name
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] |
2275 <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>]) ;
2277 [
<span class=
"optional"> check-names (
<em class=
"replaceable"><code>master
</code></em> |
<em class=
"replaceable"><code>slave
</code></em> |
<em class=
"replaceable"><code>response
</code></em> )
2278 (
<em class=
"replaceable"><code>warn
</code></em> |
<em class=
"replaceable"><code>fail
</code></em> |
<em class=
"replaceable"><code>ignore
</code></em> );
</span>]
2279 [
<span class=
"optional"> check-dup-records (
<em class=
"replaceable"><code>warn
</code></em> |
<em class=
"replaceable"><code>fail
</code></em> |
<em class=
"replaceable"><code>ignore
</code></em> );
</span>]
2280 [
<span class=
"optional"> check-mx (
<em class=
"replaceable"><code>warn
</code></em> |
<em class=
"replaceable"><code>fail
</code></em> |
<em class=
"replaceable"><code>ignore
</code></em> );
</span>]
2281 [
<span class=
"optional"> check-wildcard
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2282 [
<span class=
"optional"> check-integrity
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2283 [
<span class=
"optional"> check-mx-cname (
<em class=
"replaceable"><code>warn
</code></em> |
<em class=
"replaceable"><code>fail
</code></em> |
<em class=
"replaceable"><code>ignore
</code></em> );
</span>]
2284 [
<span class=
"optional"> check-srv-cname (
<em class=
"replaceable"><code>warn
</code></em> |
<em class=
"replaceable"><code>fail
</code></em> |
<em class=
"replaceable"><code>ignore
</code></em> );
</span>]
2285 [
<span class=
"optional"> check-sibling
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2286 [
<span class=
"optional"> check-spf (
<em class=
"replaceable"><code>warn
</code></em> |
<em class=
"replaceable"><code>ignore
</code></em> );
</span>]
2287 [
<span class=
"optional"> allow-new-zones {
<em class=
"replaceable"><code>yes_or_no
</code></em> };
</span>]
2288 [
<span class=
"optional"> allow-notify {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2289 [
<span class=
"optional"> allow-query {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2290 [
<span class=
"optional"> allow-query-on {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2291 [
<span class=
"optional"> allow-query-cache {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2292 [
<span class=
"optional"> allow-query-cache-on {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2293 [
<span class=
"optional"> allow-transfer {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2294 [
<span class=
"optional"> allow-recursion {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2295 [
<span class=
"optional"> allow-recursion-on {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2296 [
<span class=
"optional"> allow-update {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2297 [
<span class=
"optional"> allow-update-forwarding {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2298 [
<span class=
"optional"> update-check-ksk
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2299 [
<span class=
"optional"> dnssec-update-mode (
<em class=
"replaceable"><code>maintain
</code></em> |
<em class=
"replaceable"><code>no-resign
</code></em> );
</span>]
2300 [
<span class=
"optional"> dnssec-dnskey-kskonly
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2301 [
<span class=
"optional"> dnssec-loadkeys-interval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2302 [
<span class=
"optional"> dnssec-secure-to-insecure
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2303 [
<span class=
"optional"> try-tcp-refresh
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2304 [
<span class=
"optional"> allow-v6-synthesis {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2305 [
<span class=
"optional"> blackhole {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2306 [
<span class=
"optional"> no-case-compress {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2307 [
<span class=
"optional"> use-v4-udp-ports {
<em class=
"replaceable"><code>port_list
</code></em> };
</span>]
2308 [
<span class=
"optional"> avoid-v4-udp-ports {
<em class=
"replaceable"><code>port_list
</code></em> };
</span>]
2309 [
<span class=
"optional"> use-v6-udp-ports {
<em class=
"replaceable"><code>port_list
</code></em> };
</span>]
2310 [
<span class=
"optional"> avoid-v6-udp-ports {
<em class=
"replaceable"><code>port_list
</code></em> };
</span>]
2311 [
<span class=
"optional"> listen-on [
<span class=
"optional"> port
<em class=
"replaceable"><code>ip_port
</code></em> </span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2312 [
<span class=
"optional"> listen-on-v6 [
<span class=
"optional"> port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>]
2313 {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2314 [
<span class=
"optional"> query-source ( (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
2315 [
<span class=
"optional"> port (
<em class=
"replaceable"><code>ip_port
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>]
2316 [
<span class=
"optional"> dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] |
2317 [
<span class=
"optional"> address (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>]
2318 [
<span class=
"optional"> port (
<em class=
"replaceable"><code>ip_port
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>] )
2319 [
<span class=
"optional"> dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
2320 [
<span class=
"optional"> query-source-v6 ( (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
2321 [
<span class=
"optional"> port (
<em class=
"replaceable"><code>ip_port
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>]
2322 [
<span class=
"optional"> dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] |
2323 [
<span class=
"optional"> address (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>]
2324 [
<span class=
"optional"> port (
<em class=
"replaceable"><code>ip_port
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>] )
2325 [
<span class=
"optional"> dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
2326 [
<span class=
"optional"> use-queryport-pool
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2327 [
<span class=
"optional"> queryport-pool-ports
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2328 [
<span class=
"optional"> queryport-pool-updateinterval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2329 [
<span class=
"optional"> max-transfer-time-in
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2330 [
<span class=
"optional"> max-transfer-time-out
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2331 [
<span class=
"optional"> max-transfer-idle-in
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2332 [
<span class=
"optional"> max-transfer-idle-out
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2333 [
<span class=
"optional"> tcp-clients
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2334 [
<span class=
"optional"> reserved-sockets
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2335 [
<span class=
"optional"> recursive-clients
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2336 [
<span class=
"optional"> serial-query-rate
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2337 [
<span class=
"optional"> serial-queries
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2338 [
<span class=
"optional"> tcp-listen-queue
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2339 [
<span class=
"optional"> transfer-format
<em class=
"replaceable"><code>( one-answer | many-answers )
</code></em>;
</span>]
2340 [
<span class=
"optional"> transfers-in
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2341 [
<span class=
"optional"> transfers-out
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2342 [
<span class=
"optional"> transfers-per-ns
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2343 [
<span class=
"optional"> transfer-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
2344 [
<span class=
"optional"> transfer-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
2345 [
<span class=
"optional"> alt-transfer-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
2346 [
<span class=
"optional"> alt-transfer-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
2347 [
<span class=
"optional"> use-alt-transfer-source
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2348 [
<span class=
"optional"> notify-delay
<em class=
"replaceable"><code>seconds
</code></em> ;
</span>]
2349 [
<span class=
"optional"> notify-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
2350 [
<span class=
"optional"> notify-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
2351 [
<span class=
"optional"> notify-to-soa
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2352 [
<span class=
"optional"> also-notify {
<em class=
"replaceable"><code>ip_addr
</code></em>
2353 [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] [
<span class=
"optional">key
<em class=
"replaceable"><code>keyname
</code></em></span>] ;
2354 [
<span class=
"optional"> <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] [
<span class=
"optional">key
<em class=
"replaceable"><code>keyname
</code></em></span>] ; ...
</span>] };
</span>]
2355 [
<span class=
"optional"> max-ixfr-log-size
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2356 [
<span class=
"optional"> max-journal-size
<em class=
"replaceable"><code>size_spec
</code></em>;
</span>]
2357 [
<span class=
"optional"> coresize
<em class=
"replaceable"><code>size_spec
</code></em> ;
</span>]
2358 [
<span class=
"optional"> datasize
<em class=
"replaceable"><code>size_spec
</code></em> ;
</span>]
2359 [
<span class=
"optional"> files
<em class=
"replaceable"><code>size_spec
</code></em> ;
</span>]
2360 [
<span class=
"optional"> stacksize
<em class=
"replaceable"><code>size_spec
</code></em> ;
</span>]
2361 [
<span class=
"optional"> cleaning-interval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2362 [
<span class=
"optional"> heartbeat-interval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2363 [
<span class=
"optional"> interface-interval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2364 [
<span class=
"optional"> statistics-interval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2365 [
<span class=
"optional"> topology {
<em class=
"replaceable"><code>address_match_list
</code></em> }
</span>];
2366 [
<span class=
"optional"> sortlist {
<em class=
"replaceable"><code>address_match_list
</code></em> }
</span>];
2367 [
<span class=
"optional"> rrset-order {
<em class=
"replaceable"><code>order_spec
</code></em> ; [
<span class=
"optional"> <em class=
"replaceable"><code>order_spec
</code></em> ; ...
</span>]
</span>] };
2368 [
<span class=
"optional"> lame-ttl
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2369 [
<span class=
"optional"> max-ncache-ttl
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2370 [
<span class=
"optional"> max-cache-ttl
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2371 [
<span class=
"optional"> max-zone-ttl
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2372 [
<span class=
"optional"> sig-validity-interval
<em class=
"replaceable"><code>number
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>number
</code></em></span>] ;
</span>]
2373 [
<span class=
"optional"> sig-signing-nodes
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2374 [
<span class=
"optional"> sig-signing-signatures
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2375 [
<span class=
"optional"> sig-signing-type
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2376 [
<span class=
"optional"> min-roots
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2377 [
<span class=
"optional"> use-ixfr
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2378 [
<span class=
"optional"> provide-ixfr
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2379 [
<span class=
"optional"> request-ixfr
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2380 [
<span class=
"optional"> treat-cr-as-space
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2381 [
<span class=
"optional"> min-refresh-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2382 [
<span class=
"optional"> max-refresh-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2383 [
<span class=
"optional"> min-retry-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2384 [
<span class=
"optional"> max-retry-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2385 [
<span class=
"optional"> port
<em class=
"replaceable"><code>ip_port
</code></em>;
</span>]
2386 [
<span class=
"optional"> dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
2387 [
<span class=
"optional"> additional-from-auth
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2388 [
<span class=
"optional"> additional-from-cache
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2389 [
<span class=
"optional"> random-device
<em class=
"replaceable"><code>path_name
</code></em> ;
</span>]
2390 [
<span class=
"optional"> max-cache-size
<em class=
"replaceable"><code>size_spec
</code></em> ;
</span>]
2391 [
<span class=
"optional"> match-mapped-addresses
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2392 [
<span class=
"optional"> filter-aaaa-on-v4 (
<em class=
"replaceable"><code>yes_or_no
</code></em> |
<em class=
"replaceable"><code>break-dnssec
</code></em> );
</span>]
2393 [
<span class=
"optional"> filter-aaaa-on-v6 (
<em class=
"replaceable"><code>yes_or_no
</code></em> |
<em class=
"replaceable"><code>break-dnssec
</code></em> );
</span>]
2394 [
<span class=
"optional"> filter-aaaa {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2395 [
<span class=
"optional"> dns64
<em class=
"replaceable"><code>ipv6-prefix
</code></em> {
2396 [
<span class=
"optional"> clients {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2397 [
<span class=
"optional"> mapped {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2398 [
<span class=
"optional"> exclude {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
2399 [
<span class=
"optional"> suffix IPv6-address;
</span>]
2400 [
<span class=
"optional"> recursive-only
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2401 [
<span class=
"optional"> break-dnssec
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
2403 [
<span class=
"optional"> dns64-server
<em class=
"replaceable"><code>name
</code></em> </span>]
2404 [
<span class=
"optional"> dns64-contact
<em class=
"replaceable"><code>name
</code></em> </span>]
2405 [
<span class=
"optional"> preferred-glue (
<em class=
"replaceable"><code>A
</code></em> |
<em class=
"replaceable"><code>AAAA
</code></em> |
<em class=
"replaceable"><code>NONE
</code></em> );
</span>]
2406 [
<span class=
"optional"> edns-udp-size
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2407 [
<span class=
"optional"> max-udp-size
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2408 [
<span class=
"optional"> max-rsa-exponent-size
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2409 [
<span class=
"optional"> root-delegation-only [
<span class=
"optional"> exclude {
<em class=
"replaceable"><code>namelist
</code></em> }
</span>] ;
</span>]
2410 [
<span class=
"optional"> querylog
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2411 [
<span class=
"optional"> disable-algorithms
<em class=
"replaceable"><code>domain
</code></em> {
<em class=
"replaceable"><code>algorithm
</code></em>;
2412 [
<span class=
"optional"> <em class=
"replaceable"><code>algorithm
</code></em>;
</span>] };
</span>]
2413 [
<span class=
"optional"> disable-ds-digests
<em class=
"replaceable"><code>domain
</code></em> {
<em class=
"replaceable"><code>digest_type
</code></em>;
2414 [
<span class=
"optional"> <em class=
"replaceable"><code>digest_type
</code></em>;
</span>] };
</span>]
2415 [
<span class=
"optional"> acache-enable
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2416 [
<span class=
"optional"> acache-cleaning-interval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
2417 [
<span class=
"optional"> max-acache-size
<em class=
"replaceable"><code>size_spec
</code></em> ;
</span>]
2418 [
<span class=
"optional"> clients-per-query
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2419 [
<span class=
"optional"> max-clients-per-query
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2420 [
<span class=
"optional"> max-recursion-depth
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2421 [
<span class=
"optional"> max-recursion-queries
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2422 [
<span class=
"optional"> masterfile-format
2423 (
<code class=
"constant">text
</code>|
<code class=
"constant">raw
</code>|
<code class=
"constant">map
</code>) ;
</span>]
2424 [
<span class=
"optional"> empty-server
<em class=
"replaceable"><code>name
</code></em> ;
</span>]
2425 [
<span class=
"optional"> empty-contact
<em class=
"replaceable"><code>name
</code></em> ;
</span>]
2426 [
<span class=
"optional"> empty-zones-enable
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2427 [
<span class=
"optional"> disable-empty-zone
<em class=
"replaceable"><code>zone_name
</code></em> ;
</span>]
2428 [
<span class=
"optional"> zero-no-soa-ttl
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2429 [
<span class=
"optional"> zero-no-soa-ttl-cache
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2430 [
<span class=
"optional"> resolver-query-timeout
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2431 [
<span class=
"optional"> deny-answer-addresses {
<em class=
"replaceable"><code>address_match_list
</code></em> } [
<span class=
"optional"> except-from {
<em class=
"replaceable"><code>namelist
</code></em> }
</span>];
</span>]
2432 [
<span class=
"optional"> deny-answer-aliases {
<em class=
"replaceable"><code>namelist
</code></em> } [
<span class=
"optional"> except-from {
<em class=
"replaceable"><code>namelist
</code></em> }
</span>];
</span>]
2433 [
<span class=
"optional"> prefetch
<em class=
"replaceable"><code>number
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>number
</code></em></span>] ;
</span>]
2435 [
<span class=
"optional"> rate-limit {
2436 [
<span class=
"optional"> responses-per-second
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2437 [
<span class=
"optional"> referrals-per-second
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2438 [
<span class=
"optional"> nodata-per-second
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2439 [
<span class=
"optional"> nxdomains-per-second
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2440 [
<span class=
"optional"> errors-per-second
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2441 [
<span class=
"optional"> all-per-second
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2442 [
<span class=
"optional"> window
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2443 [
<span class=
"optional"> log-only
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
2444 [
<span class=
"optional"> qps-scale
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2445 [
<span class=
"optional"> ipv4-prefix-length
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2446 [
<span class=
"optional"> ipv6-prefix-length
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2447 [
<span class=
"optional"> slip
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2448 [
<span class=
"optional"> exempt-clients {
<em class=
"replaceable"><code>address_match_list
</code></em> } ;
</span>]
2449 [
<span class=
"optional"> max-table-size
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2450 [
<span class=
"optional"> min-table-size
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
2452 [
<span class=
"optional"> response-policy {
2453 zone
<em class=
"replaceable"><code>zone_name
</code></em>
2454 [
<span class=
"optional"> policy
<em class=
"replaceable"><code>(given | disabled | passthru | drop |
2455 nxdomain | nodata | cname domain
</code></em>)
</span>]
2456 [
<span class=
"optional"> recursive-only
<em class=
"replaceable"><code>yes_or_no
</code></em> </span>]
2457 [
<span class=
"optional"> max-policy-ttl
<em class=
"replaceable"><code>number
</code></em> </span>]
2458 ; [
<span class=
"optional">...
</span>]
2459 } [
<span class=
"optional"> recursive-only
<em class=
"replaceable"><code>yes_or_no
</code></em> </span>]
2460 [
<span class=
"optional"> max-policy-ttl
<em class=
"replaceable"><code>number
</code></em> </span>]
2461 [
<span class=
"optional"> break-dnssec
<em class=
"replaceable"><code>yes_or_no
</code></em> </span>]
2462 [
<span class=
"optional"> min-ns-dots
<em class=
"replaceable"><code>number
</code></em> </span>]
2463 [
<span class=
"optional"> qname-wait-recurse
<em class=
"replaceable"><code>yes_or_no
</code></em> </span>]
2468 <div class=
"sect2" lang=
"en">
2469 <div class=
"titlepage"><div><div><h3 class=
"title">
2470 <a name=
"options"></a><span><strong class=
"command">options
</strong></span> Statement Definition and
2471 Usage
</h3></div></div></div>
2473 The
<span><strong class=
"command">options
</strong></span> statement sets up global
2475 to be used by
<acronym class=
"acronym">BIND
</acronym>. This statement
2477 once in a configuration file. If there is no
<span><strong class=
"command">options
</strong></span>
2478 statement, an options block with each option set to its default will
2481 <div class=
"variablelist"><dl>
2482 <dt><span class=
"term"><span><strong class=
"command">attach-cache
</strong></span></span></dt>
2485 Allows multiple views to share a single cache
2487 Each view has its own cache database by default, but
2488 if multiple views have the same operational policy
2489 for name resolution and caching, those views can
2490 share a single cache to save memory and possibly
2491 improve resolution efficiency by using this option.
2494 The
<span><strong class=
"command">attach-cache
</strong></span> option
2495 may also be specified in
<span><strong class=
"command">view
</strong></span>
2496 statements, in which case it overrides the
2497 global
<span><strong class=
"command">attach-cache
</strong></span> option.
2500 The
<em class=
"replaceable"><code>cache_name
</code></em> specifies
2501 the cache to be shared.
2502 When the
<span><strong class=
"command">named
</strong></span> server configures
2503 views which are supposed to share a cache, it
2504 creates a cache with the specified name for the
2505 first view of these sharing views.
2506 The rest of the views will simply refer to the
2507 already created cache.
2510 One common configuration to share a cache would be to
2511 allow all views to share a single cache.
2512 This can be done by specifying
2513 the
<span><strong class=
"command">attach-cache
</strong></span> as a global
2514 option with an arbitrary name.
2517 Another possible operation is to allow a subset of
2518 all views to share a cache while the others to
2519 retain their own caches.
2520 For example, if there are three views A, B, and C,
2521 and only A and B should share a cache, specify the
2522 <span><strong class=
"command">attach-cache
</strong></span> option as a view A (or
2523 B)'s option, referring to the other view name:
2525 <pre class=
"programlisting">
2527 // this view has its own cache
2531 // this view refers to A's cache
2535 // this view has its own cache
2540 Views that share a cache must have the same policy
2541 on configurable parameters that may affect caching.
2542 The current implementation requires the following
2543 configurable options be consistent among these
2545 <span><strong class=
"command">check-names
</strong></span>,
2546 <span><strong class=
"command">cleaning-interval
</strong></span>,
2547 <span><strong class=
"command">dnssec-accept-expired
</strong></span>,
2548 <span><strong class=
"command">dnssec-validation
</strong></span>,
2549 <span><strong class=
"command">max-cache-ttl
</strong></span>,
2550 <span><strong class=
"command">max-ncache-ttl
</strong></span>,
2551 <span><strong class=
"command">max-cache-size
</strong></span>, and
2552 <span><strong class=
"command">zero-no-soa-ttl
</strong></span>.
2555 Note that there may be other parameters that may
2556 cause confusion if they are inconsistent for
2557 different views that share a single cache.
2558 For example, if these views define different sets of
2559 forwarders that can return different answers for the
2560 same question, sharing the answer does not make
2561 sense or could even be harmful.
2562 It is administrator's responsibility to ensure
2563 configuration differences in different views do
2564 not cause disruption with a shared cache.
2567 <dt><span class=
"term"><span><strong class=
"command">directory
</strong></span></span></dt>
2569 The working directory of the server.
2570 Any non-absolute pathnames in the configuration file will be
2572 as relative to this directory. The default location for most
2574 output files (e.g.
<code class=
"filename">named.run
</code>)
2576 If a directory is not specified, the working directory
2577 defaults to `
<code class=
"filename">.
</code>', the directory from
2579 was started. The directory specified should be an absolute
2582 <dt><span class=
"term"><span><strong class=
"command">geoip-directory
</strong></span></span></dt>
2584 Specifies the directory containing GeoIP
2585 <code class=
"filename">.dat
</code> database files for GeoIP
2586 initialization. By default, this option is unset
2587 and the GeoIP support will use libGeoIP's
2589 (For details, see
<a href=
"Bv9ARM.ch06.html#acl" title=
"acl Statement Definition and
2590 Usage">the section called
“<span><strong class=
"command">acl
</strong></span> Statement Definition and
2591 Usage
”</a> about the
2592 <span><strong class=
"command">geoip
</strong></span> ACL.)
2594 <dt><span class=
"term"><span><strong class=
"command">key-directory
</strong></span></span></dt>
2596 When performing dynamic update of secure zones, the
2597 directory where the public and private DNSSEC key files
2598 should be found, if different than the current working
2599 directory. (Note that this option has no effect on the
2600 paths for files containing non-DNSSEC keys such as
2601 <code class=
"filename">bind.keys
</code>,
2602 <code class=
"filename">rndc.key
</code> or
2603 <code class=
"filename">session.key
</code>.)
2605 <dt><span class=
"term"><span><strong class=
"command">managed-keys-directory
</strong></span></span></dt>
2608 Specifies the directory in which to store the files that
2609 track managed DNSSEC keys. By default, this is the working
2613 If
<span><strong class=
"command">named
</strong></span> is not configured to use views,
2614 then managed keys for the server will be tracked in a single
2615 file called
<code class=
"filename">managed-keys.bind
</code>.
2616 Otherwise, managed keys will be tracked in separate files,
2617 one file per view; each file name will be the SHA256 hash
2618 of the view name, followed by the extension
2619 <code class=
"filename">.mkeys
</code>.
2622 <dt><span class=
"term"><span><strong class=
"command">named-xfer
</strong></span></span></dt>
2624 <span class=
"emphasis"><em>This option is obsolete.
</em></span> It
2625 was used in
<acronym class=
"acronym">BIND
</acronym> 8 to specify
2626 the pathname to the
<span><strong class=
"command">named-xfer
</strong></span>
2627 program. In
<acronym class=
"acronym">BIND
</acronym> 9, no separate
2628 <span><strong class=
"command">named-xfer
</strong></span> program is needed;
2629 its functionality is built into the name server.
2631 <dt><span class=
"term"><span><strong class=
"command">tkey-gssapi-keytab
</strong></span></span></dt>
2633 The KRB5 keytab file to use for GSS-TSIG updates. If
2634 this option is set and tkey-gssapi-credential is not
2635 set, then updates will be allowed with any key
2636 matching a principal in the specified keytab.
2638 <dt><span class=
"term"><span><strong class=
"command">tkey-gssapi-credential
</strong></span></span></dt>
2640 The security credential with which the server should
2641 authenticate keys requested by the GSS-TSIG protocol.
2642 Currently only Kerberos
5 authentication is available
2643 and the credential is a Kerberos principal which the
2644 server can acquire through the default system key
2645 file, normally
<code class=
"filename">/etc/krb5.keytab
</code>.
2646 The location keytab file can be overridden using the
2647 tkey-gssapi-keytab option. Normally this principal is
2648 of the form
"<strong class="userinput
"><code>DNS/</code></strong><code class="varname
">server.domain</code>".
2649 To use GSS-TSIG,
<span><strong class=
"command">tkey-domain
</strong></span> must
2650 also be set if a specific keytab is not set with
2653 <dt><span class=
"term"><span><strong class=
"command">tkey-domain
</strong></span></span></dt>
2655 The domain appended to the names of all shared keys
2656 generated with
<span><strong class=
"command">TKEY
</strong></span>. When a
2657 client requests a
<span><strong class=
"command">TKEY
</strong></span> exchange,
2658 it may or may not specify the desired name for the
2659 key. If present, the name of the shared key will
2660 be
<code class=
"varname">client specified part
</code> +
2661 <code class=
"varname">tkey-domain
</code>. Otherwise, the
2662 name of the shared key will be
<code class=
"varname">random hex
2663 digits
</code> +
<code class=
"varname">tkey-domain
</code>.
2664 In most cases, the
<span><strong class=
"command">domainname
</strong></span>
2665 should be the server's domain name, or an otherwise
2666 non-existent subdomain like
2667 "_tkey.<code class="varname
">domainname</code>". If you are
2668 using GSS-TSIG, this variable must be defined, unless
2669 you specify a specific keytab using tkey-gssapi-keytab.
2671 <dt><span class=
"term"><span><strong class=
"command">tkey-dhkey
</strong></span></span></dt>
2673 The Diffie-Hellman key used by the server
2674 to generate shared keys with clients using the Diffie-Hellman
2676 of
<span><strong class=
"command">TKEY
</strong></span>. The server must be
2678 public and private keys from files in the working directory.
2680 most cases, the keyname should be the server's host name.
2682 <dt><span class=
"term"><span><strong class=
"command">cache-file
</strong></span></span></dt>
2684 This is for testing only. Do not use.
2686 <dt><span class=
"term"><span><strong class=
"command">dump-file
</strong></span></span></dt>
2688 The pathname of the file the server dumps
2689 the database to when instructed to do so with
2690 <span><strong class=
"command">rndc dumpdb
</strong></span>.
2691 If not specified, the default is
<code class=
"filename">named_dump.db
</code>.
2693 <dt><span class=
"term"><span><strong class=
"command">memstatistics-file
</strong></span></span></dt>
2695 The pathname of the file the server writes memory
2696 usage statistics to on exit. If not specified,
2697 the default is
<code class=
"filename">named.memstats
</code>.
2699 <dt><span class=
"term"><span><strong class=
"command">pid-file
</strong></span></span></dt>
2701 The pathname of the file the server writes its process ID
2702 in. If not specified, the default is
2703 <code class=
"filename">/var/run/named/named.pid
</code>.
2704 The PID file is used by programs that want to send signals to
2706 name server. Specifying
<span><strong class=
"command">pid-file none
</strong></span> disables the
2707 use of a PID file
— no file will be written and any
2708 existing one will be removed. Note that
<span><strong class=
"command">none
</strong></span>
2709 is a keyword, not a filename, and therefore is not enclosed
2713 <dt><span class=
"term"><span><strong class=
"command">recursing-file
</strong></span></span></dt>
2715 The pathname of the file the server dumps
2716 the queries that are currently recursing when instructed
2717 to do so with
<span><strong class=
"command">rndc recursing
</strong></span>.
2718 If not specified, the default is
<code class=
"filename">named.recursing
</code>.
2720 <dt><span class=
"term"><span><strong class=
"command">statistics-file
</strong></span></span></dt>
2722 The pathname of the file the server appends statistics
2723 to when instructed to do so using
<span><strong class=
"command">rndc stats
</strong></span>.
2724 If not specified, the default is
<code class=
"filename">named.stats
</code> in the
2725 server's current directory. The format of the file is
2727 in
<a href=
"Bv9ARM.ch06.html#statsfile" title=
"The Statistics File">the section called
“The Statistics File
”</a>.
2729 <dt><span class=
"term"><span><strong class=
"command">bindkeys-file
</strong></span></span></dt>
2731 The pathname of a file to override the built-in trusted
2732 keys provided by
<span><strong class=
"command">named
</strong></span>.
2733 See the discussion of
<span><strong class=
"command">dnssec-lookaside
</strong></span>
2734 and
<span><strong class=
"command">dnssec-validation
</strong></span> for details.
2735 If not specified, the default is
2736 <code class=
"filename">/etc/bind.keys
</code>.
2738 <dt><span class=
"term"><span><strong class=
"command">secroots-file
</strong></span></span></dt>
2740 The pathname of the file the server dumps
2741 security roots to when instructed to do so with
2742 <span><strong class=
"command">rndc secroots
</strong></span>.
2743 If not specified, the default is
2744 <code class=
"filename">named.secroots
</code>.
2746 <dt><span class=
"term"><span><strong class=
"command">session-keyfile
</strong></span></span></dt>
2748 The pathname of the file into which to write a TSIG
2749 session key generated by
<span><strong class=
"command">named
</strong></span> for use by
2750 <span><strong class=
"command">nsupdate -l
</strong></span>. If not specified, the
2751 default is
<code class=
"filename">/var/run/named/session.key
</code>.
2752 (See
<a href=
"Bv9ARM.ch06.html#dynamic_update_policies" title=
"Dynamic Update Policies">the section called
“Dynamic Update Policies
”</a>, and in
2753 particular the discussion of the
2754 <span><strong class=
"command">update-policy
</strong></span> statement's
2755 <strong class=
"userinput"><code>local
</code></strong> option for more
2756 information about this feature.)
2758 <dt><span class=
"term"><span><strong class=
"command">session-keyname
</strong></span></span></dt>
2760 The key name to use for the TSIG session key.
2761 If not specified, the default is
"local-ddns".
2763 <dt><span class=
"term"><span><strong class=
"command">session-keyalg
</strong></span></span></dt>
2765 The algorithm to use for the TSIG session key.
2766 Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
2767 hmac-sha384, hmac-sha512 and hmac-md5. If not
2768 specified, the default is hmac-sha256.
2770 <dt><span class=
"term"><span><strong class=
"command">port
</strong></span></span></dt>
2772 The UDP/TCP port number the server uses for
2773 receiving and sending DNS protocol traffic.
2774 The default is
53. This option is mainly intended for server
2776 a server using a port other than
53 will not be able to
2780 <dt><span class=
"term"><span><strong class=
"command">dscp
</strong></span></span></dt>
2782 The global Differentiated Services Code Point (DSCP)
2783 value to classify outgoing DNS traffic on operating
2784 systems that support DSCP. Valid values are
0 through
63.
2785 It is not configured by default.
2787 <dt><span class=
"term"><span><strong class=
"command">random-device
</strong></span></span></dt>
2789 The source of entropy to be used by the server. Entropy is
2791 for DNSSEC operations, such as TKEY transactions and dynamic
2793 zones. This options specifies the device (or file) from which
2795 entropy. If this is a file, operations requiring entropy will
2797 file has been exhausted. If not specified, the default value
2799 <code class=
"filename">/dev/random
</code>
2800 (or equivalent) when present, and none otherwise. The
2801 <span><strong class=
"command">random-device
</strong></span> option takes
2803 the initial configuration load at server startup time and
2804 is ignored on subsequent reloads.
2806 <dt><span class=
"term"><span><strong class=
"command">preferred-glue
</strong></span></span></dt>
2808 If specified, the listed type (A or AAAA) will be emitted
2810 in the additional section of a query response.
2811 The default is not to prefer any type (NONE).
2814 <a name=
"root_delegation_only"></a><span class=
"term"><span><strong class=
"command">root-delegation-only
</strong></span></span>
2818 Turn on enforcement of delegation-only in TLDs
2819 (top level domains) and root zones with an optional
2823 DS queries are expected to be made to and be answered by
2824 delegation only zones. Such queries and responses are
2825 treated as an exception to delegation-only processing
2826 and are not converted to NXDOMAIN responses provided
2827 a CNAME is not discovered at the query name.
2830 If a delegation only zone server also serves a child
2831 zone it is not always possible to determine whether
2832 an answer comes from the delegation only zone or the
2833 child zone. SOA NS and DNSKEY records are apex
2834 only records and a matching response that contains
2835 these records or DS is treated as coming from a
2836 child zone. RRSIG records are also examined to see
2837 if they are signed by a child zone or not. The
2838 authority section is also examined to see if there
2839 is evidence that the answer is from the child zone.
2840 Answers that are determined to be from a child zone
2841 are not converted to NXDOMAIN responses. Despite
2842 all these checks there is still a possibility of
2843 false negatives when a child zone is being served.
2846 Similarly false positives can arise from empty nodes
2847 (no records at the name) in the delegation only zone
2848 when the query type is not ANY.
2851 Note some TLDs are not delegation only (e.g.
"DE",
"LV",
2852 "US" and
"MUSEUM"). This list is not exhaustive.
2854 <pre class=
"programlisting">
2856 root-delegation-only exclude {
"de";
"lv";
"us";
"museum"; };
2860 <dt><span class=
"term"><span><strong class=
"command">disable-algorithms
</strong></span></span></dt>
2863 Disable the specified DNSSEC algorithms at and below the
2865 Multiple
<span><strong class=
"command">disable-algorithms
</strong></span>
2866 statements are allowed.
2867 Only the best match
<span><strong class=
"command">disable-algorithms
</strong></span>
2868 clause will be used to determine which algorithms are used.
2871 If all supported algorithms are disabled, the zones covered
2872 by the
<span><strong class=
"command">disable-algorithms
</strong></span> will be treated
2876 <dt><span class=
"term"><span><strong class=
"command">disable-ds-digests
</strong></span></span></dt>
2879 Disable the specified DS/DLV digest types at and below the
2881 Multiple
<span><strong class=
"command">disable-ds-digests
</strong></span>
2882 statements are allowed.
2883 Only the best match
<span><strong class=
"command">disable-ds-digests
</strong></span>
2884 clause will be used to determine which digest types are used.
2887 If all supported digest types are disabled, the zones covered
2888 by the
<span><strong class=
"command">disable-ds-digests
</strong></span> will be treated
2892 <dt><span class=
"term"><span><strong class=
"command">dnssec-lookaside
</strong></span></span></dt>
2895 When set,
<span><strong class=
"command">dnssec-lookaside
</strong></span> provides the
2896 validator with an alternate method to validate DNSKEY
2897 records at the top of a zone. When a DNSKEY is at or
2898 below a domain specified by the deepest
2899 <span><strong class=
"command">dnssec-lookaside
</strong></span>, and the normal DNSSEC
2900 validation has left the key untrusted, the trust-anchor
2901 will be appended to the key name and a DLV record will be
2902 looked up to see if it can validate the key. If the DLV
2903 record validates a DNSKEY (similarly to the way a DS
2904 record does) the DNSKEY RRset is deemed to be trusted.
2907 If
<span><strong class=
"command">dnssec-lookaside
</strong></span> is set to
2908 <strong class=
"userinput"><code>auto
</code></strong>, then built-in default
2909 values for the DLV domain and trust anchor will be
2910 used, along with a built-in key for validation.
2913 If
<span><strong class=
"command">dnssec-lookaside
</strong></span> is set to
2914 <strong class=
"userinput"><code>no
</code></strong>, then dnssec-lookaside
2918 The default DLV key is stored in the file
2919 <code class=
"filename">bind.keys
</code>;
2920 <span><strong class=
"command">named
</strong></span> will load that key at
2921 startup if
<span><strong class=
"command">dnssec-lookaside
</strong></span> is set to
2922 <code class=
"constant">auto
</code>. A copy of the file is
2923 installed along with
<acronym class=
"acronym">BIND
</acronym> 9, and is
2924 current as of the release date. If the DLV key expires, a
2925 new copy of
<code class=
"filename">bind.keys
</code> can be downloaded
2926 from
<a href=
"https://www.isc.org/solutions/dlv/" target=
"_top">https://www.isc.org/solutions/dlv/
</a>.
2929 (To prevent problems if
<code class=
"filename">bind.keys
</code> is
2930 not found, the current key is also compiled in to
2931 <span><strong class=
"command">named
</strong></span>. Relying on this is not
2932 recommended, however, as it requires
<span><strong class=
"command">named
</strong></span>
2933 to be recompiled with a new key when the DLV key expires.)
2936 NOTE:
<span><strong class=
"command">named
</strong></span> only loads certain specific
2937 keys from
<code class=
"filename">bind.keys
</code>: those for the
2938 DLV zone and for the DNS root zone. The file cannot be
2939 used to store keys for other zones.
2942 <dt><span class=
"term"><span><strong class=
"command">dnssec-must-be-secure
</strong></span></span></dt>
2944 Specify hierarchies which must be or may not be secure
2945 (signed and validated). If
<strong class=
"userinput"><code>yes
</code></strong>,
2946 then
<span><strong class=
"command">named
</strong></span> will only accept answers if
2947 they are secure. If
<strong class=
"userinput"><code>no
</code></strong>, then normal
2948 DNSSEC validation applies allowing for insecure answers to
2949 be accepted. The specified domain must be under a
2950 <span><strong class=
"command">trusted-keys
</strong></span> or
2951 <span><strong class=
"command">managed-keys
</strong></span> statement, or
2952 <span><strong class=
"command">dnssec-lookaside
</strong></span> must be active.
2954 <dt><span class=
"term"><span><strong class=
"command">dns64
</strong></span></span></dt>
2957 This directive instructs
<span><strong class=
"command">named
</strong></span> to
2958 return mapped IPv4 addresses to AAAA queries when
2959 there are no AAAA records. It is intended to be
2960 used in conjunction with a NAT64. Each
2961 <span><strong class=
"command">dns64
</strong></span> defines one DNS64 prefix.
2962 Multiple DNS64 prefixes can be defined.
2965 Compatible IPv6 prefixes have lengths of
32,
40,
48,
56,
2966 64 and
96 as per RFC
6052.
2969 Additionally a reverse IP6.ARPA zone will be created for
2970 the prefix to provide a mapping from the IP6.ARPA names
2971 to the corresponding IN-ADDR.ARPA names using synthesized
2972 CNAMEs.
<span><strong class=
"command">dns64-server
</strong></span> and
2973 <span><strong class=
"command">dns64-contact
</strong></span> can be used to specify
2974 the name of the server and contact for the zones. These
2975 are settable at the view / options level. These are
2976 not settable on a per-prefix basis.
2979 Each
<span><strong class=
"command">dns64
</strong></span> supports an optional
2980 <span><strong class=
"command">clients
</strong></span> ACL that determines which
2981 clients are affected by this directive. If not defined,
2982 it defaults to
<strong class=
"userinput"><code>any;
</code></strong>.
2985 Each
<span><strong class=
"command">dns64
</strong></span> supports an optional
2986 <span><strong class=
"command">mapped
</strong></span> ACL that selects which
2987 IPv4 addresses are to be mapped in the corresponding
2988 A RRset. If not defined it defaults to
2989 <strong class=
"userinput"><code>any;
</code></strong>.
2992 Normally, DNS64 won't apply to a domain name that
2993 owns one or more AAAA records; these records will
2994 simply be returned. The optional
2995 <span><strong class=
"command">exclude
</strong></span> ACL allows specification
2996 of a list of IPv6 addresses that will be ignored
2997 if they appear in a domain name's AAAA records, and
2998 DNS64 will be applied to any A records the domain
2999 name owns. If not defined,
<span><strong class=
"command">exclude
</strong></span>
3003 A optional
<span><strong class=
"command">suffix
</strong></span> can also
3004 be defined to set the bits trailing the mapped
3005 IPv4 address bits. By default these bits are
3006 set to
<strong class=
"userinput"><code>::
</code></strong>. The bits
3007 matching the prefix and mapped IPv4 address
3011 If
<span><strong class=
"command">recursive-only
</strong></span> is set to
3012 <span><strong class=
"command">yes
</strong></span> the DNS64 synthesis will
3013 only happen for recursive queries. The default
3014 is
<span><strong class=
"command">no
</strong></span>.
3017 If
<span><strong class=
"command">break-dnssec
</strong></span> is set to
3018 <span><strong class=
"command">yes
</strong></span> the DNS64 synthesis will
3019 happen even if the result, if validated, would
3020 cause a DNSSEC validation failure. If this option
3021 is set to
<span><strong class=
"command">no
</strong></span> (the default), the DO
3022 is set on the incoming query, and there are RRSIGs on
3023 the applicable records, then synthesis will not happen.
3025 <pre class=
"programlisting">
3026 acl rfc1918 {
10/
8;
192.168/
16;
172.16/
12; };
3028 dns64
64:FF9B::/
96 {
3030 mapped { !rfc1918; any; };
3031 exclude {
64:FF9B::/
96; ::ffff:
0000:
0000/
96; };
3036 <dt><span class=
"term"><span><strong class=
"command">dnssec-update-mode
</strong></span></span></dt>
3039 If this option is set to its default value of
3040 <code class=
"literal">maintain
</code> in a zone of type
3041 <code class=
"literal">master
</code> which is DNSSEC-signed
3042 and configured to allow dynamic updates (see
3043 <a href=
"Bv9ARM.ch06.html#dynamic_update_policies" title=
"Dynamic Update Policies">the section called
“Dynamic Update Policies
”</a>), and
3044 if
<span><strong class=
"command">named
</strong></span> has access to the
3045 private signing key(s) for the zone, then
3046 <span><strong class=
"command">named
</strong></span> will automatically sign all new
3047 or changed records and maintain signatures for the zone
3048 by regenerating RRSIG records whenever they approach
3049 their expiration date.
3052 If the option is changed to
<code class=
"literal">no-resign
</code>,
3053 then
<span><strong class=
"command">named
</strong></span> will sign all new or
3054 changed records, but scheduled maintenance of
3055 signatures is disabled.
3058 With either of these settings,
<span><strong class=
"command">named
</strong></span>
3059 will reject updates to a DNSSEC-signed zone when the
3060 signing keys are inactive or unavailable to
3061 <span><strong class=
"command">named
</strong></span>. (A planned third option,
3062 <code class=
"literal">external
</code>, will disable all automatic
3063 signing and allow DNSSEC data to be submitted into a zone
3064 via dynamic update; this is not yet implemented.)
3067 <dt><span class=
"term"><span><strong class=
"command">max-zone-ttl
</strong></span></span></dt>
3070 Specifies a maximum permissible TTL value.
3071 When loading a zone file using a
3072 <code class=
"option">masterfile-format
</code> of
3073 <code class=
"constant">text
</code> or
<code class=
"constant">raw
</code>,
3074 any record encountered with a TTL higher than
3075 <code class=
"option">max-zone-ttl
</code> will cause the zone to
3079 This is useful in DNSSEC-signed zones because when
3080 rolling to a new DNSKEY, the old key needs to remain
3081 available until RRSIG records have expired from
3082 caches. The
<code class=
"option">max-zone-ttl
</code> option guarantees
3083 that the largest TTL in the zone will be no higher
3087 (NOTE: Because
<code class=
"constant">map
</code>-format files
3088 load directly into memory, this option cannot be
3092 <dt><span class=
"term"><span><strong class=
"command">zone-statistics
</strong></span></span></dt>
3095 If
<strong class=
"userinput"><code>full
</code></strong>, the server will collect
3096 statistical data on all zones (unless specifically
3097 turned off on a per-zone basis by specifying
3098 <span><strong class=
"command">zone-statistics terse
</strong></span> or
3099 <span><strong class=
"command">zone-statistics none
</strong></span>
3100 in the
<span><strong class=
"command">zone
</strong></span> statement).
3101 The default is
<strong class=
"userinput"><code>terse
</code></strong>, providing
3102 minimal statistics on zones (including name and
3103 current serial number, but not query type
3107 These statistics may be accessed via the
3108 <span><strong class=
"command">statistics-channel
</strong></span> or
3109 using
<span><strong class=
"command">rndc stats
</strong></span>, which
3110 will dump them to the file listed
3111 in the
<span><strong class=
"command">statistics-file
</strong></span>. See
3112 also
<a href=
"Bv9ARM.ch06.html#statsfile" title=
"The Statistics File">the section called
“The Statistics File
”</a>.
3115 For backward compatibility with earlier versions
3116 of BIND
9, the
<span><strong class=
"command">zone-statistics
</strong></span>
3117 option can also accept
<strong class=
"userinput"><code>yes
</code></strong>
3118 or
<strong class=
"userinput"><code>no
</code></strong>;
<strong class=
"userinput"><code>yes
</code></strong>
3119 has the same meaning as
<strong class=
"userinput"><code>full
</code></strong>.
3120 As of
<acronym class=
"acronym">BIND
</acronym> 9.10,
3121 <strong class=
"userinput"><code>no
</code></strong> has the same meaning
3122 as
<strong class=
"userinput"><code>none
</code></strong>; previously, it
3123 was the same as
<strong class=
"userinput"><code>terse
</code></strong>.
3127 <div class=
"sect3" lang=
"en">
3128 <div class=
"titlepage"><div><div><h4 class=
"title">
3129 <a name=
"boolean_options"></a>Boolean Options
</h4></div></div></div>
3130 <div class=
"variablelist"><dl>
3131 <dt><span class=
"term"><span><strong class=
"command">automatic-interface-scan
</strong></span></span></dt>
3134 If
<strong class=
"userinput"><code>yes
</code></strong> and supported by the OS,
3135 automatically rescan network interfaces when the interface
3136 addresses are added or removed. The default is
3137 <strong class=
"userinput"><code>yes
</code></strong>.
3140 Currently the OS needs to support routing sockets for
3141 <span><strong class=
"command">automatic-interface-scan
</strong></span> to be
3145 <dt><span class=
"term"><span><strong class=
"command">allow-new-zones
</strong></span></span></dt>
3147 If
<strong class=
"userinput"><code>yes
</code></strong>, then zones can be
3148 added at runtime via
<span><strong class=
"command">rndc addzone
</strong></span>
3149 or deleted via
<span><strong class=
"command">rndc delzone
</strong></span>.
3150 The default is
<strong class=
"userinput"><code>no
</code></strong>.
3152 <dt><span class=
"term"><span><strong class=
"command">auth-nxdomain
</strong></span></span></dt>
3154 If
<strong class=
"userinput"><code>yes
</code></strong>, then the
<span><strong class=
"command">AA
</strong></span> bit
3155 is always set on NXDOMAIN responses, even if the server is
3157 authoritative. The default is
<strong class=
"userinput"><code>no
</code></strong>;
3159 a change from
<acronym class=
"acronym">BIND
</acronym> 8. If you
3160 are using very old DNS software, you
3161 may need to set it to
<strong class=
"userinput"><code>yes
</code></strong>.
3163 <dt><span class=
"term"><span><strong class=
"command">deallocate-on-exit
</strong></span></span></dt>
3165 This option was used in
<acronym class=
"acronym">BIND
</acronym>
3166 8 to enable checking
3167 for memory leaks on exit.
<acronym class=
"acronym">BIND
</acronym> 9 ignores the option and always performs
3170 <dt><span class=
"term"><span><strong class=
"command">memstatistics
</strong></span></span></dt>
3172 Write memory statistics to the file specified by
3173 <span><strong class=
"command">memstatistics-file
</strong></span> at exit.
3174 The default is
<strong class=
"userinput"><code>no
</code></strong> unless
3175 '-m record' is specified on the command line in
3176 which case it is
<strong class=
"userinput"><code>yes
</code></strong>.
3178 <dt><span class=
"term"><span><strong class=
"command">dialup
</strong></span></span></dt>
3181 If
<strong class=
"userinput"><code>yes
</code></strong>, then the
3182 server treats all zones as if they are doing zone transfers
3184 a dial-on-demand dialup link, which can be brought up by
3186 originating from this server. This has different effects
3188 to zone type and concentrates the zone maintenance so that
3190 happens in a short interval, once every
<span><strong class=
"command">heartbeat-interval
</strong></span> and
3191 hopefully during the one call. It also suppresses some of
3193 zone maintenance traffic. The default is
<strong class=
"userinput"><code>no
</code></strong>.
3196 The
<span><strong class=
"command">dialup
</strong></span> option
3197 may also be specified in the
<span><strong class=
"command">view
</strong></span> and
3198 <span><strong class=
"command">zone
</strong></span> statements,
3199 in which case it overrides the global
<span><strong class=
"command">dialup
</strong></span>
3203 If the zone is a master zone, then the server will send out a
3205 request to all the slaves (default). This should trigger the
3207 number check in the slave (providing it supports NOTIFY)
3209 to verify the zone while the connection is active.
3210 The set of servers to which NOTIFY is sent can be controlled
3212 <span><strong class=
"command">notify
</strong></span> and
<span><strong class=
"command">also-notify
</strong></span>.
3216 zone is a slave or stub zone, then the server will suppress
3218 "zone up to date" (refresh) queries and only perform them
3220 <span><strong class=
"command">heartbeat-interval
</strong></span> expires in
3225 Finer control can be achieved by using
3226 <strong class=
"userinput"><code>notify
</code></strong> which only sends NOTIFY
3228 <strong class=
"userinput"><code>notify-passive
</code></strong> which sends NOTIFY
3230 suppresses the normal refresh queries,
<strong class=
"userinput"><code>refresh
</code></strong>
3231 which suppresses normal refresh processing and sends refresh
3233 when the
<span><strong class=
"command">heartbeat-interval
</strong></span>
3235 <strong class=
"userinput"><code>passive
</code></strong> which just disables normal
3239 <div class=
"informaltable"><table border=
"1">
3271 <p><span><strong class=
"command">no
</strong></span> (default)
</p>
3291 <p><span><strong class=
"command">yes
</strong></span></p>
3311 <p><span><strong class=
"command">notify
</strong></span></p>
3331 <p><span><strong class=
"command">refresh
</strong></span></p>
3351 <p><span><strong class=
"command">passive
</strong></span></p>
3371 <p><span><strong class=
"command">notify-passive
</strong></span></p>
3392 Note that normal NOTIFY processing is not affected by
3393 <span><strong class=
"command">dialup
</strong></span>.
3396 <dt><span class=
"term"><span><strong class=
"command">fake-iquery
</strong></span></span></dt>
3398 In
<acronym class=
"acronym">BIND
</acronym> 8, this option
3399 enabled simulating the obsolete DNS query type
3400 IQUERY.
<acronym class=
"acronym">BIND
</acronym> 9 never does
3403 <dt><span class=
"term"><span><strong class=
"command">fetch-glue
</strong></span></span></dt>
3405 This option is obsolete.
3406 In BIND
8,
<strong class=
"userinput"><code>fetch-glue yes
</code></strong>
3407 caused the server to attempt to fetch glue resource records
3409 didn't have when constructing the additional
3410 data section of a response. This is now considered a bad
3412 and BIND
9 never does it.
3414 <dt><span class=
"term"><span><strong class=
"command">flush-zones-on-shutdown
</strong></span></span></dt>
3416 When the nameserver exits due receiving SIGTERM,
3417 flush or do not flush any pending zone writes. The default
3419 <span><strong class=
"command">flush-zones-on-shutdown
</strong></span> <strong class=
"userinput"><code>no
</code></strong>.
3421 <dt><span class=
"term"><span><strong class=
"command">has-old-clients
</strong></span></span></dt>
3423 This option was incorrectly implemented
3424 in
<acronym class=
"acronym">BIND
</acronym> 8, and is ignored by
<acronym class=
"acronym">BIND
</acronym> 9.
3425 To achieve the intended effect
3427 <span><strong class=
"command">has-old-clients
</strong></span> <strong class=
"userinput"><code>yes
</code></strong>, specify
3428 the two separate options
<span><strong class=
"command">auth-nxdomain
</strong></span> <strong class=
"userinput"><code>yes
</code></strong>
3429 and
<span><strong class=
"command">rfc2308-type1
</strong></span> <strong class=
"userinput"><code>no
</code></strong> instead.
3431 <dt><span class=
"term"><span><strong class=
"command">host-statistics
</strong></span></span></dt>
3433 In BIND
8, this enables keeping of
3434 statistics for every host that the name server interacts
3436 Not implemented in BIND
9.
3438 <dt><span class=
"term"><span><strong class=
"command">maintain-ixfr-base
</strong></span></span></dt>
3440 <span class=
"emphasis"><em>This option is obsolete
</em></span>.
3441 It was used in
<acronym class=
"acronym">BIND
</acronym> 8 to
3442 determine whether a transaction log was
3443 kept for Incremental Zone Transfer.
<acronym class=
"acronym">BIND
</acronym> 9 maintains a transaction
3444 log whenever possible. If you need to disable outgoing
3446 transfers, use
<span><strong class=
"command">provide-ixfr
</strong></span> <strong class=
"userinput"><code>no
</code></strong>.
3448 <dt><span class=
"term"><span><strong class=
"command">minimal-responses
</strong></span></span></dt>
3450 If
<strong class=
"userinput"><code>yes
</code></strong>, then when generating
3451 responses the server will only add records to the authority
3452 and additional data sections when they are required (e.g.
3453 delegations, negative responses). This may improve the
3454 performance of the server.
3455 The default is
<strong class=
"userinput"><code>no
</code></strong>.
3457 <dt><span class=
"term"><span><strong class=
"command">multiple-cnames
</strong></span></span></dt>
3459 This option was used in
<acronym class=
"acronym">BIND
</acronym> 8 to allow
3460 a domain name to have multiple CNAME records in violation of
3461 the DNS standards.
<acronym class=
"acronym">BIND
</acronym> 9.2 onwards
3462 always strictly enforces the CNAME rules both in master
3463 files and dynamic updates.
3465 <dt><span class=
"term"><span><strong class=
"command">notify
</strong></span></span></dt>
3468 If
<strong class=
"userinput"><code>yes
</code></strong> (the default),
3469 DNS NOTIFY messages are sent when a zone the server is
3471 changes, see
<a href=
"Bv9ARM.ch04.html#notify" title=
"Notify">the section called
“Notify
”</a>. The messages are
3473 servers listed in the zone's NS records (except the master
3475 in the SOA MNAME field), and to any servers listed in the
3476 <span><strong class=
"command">also-notify
</strong></span> option.
3479 If
<strong class=
"userinput"><code>master-only
</code></strong>, notifies are only
3482 If
<strong class=
"userinput"><code>explicit
</code></strong>, notifies are sent only
3484 servers explicitly listed using
<span><strong class=
"command">also-notify
</strong></span>.
3485 If
<strong class=
"userinput"><code>no
</code></strong>, no notifies are sent.
3488 The
<span><strong class=
"command">notify
</strong></span> option may also be
3489 specified in the
<span><strong class=
"command">zone
</strong></span>
3491 in which case it overrides the
<span><strong class=
"command">options notify
</strong></span> statement.
3492 It would only be necessary to turn off this option if it
3497 <dt><span class=
"term"><span><strong class=
"command">notify-to-soa
</strong></span></span></dt>
3499 If
<strong class=
"userinput"><code>yes
</code></strong> do not check the nameservers
3500 in the NS RRset against the SOA MNAME. Normally a NOTIFY
3501 message is not sent to the SOA MNAME (SOA ORIGIN) as it is
3502 supposed to contain the name of the ultimate master.
3503 Sometimes, however, a slave is listed as the SOA MNAME in
3504 hidden master configurations and in that case you would
3505 want the ultimate master to still send NOTIFY messages to
3506 all the nameservers listed in the NS RRset.
3508 <dt><span class=
"term"><span><strong class=
"command">recursion
</strong></span></span></dt>
3510 If
<strong class=
"userinput"><code>yes
</code></strong>, and a
3511 DNS query requests recursion, then the server will attempt
3513 all the work required to answer the query. If recursion is
3515 and the server does not already know the answer, it will
3517 referral response. The default is
3518 <strong class=
"userinput"><code>yes
</code></strong>.
3519 Note that setting
<span><strong class=
"command">recursion no
</strong></span> does not prevent
3520 clients from getting data from the server's cache; it only
3521 prevents new data from being cached as an effect of client
3523 Caching may still occur as an effect the server's internal
3524 operation, such as NOTIFY address lookups.
3525 See also
<span><strong class=
"command">fetch-glue
</strong></span> above.
3527 <dt><span class=
"term"><span><strong class=
"command">request-nsid
</strong></span></span></dt>
3529 If
<strong class=
"userinput"><code>yes
</code></strong>, then an empty EDNS(
0)
3530 NSID (Name Server Identifier) option is sent with all
3531 queries to authoritative name servers during iterative
3532 resolution. If the authoritative server returns an NSID
3533 option in its response, then its contents are logged in
3534 the
<span><strong class=
"command">resolver
</strong></span> category at level
3535 <span><strong class=
"command">info
</strong></span>.
3536 The default is
<strong class=
"userinput"><code>no
</code></strong>.
3538 <dt><span class=
"term"><span><strong class=
"command">request-sit
</strong></span></span></dt>
3540 If
<strong class=
"userinput"><code>yes
</code></strong>, then a SIT (Source
3541 Identity Token) EDNS option is sent along with
3542 the query. If the resolver has previously talked
3543 to the server, the SIT returned in the previous
3544 transaction is sent. This is used by the server
3545 to determine whether the resolver has talked to
3546 it before. A resolver sending the correct SIT is
3547 assumed not to be an off-path attacker sending a
3548 spoofed-source query; the query is therefore
3549 unlikely to be part of a reflection/amplification
3550 attack, so resolvers sending a correct SIT option
3551 are not subject to response rate limiting (RRL).
3552 Resolvers which do not send a correct SIT option
3553 may be limited to receiving smaller responses via
3554 the
<span><strong class=
"command">nosit-udp-size
</strong></span> option.
3556 <dt><span class=
"term"><span><strong class=
"command">sit-secret
</strong></span></span></dt>
3558 If set, this is a shared secret used for generating
3559 and verifying Source Identity Token EDNS options
3560 within a anycast cluster. If not set the system
3561 will generate a random secret at startup. The
3562 shared secret is encoded as a hex string and needs
3563 to be
128 bits for AES128,
160 bits for SHA1 and
3564 256 bits for SHA256.
3566 <dt><span class=
"term"><span><strong class=
"command">rfc2308-type1
</strong></span></span></dt>
3569 Setting this to
<strong class=
"userinput"><code>yes
</code></strong> will
3570 cause the server to send NS records along with the SOA
3572 answers. The default is
<strong class=
"userinput"><code>no
</code></strong>.
3574 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
3575 <h3 class=
"title">Note
</h3>
3577 Not yet implemented in
<acronym class=
"acronym">BIND
</acronym>
3582 <dt><span class=
"term"><span><strong class=
"command">use-id-pool
</strong></span></span></dt>
3584 <span class=
"emphasis"><em>This option is obsolete
</em></span>.
3585 <acronym class=
"acronym">BIND
</acronym> 9 always allocates query
3588 <dt><span class=
"term"><span><strong class=
"command">use-ixfr
</strong></span></span></dt>
3590 <span class=
"emphasis"><em>This option is obsolete
</em></span>.
3591 If you need to disable IXFR to a particular server or
3593 the information on the
<span><strong class=
"command">provide-ixfr
</strong></span> option
3594 in
<a href=
"Bv9ARM.ch06.html#server_statement_definition_and_usage" title=
"server Statement Definition and
3595 Usage">the section called
“<span><strong class=
"command">server
</strong></span> Statement Definition and
3598 <a href=
"Bv9ARM.ch04.html#incremental_zone_transfers" title=
"Incremental Zone Transfers (IXFR)">the section called
“Incremental Zone Transfers (IXFR)
”</a>.
3600 <dt><span class=
"term"><span><strong class=
"command">provide-ixfr
</strong></span></span></dt>
3602 See the description of
3603 <span><strong class=
"command">provide-ixfr
</strong></span> in
3604 <a href=
"Bv9ARM.ch06.html#server_statement_definition_and_usage" title=
"server Statement Definition and
3605 Usage">the section called
“<span><strong class=
"command">server
</strong></span> Statement Definition and
3608 <dt><span class=
"term"><span><strong class=
"command">request-ixfr
</strong></span></span></dt>
3610 See the description of
3611 <span><strong class=
"command">request-ixfr
</strong></span> in
3612 <a href=
"Bv9ARM.ch06.html#server_statement_definition_and_usage" title=
"server Statement Definition and
3613 Usage">the section called
“<span><strong class=
"command">server
</strong></span> Statement Definition and
3616 <dt><span class=
"term"><span><strong class=
"command">treat-cr-as-space
</strong></span></span></dt>
3618 This option was used in
<acronym class=
"acronym">BIND
</acronym>
3620 the server treat carriage return (
"<span><strong class="command
">\r</strong></span>") characters the same way
3621 as a space or tab character,
3622 to facilitate loading of zone files on a UNIX system that
3624 on an NT or DOS machine. In
<acronym class=
"acronym">BIND
</acronym> 9, both UNIX
"<span><strong class="command
">\n</strong></span>"
3625 and NT/DOS
"<span><strong class="command
">\r\n</strong></span>" newlines
3626 are always accepted,
3627 and the option is ignored.
3630 <span class=
"term"><span><strong class=
"command">additional-from-auth
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">additional-from-cache
</strong></span></span>
3634 These options control the behavior of an authoritative
3636 answering queries which have additional data, or when
3641 When both of these options are set to
<strong class=
"userinput"><code>yes
</code></strong>
3643 query is being answered from authoritative data (a zone
3644 configured into the server), the additional data section of
3646 reply will be filled in using data from other authoritative
3648 and from the cache. In some situations this is undesirable,
3650 as when there is concern over the correctness of the cache,
3652 in servers where slave zones may be added and modified by
3653 untrusted third parties. Also, avoiding
3654 the search for this additional data will speed up server
3656 at the possible expense of additional queries to resolve
3658 otherwise be provided in the additional section.
3661 For example, if a query asks for an MX record for host
<code class=
"literal">foo.example.com
</code>,
3662 and the record found is
"<code class="literal
">MX 10 mail.example.net</code>", normally the address
3663 records (A and AAAA) for
<code class=
"literal">mail.example.net
</code> will be provided as well,
3664 if known, even though they are not in the example.com zone.
3665 Setting these options to
<span><strong class=
"command">no
</strong></span>
3666 disables this behavior and makes
3667 the server only search for additional data in the zone it
3671 These options are intended for use in authoritative-only
3672 servers, or in authoritative-only views. Attempts to set
3673 them to
<span><strong class=
"command">no
</strong></span> without also
3675 <span><strong class=
"command">recursion no
</strong></span> will cause the
3677 ignore the options and log a warning message.
3680 Specifying
<span><strong class=
"command">additional-from-cache no
</strong></span> actually
3681 disables the use of the cache not only for additional data
3683 but also when looking up the answer. This is usually the
3685 behavior in an authoritative-only server where the
3687 the cached data is an issue.
3690 When a name server is non-recursively queried for a name
3692 below the apex of any served zone, it normally answers with
3694 "upwards referral" to the root servers or the servers of
3696 known parent of the query name. Since the data in an
3698 comes from the cache, the server will not be able to provide
3700 referrals when
<span><strong class=
"command">additional-from-cache no
</strong></span>
3701 has been specified. Instead, it will respond to such
3703 with REFUSED. This should not cause any problems since
3704 upwards referrals are not required for the resolution
3708 <dt><span class=
"term"><span><strong class=
"command">match-mapped-addresses
</strong></span></span></dt>
3711 If
<strong class=
"userinput"><code>yes
</code></strong>, then an
3712 IPv4-mapped IPv6 address will match any address match
3713 list entries that match the corresponding IPv4 address.
3716 This option was introduced to work around a kernel quirk
3717 in some operating systems that causes IPv4 TCP
3718 connections, such as zone transfers, to be accepted on an
3719 IPv6 socket using mapped addresses. This caused address
3720 match lists designed for IPv4 to fail to match. However,
3721 <span><strong class=
"command">named
</strong></span> now solves this problem
3722 internally. The use of this option is discouraged.
3725 <dt><span class=
"term"><span><strong class=
"command">filter-aaaa-on-v4
</strong></span></span></dt>
3728 This option is only available when
3729 <acronym class=
"acronym">BIND
</acronym> 9 is compiled with the
3730 <strong class=
"userinput"><code>--enable-filter-aaaa
</code></strong> option on the
3731 "configure" command line. It is intended to help the
3732 transition from IPv4 to IPv6 by not giving IPv6 addresses
3733 to DNS clients unless they have connections to the IPv6
3734 Internet. This is not recommended unless absolutely
3735 necessary. The default is
<strong class=
"userinput"><code>no
</code></strong>.
3736 The
<span><strong class=
"command">filter-aaaa-on-v4
</strong></span> option
3737 may also be specified in
<span><strong class=
"command">view
</strong></span> statements
3738 to override the global
<span><strong class=
"command">filter-aaaa-on-v4
</strong></span>
3742 If
<strong class=
"userinput"><code>yes
</code></strong>,
3743 the DNS client is at an IPv4 address, in
<span><strong class=
"command">filter-aaaa
</strong></span>,
3744 and if the response does not include DNSSEC signatures,
3745 then all AAAA records are deleted from the response.
3746 This filtering applies to all responses and not only
3747 authoritative responses.
3750 If
<strong class=
"userinput"><code>break-dnssec
</code></strong>,
3751 then AAAA records are deleted even when DNSSEC is enabled.
3752 As suggested by the name, this makes the response not verify,
3753 because the DNSSEC protocol is designed detect deletions.
3756 This mechanism can erroneously cause other servers to
3757 not give AAAA records to their clients.
3758 A recursing server with both IPv6 and IPv4 network connections
3759 that queries an authoritative server using this mechanism
3760 via IPv4 will be denied AAAA records even if its client is
3764 This mechanism is applied to authoritative as well as
3765 non-authoritative records.
3766 A client using IPv4 that is not allowed recursion can
3767 erroneously be given AAAA records because the server is not
3768 allowed to check for A records.
3771 Some AAAA records are given to IPv4 clients in glue records.
3772 IPv4 clients that are servers can then erroneously
3773 answer requests for AAAA records received via IPv4.
3776 <dt><span class=
"term"><span><strong class=
"command">filter-aaaa-on-v6
</strong></span></span></dt>
3778 Identical to
<span><strong class=
"command">filter-aaaa-on-v4
</strong></span>,
3779 except it filters AAAA responses to queries from IPv6
3780 clients instead of IPv4 clients. To filter all
3781 responses, set both options to
<strong class=
"userinput"><code>yes
</code></strong>.
3783 <dt><span class=
"term"><span><strong class=
"command">ixfr-from-differences
</strong></span></span></dt>
3786 When
<strong class=
"userinput"><code>yes
</code></strong> and the server loads a new
3787 version of a master zone from its zone file or receives a
3788 new version of a slave file via zone transfer, it will
3789 compare the new version to the previous one and calculate
3790 a set of differences. The differences are then logged in
3791 the zone's journal file such that the changes can be
3792 transmitted to downstream slaves as an incremental zone
3796 By allowing incremental zone transfers to be used for
3797 non-dynamic zones, this option saves bandwidth at the
3798 expense of increased CPU and memory consumption at the
3800 In particular, if the new version of a zone is completely
3801 different from the previous one, the set of differences
3802 will be of a size comparable to the combined size of the
3803 old and new zone version, and the server will need to
3804 temporarily allocate memory to hold this complete
3807 <p><span><strong class=
"command">ixfr-from-differences
</strong></span>
3808 also accepts
<span><strong class=
"command">master
</strong></span> and
3809 <span><strong class=
"command">slave
</strong></span> at the view and options
3811 <span><strong class=
"command">ixfr-from-differences
</strong></span> to be enabled for
3812 all
<span><strong class=
"command">master
</strong></span> or
3813 <span><strong class=
"command">slave
</strong></span> zones respectively.
3814 It is off by default.
3817 <dt><span class=
"term"><span><strong class=
"command">multi-master
</strong></span></span></dt>
3819 This should be set when you have multiple masters for a zone
3821 addresses refer to different machines. If
<strong class=
"userinput"><code>yes
</code></strong>,
<span><strong class=
"command">named
</strong></span> will
3823 when the serial number on the master is less than what
<span><strong class=
"command">named
</strong></span>
3825 has. The default is
<strong class=
"userinput"><code>no
</code></strong>.
3827 <dt><span class=
"term"><span><strong class=
"command">dnssec-enable
</strong></span></span></dt>
3829 Enable DNSSEC support in
<span><strong class=
"command">named
</strong></span>. Unless set to
<strong class=
"userinput"><code>yes
</code></strong>,
3830 <span><strong class=
"command">named
</strong></span> behaves as if it does not support DNSSEC.
3831 The default is
<strong class=
"userinput"><code>yes
</code></strong>.
3833 <dt><span class=
"term"><span><strong class=
"command">dnssec-validation
</strong></span></span></dt>
3835 Enable DNSSEC validation in
<span><strong class=
"command">named
</strong></span>.
3836 Note
<span><strong class=
"command">dnssec-enable
</strong></span> also needs to be
3837 set to
<strong class=
"userinput"><code>yes
</code></strong> to be effective.
3838 If set to
<strong class=
"userinput"><code>no
</code></strong>, DNSSEC validation
3839 is disabled. If set to
<strong class=
"userinput"><code>auto
</code></strong>,
3840 DNSSEC validation is enabled, and a default
3841 trust-anchor for the DNS root zone is used. If set to
3842 <strong class=
"userinput"><code>yes
</code></strong>, DNSSEC validation is enabled,
3843 but a trust anchor must be manually configured using
3844 a
<span><strong class=
"command">trusted-keys
</strong></span> or
3845 <span><strong class=
"command">managed-keys
</strong></span> statement. The default
3846 is
<strong class=
"userinput"><code>yes
</code></strong>.
3848 <dt><span class=
"term"><span><strong class=
"command">dnssec-accept-expired
</strong></span></span></dt>
3850 Accept expired signatures when verifying DNSSEC signatures.
3851 The default is
<strong class=
"userinput"><code>no
</code></strong>.
3852 Setting this option to
<strong class=
"userinput"><code>yes
</code></strong>
3853 leaves
<span><strong class=
"command">named
</strong></span> vulnerable to
3856 <dt><span class=
"term"><span><strong class=
"command">querylog
</strong></span></span></dt>
3858 Specify whether query logging should be started when
<span><strong class=
"command">named
</strong></span>
3860 If
<span><strong class=
"command">querylog
</strong></span> is not specified,
3861 then the query logging
3862 is determined by the presence of the logging category
<span><strong class=
"command">queries
</strong></span>.
3864 <dt><span class=
"term"><span><strong class=
"command">check-names
</strong></span></span></dt>
3867 This option is used to restrict the character set and syntax
3869 certain domain names in master files and/or DNS responses
3871 from the network. The default varies according to usage
3873 <span><strong class=
"command">master
</strong></span> zones the default is
<span><strong class=
"command">fail
</strong></span>.
3874 For
<span><strong class=
"command">slave
</strong></span> zones the default
3875 is
<span><strong class=
"command">warn
</strong></span>.
3876 For answers received from the network (
<span><strong class=
"command">response
</strong></span>)
3877 the default is
<span><strong class=
"command">ignore
</strong></span>.
3880 The rules for legal hostnames and mail domains are derived
3881 from RFC
952 and RFC
821 as modified by RFC
1123.
3883 <p><span><strong class=
"command">check-names
</strong></span>
3884 applies to the owner names of A, AAAA and MX records.
3885 It also applies to the domain names in the RDATA of NS, SOA,
3886 MX, and SRV records.
3887 It also applies to the RDATA of PTR records where the owner
3888 name indicated that it is a reverse lookup of a hostname
3889 (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
3892 <dt><span class=
"term"><span><strong class=
"command">check-dup-records
</strong></span></span></dt>
3894 Check master zones for records that are treated as different
3895 by DNSSEC but are semantically equal in plain DNS. The
3896 default is to
<span><strong class=
"command">warn
</strong></span>. Other possible
3897 values are
<span><strong class=
"command">fail
</strong></span> and
3898 <span><strong class=
"command">ignore
</strong></span>.
3900 <dt><span class=
"term"><span><strong class=
"command">check-mx
</strong></span></span></dt>
3902 Check whether the MX record appears to refer to a IP address.
3903 The default is to
<span><strong class=
"command">warn
</strong></span>. Other possible
3904 values are
<span><strong class=
"command">fail
</strong></span> and
3905 <span><strong class=
"command">ignore
</strong></span>.
3907 <dt><span class=
"term"><span><strong class=
"command">check-wildcard
</strong></span></span></dt>
3909 This option is used to check for non-terminal wildcards.
3910 The use of non-terminal wildcards is almost always as a
3912 to understand the wildcard matching algorithm (RFC
1034).
3914 affects master zones. The default (
<span><strong class=
"command">yes
</strong></span>) is to check
3915 for non-terminal wildcards and issue a warning.
3917 <dt><span class=
"term"><span><strong class=
"command">check-integrity
</strong></span></span></dt>
3920 Perform post load zone integrity checks on master
3921 zones. This checks that MX and SRV records refer
3922 to address (A or AAAA) records and that glue
3923 address records exist for delegated zones. For
3924 MX and SRV records only in-zone hostnames are
3925 checked (for out-of-zone hostnames use
3926 <span><strong class=
"command">named-checkzone
</strong></span>).
3927 For NS records only names below top of zone are
3928 checked (for out-of-zone names and glue consistency
3929 checks use
<span><strong class=
"command">named-checkzone
</strong></span>).
3930 The default is
<span><strong class=
"command">yes
</strong></span>.
3933 The use of the SPF record for publishing Sender
3934 Policy Framework is deprecated as the migration
3935 from using TXT records to SPF records was abandoned.
3936 Enabling this option also checks that a TXT Sender
3937 Policy Framework record exists (starts with
"v=spf1")
3938 if there is an SPF record. Warnings are emitted if the
3939 TXT record does not exist and can be suppressed with
3940 <span><strong class=
"command">check-spf
</strong></span>.
3943 <dt><span class=
"term"><span><strong class=
"command">check-mx-cname
</strong></span></span></dt>
3945 If
<span><strong class=
"command">check-integrity
</strong></span> is set then
3946 fail, warn or ignore MX records that refer
3947 to CNAMES. The default is to
<span><strong class=
"command">warn
</strong></span>.
3949 <dt><span class=
"term"><span><strong class=
"command">check-srv-cname
</strong></span></span></dt>
3951 If
<span><strong class=
"command">check-integrity
</strong></span> is set then
3952 fail, warn or ignore SRV records that refer
3953 to CNAMES. The default is to
<span><strong class=
"command">warn
</strong></span>.
3955 <dt><span class=
"term"><span><strong class=
"command">check-sibling
</strong></span></span></dt>
3957 When performing integrity checks, also check that
3958 sibling glue exists. The default is
<span><strong class=
"command">yes
</strong></span>.
3960 <dt><span class=
"term"><span><strong class=
"command">check-spf
</strong></span></span></dt>
3962 If
<span><strong class=
"command">check-integrity
</strong></span> is set then
3963 check that there is a TXT Sender Policy Framework
3964 record present (starts with
"v=spf1") if there is an
3965 SPF record present. The default is
3966 <span><strong class=
"command">warn
</strong></span>.
3968 <dt><span class=
"term"><span><strong class=
"command">zero-no-soa-ttl
</strong></span></span></dt>
3970 When returning authoritative negative responses to
3971 SOA queries set the TTL of the SOA record returned in
3972 the authority section to zero.
3973 The default is
<span><strong class=
"command">yes
</strong></span>.
3975 <dt><span class=
"term"><span><strong class=
"command">zero-no-soa-ttl-cache
</strong></span></span></dt>
3977 When caching a negative response to a SOA query
3978 set the TTL to zero.
3979 The default is
<span><strong class=
"command">no
</strong></span>.
3981 <dt><span class=
"term"><span><strong class=
"command">update-check-ksk
</strong></span></span></dt>
3984 When set to the default value of
<code class=
"literal">yes
</code>,
3985 check the KSK bit in each key to determine how the key
3986 should be used when generating RRSIGs for a secure zone.
3989 Ordinarily, zone-signing keys (that is, keys without the
3990 KSK bit set) are used to sign the entire zone, while
3991 key-signing keys (keys with the KSK bit set) are only
3992 used to sign the DNSKEY RRset at the zone apex.
3993 However, if this option is set to
<code class=
"literal">no
</code>,
3994 then the KSK bit is ignored; KSKs are treated as if they
3995 were ZSKs and are used to sign the entire zone. This is
3996 similar to the
<span><strong class=
"command">dnssec-signzone -z
</strong></span>
3997 command line option.
4000 When this option is set to
<code class=
"literal">yes
</code>, there
4001 must be at least two active keys for every algorithm
4002 represented in the DNSKEY RRset: at least one KSK and one
4003 ZSK per algorithm. If there is any algorithm for which
4004 this requirement is not met, this option will be ignored
4008 <dt><span class=
"term"><span><strong class=
"command">dnssec-dnskey-kskonly
</strong></span></span></dt>
4011 When this option and
<span><strong class=
"command">update-check-ksk
</strong></span>
4012 are both set to
<code class=
"literal">yes
</code>, only key-signing
4013 keys (that is, keys with the KSK bit set) will be used
4014 to sign the DNSKEY RRset at the zone apex. Zone-signing
4015 keys (keys without the KSK bit set) will be used to sign
4016 the remainder of the zone, but not the DNSKEY RRset.
4017 This is similar to the
4018 <span><strong class=
"command">dnssec-signzone -x
</strong></span> command line option.
4021 The default is
<span><strong class=
"command">no
</strong></span>. If
4022 <span><strong class=
"command">update-check-ksk
</strong></span> is set to
4023 <code class=
"literal">no
</code>, this option is ignored.
4026 <dt><span class=
"term"><span><strong class=
"command">dnssec-loadkeys-interval
</strong></span></span></dt>
4028 When a zone is configured with
<span><strong class=
"command">auto-dnssec
4029 maintain;
</strong></span> its key repository must be checked
4030 periodically to see if any new keys have been added
4031 or any existing keys' timing metadata has been updated
4032 (see
<a href=
"man.dnssec-keygen.html" title=
"dnssec-keygen"><span class=
"refentrytitle"><span class=
"application">dnssec-keygen
</span></span>(
8)
</a> and
4033 <a href=
"man.dnssec-settime.html" title=
"dnssec-settime"><span class=
"refentrytitle"><span class=
"application">dnssec-settime
</span></span>(
8)
</a>). The
4034 <span><strong class=
"command">dnssec-loadkeys-interval
</strong></span> option
4035 sets the frequency of automatic repository checks, in
4036 minutes. The default is
<code class=
"literal">60</code> (
1 hour),
4037 the minimum is
<code class=
"literal">1</code> (
1 minute), and the
4038 maximum is
<code class=
"literal">1440</code> (
24 hours); any higher
4039 value is silently reduced.
4041 <dt><span class=
"term"><span><strong class=
"command">try-tcp-refresh
</strong></span></span></dt>
4043 Try to refresh the zone using TCP if UDP queries fail.
4044 For BIND
8 compatibility, the default is
4045 <span><strong class=
"command">yes
</strong></span>.
4047 <dt><span class=
"term"><span><strong class=
"command">dnssec-secure-to-insecure
</strong></span></span></dt>
4050 Allow a dynamic zone to transition from secure to
4051 insecure (i.e., signed to unsigned) by deleting all
4052 of the DNSKEY records. The default is
<span><strong class=
"command">no
</strong></span>.
4053 If set to
<span><strong class=
"command">yes
</strong></span>, and if the DNSKEY RRset
4054 at the zone apex is deleted, all RRSIG and NSEC records
4055 will be removed from the zone as well.
4058 If the zone uses NSEC3, then it is also necessary to
4059 delete the NSEC3PARAM RRset from the zone apex; this will
4060 cause the removal of all corresponding NSEC3 records.
4061 (It is expected that this requirement will be eliminated
4062 in a future release.)
4065 Note that if a zone has been configured with
4066 <span><strong class=
"command">auto-dnssec maintain
</strong></span> and the
4067 private keys remain accessible in the key repository,
4068 then the zone will be automatically signed again the
4069 next time
<span><strong class=
"command">named
</strong></span> is started.
4074 <div class=
"sect3" lang=
"en">
4075 <div class=
"titlepage"><div><div><h4 class=
"title">
4076 <a name=
"id2584144"></a>Forwarding
</h4></div></div></div>
4078 The forwarding facility can be used to create a large site-wide
4079 cache on a few servers, reducing traffic over links to external
4080 name servers. It can also be used to allow queries by servers that
4081 do not have direct access to the Internet, but wish to look up
4083 names anyway. Forwarding occurs only on those queries for which
4084 the server is not authoritative and does not have the answer in
4087 <div class=
"variablelist"><dl>
4088 <dt><span class=
"term"><span><strong class=
"command">forward
</strong></span></span></dt>
4090 This option is only meaningful if the
4091 forwarders list is not empty. A value of
<code class=
"varname">first
</code>,
4092 the default, causes the server to query the forwarders
4094 if that doesn't answer the question, the server will then
4096 the answer itself. If
<code class=
"varname">only
</code> is
4098 server will only query the forwarders.
4100 <dt><span class=
"term"><span><strong class=
"command">forwarders
</strong></span></span></dt>
4102 Specifies the IP addresses to be used
4103 for forwarding. The default is the empty list (no
4108 Forwarding can also be configured on a per-domain basis, allowing
4109 for the global forwarding options to be overridden in a variety
4110 of ways. You can set particular domains to use different
4112 or have a different
<span><strong class=
"command">forward only/first
</strong></span> behavior,
4113 or not forward at all, see
<a href=
"Bv9ARM.ch06.html#zone_statement_grammar" title=
"zone
4114 Statement Grammar">the section called
“<span><strong class=
"command">zone
</strong></span>
4115 Statement Grammar
”</a>.
4118 <div class=
"sect3" lang=
"en">
4119 <div class=
"titlepage"><div><div><h4 class=
"title">
4120 <a name=
"id2584202"></a>Dual-stack Servers
</h4></div></div></div>
4122 Dual-stack servers are used as servers of last resort to work
4124 problems in reachability due the lack of support for either IPv4
4126 on the host machine.
4128 <div class=
"variablelist"><dl>
4129 <dt><span class=
"term"><span><strong class=
"command">dual-stack-servers
</strong></span></span></dt>
4131 Specifies host names or addresses of machines with access to
4132 both IPv4 and IPv6 transports. If a hostname is used, the
4134 to resolve the name using only the transport it has. If the
4136 stacked, then the
<span><strong class=
"command">dual-stack-servers
</strong></span> have no effect unless
4137 access to a transport has been disabled on the command line
4138 (e.g.
<span><strong class=
"command">named -
4</strong></span>).
4142 <div class=
"sect3" lang=
"en">
4143 <div class=
"titlepage"><div><div><h4 class=
"title">
4144 <a name=
"access_control"></a>Access Control
</h4></div></div></div>
4146 Access to the server can be restricted based on the IP address
4147 of the requesting system. See
<a href=
"Bv9ARM.ch06.html#address_match_lists" title=
"Address Match Lists">the section called
“Address Match Lists
”</a> for
4148 details on how to specify IP address lists.
4150 <div class=
"variablelist"><dl>
4151 <dt><span class=
"term"><span><strong class=
"command">allow-notify
</strong></span></span></dt>
4153 Specifies which hosts are allowed to
4154 notify this server, a slave, of zone changes in addition
4155 to the zone masters.
4156 <span><strong class=
"command">allow-notify
</strong></span> may also be
4158 <span><strong class=
"command">zone
</strong></span> statement, in which case
4160 <span><strong class=
"command">options allow-notify
</strong></span>
4161 statement. It is only meaningful
4162 for a slave zone. If not specified, the default is to
4163 process notify messages
4164 only from a zone's master.
4166 <dt><span class=
"term"><span><strong class=
"command">allow-query
</strong></span></span></dt>
4169 Specifies which hosts are allowed to ask ordinary
4170 DNS questions.
<span><strong class=
"command">allow-query
</strong></span> may
4171 also be specified in the
<span><strong class=
"command">zone
</strong></span>
4172 statement, in which case it overrides the
4173 <span><strong class=
"command">options allow-query
</strong></span> statement.
4174 If not specified, the default is to allow queries
4177 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
4178 <h3 class=
"title">Note
</h3>
4180 <span><strong class=
"command">allow-query-cache
</strong></span> is now
4181 used to specify access to the cache.
4185 <dt><span class=
"term"><span><strong class=
"command">allow-query-on
</strong></span></span></dt>
4188 Specifies which local addresses can accept ordinary
4189 DNS questions. This makes it possible, for instance,
4190 to allow queries on internal-facing interfaces but
4191 disallow them on external-facing ones, without
4192 necessarily knowing the internal network's addresses.
4195 Note that
<span><strong class=
"command">allow-query-on
</strong></span> is only
4196 checked for queries that are permitted by
4197 <span><strong class=
"command">allow-query
</strong></span>. A query must be
4198 allowed by both ACLs, or it will be refused.
4201 <span><strong class=
"command">allow-query-on
</strong></span> may
4202 also be specified in the
<span><strong class=
"command">zone
</strong></span>
4203 statement, in which case it overrides the
4204 <span><strong class=
"command">options allow-query-on
</strong></span> statement.
4207 If not specified, the default is to allow queries
4210 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
4211 <h3 class=
"title">Note
</h3>
4213 <span><strong class=
"command">allow-query-cache
</strong></span> is
4214 used to specify access to the cache.
4218 <dt><span class=
"term"><span><strong class=
"command">allow-query-cache
</strong></span></span></dt>
4220 Specifies which hosts are allowed to get answers
4221 from the cache. If
<span><strong class=
"command">allow-query-cache
</strong></span>
4222 is not set then
<span><strong class=
"command">allow-recursion
</strong></span>
4223 is used if set, otherwise
<span><strong class=
"command">allow-query
</strong></span>
4224 is used if set unless
<span><strong class=
"command">recursion no;
</strong></span> is
4225 set in which case
<span><strong class=
"command">none;
</strong></span> is used,
4226 otherwise the default (
<span><strong class=
"command">localnets;
</strong></span>
4227 <span><strong class=
"command">localhost;
</strong></span>) is used.
4229 <dt><span class=
"term"><span><strong class=
"command">allow-query-cache-on
</strong></span></span></dt>
4231 Specifies which local addresses can give answers
4232 from the cache. If not specified, the default is
4233 to allow cache queries on any address,
4234 <span><strong class=
"command">localnets
</strong></span> and
4235 <span><strong class=
"command">localhost
</strong></span>.
4237 <dt><span class=
"term"><span><strong class=
"command">allow-recursion
</strong></span></span></dt>
4239 Specifies which hosts are allowed to make recursive
4240 queries through this server. If
4241 <span><strong class=
"command">allow-recursion
</strong></span> is not set
4242 then
<span><strong class=
"command">allow-query-cache
</strong></span> is
4243 used if set, otherwise
<span><strong class=
"command">allow-query
</strong></span>
4244 is used if set, otherwise the default
4245 (
<span><strong class=
"command">localnets;
</strong></span>
4246 <span><strong class=
"command">localhost;
</strong></span>) is used.
4248 <dt><span class=
"term"><span><strong class=
"command">allow-recursion-on
</strong></span></span></dt>
4250 Specifies which local addresses can accept recursive
4251 queries. If not specified, the default is to allow
4252 recursive queries on all addresses.
4254 <dt><span class=
"term"><span><strong class=
"command">allow-update
</strong></span></span></dt>
4256 Specifies which hosts are allowed to
4257 submit Dynamic DNS updates for master zones. The default is
4259 updates from all hosts. Note that allowing updates based
4260 on the requestor's IP address is insecure; see
4261 <a href=
"Bv9ARM.ch07.html#dynamic_update_security" title=
"Dynamic Update Security">the section called
“Dynamic Update Security
”</a> for details.
4263 <dt><span class=
"term"><span><strong class=
"command">allow-update-forwarding
</strong></span></span></dt>
4266 Specifies which hosts are allowed to
4267 submit Dynamic DNS updates to slave zones to be forwarded to
4269 master. The default is
<strong class=
"userinput"><code>{ none; }
</code></strong>,
4271 means that no update forwarding will be performed. To
4273 update forwarding, specify
4274 <strong class=
"userinput"><code>allow-update-forwarding { any; };
</code></strong>.
4275 Specifying values other than
<strong class=
"userinput"><code>{ none; }
</code></strong> or
4276 <strong class=
"userinput"><code>{ any; }
</code></strong> is usually
4277 counterproductive, since
4278 the responsibility for update access control should rest
4280 master server, not the slaves.
4283 Note that enabling the update forwarding feature on a slave
4285 may expose master servers relying on insecure IP address
4287 access control to attacks; see
<a href=
"Bv9ARM.ch07.html#dynamic_update_security" title=
"Dynamic Update Security">the section called
“Dynamic Update Security
”</a>
4291 <dt><span class=
"term"><span><strong class=
"command">allow-v6-synthesis
</strong></span></span></dt>
4293 This option was introduced for the smooth transition from
4295 to A6 and from
"nibble labels" to binary labels.
4296 However, since both A6 and binary labels were then
4298 this option was also deprecated.
4299 It is now ignored with some warning messages.
4301 <dt><span class=
"term"><span><strong class=
"command">allow-transfer
</strong></span></span></dt>
4303 Specifies which hosts are allowed to
4304 receive zone transfers from the server.
<span><strong class=
"command">allow-transfer
</strong></span> may
4305 also be specified in the
<span><strong class=
"command">zone
</strong></span>
4307 case it overrides the
<span><strong class=
"command">options allow-transfer
</strong></span> statement.
4308 If not specified, the default is to allow transfers to all
4311 <dt><span class=
"term"><span><strong class=
"command">blackhole
</strong></span></span></dt>
4313 Specifies a list of addresses that the
4314 server will not accept queries from or use to resolve a
4316 from these addresses will not be responded to. The default
4317 is
<strong class=
"userinput"><code>none
</code></strong>.
4319 <dt><span class=
"term"><span><strong class=
"command">filter-aaaa
</strong></span></span></dt>
4321 Specifies a list of addresses to which
4322 <span><strong class=
"command">filter-aaaa-on-v4
</strong></span>
4323 is applies. The default is
<strong class=
"userinput"><code>any
</code></strong>.
4325 <dt><span class=
"term"><span><strong class=
"command">no-case-compress
</strong></span></span></dt>
4328 Specifies a list of addresses which require responses
4329 to use case-insensitive compression. This ACL can be
4330 used when
<span><strong class=
"command">named
</strong></span> needs to work with
4331 clients that do not comply with the requirement in RFC
4332 1034 to use case-insensitive name comparisons when
4333 checking for matching domain names.
4336 If left undefined, the ACL defaults to
4337 <span><strong class=
"command">none
</strong></span>: case-insensitive compression
4338 will be used for all clients. If the ACL is defined and
4339 matches a client, then case will be ignored when
4340 compressing domain names in DNS responses sent to that
4344 This can result in slightly smaller responses: if
4345 a response contains the names
"example.com" and
4346 "example.COM", case-insensitive compression would treat
4347 the second one as a duplicate. It also ensures
4348 that the case of the query name exactly matches the
4349 case of the owner names of returned records, rather
4350 than matching the case of the records entered in
4351 the zone file. This allows responses to exactly
4352 match the query, which is required by some clients
4353 due to incorrect use of case-sensitive comparisons.
4356 Case-insensitive compression is
<span class=
"emphasis"><em>always
</em></span>
4357 used in AXFR and IXFR responses, regardless of whether
4358 the client matches this ACL.
4361 There are circumstances in which
<span><strong class=
"command">named
</strong></span>
4362 will not preserve the case of owner names of records:
4363 if a zone file defines records of different types with
4364 the same name, but the capitalization of the name is
4365 different (e.g.,
"www.example.com/A" and
4366 "WWW.EXAMPLE.COM/AAAA"), then all responses for that
4367 name will use the
<span class=
"emphasis"><em>first
</em></span> version
4368 of the name that was used in the zone file. This
4369 limitation may be addressed in a future release. However,
4370 domain names specified in the rdata of resource records
4371 (i.e., records of type NS, MX, CNAME, etc) will always
4372 have their case preserved unless the client matches this
4376 <dt><span class=
"term"><span><strong class=
"command">resolver-query-timeout
</strong></span></span></dt>
4378 The amount of time the resolver will spend attempting
4379 to resolve a recursive query before failing. The default
4380 and minimum is
<code class=
"literal">10</code> and the maximum is
4381 <code class=
"literal">30</code>. Setting it to
<code class=
"literal">0</code>
4382 will result in the default being used.
4386 <div class=
"sect3" lang=
"en">
4387 <div class=
"titlepage"><div><div><h4 class=
"title">
4388 <a name=
"id2584876"></a>Interfaces
</h4></div></div></div>
4390 The interfaces and ports that the server will answer queries
4391 from may be specified using the
<span><strong class=
"command">listen-on
</strong></span> option.
<span><strong class=
"command">listen-on
</strong></span> takes
4392 an optional port and an
<code class=
"varname">address_match_list
</code>
4393 of IPv4 addresses. (IPv6 addresses are ignored, with a
4395 The server will listen on all interfaces allowed by the address
4396 match list. If a port is not specified, port
53 will be used.
4399 Multiple
<span><strong class=
"command">listen-on
</strong></span> statements are
4403 <pre class=
"programlisting">listen-on {
5.6.7.8; };
4404 listen-on port
1234 { !
1.2.3.4;
1.2/
16; };
4407 will enable the name server on port
53 for the IP address
4408 5.6.7.8, and on port
1234 of an address on the machine in net
4409 1.2 that is not
1.2.3.4.
4412 If no
<span><strong class=
"command">listen-on
</strong></span> is specified, the
4413 server will listen on port
53 on all IPv4 interfaces.
4416 The
<span><strong class=
"command">listen-on-v6
</strong></span> option is used to
4417 specify the interfaces and the ports on which the server will
4418 listen for incoming queries sent using IPv6. If not specified,
4419 the server will listen on port
53 on all IPv6 interfaces.
4423 <pre class=
"programlisting">{ any; }
</pre>
4426 as the
<code class=
"varname">address_match_list
</code> for the
4427 <span><strong class=
"command">listen-on-v6
</strong></span> option,
4428 the server does not bind a separate socket to each IPv6 interface
4429 address as it does for IPv4 if the operating system has enough API
4430 support for IPv6 (specifically if it conforms to RFC
3493 and RFC
4432 Instead, it listens on the IPv6 wildcard address.
4433 If the system only has incomplete API support for IPv6, however,
4434 the behavior is the same as that for IPv4.
4437 A list of particular IPv6 addresses can also be specified, in
4439 the server listens on a separate socket for each specified
4441 regardless of whether the desired API is supported by the system.
4442 IPv4 addresses specified in
<span><strong class=
"command">listen-on-v6
</strong></span>
4443 will be ignored, with a logged warning.
4446 Multiple
<span><strong class=
"command">listen-on-v6
</strong></span> options can
4450 <pre class=
"programlisting">listen-on-v6 { any; };
4451 listen-on-v6 port
1234 { !
2001:db8::/
32; any; };
4454 will enable the name server on port
53 for any IPv6 addresses
4455 (with a single wildcard socket),
4456 and on port
1234 of IPv6 addresses that is not in the prefix
4457 2001:db8::/
32 (with separate sockets for each matched address.)
4460 To make the server not listen on any IPv6 address, use
4462 <pre class=
"programlisting">listen-on-v6 { none; };
4465 <div class=
"sect3" lang=
"en">
4466 <div class=
"titlepage"><div><div><h4 class=
"title">
4467 <a name=
"query_address"></a>Query Address
</h4></div></div></div>
4469 If the server doesn't know the answer to a question, it will
4470 query other name servers.
<span><strong class=
"command">query-source
</strong></span> specifies
4471 the address and port used for such queries. For queries sent over
4472 IPv6, there is a separate
<span><strong class=
"command">query-source-v6
</strong></span> option.
4473 If
<span><strong class=
"command">address
</strong></span> is
<span><strong class=
"command">*
</strong></span> (asterisk) or is omitted,
4474 a wildcard IP address (
<span><strong class=
"command">INADDR_ANY
</strong></span>)
4478 If
<span><strong class=
"command">port
</strong></span> is
<span><strong class=
"command">*
</strong></span> or is omitted,
4479 a random port number from a pre-configured
4480 range is picked up and will be used for each query.
4481 The port range(s) is that specified in
4482 the
<span><strong class=
"command">use-v4-udp-ports
</strong></span> (for IPv4)
4483 and
<span><strong class=
"command">use-v6-udp-ports
</strong></span> (for IPv6)
4484 options, excluding the ranges specified in
4485 the
<span><strong class=
"command">avoid-v4-udp-ports
</strong></span>
4486 and
<span><strong class=
"command">avoid-v6-udp-ports
</strong></span> options, respectively.
4489 The defaults of the
<span><strong class=
"command">query-source
</strong></span> and
4490 <span><strong class=
"command">query-source-v6
</strong></span> options
4493 <pre class=
"programlisting">query-source address * port *;
4494 query-source-v6 address * port *;
4497 If
<span><strong class=
"command">use-v4-udp-ports
</strong></span> or
4498 <span><strong class=
"command">use-v6-udp-ports
</strong></span> is unspecified,
4499 <span><strong class=
"command">named
</strong></span> will check if the operating
4500 system provides a programming interface to retrieve the
4501 system's default range for ephemeral ports.
4502 If such an interface is available,
4503 <span><strong class=
"command">named
</strong></span> will use the corresponding system
4504 default range; otherwise, it will use its own defaults:
4506 <pre class=
"programlisting">use-v4-udp-ports { range
1024 65535; };
4507 use-v6-udp-ports { range
1024 65535; };
4510 Note: make sure the ranges be sufficiently large for
4511 security. A desirable size depends on various parameters,
4512 but we generally recommend it contain at least
16384 ports
4513 (
14 bits of entropy).
4514 Note also that the system's default range when used may be
4515 too small for this purpose, and that the range may even be
4516 changed while
<span><strong class=
"command">named
</strong></span> is running; the new
4517 range will automatically be applied when
<span><strong class=
"command">named
</strong></span>
4520 configure
<span><strong class=
"command">use-v4-udp-ports
</strong></span> and
4521 <span><strong class=
"command">use-v6-udp-ports
</strong></span> explicitly so that the
4522 ranges are sufficiently large and are reasonably
4523 independent from the ranges used by other applications.
4526 Note: the operational configuration
4527 where
<span><strong class=
"command">named
</strong></span> runs may prohibit the use
4528 of some ports. For example, UNIX systems will not allow
4529 <span><strong class=
"command">named
</strong></span> running without a root privilege
4530 to use ports less than
1024.
4531 If such ports are included in the specified (or detected)
4532 set of query ports, the corresponding query attempts will
4533 fail, resulting in resolution failures or delay.
4534 It is therefore important to configure the set of ports
4535 that can be safely used in the expected operational environment.
4538 The defaults of the
<span><strong class=
"command">avoid-v4-udp-ports
</strong></span> and
4539 <span><strong class=
"command">avoid-v6-udp-ports
</strong></span> options
4542 <pre class=
"programlisting">avoid-v4-udp-ports {};
4543 avoid-v6-udp-ports {};
4546 Note: BIND
9.5.0 introduced
4547 the
<span><strong class=
"command">use-queryport-pool
</strong></span>
4548 option to support a pool of such random ports, but this
4549 option is now obsolete because reusing the same ports in
4550 the pool may not be sufficiently secure.
4551 For the same reason, it is generally strongly discouraged to
4552 specify a particular port for the
4553 <span><strong class=
"command">query-source
</strong></span> or
4554 <span><strong class=
"command">query-source-v6
</strong></span> options;
4555 it implicitly disables the use of randomized port numbers.
4557 <div class=
"variablelist"><dl>
4558 <dt><span class=
"term"><span><strong class=
"command">use-queryport-pool
</strong></span></span></dt>
4560 This option is obsolete.
4562 <dt><span class=
"term"><span><strong class=
"command">queryport-pool-ports
</strong></span></span></dt>
4564 This option is obsolete.
4566 <dt><span class=
"term"><span><strong class=
"command">queryport-pool-updateinterval
</strong></span></span></dt>
4568 This option is obsolete.
4571 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
4572 <h3 class=
"title">Note
</h3>
4574 The address specified in the
<span><strong class=
"command">query-source
</strong></span> option
4575 is used for both UDP and TCP queries, but the port applies only
4576 to UDP queries. TCP queries always use a random
4580 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
4581 <h3 class=
"title">Note
</h3>
4583 Solaris
2.5.1 and earlier does not support setting the source
4584 address for TCP sockets.
4587 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
4588 <h3 class=
"title">Note
</h3>
4590 See also
<span><strong class=
"command">transfer-source
</strong></span> and
4591 <span><strong class=
"command">notify-source
</strong></span>.
4595 <div class=
"sect3" lang=
"en">
4596 <div class=
"titlepage"><div><div><h4 class=
"title">
4597 <a name=
"zone_transfers"></a>Zone Transfers
</h4></div></div></div>
4599 <acronym class=
"acronym">BIND
</acronym> has mechanisms in place to
4600 facilitate zone transfers
4601 and set limits on the amount of load that transfers place on the
4602 system. The following options apply to zone transfers.
4604 <div class=
"variablelist"><dl>
4605 <dt><span class=
"term"><span><strong class=
"command">also-notify
</strong></span></span></dt>
4608 Defines a global list of IP addresses of name servers
4609 that are also sent NOTIFY messages whenever a fresh copy of
4611 zone is loaded, in addition to the servers listed in the
4613 This helps to ensure that copies of the zones will
4614 quickly converge on stealth servers.
4615 Optionally, a port may be specified with each
4616 <span><strong class=
"command">also-notify
</strong></span> address to send
4617 the notify messages to a port other than the
4619 An optional TSIG key can also be specified with each
4620 address to cause the notify messages to be signed; this
4621 can be useful when sending notifies to multiple views.
4622 In place of explicit addresses, one or more named
4623 <span><strong class=
"command">masters
</strong></span> lists can be used.
4626 If an
<span><strong class=
"command">also-notify
</strong></span> list
4627 is given in a
<span><strong class=
"command">zone
</strong></span> statement,
4629 the
<span><strong class=
"command">options also-notify
</strong></span>
4630 statement. When a
<span><strong class=
"command">zone notify
</strong></span>
4632 is set to
<span><strong class=
"command">no
</strong></span>, the IP
4633 addresses in the global
<span><strong class=
"command">also-notify
</strong></span> list will
4634 not be sent NOTIFY messages for that zone. The default is
4636 list (no global notification list).
4639 <dt><span class=
"term"><span><strong class=
"command">max-transfer-time-in
</strong></span></span></dt>
4641 Inbound zone transfers running longer than
4642 this many minutes will be terminated. The default is
120
4644 (
2 hours). The maximum value is
28 days (
40320 minutes).
4646 <dt><span class=
"term"><span><strong class=
"command">max-transfer-idle-in
</strong></span></span></dt>
4648 Inbound zone transfers making no progress
4649 in this many minutes will be terminated. The default is
60
4651 (
1 hour). The maximum value is
28 days (
40320 minutes).
4653 <dt><span class=
"term"><span><strong class=
"command">max-transfer-time-out
</strong></span></span></dt>
4655 Outbound zone transfers running longer than
4656 this many minutes will be terminated. The default is
120
4658 (
2 hours). The maximum value is
28 days (
40320 minutes).
4660 <dt><span class=
"term"><span><strong class=
"command">max-transfer-idle-out
</strong></span></span></dt>
4662 Outbound zone transfers making no progress
4663 in this many minutes will be terminated. The default is
60
4665 hour). The maximum value is
28 days (
40320 minutes).
4667 <dt><span class=
"term"><span><strong class=
"command">serial-query-rate
</strong></span></span></dt>
4670 Slave servers will periodically query master
4671 servers to find out if zone serial numbers have
4672 changed. Each such query uses a minute amount of
4673 the slave server's network bandwidth. To limit
4674 the amount of bandwidth used, BIND
9 limits the
4675 rate at which queries are sent. The value of the
4676 <span><strong class=
"command">serial-query-rate
</strong></span> option, an
4677 integer, is the maximum number of queries sent
4678 per second. The default is
20 per second.
4679 The lowest possible rate is one per second; when set
4680 to zero, it will be silently raised to one.
4683 In addition to controlling the rate SOA refresh
4684 queries are issued at
4685 <span><strong class=
"command">serial-query-rate
</strong></span> also controls
4686 the rate at which NOTIFY messages are sent from
4687 both master and slave zones.
4690 <dt><span class=
"term"><span><strong class=
"command">serial-queries
</strong></span></span></dt>
4692 In BIND
8, the
<span><strong class=
"command">serial-queries
</strong></span>
4694 set the maximum number of concurrent serial number queries
4695 allowed to be outstanding at any given time.
4696 BIND
9 does not limit the number of outstanding
4697 serial queries and ignores the
<span><strong class=
"command">serial-queries
</strong></span> option.
4698 Instead, it limits the rate at which the queries are sent
4699 as defined using the
<span><strong class=
"command">serial-query-rate
</strong></span> option.
4701 <dt><span class=
"term"><span><strong class=
"command">transfer-format
</strong></span></span></dt>
4703 Zone transfers can be sent using two different formats,
4704 <span><strong class=
"command">one-answer
</strong></span> and
4705 <span><strong class=
"command">many-answers
</strong></span>.
4706 The
<span><strong class=
"command">transfer-format
</strong></span> option is used
4707 on the master server to determine which format it sends.
4708 <span><strong class=
"command">one-answer
</strong></span> uses one DNS message per
4709 resource record transferred.
4710 <span><strong class=
"command">many-answers
</strong></span> packs as many resource
4711 records as possible into a message.
4712 <span><strong class=
"command">many-answers
</strong></span> is more efficient, but is
4713 only supported by relatively new slave servers,
4714 such as
<acronym class=
"acronym">BIND
</acronym> 9,
<acronym class=
"acronym">BIND
</acronym>
4715 8.x and
<acronym class=
"acronym">BIND
</acronym> 4.9.5 onwards.
4716 The
<span><strong class=
"command">many-answers
</strong></span> format is also supported by
4717 recent Microsoft Windows nameservers.
4718 The default is
<span><strong class=
"command">many-answers
</strong></span>.
4719 <span><strong class=
"command">transfer-format
</strong></span> may be overridden on a
4720 per-server basis by using the
<span><strong class=
"command">server
</strong></span>
4723 <dt><span class=
"term"><span><strong class=
"command">transfers-in
</strong></span></span></dt>
4725 The maximum number of inbound zone transfers
4726 that can be running concurrently. The default value is
<code class=
"literal">10</code>.
4727 Increasing
<span><strong class=
"command">transfers-in
</strong></span> may
4728 speed up the convergence
4729 of slave zones, but it also may increase the load on the
4732 <dt><span class=
"term"><span><strong class=
"command">transfers-out
</strong></span></span></dt>
4734 The maximum number of outbound zone transfers
4735 that can be running concurrently. Zone transfer requests in
4737 of the limit will be refused. The default value is
<code class=
"literal">10</code>.
4739 <dt><span class=
"term"><span><strong class=
"command">transfers-per-ns
</strong></span></span></dt>
4741 The maximum number of inbound zone transfers
4742 that can be concurrently transferring from a given remote
4744 The default value is
<code class=
"literal">2</code>.
4745 Increasing
<span><strong class=
"command">transfers-per-ns
</strong></span>
4747 speed up the convergence of slave zones, but it also may
4749 the load on the remote name server.
<span><strong class=
"command">transfers-per-ns
</strong></span> may
4750 be overridden on a per-server basis by using the
<span><strong class=
"command">transfers
</strong></span> phrase
4751 of the
<span><strong class=
"command">server
</strong></span> statement.
4753 <dt><span class=
"term"><span><strong class=
"command">transfer-source
</strong></span></span></dt>
4755 <p><span><strong class=
"command">transfer-source
</strong></span>
4756 determines which local address will be bound to IPv4
4757 TCP connections used to fetch zones transferred
4758 inbound by the server. It also determines the
4759 source IPv4 address, and optionally the UDP port,
4760 used for the refresh queries and forwarded dynamic
4761 updates. If not set, it defaults to a system
4762 controlled value which will usually be the address
4763 of the interface
"closest to" the remote end. This
4764 address must appear in the remote end's
4765 <span><strong class=
"command">allow-transfer
</strong></span> option for the
4766 zone being transferred, if one is specified. This
4768 <span><strong class=
"command">transfer-source
</strong></span> for all zones,
4769 but can be overridden on a per-view or per-zone
4770 basis by including a
4771 <span><strong class=
"command">transfer-source
</strong></span> statement within
4772 the
<span><strong class=
"command">view
</strong></span> or
4773 <span><strong class=
"command">zone
</strong></span> block in the configuration
4776 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
4777 <h3 class=
"title">Note
</h3>
4779 Solaris
2.5.1 and earlier does not support setting the
4780 source address for TCP sockets.
4784 <dt><span class=
"term"><span><strong class=
"command">transfer-source-v6
</strong></span></span></dt>
4786 The same as
<span><strong class=
"command">transfer-source
</strong></span>,
4787 except zone transfers are performed using IPv6.
4789 <dt><span class=
"term"><span><strong class=
"command">alt-transfer-source
</strong></span></span></dt>
4792 An alternate transfer source if the one listed in
4793 <span><strong class=
"command">transfer-source
</strong></span> fails and
4794 <span><strong class=
"command">use-alt-transfer-source
</strong></span> is
4797 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
4798 <h3 class=
"title">Note
</h3>
4799 If you do not wish the alternate transfer source
4800 to be used, you should set
4801 <span><strong class=
"command">use-alt-transfer-source
</strong></span>
4802 appropriately and you should not depend upon
4803 getting an answer back to the first refresh
4807 <dt><span class=
"term"><span><strong class=
"command">alt-transfer-source-v6
</strong></span></span></dt>
4809 An alternate transfer source if the one listed in
4810 <span><strong class=
"command">transfer-source-v6
</strong></span> fails and
4811 <span><strong class=
"command">use-alt-transfer-source
</strong></span> is
4814 <dt><span class=
"term"><span><strong class=
"command">use-alt-transfer-source
</strong></span></span></dt>
4816 Use the alternate transfer sources or not. If views are
4817 specified this defaults to
<span><strong class=
"command">no
</strong></span>
4818 otherwise it defaults to
4819 <span><strong class=
"command">yes
</strong></span> (for BIND
8
4822 <dt><span class=
"term"><span><strong class=
"command">notify-source
</strong></span></span></dt>
4824 <p><span><strong class=
"command">notify-source
</strong></span>
4825 determines which local source address, and
4826 optionally UDP port, will be used to send NOTIFY
4827 messages. This address must appear in the slave
4828 server's
<span><strong class=
"command">masters
</strong></span> zone clause or
4829 in an
<span><strong class=
"command">allow-notify
</strong></span> clause. This
4830 statement sets the
<span><strong class=
"command">notify-source
</strong></span>
4831 for all zones, but can be overridden on a per-zone or
4832 per-view basis by including a
4833 <span><strong class=
"command">notify-source
</strong></span> statement within
4834 the
<span><strong class=
"command">zone
</strong></span> or
4835 <span><strong class=
"command">view
</strong></span> block in the configuration
4838 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
4839 <h3 class=
"title">Note
</h3>
4841 Solaris
2.5.1 and earlier does not support setting the
4842 source address for TCP sockets.
4846 <dt><span class=
"term"><span><strong class=
"command">notify-source-v6
</strong></span></span></dt>
4848 Like
<span><strong class=
"command">notify-source
</strong></span>,
4849 but applies to notify messages sent to IPv6 addresses.
4853 <div class=
"sect3" lang=
"en">
4854 <div class=
"titlepage"><div><div><h4 class=
"title">
4855 <a name=
"id2586147"></a>UDP Port Lists
</h4></div></div></div>
4857 <span><strong class=
"command">use-v4-udp-ports
</strong></span>,
4858 <span><strong class=
"command">avoid-v4-udp-ports
</strong></span>,
4859 <span><strong class=
"command">use-v6-udp-ports
</strong></span>, and
4860 <span><strong class=
"command">avoid-v6-udp-ports
</strong></span>
4861 specify a list of IPv4 and IPv6 UDP ports that will be
4862 used or not used as source ports for UDP messages.
4863 See
<a href=
"Bv9ARM.ch06.html#query_address" title=
"Query Address">the section called
“Query Address
”</a> about how the
4864 available ports are determined.
4865 For example, with the following configuration
4867 <pre class=
"programlisting">
4868 use-v6-udp-ports { range
32768 65535; };
4869 avoid-v6-udp-ports {
40000; range
50000 60000; };
4872 UDP ports of IPv6 messages sent
4873 from
<span><strong class=
"command">named
</strong></span> will be in one
4874 of the following ranges:
32768 to
39999,
40001 to
49999,
4878 <span><strong class=
"command">avoid-v4-udp-ports
</strong></span> and
4879 <span><strong class=
"command">avoid-v6-udp-ports
</strong></span> can be used
4880 to prevent
<span><strong class=
"command">named
</strong></span> from choosing as its random source port a
4881 port that is blocked by your firewall or a port that is
4882 used by other applications;
4883 if a query went out with a source port blocked by a
4885 answer would not get by the firewall and the name server would
4886 have to query again.
4887 Note: the desired range can also be represented only with
4888 <span><strong class=
"command">use-v4-udp-ports
</strong></span> and
4889 <span><strong class=
"command">use-v6-udp-ports
</strong></span>, and the
4890 <span><strong class=
"command">avoid-
</strong></span> options are redundant in that
4891 sense; they are provided for backward compatibility and
4892 to possibly simplify the port specification.
4895 <div class=
"sect3" lang=
"en">
4896 <div class=
"titlepage"><div><div><h4 class=
"title">
4897 <a name=
"id2586206"></a>Operating System Resource Limits
</h4></div></div></div>
4899 The server's usage of many system resources can be limited.
4900 Scaled values are allowed when specifying resource limits. For
4901 example,
<span><strong class=
"command">1G
</strong></span> can be used instead of
4902 <span><strong class=
"command">1073741824</strong></span> to specify a limit of
4904 gigabyte.
<span><strong class=
"command">unlimited
</strong></span> requests
4905 unlimited use, or the
4906 maximum available amount.
<span><strong class=
"command">default
</strong></span>
4908 that was in force when the server was started. See the description
4909 of
<span><strong class=
"command">size_spec
</strong></span> in
<a href=
"Bv9ARM.ch06.html#configuration_file_elements" title=
"Configuration File Elements">the section called
“Configuration File Elements
”</a>.
4912 The following options set operating system resource limits for
4913 the name server process. Some operating systems don't support
4915 any of the limits. On such systems, a warning will be issued if
4917 unsupported limit is used.
4919 <div class=
"variablelist"><dl>
4920 <dt><span class=
"term"><span><strong class=
"command">coresize
</strong></span></span></dt>
4922 The maximum size of a core dump. The default
4923 is
<code class=
"literal">default
</code>.
4925 <dt><span class=
"term"><span><strong class=
"command">datasize
</strong></span></span></dt>
4927 The maximum amount of data memory the server
4928 may use. The default is
<code class=
"literal">default
</code>.
4929 This is a hard limit on server memory usage.
4930 If the server attempts to allocate memory in excess of this
4931 limit, the allocation will fail, which may in turn leave
4932 the server unable to perform DNS service. Therefore,
4933 this option is rarely useful as a way of limiting the
4934 amount of memory used by the server, but it can be used
4935 to raise an operating system data size limit that is
4936 too small by default. If you wish to limit the amount
4937 of memory used by the server, use the
4938 <span><strong class=
"command">max-cache-size
</strong></span> and
4939 <span><strong class=
"command">recursive-clients
</strong></span>
4942 <dt><span class=
"term"><span><strong class=
"command">files
</strong></span></span></dt>
4944 The maximum number of files the server
4945 may have open concurrently. The default is
<code class=
"literal">unlimited
</code>.
4947 <dt><span class=
"term"><span><strong class=
"command">stacksize
</strong></span></span></dt>
4949 The maximum amount of stack memory the server
4950 may use. The default is
<code class=
"literal">default
</code>.
4954 <div class=
"sect3" lang=
"en">
4955 <div class=
"titlepage"><div><div><h4 class=
"title">
4956 <a name=
"server_resource_limits"></a>Server Resource Limits
</h4></div></div></div>
4958 The following options set limits on the server's
4959 resource consumption that are enforced internally by the
4960 server rather than the operating system.
4962 <div class=
"variablelist"><dl>
4963 <dt><span class=
"term"><span><strong class=
"command">max-ixfr-log-size
</strong></span></span></dt>
4965 This option is obsolete; it is accepted
4966 and ignored for BIND
8 compatibility. The option
4967 <span><strong class=
"command">max-journal-size
</strong></span> performs a
4968 similar function in BIND
9.
4970 <dt><span class=
"term"><span><strong class=
"command">max-journal-size
</strong></span></span></dt>
4972 Sets a maximum size for each journal file
4973 (see
<a href=
"Bv9ARM.ch04.html#journal" title=
"The journal file">the section called
“The journal file
”</a>). When the journal file
4975 the specified size, some of the oldest transactions in the
4977 will be automatically removed. The largest permitted
4978 value is
2 gigabytes. The default is
4979 <code class=
"literal">unlimited
</code>, which also
4981 This may also be set on a per-zone basis.
4983 <dt><span class=
"term"><span><strong class=
"command">host-statistics-max
</strong></span></span></dt>
4985 In BIND
8, specifies the maximum number of host statistics
4987 Not implemented in BIND
9.
4989 <dt><span class=
"term"><span><strong class=
"command">recursive-clients
</strong></span></span></dt>
4991 The maximum number of simultaneous recursive lookups
4992 the server will perform on behalf of clients. The default
4994 <code class=
"literal">1000</code>. Because each recursing
4996 bit of memory, on the order of
20 kilobytes, the value of
4998 <span><strong class=
"command">recursive-clients
</strong></span> option may
4999 have to be decreased
5000 on hosts with limited memory.
5002 <dt><span class=
"term"><span><strong class=
"command">tcp-clients
</strong></span></span></dt>
5004 The maximum number of simultaneous client TCP
5005 connections that the server will accept.
5006 The default is
<code class=
"literal">100</code>.
5008 <dt><span class=
"term"><span><strong class=
"command">reserved-sockets
</strong></span></span></dt>
5011 The number of file descriptors reserved for TCP, stdio,
5012 etc. This needs to be big enough to cover the number of
5013 interfaces
<span><strong class=
"command">named
</strong></span> listens on,
<span><strong class=
"command">tcp-clients
</strong></span> as well as
5014 to provide room for outgoing TCP queries and incoming zone
5015 transfers. The default is
<code class=
"literal">512</code>.
5016 The minimum value is
<code class=
"literal">128</code> and the
5017 maximum value is
<code class=
"literal">128</code> less than
5018 maxsockets (-S). This option may be removed in the future.
5021 This option has little effect on Windows.
5024 <dt><span class=
"term"><span><strong class=
"command">max-cache-size
</strong></span></span></dt>
5026 The maximum amount of memory to use for the
5027 server's cache, in bytes.
5028 When the amount of data in the cache
5029 reaches this limit, the server will cause records to
5030 expire prematurely based on an LRU based strategy so
5031 that the limit is not exceeded.
5032 The keyword
<strong class=
"userinput"><code>unlimited
</code></strong>,
5033 or the value
0, will place no limit on cache size;
5034 records will be purged from the cache only when their
5036 Any positive values less than
2MB will be ignored
5038 In a server with multiple views, the limit applies
5039 separately to the cache of each view.
5040 The default is
<strong class=
"userinput"><code>unlimited
</code></strong>.
5042 <dt><span class=
"term"><span><strong class=
"command">tcp-listen-queue
</strong></span></span></dt>
5044 The listen queue depth. The default and minimum is
10.
5045 If the kernel supports the accept filter
"dataready" this
5047 many TCP connections that will be queued in kernel space
5049 some data before being passed to accept. Nonzero values
5050 less than
10 will be silently raised. A value of
0 may also
5051 be used; on most platforms this sets the listen queue
5052 length to a system-defined default value.
5056 <div class=
"sect3" lang=
"en">
5057 <div class=
"titlepage"><div><div><h4 class=
"title">
5058 <a name=
"id2586632"></a>Periodic Task Intervals
</h4></div></div></div>
5059 <div class=
"variablelist"><dl>
5060 <dt><span class=
"term"><span><strong class=
"command">cleaning-interval
</strong></span></span></dt>
5062 This interval is effectively obsolete. Previously,
5063 the server would remove expired resource records
5064 from the cache every
<span><strong class=
"command">cleaning-interval
</strong></span> minutes.
5065 <acronym class=
"acronym">BIND
</acronym> 9 now manages cache
5066 memory in a more sophisticated manner and does not
5067 rely on the periodic cleaning any more.
5068 Specifying this option therefore has no effect on
5069 the server's behavior.
5071 <dt><span class=
"term"><span><strong class=
"command">heartbeat-interval
</strong></span></span></dt>
5073 The server will perform zone maintenance tasks
5074 for all zones marked as
<span><strong class=
"command">dialup
</strong></span> whenever this
5075 interval expires. The default is
60 minutes. Reasonable
5077 to
1 day (
1440 minutes). The maximum value is
28 days
5079 If set to
0, no zone maintenance for these zones will occur.
5081 <dt><span class=
"term"><span><strong class=
"command">interface-interval
</strong></span></span></dt>
5083 The server will scan the network interface list
5084 every
<span><strong class=
"command">interface-interval
</strong></span>
5085 minutes. The default
5086 is
60 minutes. The maximum value is
28 days (
40320 minutes).
5087 If set to
0, interface scanning will only occur when
5088 the configuration file is loaded. After the scan, the
5090 begin listening for queries on any newly discovered
5091 interfaces (provided they are allowed by the
5092 <span><strong class=
"command">listen-on
</strong></span> configuration), and
5094 stop listening on interfaces that have gone away.
5096 <dt><span class=
"term"><span><strong class=
"command">statistics-interval
</strong></span></span></dt>
5099 Name server statistics will be logged
5100 every
<span><strong class=
"command">statistics-interval
</strong></span>
5101 minutes. The default is
5102 60. The maximum value is
28 days (
40320 minutes).
5103 If set to
0, no statistics will be logged.
5105 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
5106 <h3 class=
"title">Note
</h3>
5108 Not yet implemented in
5109 <acronym class=
"acronym">BIND
</acronym> 9.
5115 <div class=
"sect3" lang=
"en">
5116 <div class=
"titlepage"><div><div><h4 class=
"title">
5117 <a name=
"topology"></a>Topology
</h4></div></div></div>
5119 All other things being equal, when the server chooses a name
5121 to query from a list of name servers, it prefers the one that is
5122 topologically closest to itself. The
<span><strong class=
"command">topology
</strong></span> statement
5123 takes an
<span><strong class=
"command">address_match_list
</strong></span> and
5125 in a special way. Each top-level list element is assigned a
5127 Non-negated elements get a distance based on their position in the
5128 list, where the closer the match is to the start of the list, the
5129 shorter the distance is between it and the server. A negated match
5130 will be assigned the maximum distance from the server. If there
5131 is no match, the address will get a distance which is further than
5132 any non-negated list element, and closer than any negated element.
5135 <pre class=
"programlisting">topology {
5141 will prefer servers on network
10 the most, followed by hosts
5142 on network
1.2.0.0 (netmask
255.255.0.0) and network
3, with the
5143 exception of hosts on network
1.2.3 (netmask
255.255.255.0), which
5144 is preferred least of all.
5147 The default topology is
5149 <pre class=
"programlisting"> topology { localhost; localnets; };
5151 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
5152 <h3 class=
"title">Note
</h3>
5154 The
<span><strong class=
"command">topology
</strong></span> option
5155 is not implemented in
<acronym class=
"acronym">BIND
</acronym> 9.
5159 <div class=
"sect3" lang=
"en">
5160 <div class=
"titlepage"><div><div><h4 class=
"title">
5161 <a name=
"the_sortlist_statement"></a>The
<span><strong class=
"command">sortlist
</strong></span> Statement
</h4></div></div></div>
5163 The response to a DNS query may consist of multiple resource
5164 records (RRs) forming a resource records set (RRset).
5165 The name server will normally return the
5166 RRs within the RRset in an indeterminate order
5167 (but see the
<span><strong class=
"command">rrset-order
</strong></span>
5168 statement in
<a href=
"Bv9ARM.ch06.html#rrset_ordering" title=
"RRset Ordering">the section called
“RRset Ordering
”</a>).
5169 The client resolver code should rearrange the RRs as appropriate,
5170 that is, using any addresses on the local net in preference to
5172 However, not all resolvers can do this or are correctly
5174 When a client is using a local server, the sorting can be performed
5175 in the server, based on the client's address. This only requires
5176 configuring the name servers, not all the clients.
5179 The
<span><strong class=
"command">sortlist
</strong></span> statement (see below)
5181 an
<span><strong class=
"command">address_match_list
</strong></span> and
5183 more specifically than the
<span><strong class=
"command">topology
</strong></span>
5185 does (
<a href=
"Bv9ARM.ch06.html#topology" title=
"Topology">the section called
“Topology
”</a>).
5186 Each top level statement in the
<span><strong class=
"command">sortlist
</strong></span> must
5187 itself be an explicit
<span><strong class=
"command">address_match_list
</strong></span> with
5188 one or two elements. The first element (which may be an IP
5190 an IP prefix, an ACL name or a nested
<span><strong class=
"command">address_match_list
</strong></span>)
5191 of each top level list is checked against the source address of
5192 the query until a match is found.
5195 Once the source address of the query has been matched, if
5196 the top level statement contains only one element, the actual
5198 element that matched the source address is used to select the
5200 in the response to move to the beginning of the response. If the
5201 statement is a list of two elements, then the second element is
5202 treated the same as the
<span><strong class=
"command">address_match_list
</strong></span> in
5203 a
<span><strong class=
"command">topology
</strong></span> statement. Each top
5205 is assigned a distance and the address in the response with the
5207 distance is moved to the beginning of the response.
5210 In the following example, any queries received from any of
5211 the addresses of the host itself will get responses preferring
5213 on any of the locally connected networks. Next most preferred are
5215 on the
192.168.1/
24 network, and after that either the
5218 192.168.3/
24 network with no preference shown between these two
5219 networks. Queries received from a host on the
192.168.1/
24 network
5220 will prefer other addresses on that network to the
192.168.2/
24
5222 192.168.3/
24 networks. Queries received from a host on the
5224 or the
192.168.5/
24 network will only prefer other addresses on
5225 their directly connected networks.
5227 <pre class=
"programlisting">sortlist {
5228 // IF the local host
5229 // THEN first fit on the following nets
5233 {
192.168.2/
24;
192.168.3/
24; }; }; };
5234 // IF on class C
192.168.1 THEN use
.1, or
.2 or
.3
5237 {
192.168.2/
24;
192.168.3/
24; }; }; };
5238 // IF on class C
192.168.2 THEN use
.2, or
.1 or
.3
5241 {
192.168.1/
24;
192.168.3/
24; }; }; };
5242 // IF on class C
192.168.3 THEN use
.3, or
.1 or
.2
5245 {
192.168.1/
24;
192.168.2/
24; }; }; };
5246 // IF
.4 or
.5 THEN prefer that net
5247 { {
192.168.4/
24;
192.168.5/
24; };
5251 The following example will give reasonable behavior for the
5252 local host and hosts on directly connected networks. It is similar
5253 to the behavior of the address sort in
<acronym class=
"acronym">BIND
</acronym> 4.9.x. Responses sent
5254 to queries from the local host will favor any of the directly
5256 networks. Responses sent to queries from any other hosts on a
5258 connected network will prefer addresses on that same network.
5260 to other queries will not be sorted.
5262 <pre class=
"programlisting">sortlist {
5263 { localhost; localnets; };
5268 <div class=
"sect3" lang=
"en">
5269 <div class=
"titlepage"><div><div><h4 class=
"title">
5270 <a name=
"rrset_ordering"></a>RRset Ordering
</h4></div></div></div>
5272 When multiple records are returned in an answer it may be
5273 useful to configure the order of the records placed into the
5275 The
<span><strong class=
"command">rrset-order
</strong></span> statement permits
5277 of the ordering of the records in a multiple record response.
5278 See also the
<span><strong class=
"command">sortlist
</strong></span> statement,
5279 <a href=
"Bv9ARM.ch06.html#the_sortlist_statement" title=
"The sortlist Statement">the section called
“The
<span><strong class=
"command">sortlist
</strong></span> Statement
”</a>.
5282 An
<span><strong class=
"command">order_spec
</strong></span> is defined as
5286 [
<span class=
"optional">class
<em class=
"replaceable"><code>class_name
</code></em></span>]
5287 [
<span class=
"optional">type
<em class=
"replaceable"><code>type_name
</code></em></span>]
5288 [
<span class=
"optional">name
<em class=
"replaceable"><code>"domain_name"</code></em></span>]
5289 order
<em class=
"replaceable"><code>ordering
</code></em>
5292 If no class is specified, the default is
<span><strong class=
"command">ANY
</strong></span>.
5293 If no type is specified, the default is
<span><strong class=
"command">ANY
</strong></span>.
5294 If no name is specified, the default is
"<span><strong class="command
">*</strong></span>" (asterisk).
5297 The legal values for
<span><strong class=
"command">ordering
</strong></span> are:
5299 <div class=
"informaltable"><table border=
"1">
5307 <p><span><strong class=
"command">fixed
</strong></span></p>
5311 Records are returned in the order they
5312 are defined in the zone file.
5318 <p><span><strong class=
"command">random
</strong></span></p>
5322 Records are returned in some random order.
5328 <p><span><strong class=
"command">cyclic
</strong></span></p>
5332 Records are returned in a cyclic round-robin order.
5335 If
<acronym class=
"acronym">BIND
</acronym> is configured with the
5336 "--enable-fixed-rrset" option at compile time, then
5337 the initial ordering of the RRset will match the
5338 one specified in the zone file.
5347 <pre class=
"programlisting">rrset-order {
5348 class IN type A name
"host.example.com" order random;
5353 will cause any responses for type A records in class IN that
5354 have
"<code class="literal
">host.example.com</code>" as a
5355 suffix, to always be returned
5356 in random order. All other records are returned in cyclic order.
5359 If multiple
<span><strong class=
"command">rrset-order
</strong></span> statements
5360 appear, they are not combined
— the last one applies.
5363 By default, all records are returned in random order.
5365 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
5366 <h3 class=
"title">Note
</h3>
5368 In this release of
<acronym class=
"acronym">BIND
</acronym> 9, the
5369 <span><strong class=
"command">rrset-order
</strong></span> statement does not support
5370 "fixed" ordering by default. Fixed ordering can be enabled
5371 at compile time by specifying
"--enable-fixed-rrset" on
5372 the
"configure" command line.
5376 <div class=
"sect3" lang=
"en">
5377 <div class=
"titlepage"><div><div><h4 class=
"title">
5378 <a name=
"tuning"></a>Tuning
</h4></div></div></div>
5379 <div class=
"variablelist"><dl>
5380 <dt><span class=
"term"><span><strong class=
"command">lame-ttl
</strong></span></span></dt>
5383 Sets the number of seconds to cache a
5384 lame server indication.
0 disables caching. (This is
5385 <span class=
"bold"><strong>NOT
</strong></span> recommended.)
5386 The default is
<code class=
"literal">600</code> (
10 minutes) and the
5388 <code class=
"literal">1800</code> (
30 minutes).
5391 Lame-ttl also controls the amount of time DNSSEC
5392 validation failures are cached. There is a minimum
5393 of
30 seconds applied to bad cache entries if the
5394 lame-ttl is set to less than
30 seconds.
5397 <dt><span class=
"term"><span><strong class=
"command">max-ncache-ttl
</strong></span></span></dt>
5399 To reduce network traffic and increase performance,
5400 the server stores negative answers.
<span><strong class=
"command">max-ncache-ttl
</strong></span> is
5401 used to set a maximum retention time for these answers in
5403 in seconds. The default
5404 <span><strong class=
"command">max-ncache-ttl
</strong></span> is
<code class=
"literal">10800</code> seconds (
3 hours).
5405 <span><strong class=
"command">max-ncache-ttl
</strong></span> cannot exceed
5407 be silently truncated to
7 days if set to a greater value.
5409 <dt><span class=
"term"><span><strong class=
"command">max-cache-ttl
</strong></span></span></dt>
5411 Sets the maximum time for which the server will
5412 cache ordinary (positive) answers. The default is
5414 A value of zero may cause all queries to return
5415 SERVFAIL, because of lost caches of intermediate
5416 RRsets (such as NS and glue AAAA/A records) in the
5419 <dt><span class=
"term"><span><strong class=
"command">min-roots
</strong></span></span></dt>
5422 The minimum number of root servers that
5423 is required for a request for the root servers to be
5424 accepted. The default
5425 is
<strong class=
"userinput"><code>2</code></strong>.
5427 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
5428 <h3 class=
"title">Note
</h3>
5430 Not implemented in
<acronym class=
"acronym">BIND
</acronym> 9.
5434 <dt><span class=
"term"><span><strong class=
"command">sig-validity-interval
</strong></span></span></dt>
5437 Specifies the number of days into the future when
5438 DNSSEC signatures automatically generated as a
5439 result of dynamic updates (
<a href=
"Bv9ARM.ch04.html#dynamic_update" title=
"Dynamic Update">the section called
“Dynamic Update
”</a>) will expire. There
5440 is an optional second field which specifies how
5441 long before expiry that the signatures will be
5442 regenerated. If not specified, the signatures will
5443 be regenerated at
1/
4 of base interval. The second
5444 field is specified in days if the base interval is
5445 greater than
7 days otherwise it is specified in hours.
5446 The default base interval is
<code class=
"literal">30</code> days
5447 giving a re-signing interval of
7 1/
2 days. The maximum
5448 values are
10 years (
3660 days).
5451 The signature inception time is unconditionally
5452 set to one hour before the current time to allow
5453 for a limited amount of clock skew.
5456 The
<span><strong class=
"command">sig-validity-interval
</strong></span>
5457 should be, at least, several multiples of the SOA
5458 expire interval to allow for reasonable interaction
5459 between the various timer and expiry dates.
5462 <dt><span class=
"term"><span><strong class=
"command">sig-signing-nodes
</strong></span></span></dt>
5464 Specify the maximum number of nodes to be
5465 examined in each quantum when signing a zone with
5466 a new DNSKEY. The default is
5467 <code class=
"literal">100</code>.
5469 <dt><span class=
"term"><span><strong class=
"command">sig-signing-signatures
</strong></span></span></dt>
5471 Specify a threshold number of signatures that
5472 will terminate processing a quantum when signing
5473 a zone with a new DNSKEY. The default is
5474 <code class=
"literal">10</code>.
5476 <dt><span class=
"term"><span><strong class=
"command">sig-signing-type
</strong></span></span></dt>
5479 Specify a private RDATA type to be used when generating
5480 signing state records. The default is
5481 <code class=
"literal">65534</code>.
5484 It is expected that this parameter may be removed
5485 in a future version once there is a standard type.
5488 Signing state records are used to internally by
5489 <span><strong class=
"command">named
</strong></span> to track the current state of
5490 a zone-signing process, i.e., whether it is still active
5491 or has been completed. The records can be inspected
5493 <span><strong class=
"command">rndc signing -list
<em class=
"replaceable"><code>zone
</code></em></strong></span>.
5494 Once
<span><strong class=
"command">named
</strong></span> has finished signing
5495 a zone with a particular key, the signing state
5496 record associated with that key can be removed from
5498 <span><strong class=
"command">rndc signing -clear
<em class=
"replaceable"><code>keyid/algorithm
</code></em> <em class=
"replaceable"><code>zone
</code></em></strong></span>.
5499 To clear all of the completed signing state
5500 records for a zone, use
5501 <span><strong class=
"command">rndc signing -clear all
<em class=
"replaceable"><code>zone
</code></em></strong></span>.
5505 <span class=
"term"><span><strong class=
"command">min-refresh-time
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">max-refresh-time
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">min-retry-time
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">max-retry-time
</strong></span></span>
5509 These options control the server's behavior on refreshing a
5511 (querying for SOA changes) or retrying failed transfers.
5512 Usually the SOA values for the zone are used, but these
5514 are set by the master, giving slave server administrators
5516 control over their contents.
5519 These options allow the administrator to set a minimum and
5521 refresh and retry time either per-zone, per-view, or
5523 These options are valid for slave and stub zones,
5524 and clamp the SOA refresh and retry times to the specified
5528 The following defaults apply.
5529 <span><strong class=
"command">min-refresh-time
</strong></span> 300 seconds,
5530 <span><strong class=
"command">max-refresh-time
</strong></span> 2419200 seconds
5531 (
4 weeks),
<span><strong class=
"command">min-retry-time
</strong></span> 500 seconds,
5532 and
<span><strong class=
"command">max-retry-time
</strong></span> 1209600 seconds
5536 <dt><span class=
"term"><span><strong class=
"command">edns-udp-size
</strong></span></span></dt>
5539 Sets the maximum advertised EDNS UDP buffer size in
5540 bytes, to control the size of packets received from
5541 authoritative servers in response to recursive queries.
5542 Valid values are
512 to
4096 (values outside this range
5543 will be silently adjusted to the nearest value within
5544 it). The default value is
4096.
5547 The usual reason for setting
5548 <span><strong class=
"command">edns-udp-size
</strong></span> to a non-default value
5549 is to get UDP answers to pass through broken firewalls
5550 that block fragmented packets and/or block UDP DNS
5551 packets that are greater than
512 bytes.
5554 When
<span><strong class=
"command">named
</strong></span> first queries a remote
5555 server, it will advertise a UDP buffer size of
512, as
5556 this has the greatest chance of success on the first try.
5559 If the initial response times out,
<span><strong class=
"command">named
</strong></span>
5560 will try again with plain DNS, and if that is successful,
5561 it will be taken as evidence that the server does not
5562 support EDNS. After enough failures using EDNS and
5563 successes using plain DNS,
<span><strong class=
"command">named
</strong></span>
5564 will default to plain DNS for future communications
5565 with that server. (Periodically,
<span><strong class=
"command">named
</strong></span>
5566 will send an EDNS query to see if the situation has
5570 However, if the initial query is successful with
5571 EDNS advertising a buffer size of
512, then
5572 <span><strong class=
"command">named
</strong></span> will advertise progressively
5573 larger buffer sizes on successive queries, until
5574 responses begin timing out or
5575 <span><strong class=
"command">edns-udp-size
</strong></span> is reached.
5578 The default buffer sizes used by
<span><strong class=
"command">named
</strong></span>
5579 are
512,
1232,
1432, and
4096, but never exceeding
5580 <span><strong class=
"command">edns-udp-size
</strong></span>. (The values
1232 and
5581 1432 are chosen to allow for an IPv4/IPv6 encapsulated
5582 UDP message to be sent without fragmentation at the
5583 minimum MTU sizes for Ethernet and IPv6 networks.)
5586 <dt><span class=
"term"><span><strong class=
"command">max-udp-size
</strong></span></span></dt>
5589 Sets the maximum EDNS UDP message size
5590 <span><strong class=
"command">named
</strong></span> will send in bytes.
5591 Valid values are
512 to
4096 (values outside this
5592 range will be silently adjusted to the nearest
5593 value within it). The default value is
4096.
5596 This value applies to responses sent by a server; to
5597 set the advertised buffer size in queries, see
5598 <span><strong class=
"command">edns-udp-size
</strong></span>.
5601 The usual reason for setting
5602 <span><strong class=
"command">max-udp-size
</strong></span> to a non-default
5603 value is to get UDP answers to pass through broken
5604 firewalls that block fragmented packets and/or
5605 block UDP packets that are greater than
512 bytes.
5606 This is independent of the advertised receive
5607 buffer (
<span><strong class=
"command">edns-udp-size
</strong></span>).
5610 Setting this to a low value will encourage additional
5611 TCP traffic to the nameserver.
5614 <dt><span class=
"term"><span><strong class=
"command">masterfile-format
</strong></span></span></dt>
5617 the file format of zone files (see
5618 <a href=
"Bv9ARM.ch06.html#zonefile_format" title=
"Additional File Formats">the section called
“Additional File Formats
”</a>).
5619 The default value is
<code class=
"constant">text
</code>, which is the
5620 standard textual representation, except for slave zones,
5621 in which the default value is
<code class=
"constant">raw
</code>.
5622 Files in other formats than
<code class=
"constant">text
</code> are
5623 typically expected to be generated by the
5624 <span><strong class=
"command">named-compilezone
</strong></span> tool, or dumped by
5625 <span><strong class=
"command">named
</strong></span>.
5628 Note that when a zone file in a different format than
5629 <code class=
"constant">text
</code> is loaded,
<span><strong class=
"command">named
</strong></span>
5630 may omit some of the checks which would be performed for a
5631 file in the
<code class=
"constant">text
</code> format. In particular,
5632 <span><strong class=
"command">check-names
</strong></span> checks do not apply
5633 for the
<code class=
"constant">raw
</code> format. This means
5634 a zone file in the
<code class=
"constant">raw
</code> format
5635 must be generated with the same check level as that
5636 specified in the
<span><strong class=
"command">named
</strong></span> configuration
5637 file. Also,
<code class=
"constant">map
</code> format files are
5638 loaded directly into memory via memory mapping, with only
5642 This statement sets the
5643 <span><strong class=
"command">masterfile-format
</strong></span> for all zones,
5644 but can be overridden on a per-zone or per-view basis
5645 by including a
<span><strong class=
"command">masterfile-format
</strong></span>
5646 statement within the
<span><strong class=
"command">zone
</strong></span> or
5647 <span><strong class=
"command">view
</strong></span> block in the configuration
5652 <a name=
"clients-per-query"></a><span class=
"term"><span><strong class=
"command">clients-per-query
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">max-clients-per-query
</strong></span></span>
5656 initial value (minimum) and maximum number of recursive
5657 simultaneous clients for any given query
5658 (
<qname,qtype,qclass
>) that the server will accept
5659 before dropping additional clients.
5660 <span><strong class=
"command">named
</strong></span> will attempt to
5661 self tune this value and changes will be logged. The
5662 default values are
10 and
100.
5665 This value should reflect how many queries come in for
5666 a given name in the time it takes to resolve that name.
5667 If the number of queries exceed this value,
<span><strong class=
"command">named
</strong></span> will
5668 assume that it is dealing with a non-responsive zone
5669 and will drop additional queries. If it gets a response
5670 after dropping queries, it will raise the estimate. The
5671 estimate will then be lowered in
20 minutes if it has
5675 If
<span><strong class=
"command">clients-per-query
</strong></span> is set to zero,
5676 then there is no limit on the number of clients per query
5677 and no queries will be dropped.
5680 If
<span><strong class=
"command">max-clients-per-query
</strong></span> is set to zero,
5681 then there is no upper bound other than imposed by
5682 <span><strong class=
"command">recursive-clients
</strong></span>.
5686 <a name=
"max-recursion-depth"></a><span class=
"term"><span><strong class=
"command">max-recursion-depth
</strong></span></span>
5689 Sets the maximum number of levels of recursion
5690 that are permitted at any one time while servicing
5691 a recursive query. Resolving a name may require
5692 looking up a name server address, which in turn
5693 requires resolving another name, etc; if the number
5694 of indirections exceeds this value, the recursive
5695 query is terminated and returns SERVFAIL. The
5699 <a name=
"max-recursion-queries"></a><span class=
"term"><span><strong class=
"command">max-recursion-queries
</strong></span></span>
5702 Sets the maximum number of iterative queries that
5703 may be sent while servicing a recursive query.
5704 If more queries are sent, the recursive query
5705 is terminated and returns SERVFAIL. Queries to
5706 look up top level comains such as
"com" and
"net"
5707 and the DNS root zone are exempt from this limitation.
5710 <dt><span class=
"term"><span><strong class=
"command">notify-delay
</strong></span></span></dt>
5713 The delay, in seconds, between sending sets of notify
5714 messages for a zone. The default is five (
5) seconds.
5717 The overall rate that NOTIFY messages are sent for all
5718 zones is controlled by
<span><strong class=
"command">serial-query-rate
</strong></span>.
5721 <dt><span class=
"term"><span><strong class=
"command">max-rsa-exponent-size
</strong></span></span></dt>
5723 The maximum RSA exponent size, in bits, that will
5724 be accepted when validating. Valid values are
35
5725 to
4096 bits. The default zero (
0) is also accepted
5726 and is equivalent to
4096.
5728 <dt><span class=
"term"><span><strong class=
"command">prefetch
</strong></span></span></dt>
5731 When a query is received for cached data which
5732 is to expire shortly,
<span><strong class=
"command">named
</strong></span> can
5733 refresh the data from the authoritative server
5734 immediately, ensuring that the cache always has an
5738 The
<code class=
"option">prefetch
</code> specifies the
5739 "trigger" TTL value at which prefetch of the current
5740 query will take place: when a cache record with a
5741 lower TTL value is encountered during query processing,
5742 it will be refreshed. Valid trigger TTL values are
1 to
5743 10 seconds. Values larger than
10 seconds will be silently
5745 Setting a trigger TTL to zero (
0) causes
5746 prefetch to be disabled.
5747 The default trigger TTL is
<code class=
"literal">2</code>.
5750 An optional second argument specifies the
"eligibility"
5751 TTL: the smallest
<span class=
"emphasis"><em>original
</em></span>
5752 TTL value that will be accepted for a record to be
5753 eligible for prefetching. The eligibility TTL must
5754 be at least six seconds longer than the trigger TTL;
5755 if it isn't,
<span><strong class=
"command">named
</strong></span> will silently
5757 The default eligibility TTL is
<code class=
"literal">9</code>.
5762 <div class=
"sect3" lang=
"en">
5763 <div class=
"titlepage"><div><div><h4 class=
"title">
5764 <a name=
"builtin"></a>Built-in server information zones
</h4></div></div></div>
5766 The server provides some helpful diagnostic information
5767 through a number of built-in zones under the
5768 pseudo-top-level-domain
<code class=
"literal">bind
</code> in the
5769 <span><strong class=
"command">CHAOS
</strong></span> class. These zones are part
5771 built-in view (see
<a href=
"Bv9ARM.ch06.html#view_statement_grammar" title=
"view Statement Grammar">the section called
“<span><strong class=
"command">view
</strong></span> Statement Grammar
”</a>) of
5773 <span><strong class=
"command">CHAOS
</strong></span> which is separate from the
5774 default view of class
<span><strong class=
"command">IN
</strong></span>. Most global
5775 configuration options (
<span><strong class=
"command">allow-query
</strong></span>,
5776 etc) will apply to this view, but some are locally
5777 overridden:
<span><strong class=
"command">notify
</strong></span>,
5778 <span><strong class=
"command">recursion
</strong></span> and
5779 <span><strong class=
"command">allow-new-zones
</strong></span> are
5780 always set to
<strong class=
"userinput"><code>no
</code></strong>, and
5781 <span><strong class=
"command">rate-limit
</strong></span> is set to allow
5782 three responses per second.
5785 If you need to disable these zones, use the options
5786 below, or hide the built-in
<span><strong class=
"command">CHAOS
</strong></span>
5788 defining an explicit view of class
<span><strong class=
"command">CHAOS
</strong></span>
5789 that matches all clients.
5791 <div class=
"variablelist"><dl>
5792 <dt><span class=
"term"><span><strong class=
"command">version
</strong></span></span></dt>
5794 The version the server should report
5795 via a query of the name
<code class=
"literal">version.bind
</code>
5796 with type
<span><strong class=
"command">TXT
</strong></span>, class
<span><strong class=
"command">CHAOS
</strong></span>.
5797 The default is the real version number of this server.
5798 Specifying
<span><strong class=
"command">version none
</strong></span>
5799 disables processing of the queries.
5801 <dt><span class=
"term"><span><strong class=
"command">hostname
</strong></span></span></dt>
5803 The hostname the server should report via a query of
5804 the name
<code class=
"filename">hostname.bind
</code>
5805 with type
<span><strong class=
"command">TXT
</strong></span>, class
<span><strong class=
"command">CHAOS
</strong></span>.
5806 This defaults to the hostname of the machine hosting the
5808 found by the gethostname() function. The primary purpose of such queries
5810 identify which of a group of anycast servers is actually
5811 answering your queries. Specifying
<span><strong class=
"command">hostname none;
</strong></span>
5812 disables processing of the queries.
5814 <dt><span class=
"term"><span><strong class=
"command">server-id
</strong></span></span></dt>
5816 The ID the server should report when receiving a Name
5817 Server Identifier (NSID) query, or a query of the name
5818 <code class=
"filename">ID.SERVER
</code> with type
5819 <span><strong class=
"command">TXT
</strong></span>, class
<span><strong class=
"command">CHAOS
</strong></span>.
5820 The primary purpose of such queries is to
5821 identify which of a group of anycast servers is actually
5822 answering your queries. Specifying
<span><strong class=
"command">server-id none;
</strong></span>
5823 disables processing of the queries.
5824 Specifying
<span><strong class=
"command">server-id hostname;
</strong></span> will cause
<span><strong class=
"command">named
</strong></span> to
5825 use the hostname as found by the gethostname() function.
5826 The default
<span><strong class=
"command">server-id
</strong></span> is
<span><strong class=
"command">none
</strong></span>.
5830 <div class=
"sect3" lang=
"en">
5831 <div class=
"titlepage"><div><div><h4 class=
"title">
5832 <a name=
"empty"></a>Built-in Empty Zones
</h4></div></div></div>
5834 Named has some built-in empty zones (SOA and NS records only).
5835 These are for zones that should normally be answered locally
5836 and which queries should not be sent to the Internet's root
5837 servers. The official servers which cover these namespaces
5838 return NXDOMAIN responses to these queries. In particular,
5839 these cover the reverse namespaces for addresses from
5840 RFC
1918, RFC
4193, RFC
5737 and RFC
6598. They also include the
5841 reverse namespace for IPv6 local address (locally assigned),
5842 IPv6 link local addresses, the IPv6 loopback address and the
5843 IPv6 unknown address.
5846 Named will attempt to determine if a built-in zone already exists
5847 or is active (covered by a forward-only forwarding declaration)
5848 and will not create an empty zone in that case.
5851 The current list of empty zones is:
5853 <div class=
"itemizedlist"><ul type=
"disc">
5854 <li>10.IN-ADDR.ARPA
</li>
5855 <li>16.172.IN-ADDR.ARPA
</li>
5856 <li>17.172.IN-ADDR.ARPA
</li>
5857 <li>18.172.IN-ADDR.ARPA
</li>
5858 <li>19.172.IN-ADDR.ARPA
</li>
5859 <li>20.172.IN-ADDR.ARPA
</li>
5860 <li>21.172.IN-ADDR.ARPA
</li>
5861 <li>22.172.IN-ADDR.ARPA
</li>
5862 <li>23.172.IN-ADDR.ARPA
</li>
5863 <li>24.172.IN-ADDR.ARPA
</li>
5864 <li>25.172.IN-ADDR.ARPA
</li>
5865 <li>26.172.IN-ADDR.ARPA
</li>
5866 <li>27.172.IN-ADDR.ARPA
</li>
5867 <li>28.172.IN-ADDR.ARPA
</li>
5868 <li>29.172.IN-ADDR.ARPA
</li>
5869 <li>30.172.IN-ADDR.ARPA
</li>
5870 <li>31.172.IN-ADDR.ARPA
</li>
5871 <li>168.192.IN-ADDR.ARPA
</li>
5872 <li>64.100.IN-ADDR.ARPA
</li>
5873 <li>65.100.IN-ADDR.ARPA
</li>
5874 <li>66.100.IN-ADDR.ARPA
</li>
5875 <li>67.100.IN-ADDR.ARPA
</li>
5876 <li>68.100.IN-ADDR.ARPA
</li>
5877 <li>69.100.IN-ADDR.ARPA
</li>
5878 <li>70.100.IN-ADDR.ARPA
</li>
5879 <li>71.100.IN-ADDR.ARPA
</li>
5880 <li>72.100.IN-ADDR.ARPA
</li>
5881 <li>73.100.IN-ADDR.ARPA
</li>
5882 <li>74.100.IN-ADDR.ARPA
</li>
5883 <li>75.100.IN-ADDR.ARPA
</li>
5884 <li>76.100.IN-ADDR.ARPA
</li>
5885 <li>77.100.IN-ADDR.ARPA
</li>
5886 <li>78.100.IN-ADDR.ARPA
</li>
5887 <li>79.100.IN-ADDR.ARPA
</li>
5888 <li>80.100.IN-ADDR.ARPA
</li>
5889 <li>81.100.IN-ADDR.ARPA
</li>
5890 <li>82.100.IN-ADDR.ARPA
</li>
5891 <li>83.100.IN-ADDR.ARPA
</li>
5892 <li>84.100.IN-ADDR.ARPA
</li>
5893 <li>85.100.IN-ADDR.ARPA
</li>
5894 <li>86.100.IN-ADDR.ARPA
</li>
5895 <li>87.100.IN-ADDR.ARPA
</li>
5896 <li>88.100.IN-ADDR.ARPA
</li>
5897 <li>89.100.IN-ADDR.ARPA
</li>
5898 <li>90.100.IN-ADDR.ARPA
</li>
5899 <li>91.100.IN-ADDR.ARPA
</li>
5900 <li>92.100.IN-ADDR.ARPA
</li>
5901 <li>93.100.IN-ADDR.ARPA
</li>
5902 <li>94.100.IN-ADDR.ARPA
</li>
5903 <li>95.100.IN-ADDR.ARPA
</li>
5904 <li>96.100.IN-ADDR.ARPA
</li>
5905 <li>97.100.IN-ADDR.ARPA
</li>
5906 <li>98.100.IN-ADDR.ARPA
</li>
5907 <li>99.100.IN-ADDR.ARPA
</li>
5908 <li>100.100.IN-ADDR.ARPA
</li>
5909 <li>101.100.IN-ADDR.ARPA
</li>
5910 <li>102.100.IN-ADDR.ARPA
</li>
5911 <li>103.100.IN-ADDR.ARPA
</li>
5912 <li>104.100.IN-ADDR.ARPA
</li>
5913 <li>105.100.IN-ADDR.ARPA
</li>
5914 <li>106.100.IN-ADDR.ARPA
</li>
5915 <li>107.100.IN-ADDR.ARPA
</li>
5916 <li>108.100.IN-ADDR.ARPA
</li>
5917 <li>109.100.IN-ADDR.ARPA
</li>
5918 <li>110.100.IN-ADDR.ARPA
</li>
5919 <li>111.100.IN-ADDR.ARPA
</li>
5920 <li>112.100.IN-ADDR.ARPA
</li>
5921 <li>113.100.IN-ADDR.ARPA
</li>
5922 <li>114.100.IN-ADDR.ARPA
</li>
5923 <li>115.100.IN-ADDR.ARPA
</li>
5924 <li>116.100.IN-ADDR.ARPA
</li>
5925 <li>117.100.IN-ADDR.ARPA
</li>
5926 <li>118.100.IN-ADDR.ARPA
</li>
5927 <li>119.100.IN-ADDR.ARPA
</li>
5928 <li>120.100.IN-ADDR.ARPA
</li>
5929 <li>121.100.IN-ADDR.ARPA
</li>
5930 <li>122.100.IN-ADDR.ARPA
</li>
5931 <li>123.100.IN-ADDR.ARPA
</li>
5932 <li>124.100.IN-ADDR.ARPA
</li>
5933 <li>125.100.IN-ADDR.ARPA
</li>
5934 <li>126.100.IN-ADDR.ARPA
</li>
5935 <li>127.100.IN-ADDR.ARPA
</li>
5936 <li>0.IN-ADDR.ARPA
</li>
5937 <li>127.IN-ADDR.ARPA
</li>
5938 <li>254.169.IN-ADDR.ARPA
</li>
5939 <li>2.0.192.IN-ADDR.ARPA
</li>
5940 <li>100.51.198.IN-ADDR.ARPA
</li>
5941 <li>113.0.203.IN-ADDR.ARPA
</li>
5942 <li>255.255.255.255.IN-ADDR.ARPA
</li>
5943 <li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
</li>
5944 <li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
</li>
5945 <li>8.B.D
.0.1.0.0.2.IP6.ARPA
</li>
5946 <li>D.F.IP6.ARPA
</li>
5947 <li>8.E.F.IP6.ARPA
</li>
5948 <li>9.E.F.IP6.ARPA
</li>
5949 <li>A.E.F.IP6.ARPA
</li>
5950 <li>B.E.F.IP6.ARPA
</li>
5955 Empty zones are settable at the view level and only apply to
5956 views of class IN. Disabled empty zones are only inherited
5957 from options if there are no disabled empty zones specified
5958 at the view level. To override the options list of disabled
5959 zones, you can disable the root zone at the view level, for example:
5961 <pre class=
"programlisting">
5962 disable-empty-zone
".";
5967 If you are using the address ranges covered here, you should
5968 already have reverse zones covering the addresses you use.
5969 In practice this appears to not be the case with many queries
5970 being made to the infrastructure servers for names in these
5971 spaces. So many in fact that sacrificial servers were needed
5972 to be deployed to channel the query load away from the
5973 infrastructure servers.
5975 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
5976 <h3 class=
"title">Note
</h3>
5977 The real parent servers for these zones should disable all
5978 empty zone under the parent zone they serve. For the real
5979 root servers, this is all built-in empty zones. This will
5980 enable them to return referrals to deeper in the tree.
5982 <div class=
"variablelist"><dl>
5983 <dt><span class=
"term"><span><strong class=
"command">empty-server
</strong></span></span></dt>
5985 Specify what server name will appear in the returned
5986 SOA record for empty zones. If none is specified, then
5987 the zone's name will be used.
5989 <dt><span class=
"term"><span><strong class=
"command">empty-contact
</strong></span></span></dt>
5991 Specify what contact name will appear in the returned
5992 SOA record for empty zones. If none is specified, then
5995 <dt><span class=
"term"><span><strong class=
"command">empty-zones-enable
</strong></span></span></dt>
5997 Enable or disable all empty zones. By default, they
6000 <dt><span class=
"term"><span><strong class=
"command">disable-empty-zone
</strong></span></span></dt>
6002 Disable individual empty zones. By default, none are
6003 disabled. This option can be specified multiple times.
6007 <div class=
"sect3" lang=
"en">
6008 <div class=
"titlepage"><div><div><h4 class=
"title">
6009 <a name=
"acache"></a>Additional Section Caching
</h4></div></div></div>
6011 The additional section cache, also called
<span><strong class=
"command">acache
</strong></span>,
6012 is an internal cache to improve the response performance of BIND
9.
6013 When additional section caching is enabled, BIND
9 will
6014 cache an internal short-cut to the additional section content for
6016 Note that
<span><strong class=
"command">acache
</strong></span> is an internal caching
6017 mechanism of BIND
9, and is not related to the DNS caching
6021 Additional section caching does not change the
6022 response content (except the RRsets ordering of the additional
6023 section, see below), but can improve the response performance
6025 It is particularly effective when BIND
9 acts as an authoritative
6026 server for a zone that has many delegations with many glue RRs.
6029 In order to obtain the maximum performance improvement
6030 from additional section caching, setting
6031 <span><strong class=
"command">additional-from-cache
</strong></span>
6032 to
<span><strong class=
"command">no
</strong></span> is recommended, since the current
6033 implementation of
<span><strong class=
"command">acache
</strong></span>
6034 does not short-cut of additional section information from the
6038 One obvious disadvantage of
<span><strong class=
"command">acache
</strong></span> is
6039 that it requires much more
6040 memory for the internal cached data.
6041 Thus, if the response performance does not matter and memory
6042 consumption is much more critical, the
6043 <span><strong class=
"command">acache
</strong></span> mechanism can be
6044 disabled by setting
<span><strong class=
"command">acache-enable
</strong></span> to
6045 <span><strong class=
"command">no
</strong></span>.
6046 It is also possible to specify the upper limit of memory
6048 for acache by using
<span><strong class=
"command">max-acache-size
</strong></span>.
6051 Additional section caching also has a minor effect on the
6052 RRset ordering in the additional section.
6053 Without
<span><strong class=
"command">acache
</strong></span>,
6054 <span><strong class=
"command">cyclic
</strong></span> order is effective for the additional
6055 section as well as the answer and authority sections.
6056 However, additional section caching fixes the ordering when it
6057 first caches an RRset for the additional section, and the same
6058 ordering will be kept in succeeding responses, regardless of the
6059 setting of
<span><strong class=
"command">rrset-order
</strong></span>.
6060 The effect of this should be minor, however, since an
6061 RRset in the additional section
6062 typically only contains a small number of RRs (and in many cases
6063 it only contains a single RR), in which case the
6064 ordering does not matter much.
6067 The following is a summary of options related to
6068 <span><strong class=
"command">acache
</strong></span>.
6070 <div class=
"variablelist"><dl>
6071 <dt><span class=
"term"><span><strong class=
"command">acache-enable
</strong></span></span></dt>
6073 If
<span><strong class=
"command">yes
</strong></span>, additional section caching is
6074 enabled. The default value is
<span><strong class=
"command">no
</strong></span>.
6076 <dt><span class=
"term"><span><strong class=
"command">acache-cleaning-interval
</strong></span></span></dt>
6078 The server will remove stale cache entries, based on an LRU
6080 algorithm, every
<span><strong class=
"command">acache-cleaning-interval
</strong></span> minutes.
6081 The default is
60 minutes.
6082 If set to
0, no periodic cleaning will occur.
6084 <dt><span class=
"term"><span><strong class=
"command">max-acache-size
</strong></span></span></dt>
6086 The maximum amount of memory in bytes to use for the server's acache.
6087 When the amount of data in the acache reaches this limit,
6089 will clean more aggressively so that the limit is not
6091 In a server with multiple views, the limit applies
6093 acache of each view.
6094 The default is
<code class=
"literal">16M
</code>.
6098 <div class=
"sect3" lang=
"en">
6099 <div class=
"titlepage"><div><div><h4 class=
"title">
6100 <a name=
"id2589422"></a>Content Filtering
</h4></div></div></div>
6102 <acronym class=
"acronym">BIND
</acronym> 9 provides the ability to filter
6103 out DNS responses from external DNS servers containing
6104 certain types of data in the answer section.
6105 Specifically, it can reject address (A or AAAA) records if
6106 the corresponding IPv4 or IPv6 addresses match the given
6107 <code class=
"varname">address_match_list
</code> of the
6108 <span><strong class=
"command">deny-answer-addresses
</strong></span> option.
6109 It can also reject CNAME or DNAME records if the
"alias"
6110 name (i.e., the CNAME alias or the substituted query name
6111 due to DNAME) matches the
6112 given
<code class=
"varname">namelist
</code> of the
6113 <span><strong class=
"command">deny-answer-aliases
</strong></span> option, where
6114 "match" means the alias name is a subdomain of one of
6115 the
<code class=
"varname">name_list
</code> elements.
6116 If the optional
<code class=
"varname">namelist
</code> is specified
6117 with
<span><strong class=
"command">except-from
</strong></span>, records whose query name
6118 matches the list will be accepted regardless of the filter
6120 Likewise, if the alias name is a subdomain of the
6121 corresponding zone, the
<span><strong class=
"command">deny-answer-aliases
</strong></span>
6122 filter will not apply;
6123 for example, even if
"example.com" is specified for
6124 <span><strong class=
"command">deny-answer-aliases
</strong></span>,
6126 <pre class=
"programlisting">www.example.com. CNAME xxx.example.com.
</pre>
6128 returned by an
"example.com" server will be accepted.
6131 In the
<code class=
"varname">address_match_list
</code> of the
6132 <span><strong class=
"command">deny-answer-addresses
</strong></span> option, only
6133 <code class=
"varname">ip_addr
</code>
6134 and
<code class=
"varname">ip_prefix
</code>
6136 any
<code class=
"varname">key_id
</code> will be silently ignored.
6139 If a response message is rejected due to the filtering,
6140 the entire message is discarded without being cached, and
6141 a SERVFAIL error will be returned to the client.
6144 This filtering is intended to prevent
"DNS rebinding attacks," in
6145 which an attacker, in response to a query for a domain name the
6146 attacker controls, returns an IP address within your own network or
6147 an alias name within your own domain.
6148 A naive web browser or script could then serve as an
6149 unintended proxy, allowing the attacker
6150 to get access to an internal node of your local network
6151 that couldn't be externally accessed otherwise.
6152 See the paper available at
6153 <a href=
"http://portal.acm.org/citation.cfm?id=1315245.1315298" target=
"_top">
6154 http://portal.acm.org/citation.cfm?id=
1315245.1315298
6156 for more details about the attacks.
6159 For example, if you own a domain named
"example.net" and
6160 your internal network uses an IPv4 prefix
192.0.2.0/
24,
6161 you might specify the following rules:
6163 <pre class=
"programlisting">deny-answer-addresses {
192.0.2.0/
24; } except-from {
"example.net"; };
6164 deny-answer-aliases {
"example.net"; };
6167 If an external attacker lets a web browser in your local
6168 network look up an IPv4 address of
"attacker.example.com",
6169 the attacker's DNS server would return a response like this:
6171 <pre class=
"programlisting">attacker.example.com. A
192.0.2.1</pre>
6173 in the answer section.
6174 Since the rdata of this record (the IPv4 address) matches
6175 the specified prefix
192.0.2.0/
24, this response will be
6179 On the other hand, if the browser looks up a legitimate
6180 internal web server
"www.example.net" and the
6181 following response is returned to
6182 the
<acronym class=
"acronym">BIND
</acronym> 9 server
6184 <pre class=
"programlisting">www.example.net. A
192.0.2.2</pre>
6186 it will be accepted since the owner name
"www.example.net"
6187 matches the
<span><strong class=
"command">except-from
</strong></span> element,
6191 Note that this is not really an attack on the DNS per se.
6192 In fact, there is nothing wrong for an
"external" name to
6193 be mapped to your
"internal" IP address or domain name
6194 from the DNS point of view.
6195 It might actually be provided for a legitimate purpose,
6196 such as for debugging.
6197 As long as the mapping is provided by the correct owner,
6198 it is not possible or does not make sense to detect
6199 whether the intent of the mapping is legitimate or not
6201 The
"rebinding" attack must primarily be protected at the
6202 application that uses the DNS.
6203 For a large site, however, it may be difficult to protect
6204 all possible applications at once.
6205 This filtering feature is provided only to help such an
6206 operational environment;
6207 it is generally discouraged to turn it on unless you are
6208 very sure you have no other choice and the attack is a
6209 real threat for your applications.
6212 Care should be particularly taken if you want to use this
6213 option for addresses within
127.0.0.0/
8.
6214 These addresses are obviously
"internal", but many
6215 applications conventionally rely on a DNS mapping from
6216 some name to such an address.
6217 Filtering out DNS records containing this address
6218 spuriously can break such applications.
6221 <div class=
"sect3" lang=
"en">
6222 <div class=
"titlepage"><div><div><h4 class=
"title">
6223 <a name=
"id2589548"></a>Response Policy Zone (RPZ) Rewriting
</h4></div></div></div>
6225 <acronym class=
"acronym">BIND
</acronym> 9 includes a limited
6226 mechanism to modify DNS responses for requests
6227 analogous to email anti-spam DNS blacklists.
6228 Responses can be changed to deny the existence of domains (NXDOMAIN),
6229 deny the existence of IP addresses for domains (NODATA),
6230 or contain other IP addresses or data.
6233 Response policy zones are named in the
6234 <span><strong class=
"command">response-policy
</strong></span> option for the view or among the
6235 global options if there is no response-policy option for the view.
6236 Response policy zones are ordinary DNS zones containing RRsets
6237 that can be queried normally if allowed.
6238 It is usually best to restrict those queries with something like
6239 <span><strong class=
"command">allow-query { localhost; };
</strong></span>.
6242 A
<span><strong class=
"command">response-policy
</strong></span> option can support
6243 multiple policy zones. To maximize performance, a radix
6244 tree is used to quickly identify response policy zones
6245 containing triggers that match the current query. This
6246 imposes an upper limit of
32 on the number of policy zones
6247 in a single
<span><strong class=
"command">response-policy
</strong></span> option; more
6248 than that is a configuration error.
6251 Five policy triggers can be encoded in RPZ records.
6253 <div class=
"variablelist"><dl>
6254 <dt><span class=
"term"><span><strong class=
"command">RPZ-CLIENT-IP
</strong></span></span></dt>
6257 IP records are triggered by the IP address of the
6259 Client IP address triggers are encoded in records that have
6260 owner names that are subdomains of
6261 <span><strong class=
"command">rpz-client-ip
</strong></span> relativized to the
6262 policy zone origin name
6263 and encode an address or address block.
6264 IPv4 addresses are represented as
6265 <strong class=
"userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip
</code></strong>.
6266 The IPv4 prefix length must be between
1 and
32.
6267 All four bytes, B4, B3, B2, and B1, must be present.
6268 B4 is the decimal value of the least significant byte of the
6269 IPv4 address as in IN-ADDR.ARPA.
6272 IPv6 addresses are encoded in a format similar
6273 to the standard IPv6 text representation,
6274 <strong class=
"userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip
</code></strong>.
6275 Each of W8,...,W1 is a one to four digit hexadecimal number
6276 representing
16 bits of the IPv6 address as in the standard
6277 text representation of IPv6 addresses,
6278 but reversed as in IN-ADDR.ARPA.
6279 All
8 words must be present except when one set of consecutive
6280 zero words is replaced with
<strong class=
"userinput"><code>.zz.
</code></strong>
6281 analogous to double colons (::) in standard IPv6 text
6283 The IPv6 prefix length must be between
64 and
128.
6286 <dt><span class=
"term"><span><strong class=
"command">QNAME
</strong></span></span></dt>
6288 QNAME policy records are triggered by query names of
6289 requests and targets of CNAME records resolved to generate
6291 The owner name of a QNAME policy record is
6292 the query name relativized to the policy zone.
6294 <dt><span class=
"term"><span><strong class=
"command">RPZ-IP
</strong></span></span></dt>
6296 IP triggers are IP addresses in an
6297 A or AAAA record in the ANSWER section of a response.
6298 They are encoded like client-IP triggers except as
6299 subdomains of
<span><strong class=
"command">rpz-ip
</strong></span>.
6301 <dt><span class=
"term"><span><strong class=
"command">RPZ-NSDNAME
</strong></span></span></dt>
6303 NSDNAME triggers match names of authoritative servers
6304 for the query name, a parent of the query name, a CNAME for
6305 query name, or a parent of a CNAME.
6306 They are encoded as subdomains of
6307 <span><strong class=
"command">rpz-nsdname
</strong></span> relativized
6308 to the RPZ origin name.
6309 NSIP triggers match IP addresses in A and
6310 AAAA RRsets for domains that can be checked against NSDNAME
6313 <dt><span class=
"term"><span><strong class=
"command">RPZ-NSIP
</strong></span></span></dt>
6315 NSIP triggers are encoded like IP triggers except as
6316 subdomains of
<span><strong class=
"command">rpz-nsip
</strong></span>.
6317 NSDNAME and NSIP triggers are checked only for names with at
6318 least
<span><strong class=
"command">min-ns-dots
</strong></span> dots.
6319 The default value of
<span><strong class=
"command">min-ns-dots
</strong></span> is
1 to
6320 exclude top level domains.
6326 The query response is checked against all response policy zones,
6327 so two or more policy records can be triggered by a response.
6328 Because DNS responses are rewritten according to at most one
6329 policy record, a single record encoding an action (other than
6330 <span><strong class=
"command">DISABLED
</strong></span> actions) must be chosen.
6331 Triggers or the records that encode them are chosen for the
6332 rewriting in the following order:
6334 <div class=
"orderedlist"><ol type=
"1">
6335 <li>Choose the triggered record in the zone that appears
6336 first in the
<span><strong class=
"command">response-policy
</strong></span> option.
6338 <li>Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP
6339 triggers in a single zone.
6341 <li>Among NSDNAME triggers, prefer the
6342 trigger that matches the smallest name under the DNSSEC ordering.
6344 <li>Among IP or NSIP triggers, prefer the trigger
6345 with the longest prefix.
6347 <li>Among triggers with the same prefix length,
6348 prefer the IP or NSIP trigger that matches
6349 the smallest IP address.
6355 When the processing of a response is restarted to resolve
6356 DNAME or CNAME records and a policy record set has
6358 all response policy zones are again consulted for the
6359 DNAME or CNAME names and addresses.
6362 RPZ record sets are any types of DNS record except
6363 DNAME or DNSSEC that encode actions or responses to
6365 Any of the policies can be used with any of the triggers.
6366 For example, while the
<span><strong class=
"command">TCP-only
</strong></span> policy is
6367 commonly used with
<span><strong class=
"command">client-IP
</strong></span> triggers,
6368 it cn be used with any type of trigger to force the use of
6369 TCP for responses with owner names in a zone.
6371 <div class=
"variablelist"><dl>
6372 <dt><span class=
"term"><span><strong class=
"command">PASSTHRU
</strong></span></span></dt>
6374 The whitelist policy is specified
6375 by a CNAME whose target is
<span><strong class=
"command">rpz-passthru
</strong></span>.
6376 It causes the response to not be rewritten
6377 and is most often used to
"poke holes" in policies for
6380 <dt><span class=
"term"><span><strong class=
"command">DROP
</strong></span></span></dt>
6382 The blacklist policy is specified
6383 by a CNAME whose target is
<span><strong class=
"command">rpz-drop
</strong></span>.
6384 It causes the response to be discarded.
6385 Nothing is sent to the DNS client.
6387 <dt><span class=
"term"><span><strong class=
"command">TCP-Only
</strong></span></span></dt>
6389 The
"slip" policy is specified
6390 by a CNAME whose target is
<span><strong class=
"command">rpz-tcp-only
</strong></span>.
6391 It changes UDP responses to short, truncated DNS responses
6392 that require the DNS client to try again with TCP.
6393 It is used to mitigate distributed DNS reflection attacks.
6395 <dt><span class=
"term"><span><strong class=
"command">NXDOMAIN
</strong></span></span></dt>
6397 The domain undefined response is encoded
6398 by a CNAME whose target is the root domain (.)
6400 <dt><span class=
"term"><span><strong class=
"command">NODATA
</strong></span></span></dt>
6402 The empty set of resource records is specified by
6403 CNAME whose target is the wildcard top-level
6405 It rewrites the response to NODATA or ANCOUNT=
1.
6407 <dt><span class=
"term"><span><strong class=
"command">Local Data
</strong></span></span></dt>
6410 A set of ordinary DNS records can be used to answer queries.
6411 Queries for record types not the set are answered with
6415 A special form of local data is a CNAME whose target is a
6416 wildcard such as *.example.com.
6417 It is used as if were an ordinary CNAME after the astrisk (*)
6418 has been replaced with the query name.
6419 The purpose for this special form is query logging in the
6420 walled garden's authority DNS server.
6427 All of the actions specified in all of the individual records
6429 can be overridden with a
<span><strong class=
"command">policy
</strong></span> clause in the
6430 <span><strong class=
"command">response-policy
</strong></span> option.
6431 An organization using a policy zone provided by another
6432 organization might use this mechanism to redirect domains
6433 to its own walled garden.
6435 <div class=
"variablelist"><dl>
6436 <dt><span class=
"term"><span><strong class=
"command">GIVEN
</strong></span></span></dt>
6437 <dd><p>The placeholder policy says
"do not override but
6438 perform the action specified in the zone."
6440 <dt><span class=
"term"><span><strong class=
"command">DISABLED
</strong></span></span></dt>
6442 The testing override policy causes policy zone records to do
6443 nothing but log what they would have done if the
6444 policy zone were not disabled.
6445 The response to the DNS query will be written (or not)
6446 according to any triggered policy records that are not
6448 Disabled policy zones should appear first,
6449 because they will often not be logged
6450 if a higher precedence trigger is found first.
6453 <span class=
"term"><span><strong class=
"command">PASSTHRU
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">DROP
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">TCP-Only
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">NXDOMAIN
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">NODATA
</strong></span></span>
6456 override with the corresponding per-record policy.
6458 <dt><span class=
"term"><span><strong class=
"command">CNAME domain
</strong></span></span></dt>
6460 causes all RPZ policy records to act as if they were
6461 "cname domain" records.
6467 By default, the actions encoded in a response policy zone
6468 are applied only to queries that ask for recursion (RD=
1).
6469 That default can be changed for a single policy zone or
6470 all response policy zones in a view
6471 with a
<span><strong class=
"command">recursive-only no
</strong></span> clause.
6472 This feature is useful for serving the same zone files
6473 both inside and outside an RFC
1918 cloud and using RPZ to
6474 delete answers that would otherwise contain RFC
1918 values
6475 on the externally visible name server or view.
6478 Also by default, RPZ actions are applied only to DNS requests
6479 that either do not request DNSSEC metadata (DO=
0) or when no
6480 DNSSEC records are available for request name in the original
6481 zone (not the response policy zone). This default can be
6482 changed for all response policy zones in a view with a
6483 <span><strong class=
"command">break-dnssec yes
</strong></span> clause. In that case, RPZ
6484 actions are applied regardless of DNSSEC. The name of the
6485 clause option reflects the fact that results rewritten by RPZ
6486 actions cannot verify.
6489 No DNS records are needed for a QNAME or Client-IP trigger.
6490 The name or IP address itself is sufficient,
6491 so in principle the query name need not be recursively resolved.
6492 However, not resolving the requested
6493 name can leak the fact that response policy rewriting is in use
6494 and that the name is listed in a policy zone to operators of
6495 servers for listed names. To prevent that information leak, by
6496 default any recursion needed for a request is done before any
6497 policy triggers are considered. Because listed domains often
6498 have slow authoritative servers, this default behavior can cost
6500 The
<span><strong class=
"command">qname-wait-recurse no
</strong></span> option
6501 overrides that default behavior when recursion cannot
6502 change a non-error response.
6503 The option does not affect QNAME or client-IP triggers
6504 in policy zones listed
6505 after other zones containing IP, NSIP and NSDNAME triggers, because
6506 those may depend on the A, AAAA, and NS records that would be
6507 found during recursive resolution. It also does not affect
6508 DNSSEC requests (DO=
1) unless
<span><strong class=
"command">break-dnssec yes
</strong></span>
6509 is in use, because the response would depend on whether or not
6510 RRSIG records were found during resolution.
6511 Using this option can cause error responses such as SERVFAIL to
6512 appear to be rewritten, since no recursion is being done to
6513 discover problems at the authoritative server.
6516 The TTL of a record modified by RPZ policies is set from the
6517 TTL of the relevant record in policy zone. It is then limited
6519 The
<span><strong class=
"command">max-policy-ttl
</strong></span> clause changes that
6520 maximum from its default of
5.
6523 For example, you might use this option statement
6525 <pre class=
"programlisting"> response-policy { zone
"badlist"; };
</pre>
6527 and this zone statement
6529 <pre class=
"programlisting"> zone
"badlist" {type master; file
"master/badlist"; allow-query {none;}; };
</pre>
6533 <pre class=
"programlisting">$TTL
1H
6534 @ SOA LOCALHOST. named-mgr.example.com (
1 1h
15m
30d
2h)
6537 ; QNAME policy records. There are no periods (.) after the owner names.
6538 nxdomain.domain.com CNAME . ; NXDOMAIN policy
6539 *.nxdomain.domain.com CNAME . ; NXDOMAIN policy
6540 nodata.domain.com CNAME *. ; NODATA policy
6541 *.nodata.domain.com CNAME *. ; NODATA policy
6542 bad.domain.com A
10.0.0.1 ; redirect to a walled garden
6544 bzone.domain.com CNAME garden.example.com.
6546 ; do not rewrite (PASSTHRU) OK.DOMAIN.COM
6547 ok.domain.com CNAME rpz-passthru.
6549 ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
6550 *.bzone.domain.com CNAME *.garden.example.com.
6553 ; IP policy records that rewrite all responses containing A records in
127/
8
6555 8.0.0.0.127.rpz-ip CNAME .
6556 32.1.0.0.127.rpz-ip CNAME rpz-passthru.
6558 ; NSDNAME and NSIP policy records
6559 ns.domain.com.rpz-nsdname CNAME .
6560 48.zz
.2.2001.rpz-nsip CNAME .
6562 ; blacklist and whitelist some DNS clients
6563 112.zz
.2001.rpz-client-ip CNAME rpz-drop.
6564 8.0.0.0.127.rpz-client-ip CNAME rpz-drop.
6566 ; force some DNS clients and responses in the example.com zone to TCP
6567 16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only.
6568 example.com CNAME rpz-tcp-only.
6569 *.example.com CNAME rpz-tcp-only.
6573 RPZ can affect server performance.
6574 Each configured response policy zone requires the server to
6575 perform one to four additional database lookups before a
6576 query can be answered.
6577 For example, a DNS server with four policy zones, each with all
6578 four kinds of response triggers, QNAME, IP, NSIP, and
6579 NSDNAME, requires a total of
17 times as many database
6580 lookups as a similar DNS server with no response policy zones.
6581 A
<acronym class=
"acronym">BIND9
</acronym> server with adequate memory and one
6582 response policy zone with QNAME and IP triggers might achieve a
6583 maximum queries-per-second rate about
20% lower.
6584 A server with four response policy zones with QNAME and IP
6585 triggers might have a maximum QPS rate about
50% lower.
6588 Responses rewritten by RPZ are counted in the
6589 <span><strong class=
"command">RPZRewrites
</strong></span> statistics.
6592 <div class=
"sect3" lang=
"en">
6593 <div class=
"titlepage"><div><div><h4 class=
"title">
6594 <a name=
"id2590393"></a>Response Rate Limiting
</h4></div></div></div>
6596 Excessive almost identical UDP
<span class=
"emphasis"><em>responses
</em></span>
6597 can be controlled by configuring a
6598 <span><strong class=
"command">rate-limit
</strong></span> clause in an
6599 <span><strong class=
"command">options
</strong></span> or
<span><strong class=
"command">view
</strong></span> statement.
6600 This mechanism keeps authoritative BIND
9 from being used
6601 in amplifying reflection denial of service (DoS) attacks.
6602 Short truncated (TC=
1) responses can be sent to provide
6603 rate-limited responses to legitimate clients within
6604 a range of forged, attacked IP addresses.
6605 Legitimate clients react to dropped or truncated response
6606 by retrying with UDP or with TCP respectively.
6609 This mechanism is intended for authoritative DNS servers.
6610 It can be used on recursive servers but can slow
6611 applications such as SMTP servers (mail receivers) and
6612 HTTP clients (web browsers) that repeatedly request the
6614 When possible, closing
"open" recursive servers is better.
6617 Response rate limiting uses a
"credit" or
"token bucket" scheme.
6618 Each combination of identical response and client
6619 has a conceptual account that earns a specified number
6620 of credits every second.
6621 A prospective response debits its account by one.
6622 Responses are dropped or truncated
6623 while the account is negative.
6624 Responses are tracked within a rolling window of time
6625 which defaults to
15 seconds, but can be configured with
6626 the
<span><strong class=
"command">window
</strong></span> option to any value from
6627 1 to
3600 seconds (
1 hour).
6628 The account cannot become more positive than
6629 the per-second limit
6630 or more negative than
<span><strong class=
"command">window
</strong></span>
6631 times the per-second limit.
6632 When the specified number of credits for a class of
6633 responses is set to
0, those responses are not rate limited.
6636 The notions of
"identical response" and
"DNS client"
6637 for rate limiting are not simplistic.
6638 All responses to an address block are counted as if to a
6640 The prefix lengths of addresses blocks are
6641 specified with
<span><strong class=
"command">ipv4-prefix-length
</strong></span> (default
24)
6642 and
<span><strong class=
"command">ipv6-prefix-length
</strong></span> (default
56).
6645 All non-empty responses for a valid domain name (qname)
6646 and record type (qtype) are identical and have a limit specified
6647 with
<span><strong class=
"command">responses-per-second
</strong></span>
6648 (default
0 or no limit).
6649 All empty (NODATA) responses for a valid domain,
6650 regardless of query type, are identical.
6651 Responses in the NODATA class are limited by
6652 <span><strong class=
"command">nodata-per-second
</strong></span>
6653 (default
<span><strong class=
"command">responses-per-second
</strong></span>).
6654 Requests for any and all undefined subdomains of a given
6655 valid domain result in NXDOMAIN errors, and are identical
6656 regardless of query type.
6657 They are limited by
<span><strong class=
"command">nxdomains-per-second
</strong></span>
6658 (default base
<span><strong class=
"command">responses-per-second
</strong></span>).
6659 This controls some attacks using random names, but
6660 can be relaxed or turned off (set to
0)
6661 on servers that expect many legitimate
6662 NXDOMAIN responses, such as from anti-spam blacklists.
6663 Referrals or delegations to the server of a given
6664 domain are identical and are limited by
6665 <span><strong class=
"command">referrals-per-second
</strong></span>
6666 (default
<span><strong class=
"command">responses-per-second
</strong></span>).
6669 Responses generated from local wildcards are counted and limited
6670 as if they were for the parent domain name.
6671 This controls flooding using random.wild.example.com.
6674 All requests that result in DNS errors other
6675 than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
6676 regardless of requested name (qname) or record type (qtype).
6677 This controls attacks using invalid requests or distant,
6678 broken authoritative servers.
6679 By default the limit on errors is the same as the
6680 <span><strong class=
"command">responses-per-second
</strong></span> value,
6681 but it can be set separately with
6682 <span><strong class=
"command">errors-per-second
</strong></span>.
6685 Many attacks using DNS involve UDP requests with forged source
6687 Rate limiting prevents the use of BIND
9 to flood a network
6688 with responses to requests with forged source addresses,
6689 but could let a third party block responses to legitimate requests.
6690 There is a mechanism that can answer some legitimate
6691 requests from a client whose address is being forged in a flood.
6692 Setting
<span><strong class=
"command">slip
</strong></span> to
2 (its default) causes every
6693 other UDP request to be answered with a small truncated (TC=
1)
6695 The small size and reduced frequency, and so lack of
6696 amplification, of
"slipped" responses make them unattractive
6697 for reflection DoS attacks.
6698 <span><strong class=
"command">slip
</strong></span> must be between
0 and
10.
6699 A value of
0 does not
"slip":
6700 no truncated responses are sent due to rate limiting,
6701 all responses are dropped.
6702 A value of
1 causes every response to slip;
6703 values between
2 and
10 cause every n'th response to slip.
6704 Some error responses including REFUSED and SERVFAIL
6705 cannot be replaced with truncated responses and are instead
6706 leaked at the
<span><strong class=
"command">slip
</strong></span> rate.
6709 (NOTE: Dropped responses from an authoritative server may
6710 reduce the difficulty of a third party successfully forging
6711 a response to a recursive resolver. The best security
6712 against forged responses is for authoritative operators
6713 to sign their zones using DNSSEC and for resolver operators
6714 to validate the responses. When this is not an option,
6715 operators who are more concerned with response integrity
6716 than with flood mitigation may consider setting
6717 <span><strong class=
"command">slip
</strong></span> to
1, causing all rate-limited
6718 responses to be truncated rather than dropped. This reduces
6719 the effectiveness of rate-limiting against reflection attacks.)
6722 When the approximate query per second rate exceeds
6723 the
<span><strong class=
"command">qps-scale
</strong></span> value,
6724 then the
<span><strong class=
"command">responses-per-second
</strong></span>,
6725 <span><strong class=
"command">errors-per-second
</strong></span>,
6726 <span><strong class=
"command">nxdomains-per-second
</strong></span> and
6727 <span><strong class=
"command">all-per-second
</strong></span> values are reduced by the
6728 ratio of the current rate to the
<span><strong class=
"command">qps-scale
</strong></span> value.
6729 This feature can tighten defenses during attacks.
6731 <span><strong class=
"command">qps-scale
250; responses-per-second
20;
</strong></span> and
6732 a total query rate of
1000 queries/second for all queries from
6733 all DNS clients including via TCP,
6734 then the effective responses/second limit changes to
6736 Responses sent via TCP are not limited
6737 but are counted to compute the query per second rate.
6740 Communities of DNS clients can be given their own parameters or no
6741 rate limiting by putting
6742 <span><strong class=
"command">rate-limit
</strong></span> statements in
<span><strong class=
"command">view
</strong></span>
6743 statements instead of the global
<span><strong class=
"command">option
</strong></span>
6745 A
<span><strong class=
"command">rate-limit
</strong></span> statement in a view replaces,
6746 rather than supplementing, a
<span><strong class=
"command">rate-limit
</strong></span>
6747 statement among the main options.
6748 DNS clients within a view can be exempted from rate limits
6749 with the
<span><strong class=
"command">exempt-clients
</strong></span> clause.
6752 UDP responses of all kinds can be limited with the
6753 <span><strong class=
"command">all-per-second
</strong></span> phrase.
6754 This rate limiting is unlike the rate limiting provided by
6755 <span><strong class=
"command">responses-per-second
</strong></span>,
6756 <span><strong class=
"command">errors-per-second
</strong></span>, and
6757 <span><strong class=
"command">nxdomains-per-second
</strong></span> on a DNS server
6758 which are often invisible to the victim of a DNS reflection attack.
6759 Unless the forged requests of the attack are the same as the
6760 legitimate requests of the victim, the victim's requests are
6762 Responses affected by an
<span><strong class=
"command">all-per-second
</strong></span> limit
6763 are always dropped; the
<span><strong class=
"command">slip
</strong></span> value has no
6765 An
<span><strong class=
"command">all-per-second
</strong></span> limit should be
6766 at least
4 times as large as the other limits,
6767 because single DNS clients often send bursts of legitimate
6769 For example, the receipt of a single mail message can prompt
6770 requests from an SMTP server for NS, PTR, A, and AAAA records
6771 as the incoming SMTP/TCP/IP connection is considered.
6772 The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF
6773 records as it considers the STMP
<span><strong class=
"command">Mail From
</strong></span>
6775 Web browsers often repeatedly resolve the same names that
6776 are repeated in HTML
<IMG
> tags in a page.
6777 <span><strong class=
"command">All-per-second
</strong></span> is similar to the
6778 rate limiting offered by firewalls but often inferior.
6779 Attacks that justify ignoring the
6780 contents of DNS responses are likely to be attacks on the
6782 They usually should be discarded before the DNS server
6783 spends resources making TCP connections or parsing DNS requests,
6784 but that rate limiting must be done before the
6785 DNS server sees the requests.
6788 The maximum size of the table used to track requests and
6789 rate limit responses is set with
<span><strong class=
"command">max-table-size
</strong></span>.
6790 Each entry in the table is between
40 and
80 bytes.
6791 The table needs approximately as many entries as the number
6792 of requests received per second.
6793 The default is
20,
000.
6794 To reduce the cold start of growing the table,
6795 <span><strong class=
"command">min-table-size
</strong></span> (default
500)
6796 can set the minimum table size.
6797 Enable
<span><strong class=
"command">rate-limit
</strong></span> category logging to monitor
6798 expansions of the table and inform
6799 choices for the initial and maximum table size.
6802 Use
<span><strong class=
"command">log-only yes
</strong></span> to test rate limiting parameters
6803 without actually dropping any requests.
6806 Responses dropped by rate limits are included in the
6807 <span><strong class=
"command">RateDropped
</strong></span> and
<span><strong class=
"command">QryDropped
</strong></span>
6809 Responses that truncated by rate limits are included in
6810 <span><strong class=
"command">RateSlipped
</strong></span> and
<span><strong class=
"command">RespTruncated
</strong></span>.
6814 <div class=
"sect2" lang=
"en">
6815 <div class=
"titlepage"><div><div><h3 class=
"title">
6816 <a name=
"server_statement_grammar"></a><span><strong class=
"command">server
</strong></span> Statement Grammar
</h3></div></div></div>
6817 <pre class=
"programlisting"><span><strong class=
"command">server
</strong></span> <em class=
"replaceable"><code>ip_addr[/prefixlen]
</code></em> {
6818 [
<span class=
"optional"> bogus
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
6819 [
<span class=
"optional"> provide-ixfr
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
6820 [
<span class=
"optional"> request-ixfr
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
6821 [
<span class=
"optional"> request-nsid
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
6822 [
<span class=
"optional"> request-sit
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
6823 [
<span class=
"optional"> edns
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
6824 [
<span class=
"optional"> edns-udp-size
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
6825 [
<span class=
"optional"> nosit-udp-size
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
6826 [
<span class=
"optional"> max-udp-size
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
6827 [
<span class=
"optional"> transfers
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
6828 [
<span class=
"optional"> transfer-format
<em class=
"replaceable"><code>( one-answer | many-answers )
</code></em> ; ]
</span>]
6829 [
<span class=
"optional"> keys
<em class=
"replaceable"><code>{ string ; [
<span class=
"optional"> string ; [
<span class=
"optional">...
</span>]
</span>] }
</code></em> ;
</span>]
6830 [
<span class=
"optional"> transfer-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
6831 [
<span class=
"optional"> transfer-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
6832 [
<span class=
"optional"> notify-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
6833 [
<span class=
"optional"> notify-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
6834 [
<span class=
"optional"> query-source [
<span class=
"optional"> address (
<em class=
"replaceable"><code>ip_addr
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>]
6835 [
<span class=
"optional"> port (
<em class=
"replaceable"><code>ip_port
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
6836 [
<span class=
"optional"> query-source-v6 [
<span class=
"optional"> address (
<em class=
"replaceable"><code>ip_addr
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>]
6837 [
<span class=
"optional"> port (
<em class=
"replaceable"><code>ip_port
</code></em> |
<em class=
"replaceable"><code>*
</code></em> )
</span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
6838 [
<span class=
"optional"> use-queryport-pool
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
6839 [
<span class=
"optional"> queryport-pool-ports
<em class=
"replaceable"><code>number
</code></em>;
</span>]
6840 [
<span class=
"optional"> queryport-pool-updateinterval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
6844 <div class=
"sect2" lang=
"en">
6845 <div class=
"titlepage"><div><div><h3 class=
"title">
6846 <a name=
"server_statement_definition_and_usage"></a><span><strong class=
"command">server
</strong></span> Statement Definition and
6847 Usage
</h3></div></div></div>
6849 The
<span><strong class=
"command">server
</strong></span> statement defines
6851 to be associated with a remote name server. If a prefix length is
6852 specified, then a range of servers is covered. Only the most
6854 server clause applies regardless of the order in
6855 <code class=
"filename">named.conf
</code>.
6858 The
<span><strong class=
"command">server
</strong></span> statement can occur at
6859 the top level of the
6860 configuration file or inside a
<span><strong class=
"command">view
</strong></span>
6862 If a
<span><strong class=
"command">view
</strong></span> statement contains
6863 one or more
<span><strong class=
"command">server
</strong></span> statements, only
6865 apply to the view and any top-level ones are ignored.
6866 If a view contains no
<span><strong class=
"command">server
</strong></span>
6868 any top-level
<span><strong class=
"command">server
</strong></span> statements are
6873 If you discover that a remote server is giving out bad data,
6874 marking it as bogus will prevent further queries to it. The
6876 value of
<span><strong class=
"command">bogus
</strong></span> is
<span><strong class=
"command">no
</strong></span>.
6879 The
<span><strong class=
"command">provide-ixfr
</strong></span> clause determines
6881 the local server, acting as master, will respond with an
6883 zone transfer when the given remote server, a slave, requests it.
6884 If set to
<span><strong class=
"command">yes
</strong></span>, incremental transfer
6886 whenever possible. If set to
<span><strong class=
"command">no
</strong></span>,
6888 to the remote server will be non-incremental. If not set, the
6890 of the
<span><strong class=
"command">provide-ixfr
</strong></span> option in the
6892 global options block is used as a default.
6895 The
<span><strong class=
"command">request-ixfr
</strong></span> clause determines
6897 the local server, acting as a slave, will request incremental zone
6898 transfers from the given remote server, a master. If not set, the
6899 value of the
<span><strong class=
"command">request-ixfr
</strong></span> option in
6900 the view or global options block is used as a default. It may
6901 also be set in the zone block and, if set there, it will
6902 override the global or view setting for that zone.
6905 IXFR requests to servers that do not support IXFR will
6907 fall back to AXFR. Therefore, there is no need to manually list
6908 which servers support IXFR and which ones do not; the global
6910 of
<span><strong class=
"command">yes
</strong></span> should always work.
6911 The purpose of the
<span><strong class=
"command">provide-ixfr
</strong></span> and
6912 <span><strong class=
"command">request-ixfr
</strong></span> clauses is
6913 to make it possible to disable the use of IXFR even when both
6915 and slave claim to support it, for example if one of the servers
6916 is buggy and crashes or corrupts data when IXFR is used.
6919 The
<span><strong class=
"command">edns
</strong></span> clause determines whether
6920 the local server will attempt to use EDNS when communicating
6921 with the remote server. The default is
<span><strong class=
"command">yes
</strong></span>.
6924 The
<span><strong class=
"command">edns-udp-size
</strong></span> option sets the
6925 EDNS UDP size that is advertised by
<span><strong class=
"command">named
</strong></span>
6926 when querying the remote server. Valid values are
512
6927 to
4096 bytes (values outside this range will be silently
6928 adjusted to the nearest value within it). This option
6929 is useful when you wish to advertise a different value
6930 to this server than the value you advertise globally,
6931 for example, when there is a firewall at the remote
6932 site that is blocking large replies. (Note: Currently,
6933 this sets a single UDP size for all packets sent to the
6934 server;
<span><strong class=
"command">named
</strong></span> will not deviate from
6935 this value. This differs from the behavior of
6936 <span><strong class=
"command">edns-udp-size
</strong></span> in
<span><strong class=
"command">options
</strong></span>
6937 or
<span><strong class=
"command">view
</strong></span> statements, where it specifies
6938 a maximum value. The
<span><strong class=
"command">server
</strong></span> statement
6939 behavior may be brought into conformance with the
6940 <span><strong class=
"command">options/view
</strong></span> behavior in future releases.)
6943 The
<span><strong class=
"command">max-udp-size
</strong></span> option sets the
6944 maximum EDNS UDP message size
<span><strong class=
"command">named
</strong></span> will send. Valid
6945 values are
512 to
4096 bytes (values outside this range will
6946 be silently adjusted). This option is useful when you
6947 know that there is a firewall that is blocking large
6948 replies from
<span><strong class=
"command">named
</strong></span>.
6951 The
<span><strong class=
"command">nosit-udp-size
</strong></span> option sets the
6952 maximum size of UDP responses that will be sent to
6953 queries without a valid source identity token. The command
6954 <span><strong class=
"command">max-udp-size
</strong></span> option may further limit
6958 The server supports two zone transfer methods. The first,
<span><strong class=
"command">one-answer
</strong></span>,
6959 uses one DNS message per resource record transferred.
<span><strong class=
"command">many-answers
</strong></span> packs
6960 as many resource records as possible into a message.
<span><strong class=
"command">many-answers
</strong></span> is
6961 more efficient, but is only known to be understood by
<acronym class=
"acronym">BIND
</acronym> 9,
<acronym class=
"acronym">BIND
</acronym>
6962 8.x, and patched versions of
<acronym class=
"acronym">BIND
</acronym>
6963 4.9.5. You can specify which method
6964 to use for a server with the
<span><strong class=
"command">transfer-format
</strong></span> option.
6965 If
<span><strong class=
"command">transfer-format
</strong></span> is not
6966 specified, the
<span><strong class=
"command">transfer-format
</strong></span>
6968 by the
<span><strong class=
"command">options
</strong></span> statement will be
6971 <p><span><strong class=
"command">transfers
</strong></span>
6972 is used to limit the number of concurrent inbound zone
6973 transfers from the specified server. If no
6974 <span><strong class=
"command">transfers
</strong></span> clause is specified, the
6975 limit is set according to the
6976 <span><strong class=
"command">transfers-per-ns
</strong></span> option.
6979 The
<span><strong class=
"command">keys
</strong></span> clause identifies a
6980 <span><strong class=
"command">key_id
</strong></span> defined by the
<span><strong class=
"command">key
</strong></span> statement,
6981 to be used for transaction security (TSIG,
<a href=
"Bv9ARM.ch04.html#tsig" title=
"TSIG">the section called
“TSIG
”</a>)
6982 when talking to the remote server.
6983 When a request is sent to the remote server, a request signature
6984 will be generated using the key specified here and appended to the
6985 message. A request originating from the remote server is not
6987 to be signed by this key.
6990 Although the grammar of the
<span><strong class=
"command">keys
</strong></span>
6992 allows for multiple keys, only a single key per server is
6997 The
<span><strong class=
"command">transfer-source
</strong></span> and
6998 <span><strong class=
"command">transfer-source-v6
</strong></span> clauses specify
6999 the IPv4 and IPv6 source
7000 address to be used for zone transfer with the remote server,
7002 For an IPv4 remote server, only
<span><strong class=
"command">transfer-source
</strong></span> can
7004 Similarly, for an IPv6 remote server, only
7005 <span><strong class=
"command">transfer-source-v6
</strong></span> can be
7007 For more details, see the description of
7008 <span><strong class=
"command">transfer-source
</strong></span> and
7009 <span><strong class=
"command">transfer-source-v6
</strong></span> in
7010 <a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
7013 The
<span><strong class=
"command">notify-source
</strong></span> and
7014 <span><strong class=
"command">notify-source-v6
</strong></span> clauses specify the
7015 IPv4 and IPv6 source address to be used for notify
7016 messages sent to remote servers, respectively. For an
7017 IPv4 remote server, only
<span><strong class=
"command">notify-source
</strong></span>
7018 can be specified. Similarly, for an IPv6 remote server,
7019 only
<span><strong class=
"command">notify-source-v6
</strong></span> can be specified.
7022 The
<span><strong class=
"command">query-source
</strong></span> and
7023 <span><strong class=
"command">query-source-v6
</strong></span> clauses specify the
7024 IPv4 and IPv6 source address to be used for queries
7025 sent to remote servers, respectively. For an IPv4
7026 remote server, only
<span><strong class=
"command">query-source
</strong></span> can
7027 be specified. Similarly, for an IPv6 remote server,
7028 only
<span><strong class=
"command">query-source-v6
</strong></span> can be specified.
7031 The
<span><strong class=
"command">request-nsid
</strong></span> clause determines
7032 whether the local server will add a NSID EDNS option
7033 to requests sent to the server. This overrides
7034 <span><strong class=
"command">request-nsid
</strong></span> set at the view or
7038 The
<span><strong class=
"command">request-sit
</strong></span> clause determines
7039 whether the local server will add a SIT EDNS option
7040 to requests sent to the server. This overrides
7041 <span><strong class=
"command">request-sit
</strong></span> set at the view or
7042 option level. Named may determine that SIT is not
7043 supported by the remote server and not add a SIT
7044 EDNS option to requests.
7047 <div class=
"sect2" lang=
"en">
7048 <div class=
"titlepage"><div><div><h3 class=
"title">
7049 <a name=
"statschannels"></a><span><strong class=
"command">statistics-channels
</strong></span> Statement Grammar
</h3></div></div></div>
7050 <pre class=
"programlisting"><span><strong class=
"command">statistics-channels
</strong></span> {
7051 [ inet ( ip_addr | * ) [ port ip_port ]
7052 [ allow {
<em class=
"replaceable"><code> address_match_list
</code></em> } ]; ]
7057 <div class=
"sect2" lang=
"en">
7058 <div class=
"titlepage"><div><div><h3 class=
"title">
7059 <a name=
"id2591758"></a><span><strong class=
"command">statistics-channels
</strong></span> Statement Definition and
7060 Usage
</h3></div></div></div>
7062 The
<span><strong class=
"command">statistics-channels
</strong></span> statement
7063 declares communication channels to be used by system
7064 administrators to get access to statistics information of
7068 This statement intends to be flexible to support multiple
7069 communication protocols in the future, but currently only
7070 HTTP access is supported.
7071 It requires that BIND
9 be compiled with libxml2 and/or
7072 json-c (also known as libjson0); the
7073 <span><strong class=
"command">statistics-channels
</strong></span> statement is
7074 still accepted even if it is built without the library,
7075 but any HTTP access will fail with an error.
7078 An
<span><strong class=
"command">inet
</strong></span> control channel is a TCP socket
7079 listening at the specified
<span><strong class=
"command">ip_port
</strong></span> on the
7080 specified
<span><strong class=
"command">ip_addr
</strong></span>, which can be an IPv4 or IPv6
7081 address. An
<span><strong class=
"command">ip_addr
</strong></span> of
<code class=
"literal">*
</code>
7083 interpreted as the IPv4 wildcard address; connections will be
7084 accepted on any of the system's IPv4 addresses.
7085 To listen on the IPv6 wildcard address,
7086 use an
<span><strong class=
"command">ip_addr
</strong></span> of
<code class=
"literal">::
</code>.
7089 If no port is specified, port
80 is used for HTTP channels.
7090 The asterisk
"<code class="literal
">*</code>" cannot be used for
7091 <span><strong class=
"command">ip_port
</strong></span>.
7094 The attempt of opening a statistics channel is
7095 restricted by the optional
<span><strong class=
"command">allow
</strong></span> clause.
7096 Connections to the statistics channel are permitted based on the
7097 <span><strong class=
"command">address_match_list
</strong></span>.
7098 If no
<span><strong class=
"command">allow
</strong></span> clause is present,
7099 <span><strong class=
"command">named
</strong></span> accepts connection
7100 attempts from any address; since the statistics may
7101 contain sensitive internal information, it is highly
7102 recommended to restrict the source of connection requests
7106 If no
<span><strong class=
"command">statistics-channels
</strong></span> statement is present,
7107 <span><strong class=
"command">named
</strong></span> will not open any communication channels.
7110 The statistics are available in various formats and views
7111 depending on the URI used to access them. For example, if
7112 the statistics channel is configured to listen on
127.0.0.1
7113 port
8888, then the statistics are accessible in XML format at
7114 <a href=
"http://127.0.0.1:8888/" target=
"_top">http://
127.0.0.1:
8888/
</a> or
7115 <a href=
"http://127.0.0.1:8888/xml" target=
"_top">http://
127.0.0.1:
8888/xml
</a>. A CSS file is
7116 included which can format the XML statistics into tables
7117 when viewed with a stylesheet-capable browser, and into
7118 charts and graphs using the Google Charts API when using a
7119 javascript-capable browser.
7122 Applications that depend on a particular XML schema
7124 <a href=
"http://127.0.0.1:8888/xml/v2" target=
"_top">http://
127.0.0.1:
8888/xml/v2
</a> for version
2
7125 of the statistics XML schema or
7126 <a href=
"http://127.0.0.1:8888/xml/v3" target=
"_top">http://
127.0.0.1:
8888/xml/v3
</a> for version
3.
7127 If the requested schema is supported by the server, then
7128 it will respond; if not, it will return a
"page not found"
7132 Broken-out subsets of the statistics can be viewed at
7133 <a href=
"http://127.0.0.1:8888/xml/v3/status" target=
"_top">http://
127.0.0.1:
8888/xml/v3/status
</a>
7134 (server uptime and last reconfiguration time),
7135 <a href=
"http://127.0.0.1:8888/xml/v3/server" target=
"_top">http://
127.0.0.1:
8888/xml/v3/server
</a>
7136 (server and resolver statistics),
7137 <a href=
"http://127.0.0.1:8888/xml/v3/zones" target=
"_top">http://
127.0.0.1:
8888/xml/v3/zones
</a>
7139 <a href=
"http://127.0.0.1:8888/xml/v3/net" target=
"_top">http://
127.0.0.1:
8888/xml/v3/net
</a>
7140 (network status and socket statistics),
7141 <a href=
"http://127.0.0.1:8888/xml/v3/mem" target=
"_top">http://
127.0.0.1:
8888/xml/v3/mem
</a>
7142 (memory manager statistics),
7143 <a href=
"http://127.0.0.1:8888/xml/v3/tasks" target=
"_top">http://
127.0.0.1:
8888/xml/v3/tasks
</a>
7144 (task manager statistics).
7147 The full set of statistics can also be read in JSON format at
7148 <a href=
"http://127.0.0.1:8888/json" target=
"_top">http://
127.0.0.1:
8888/json
</a>,
7149 with the broken-out subsets at
7150 <a href=
"http://127.0.0.1:8888/json/v1/status" target=
"_top">http://
127.0.0.1:
8888/json/v1/status
</a>
7151 (server uptime and last reconfiguration time),
7152 <a href=
"http://127.0.0.1:8888/json/v1/server" target=
"_top">http://
127.0.0.1:
8888/json/v1/server
</a>
7153 (server and resolver statistics),
7154 <a href=
"http://127.0.0.1:8888/json/v1/zones" target=
"_top">http://
127.0.0.1:
8888/json/v1/zones
</a>
7156 <a href=
"http://127.0.0.1:8888/json/v1/net" target=
"_top">http://
127.0.0.1:
8888/json/v1/net
</a>
7157 (network status and socket statistics),
7158 <a href=
"http://127.0.0.1:8888/json/v1/mem" target=
"_top">http://
127.0.0.1:
8888/json/v1/mem
</a>
7159 (memory manager statistics),
7160 <a href=
"http://127.0.0.1:8888/json/v1/tasks" target=
"_top">http://
127.0.0.1:
8888/json/v1/tasks
</a>
7161 (task manager statistics).
7164 <div class=
"sect2" lang=
"en">
7165 <div class=
"titlepage"><div><div><h3 class=
"title">
7166 <a name=
"trusted-keys"></a><span><strong class=
"command">trusted-keys
</strong></span> Statement Grammar
</h3></div></div></div>
7167 <pre class=
"programlisting"><span><strong class=
"command">trusted-keys
</strong></span> {
7168 <em class=
"replaceable"><code>string
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>string
</code></em> ;
7169 [
<span class=
"optional"> <em class=
"replaceable"><code>string
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>string
</code></em> ; [
<span class=
"optional">...
</span>]
</span>]
7173 <div class=
"sect2" lang=
"en">
7174 <div class=
"titlepage"><div><div><h3 class=
"title">
7175 <a name=
"id2592176"></a><span><strong class=
"command">trusted-keys
</strong></span> Statement Definition
7176 and Usage
</h3></div></div></div>
7178 The
<span><strong class=
"command">trusted-keys
</strong></span> statement defines
7179 DNSSEC security roots. DNSSEC is described in
<a href=
"Bv9ARM.ch04.html#DNSSEC" title=
"DNSSEC">the section called
“DNSSEC
”</a>. A security root is defined when the
7180 public key for a non-authoritative zone is known, but
7181 cannot be securely obtained through DNS, either because
7182 it is the DNS root zone or because its parent zone is
7183 unsigned. Once a key has been configured as a trusted
7184 key, it is treated as if it had been validated and
7185 proven secure. The resolver attempts DNSSEC validation
7186 on all DNS data in subdomains of a security root.
7189 All keys (and corresponding zones) listed in
7190 <span><strong class=
"command">trusted-keys
</strong></span> are deemed to exist regardless
7191 of what parent zones say. Similarly for all keys listed in
7192 <span><strong class=
"command">trusted-keys
</strong></span> only those keys are
7193 used to validate the DNSKEY RRset. The parent's DS RRset
7197 The
<span><strong class=
"command">trusted-keys
</strong></span> statement can contain
7198 multiple key entries, each consisting of the key's
7199 domain name, flags, protocol, algorithm, and the Base-
64
7200 representation of the key data.
7201 Spaces, tabs, newlines and carriage returns are ignored
7202 in the key data, so the configuration may be split up into
7206 <span><strong class=
"command">trusted-keys
</strong></span> may be set at the top level
7207 of
<code class=
"filename">named.conf
</code> or within a view. If it is
7208 set in both places, they are additive: keys defined at the top
7209 level are inherited by all views, but keys defined in a view
7210 are only used within that view.
7213 <div class=
"sect2" lang=
"en">
7214 <div class=
"titlepage"><div><div><h3 class=
"title">
7215 <a name=
"id2592222"></a><span><strong class=
"command">managed-keys
</strong></span> Statement Grammar
</h3></div></div></div>
7216 <pre class=
"programlisting"><span><strong class=
"command">managed-keys
</strong></span> {
7217 <em class=
"replaceable"><code>name
</code></em> initial-key
<em class=
"replaceable"><code>flags
</code></em> <em class=
"replaceable"><code>protocol
</code></em> <em class=
"replaceable"><code>algorithm
</code></em> <em class=
"replaceable"><code>key-data
</code></em> ;
7218 [
<span class=
"optional"> <em class=
"replaceable"><code>name
</code></em> initial-key
<em class=
"replaceable"><code>flags
</code></em> <em class=
"replaceable"><code>protocol
</code></em> <em class=
"replaceable"><code>algorithm
</code></em> <em class=
"replaceable"><code>key-data
</code></em> ; [
<span class=
"optional">...
</span>]
</span>]
7222 <div class=
"sect2" lang=
"en">
7223 <div class=
"titlepage"><div><div><h3 class=
"title">
7224 <a name=
"managed-keys"></a><span><strong class=
"command">managed-keys
</strong></span> Statement Definition
7225 and Usage
</h3></div></div></div>
7227 The
<span><strong class=
"command">managed-keys
</strong></span> statement, like
7228 <span><strong class=
"command">trusted-keys
</strong></span>, defines DNSSEC
7229 security roots. The difference is that
7230 <span><strong class=
"command">managed-keys
</strong></span> can be kept up to date
7231 automatically, without intervention from the resolver
7235 Suppose, for example, that a zone's key-signing
7236 key was compromised, and the zone owner had to revoke and
7237 replace the key. A resolver which had the old key in a
7238 <span><strong class=
"command">trusted-keys
</strong></span> statement would be
7239 unable to validate this zone any longer; it would
7240 reply with a SERVFAIL response code. This would
7241 continue until the resolver operator had updated the
7242 <span><strong class=
"command">trusted-keys
</strong></span> statement with the new key.
7245 If, however, the zone were listed in a
7246 <span><strong class=
"command">managed-keys
</strong></span> statement instead, then the
7247 zone owner could add a
"stand-by" key to the zone in advance.
7248 <span><strong class=
"command">named
</strong></span> would store the stand-by key, and
7249 when the original key was revoked,
<span><strong class=
"command">named
</strong></span>
7250 would be able to transition smoothly to the new key. It would
7251 also recognize that the old key had been revoked, and cease
7252 using that key to validate answers, minimizing the damage that
7253 the compromised key could do.
7256 A
<span><strong class=
"command">managed-keys
</strong></span> statement contains a list of
7257 the keys to be managed, along with information about how the
7258 keys are to be initialized for the first time. The only
7259 initialization method currently supported (as of
7260 <acronym class=
"acronym">BIND
</acronym> 9.7.0) is
<code class=
"literal">initial-key
</code>.
7261 This means the
<span><strong class=
"command">managed-keys
</strong></span> statement must
7262 contain a copy of the initializing key. (Future releases may
7263 allow keys to be initialized by other methods, eliminating this
7267 Consequently, a
<span><strong class=
"command">managed-keys
</strong></span> statement
7268 appears similar to a
<span><strong class=
"command">trusted-keys
</strong></span>, differing
7269 in the presence of the second field, containing the keyword
7270 <code class=
"literal">initial-key
</code>. The difference is, whereas the
7271 keys listed in a
<span><strong class=
"command">trusted-keys
</strong></span> continue to be
7272 trusted until they are removed from
7273 <code class=
"filename">named.conf
</code>, an initializing key listed
7274 in a
<span><strong class=
"command">managed-keys
</strong></span> statement is only trusted
7275 <span class=
"emphasis"><em>once
</em></span>: for as long as it takes to load the
7276 managed key database and start the RFC
5011 key maintenance
7280 The first time
<span><strong class=
"command">named
</strong></span> runs with a managed key
7281 configured in
<code class=
"filename">named.conf
</code>, it fetches the
7282 DNSKEY RRset directly from the zone apex, and validates it
7283 using the key specified in the
<span><strong class=
"command">managed-keys
</strong></span>
7284 statement. If the DNSKEY RRset is validly signed, then it is
7285 used as the basis for a new managed keys database.
7288 From that point on, whenever
<span><strong class=
"command">named
</strong></span> runs, it
7289 sees the
<span><strong class=
"command">managed-keys
</strong></span> statement, checks to
7290 make sure RFC
5011 key maintenance has already been initialized
7291 for the specified domain, and if so, it simply moves on. The
7292 key specified in the
<span><strong class=
"command">managed-keys
</strong></span> is not
7293 used to validate answers; it has been superseded by the key or
7294 keys stored in the managed keys database.
7297 The next time
<span><strong class=
"command">named
</strong></span> runs after a name
7298 has been
<span class=
"emphasis"><em>removed
</em></span> from the
7299 <span><strong class=
"command">managed-keys
</strong></span> statement, the corresponding
7300 zone will be removed from the managed keys database,
7301 and RFC
5011 key maintenance will no longer be used for that
7305 <span><strong class=
"command">named
</strong></span> only maintains a single managed keys
7306 database; consequently, unlike
<span><strong class=
"command">trusted-keys
</strong></span>,
7307 <span><strong class=
"command">managed-keys
</strong></span> may only be set at the top
7308 level of
<code class=
"filename">named.conf
</code>, not within a view.
7311 In the current implementation, the managed keys database is
7312 stored as a master-format zone file called
7313 <code class=
"filename">managed-keys.bind
</code>. When the key database
7314 is changed, the zone is updated. As with any other dynamic
7315 zone, changes will be written into a journal file,
7316 <code class=
"filename">managed-keys.bind.jnl
</code>. They are committed
7317 to the master file as soon as possible afterward; in the case
7318 of the managed key database, this will usually occur within
30
7319 seconds. So, whenever
<span><strong class=
"command">named
</strong></span> is using
7320 automatic key maintenance, those two files can be expected to
7321 exist in the working directory. (For this reason among others,
7322 the working directory should be always be writable by
7323 <span><strong class=
"command">named
</strong></span>.)
7326 If the
<span><strong class=
"command">dnssec-validation
</strong></span> option is
7327 set to
<strong class=
"userinput"><code>auto
</code></strong>,
<span><strong class=
"command">named
</strong></span>
7328 will automatically initialize a managed key for the
7329 root zone. Similarly, if the
<span><strong class=
"command">dnssec-lookaside
</strong></span>
7330 option is set to
<strong class=
"userinput"><code>auto
</code></strong>,
7331 <span><strong class=
"command">named
</strong></span> will automatically initialize
7332 a managed key for the zone
<code class=
"literal">dlv.isc.org
</code>.
7333 In both cases, the key that is used to initialize the key
7334 maintenance process is built into
<span><strong class=
"command">named
</strong></span>,
7335 and can be overridden from
<span><strong class=
"command">bindkeys-file
</strong></span>.
7338 <div class=
"sect2" lang=
"en">
7339 <div class=
"titlepage"><div><div><h3 class=
"title">
7340 <a name=
"view_statement_grammar"></a><span><strong class=
"command">view
</strong></span> Statement Grammar
</h3></div></div></div>
7341 <pre class=
"programlisting"><span><strong class=
"command">view
</strong></span> <em class=
"replaceable"><code>view_name
</code></em>
7342 [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7343 match-clients {
<em class=
"replaceable"><code>address_match_list
</code></em> };
7344 match-destinations {
<em class=
"replaceable"><code>address_match_list
</code></em> };
7345 match-recursive-only
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
7346 [
<span class=
"optional"> <em class=
"replaceable"><code>view_option
</code></em>; ...
</span>]
7347 [
<span class=
"optional"> <em class=
"replaceable"><code>zone_statement
</code></em>; ...
</span>]
7351 <div class=
"sect2" lang=
"en">
7352 <div class=
"titlepage"><div><div><h3 class=
"title">
7353 <a name=
"id2592589"></a><span><strong class=
"command">view
</strong></span> Statement Definition and Usage
</h3></div></div></div>
7355 The
<span><strong class=
"command">view
</strong></span> statement is a powerful
7357 of
<acronym class=
"acronym">BIND
</acronym> 9 that lets a name server
7358 answer a DNS query differently
7359 depending on who is asking. It is particularly useful for
7361 split DNS setups without having to run multiple servers.
7364 Each
<span><strong class=
"command">view
</strong></span> statement defines a view
7366 DNS namespace that will be seen by a subset of clients. A client
7368 a view if its source IP address matches the
7369 <code class=
"varname">address_match_list
</code> of the view's
7370 <span><strong class=
"command">match-clients
</strong></span> clause and its
7371 destination IP address matches
7372 the
<code class=
"varname">address_match_list
</code> of the
7374 <span><strong class=
"command">match-destinations
</strong></span> clause. If not
7376 <span><strong class=
"command">match-clients
</strong></span> and
<span><strong class=
"command">match-destinations
</strong></span>
7377 default to matching all addresses. In addition to checking IP
7379 <span><strong class=
"command">match-clients
</strong></span> and
<span><strong class=
"command">match-destinations
</strong></span>
7380 can also take
<span><strong class=
"command">keys
</strong></span> which provide an
7382 client to select the view. A view can also be specified
7383 as
<span><strong class=
"command">match-recursive-only
</strong></span>, which
7384 means that only recursive
7385 requests from matching clients will match that view.
7386 The order of the
<span><strong class=
"command">view
</strong></span> statements is
7388 a client request will be resolved in the context of the first
7389 <span><strong class=
"command">view
</strong></span> that it matches.
7392 Zones defined within a
<span><strong class=
"command">view
</strong></span>
7394 only be accessible to clients that match the
<span><strong class=
"command">view
</strong></span>.
7395 By defining a zone of the same name in multiple views, different
7396 zone data can be given to different clients, for example,
7398 and
"external" clients in a split DNS setup.
7401 Many of the options given in the
<span><strong class=
"command">options
</strong></span> statement
7402 can also be used within a
<span><strong class=
"command">view
</strong></span>
7404 apply only when resolving queries with that view. When no
7406 value is given, the value in the
<span><strong class=
"command">options
</strong></span> statement
7407 is used as a default. Also, zone options can have default values
7409 in the
<span><strong class=
"command">view
</strong></span> statement; these
7410 view-specific defaults
7411 take precedence over those in the
<span><strong class=
"command">options
</strong></span> statement.
7414 Views are class specific. If no class is given, class IN
7415 is assumed. Note that all non-IN views must contain a hint zone,
7416 since only the IN class has compiled-in default hints.
7419 If there are no
<span><strong class=
"command">view
</strong></span> statements in
7421 file, a default view that matches any client is automatically
7423 in class IN. Any
<span><strong class=
"command">zone
</strong></span> statements
7425 the top level of the configuration file are considered to be part
7427 this default view, and the
<span><strong class=
"command">options
</strong></span>
7429 apply to the default view. If any explicit
<span><strong class=
"command">view
</strong></span>
7430 statements are present, all
<span><strong class=
"command">zone
</strong></span>
7432 occur inside
<span><strong class=
"command">view
</strong></span> statements.
7435 Here is an example of a typical split DNS setup implemented
7436 using
<span><strong class=
"command">view
</strong></span> statements:
7438 <pre class=
"programlisting">view
"internal" {
7439 // This should match our internal networks.
7440 match-clients {
10.0.0.0/
8; };
7442 // Provide recursive service to internal
7446 // Provide a complete view of the example.com
7447 // zone including addresses of internal hosts.
7448 zone
"example.com" {
7450 file
"example-internal.db";
7455 // Match all clients not matched by the
7457 match-clients { any; };
7459 // Refuse recursive service to external clients.
7462 // Provide a restricted view of the example.com
7463 // zone containing only publicly accessible hosts.
7464 zone
"example.com" {
7466 file
"example-external.db";
7471 <div class=
"sect2" lang=
"en">
7472 <div class=
"titlepage"><div><div><h3 class=
"title">
7473 <a name=
"zone_statement_grammar"></a><span><strong class=
"command">zone
</strong></span>
7474 Statement Grammar
</h3></div></div></div>
7475 <pre class=
"programlisting"><span><strong class=
"command">zone
</strong></span> <em class=
"replaceable"><code>zone_name
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7477 [
<span class=
"optional"> allow-query {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7478 [
<span class=
"optional"> allow-query-on {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7479 [
<span class=
"optional"> allow-transfer {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7480 [
<span class=
"optional"> allow-update {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7481 [
<span class=
"optional"> update-check-ksk
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7482 [
<span class=
"optional"> dnssec-dnskey-kskonly
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7483 [
<span class=
"optional"> dnssec-loadkeys-interval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
7484 [
<span class=
"optional"> update-policy
<em class=
"replaceable"><code>local
</code></em> | {
<em class=
"replaceable"><code>update_policy_rule
</code></em> [
<span class=
"optional">...
</span>] };
</span>]
7485 [
<span class=
"optional"> also-notify {
<em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
7486 [
<span class=
"optional"> <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ; ...
</span>] };
</span>]
7487 [
<span class=
"optional"> check-names (
<code class=
"constant">warn
</code>|
<code class=
"constant">fail
</code>|
<code class=
"constant">ignore
</code>) ;
</span>]
7488 [
<span class=
"optional"> check-mx (
<code class=
"constant">warn
</code>|
<code class=
"constant">fail
</code>|
<code class=
"constant">ignore
</code>) ;
</span>]
7489 [
<span class=
"optional"> check-wildcard
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7490 [
<span class=
"optional"> check-spf (
<em class=
"replaceable"><code>warn
</code></em> |
<em class=
"replaceable"><code>ignore
</code></em> );
</span>]
7491 [
<span class=
"optional"> check-integrity
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7492 [
<span class=
"optional"> dialup
<em class=
"replaceable"><code>dialup_option
</code></em> ;
</span>]
7493 [
<span class=
"optional"> file
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7494 [
<span class=
"optional"> masterfile-format (
<code class=
"constant">text
</code>|
<code class=
"constant">raw
</code>|
<code class=
"constant">map
</code>) ;
</span>]
7495 [
<span class=
"optional"> journal
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7496 [
<span class=
"optional"> max-journal-size
<em class=
"replaceable"><code>size_spec
</code></em>;
</span>]
7497 [
<span class=
"optional"> forward (
<code class=
"constant">only
</code>|
<code class=
"constant">first
</code>) ;
</span>]
7498 [
<span class=
"optional"> forwarders { [
<span class=
"optional"> <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ; ...
</span>] };
</span>]
7499 [
<span class=
"optional"> ixfr-base
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7500 [
<span class=
"optional"> ixfr-from-differences
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7501 [
<span class=
"optional"> ixfr-tmp-file
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7502 [
<span class=
"optional"> request-ixfr
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7503 [
<span class=
"optional"> maintain-ixfr-base
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7504 [
<span class=
"optional"> max-ixfr-log-size
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7505 [
<span class=
"optional"> max-transfer-idle-out
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7506 [
<span class=
"optional"> max-transfer-time-out
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7507 [
<span class=
"optional"> notify
<em class=
"replaceable"><code>yes_or_no
</code></em> |
<em class=
"replaceable"><code>explicit
</code></em> |
<em class=
"replaceable"><code>master-only
</code></em> ;
</span>]
7508 [
<span class=
"optional"> notify-delay
<em class=
"replaceable"><code>seconds
</code></em> ;
</span>]
7509 [
<span class=
"optional"> notify-to-soa
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7510 [
<span class=
"optional"> pubkey
<em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>string
</code></em> ;
</span>]
7511 [
<span class=
"optional"> notify-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7512 [
<span class=
"optional"> notify-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7513 [
<span class=
"optional"> zone-statistics
<em class=
"replaceable"><code>full
</code></em> |
<em class=
"replaceable"><code>terse
</code></em> |
<em class=
"replaceable"><code>none
</code></em>;
</span>]
7514 [
<span class=
"optional"> sig-validity-interval
<em class=
"replaceable"><code>number
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>number
</code></em></span>] ;
</span>]
7515 [
<span class=
"optional"> sig-signing-nodes
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7516 [
<span class=
"optional"> sig-signing-signatures
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7517 [
<span class=
"optional"> sig-signing-type
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7518 [
<span class=
"optional"> database
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7519 [
<span class=
"optional"> min-refresh-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7520 [
<span class=
"optional"> max-refresh-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7521 [
<span class=
"optional"> min-retry-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7522 [
<span class=
"optional"> max-retry-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7523 [
<span class=
"optional"> key-directory
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
7524 [
<span class=
"optional"> auto-dnssec
<code class=
"constant">allow
</code>|
<code class=
"constant">maintain
</code>|
<code class=
"constant">off
</code>;
</span>]
7525 [
<span class=
"optional"> inline-signing
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7526 [
<span class=
"optional"> zero-no-soa-ttl
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7527 [
<span class=
"optional"> serial-update-method
<code class=
"constant">increment
</code>|
<code class=
"constant">unixtime
</code>;
</span>]
7528 [
<span class=
"optional"> max-zone-ttl
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7531 zone
<em class=
"replaceable"><code>zone_name
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7533 [
<span class=
"optional"> allow-notify {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7534 [
<span class=
"optional"> allow-query {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7535 [
<span class=
"optional"> allow-query-on {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7536 [
<span class=
"optional"> allow-transfer {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7537 [
<span class=
"optional"> allow-update-forwarding {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7538 [
<span class=
"optional"> dnssec-update-mode (
<em class=
"replaceable"><code>maintain
</code></em> |
<em class=
"replaceable"><code>no-resign
</code></em> );
</span>]
7539 [
<span class=
"optional"> update-check-ksk
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7540 [
<span class=
"optional"> dnssec-dnskey-kskonly
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7541 [
<span class=
"optional"> dnssec-loadkeys-interval
<em class=
"replaceable"><code>number
</code></em>;
</span>]
7542 [
<span class=
"optional"> dnssec-secure-to-insecure
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7543 [
<span class=
"optional"> try-tcp-refresh
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7544 [
<span class=
"optional"> also-notify [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] { (
<em class=
"replaceable"><code>masters_list
</code></em> |
<em class=
"replaceable"><code>ip_addr
</code></em>
7545 [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>]
7546 [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>]
7547 [
<span class=
"optional">key
<em class=
"replaceable"><code>key
</code></em></span>] ) ; [
<span class=
"optional">...
</span>] };
</span>]
7548 [
<span class=
"optional"> check-names (
<code class=
"constant">warn
</code>|
<code class=
"constant">fail
</code>|
<code class=
"constant">ignore
</code>) ;
</span>]
7549 [
<span class=
"optional"> dialup
<em class=
"replaceable"><code>dialup_option
</code></em> ;
</span>]
7550 [
<span class=
"optional"> file
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7551 [
<span class=
"optional"> masterfile-format (
<code class=
"constant">text
</code>|
<code class=
"constant">raw
</code>|
<code class=
"constant">map
</code>) ;
</span>]
7552 [
<span class=
"optional"> journal
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7553 [
<span class=
"optional"> max-journal-size
<em class=
"replaceable"><code>size_spec
</code></em>;
</span>]
7554 [
<span class=
"optional"> forward (
<code class=
"constant">only
</code>|
<code class=
"constant">first
</code>) ;
</span>]
7555 [
<span class=
"optional"> forwarders { [
<span class=
"optional"> <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ; ...
</span>] };
</span>]
7556 [
<span class=
"optional"> ixfr-base
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7557 [
<span class=
"optional"> ixfr-from-differences
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7558 [
<span class=
"optional"> ixfr-tmp-file
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7559 [
<span class=
"optional"> maintain-ixfr-base
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7560 [
<span class=
"optional"> masters [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] { (
<em class=
"replaceable"><code>masters_list
</code></em> |
<em class=
"replaceable"><code>ip_addr
</code></em>
7561 [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>]
7562 [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>]
7563 [
<span class=
"optional">key
<em class=
"replaceable"><code>key
</code></em></span>] ) ; [
<span class=
"optional">...
</span>] };
</span>]
7564 [
<span class=
"optional"> max-ixfr-log-size
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7565 [
<span class=
"optional"> max-transfer-idle-in
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7566 [
<span class=
"optional"> max-transfer-idle-out
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7567 [
<span class=
"optional"> max-transfer-time-in
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7568 [
<span class=
"optional"> max-transfer-time-out
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7569 [
<span class=
"optional"> notify
<em class=
"replaceable"><code>yes_or_no
</code></em> |
<em class=
"replaceable"><code>explicit
</code></em> |
<em class=
"replaceable"><code>master-only
</code></em> ;
</span>]
7570 [
<span class=
"optional"> notify-delay
<em class=
"replaceable"><code>seconds
</code></em> ;
</span>]
7571 [
<span class=
"optional"> notify-to-soa
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7572 [
<span class=
"optional"> pubkey
<em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>string
</code></em> ;
</span>]
7573 [
<span class=
"optional"> transfer-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7574 [
<span class=
"optional"> transfer-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7575 [
<span class=
"optional"> alt-transfer-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7576 [
<span class=
"optional"> alt-transfer-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>)
7577 [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>]
7578 [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7579 [
<span class=
"optional"> use-alt-transfer-source
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7580 [
<span class=
"optional"> notify-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7581 [
<span class=
"optional"> notify-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7582 [
<span class=
"optional"> zone-statistics
<em class=
"replaceable"><code>full
</code></em> |
<em class=
"replaceable"><code>terse
</code></em> |
<em class=
"replaceable"><code>none
</code></em>;
</span>]
7583 [
<span class=
"optional"> sig-validity-interval
<em class=
"replaceable"><code>number
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>number
</code></em></span>] ;
</span>]
7584 [
<span class=
"optional"> sig-signing-nodes
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7585 [
<span class=
"optional"> sig-signing-signatures
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7586 [
<span class=
"optional"> sig-signing-type
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7587 [
<span class=
"optional"> database
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7588 [
<span class=
"optional"> min-refresh-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7589 [
<span class=
"optional"> max-refresh-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7590 [
<span class=
"optional"> min-retry-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7591 [
<span class=
"optional"> max-retry-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7592 [
<span class=
"optional"> key-directory
<em class=
"replaceable"><code>path_name
</code></em>;
</span>]
7593 [
<span class=
"optional"> auto-dnssec
<code class=
"constant">allow
</code>|
<code class=
"constant">maintain
</code>|
<code class=
"constant">off
</code>;
</span>]
7594 [
<span class=
"optional"> inline-signing
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7595 [
<span class=
"optional"> multi-master
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7596 [
<span class=
"optional"> zero-no-soa-ttl
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7599 zone
<em class=
"replaceable"><code>zone_name
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7601 file
<em class=
"replaceable"><code>string
</code></em> ;
7602 [
<span class=
"optional"> delegation-only
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7603 [
<span class=
"optional"> check-names (
<code class=
"constant">warn
</code>|
<code class=
"constant">fail
</code>|
<code class=
"constant">ignore
</code>) ;
</span>] // Not Implemented.
7606 zone
<em class=
"replaceable"><code>zone_name
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7608 [
<span class=
"optional"> allow-query {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7609 [
<span class=
"optional"> allow-query-on {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7610 [
<span class=
"optional"> check-names (
<code class=
"constant">warn
</code>|
<code class=
"constant">fail
</code>|
<code class=
"constant">ignore
</code>) ;
</span>]
7611 [
<span class=
"optional"> dialup
<em class=
"replaceable"><code>dialup_option
</code></em> ;
</span>]
7612 [
<span class=
"optional"> delegation-only
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7613 [
<span class=
"optional"> file
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7614 [
<span class=
"optional"> masterfile-format (
<code class=
"constant">text
</code>|
<code class=
"constant">raw
</code>|
<code class=
"constant">map
</code>) ;
</span>]
7615 [
<span class=
"optional"> forward (
<code class=
"constant">only
</code>|
<code class=
"constant">first
</code>) ;
</span>]
7616 [
<span class=
"optional"> forwarders { [
<span class=
"optional"> <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ; ...
</span>] };
</span>]
7617 [
<span class=
"optional"> masters [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] { (
<em class=
"replaceable"><code>masters_list
</code></em> |
<em class=
"replaceable"><code>ip_addr
</code></em>
7618 [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>]
7619 [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>]
7620 [
<span class=
"optional">key
<em class=
"replaceable"><code>key
</code></em></span>] ) ; [
<span class=
"optional">...
</span>] };
</span>]
7621 [
<span class=
"optional"> max-transfer-idle-in
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7622 [
<span class=
"optional"> max-transfer-time-in
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7623 [
<span class=
"optional"> pubkey
<em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>number
</code></em> <em class=
"replaceable"><code>string
</code></em> ;
</span>]
7624 [
<span class=
"optional"> transfer-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7625 [
<span class=
"optional"> transfer-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>)
7626 [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7627 [
<span class=
"optional"> alt-transfer-source (
<em class=
"replaceable"><code>ip4_addr
</code></em> |
<code class=
"constant">*
</code>) [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7628 [
<span class=
"optional"> alt-transfer-source-v6 (
<em class=
"replaceable"><code>ip6_addr
</code></em> |
<code class=
"constant">*
</code>)
7629 [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ;
</span>]
7630 [
<span class=
"optional"> use-alt-transfer-source
<em class=
"replaceable"><code>yes_or_no
</code></em>;
</span>]
7631 [
<span class=
"optional"> zone-statistics
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7632 [
<span class=
"optional"> database
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7633 [
<span class=
"optional"> min-refresh-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7634 [
<span class=
"optional"> max-refresh-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7635 [
<span class=
"optional"> min-retry-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7636 [
<span class=
"optional"> max-retry-time
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7637 [
<span class=
"optional"> multi-master
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7640 zone
<em class=
"replaceable"><code>zone_name
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7642 [
<span class=
"optional"> allow-query {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7643 [
<span class=
"optional"> server-addresses { [
<span class=
"optional"> <em class=
"replaceable"><code>ip_addr
</code></em> ; ...
</span>] };
</span>]
7644 [
<span class=
"optional"> server-names { [
<span class=
"optional"> <em class=
"replaceable"><code>namelist
</code></em> </span>] };
</span>]
7645 [
<span class=
"optional"> zone-statistics
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7648 zone
<em class=
"replaceable"><code>zone_name
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7650 [
<span class=
"optional"> forward (
<code class=
"constant">only
</code>|
<code class=
"constant">first
</code>) ;
</span>]
7651 [
<span class=
"optional"> forwarders { [
<span class=
"optional"> <em class=
"replaceable"><code>ip_addr
</code></em> [
<span class=
"optional">port
<em class=
"replaceable"><code>ip_port
</code></em></span>] [
<span class=
"optional">dscp
<em class=
"replaceable"><code>ip_dscp
</code></em></span>] ; ...
</span>] };
</span>]
7652 [
<span class=
"optional"> delegation-only
<em class=
"replaceable"><code>yes_or_no
</code></em> ;
</span>]
7655 zone
<em class=
"replaceable"><code>"."</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7657 file
<em class=
"replaceable"><code>string
</code></em> ;
7658 [
<span class=
"optional"> masterfile-format (
<code class=
"constant">text
</code>|
<code class=
"constant">raw
</code>|
<code class=
"constant">map
</code>) ;
</span>]
7659 [
<span class=
"optional"> allow-query {
<em class=
"replaceable"><code>address_match_list
</code></em> };
</span>]
7660 [
<span class=
"optional"> max-zone-ttl
<em class=
"replaceable"><code>number
</code></em> ;
</span>]
7663 zone
<em class=
"replaceable"><code>zone_name
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7664 type delegation-only;
7667 zone
<em class=
"replaceable"><code>zone_name
</code></em> [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>] {
7668 [
<span class=
"optional"> in-view
<em class=
"replaceable"><code>string
</code></em> ;
</span>]
7673 <div class=
"sect2" lang=
"en">
7674 <div class=
"titlepage"><div><div><h3 class=
"title">
7675 <a name=
"id2594602"></a><span><strong class=
"command">zone
</strong></span> Statement Definition and Usage
</h3></div></div></div>
7676 <div class=
"sect3" lang=
"en">
7677 <div class=
"titlepage"><div><div><h4 class=
"title">
7678 <a name=
"id2594610"></a>Zone Types
</h4></div></div></div>
7679 <div class=
"informaltable"><table border=
"1">
7688 <code class=
"varname">master
</code>
7693 The server has a master copy of the data
7694 for the zone and will be able to provide authoritative
7703 <code class=
"varname">slave
</code>
7708 A slave zone is a replica of a master
7709 zone. The
<span><strong class=
"command">masters
</strong></span> list
7710 specifies one or more IP addresses
7711 of master servers that the slave contacts to update
7712 its copy of the zone.
7713 Masters list elements can also be names of other
7715 By default, transfers are made from port
53 on the
7717 be changed for all servers by specifying a port number
7719 list of IP addresses, or on a per-server basis after
7721 Authentication to the master can also be done with
7722 per-server TSIG keys.
7723 If a file is specified, then the
7724 replica will be written to this file whenever the zone
7726 and reloaded from this file on a server restart. Use
7728 recommended, since it often speeds server startup and
7730 a needless waste of bandwidth. Note that for large
7732 tens or hundreds of thousands) of zones per server, it
7734 use a two-level naming scheme for zone filenames. For
7736 a slave server for the zone
<code class=
"literal">example.com
</code> might place
7737 the zone contents into a file called
7738 <code class=
"filename">ex/example.com
</code> where
<code class=
"filename">ex/
</code> is
7739 just the first two letters of the zone name. (Most
7741 behave very slowly if you put
100000 files into
7742 a single directory.)
7749 <code class=
"varname">stub
</code>
7754 A stub zone is similar to a slave zone,
7755 except that it replicates only the NS records of a
7757 of the entire zone. Stub zones are not a standard part
7759 they are a feature specific to the
<acronym class=
"acronym">BIND
</acronym> implementation.
7763 Stub zones can be used to eliminate the need for glue
7765 in a parent zone at the expense of maintaining a stub
7767 a set of name server addresses in
<code class=
"filename">named.conf
</code>.
7768 This usage is not recommended for new configurations,
7770 supports it only in a limited way.
7771 In
<acronym class=
"acronym">BIND
</acronym> 4/
8, zone
7772 transfers of a parent zone
7773 included the NS records from stub children of that
7775 that, in some cases, users could get away with
7776 configuring child stubs
7777 only in the master server for the parent zone.
<acronym class=
"acronym">BIND
</acronym>
7778 9 never mixes together zone data from different zones
7780 way. Therefore, if a
<acronym class=
"acronym">BIND
</acronym> 9 master serving a parent
7781 zone has child stub zones configured, all the slave
7783 parent zone also need to have the same child stub
7789 Stub zones can also be used as a way of forcing the
7791 of a given domain to use a particular set of
7792 authoritative servers.
7793 For example, the caching name servers on a private
7795 RFC1918 addressing may be configured with stub zones
7797 <code class=
"literal">10.in-addr.arpa
</code>
7798 to use a set of internal name servers as the
7800 servers for that domain.
7807 <code class=
"varname">static-stub
</code>
7812 A static-stub zone is similar to a stub zone
7813 with the following exceptions:
7814 the zone data is statically configured, rather
7815 than transferred from a master server;
7816 when recursion is necessary for a query that
7817 matches a static-stub zone, the locally
7818 configured data (nameserver names and glue addresses)
7819 is always used even if different authoritative
7820 information is cached.
7823 Zone data is configured via the
7824 <span><strong class=
"command">server-addresses
</strong></span> and
7825 <span><strong class=
"command">server-names
</strong></span> zone options.
7828 The zone data is maintained in the form of NS
7829 and (if necessary) glue A or AAAA RRs
7830 internally, which can be seen by dumping zone
7831 databases by
<span><strong class=
"command">rndc dumpdb -all
</strong></span>.
7832 The configured RRs are considered local configuration
7833 parameters rather than public data.
7834 Non recursive queries (i.e., those with the RD
7835 bit off) to a static-stub zone are therefore
7836 prohibited and will be responded with REFUSED.
7839 Since the data is statically configured, no
7840 zone maintenance action takes place for a static-stub
7842 For example, there is no periodic refresh
7843 attempt, and an incoming notify message
7844 will be rejected with an rcode of NOTAUTH.
7847 Each static-stub zone is configured with
7848 internally generated NS and (if necessary)
7856 <code class=
"varname">forward
</code>
7861 A
"forward zone" is a way to configure
7862 forwarding on a per-domain basis. A
<span><strong class=
"command">zone
</strong></span> statement
7863 of type
<span><strong class=
"command">forward
</strong></span> can
7864 contain a
<span><strong class=
"command">forward
</strong></span>
7865 and/or
<span><strong class=
"command">forwarders
</strong></span>
7867 which will apply to queries within the domain given by
7869 name. If no
<span><strong class=
"command">forwarders
</strong></span>
7870 statement is present or
7871 an empty list for
<span><strong class=
"command">forwarders
</strong></span> is given, then no
7872 forwarding will be done for the domain, canceling the
7874 any forwarders in the
<span><strong class=
"command">options
</strong></span> statement. Thus
7875 if you want to use this type of zone to change the
7877 global
<span><strong class=
"command">forward
</strong></span> option
7878 (that is,
"forward first"
7879 to, then
"forward only", or vice versa, but want to
7881 servers as set globally) you need to re-specify the
7889 <code class=
"varname">hint
</code>
7894 The initial set of root name servers is
7895 specified using a
"hint zone". When the server starts
7897 the root hints to find a root name server and get the
7899 list of root name servers. If no hint zone is
7901 IN, the server uses a compiled-in default set of root
7903 Classes other than IN have no built-in defaults hints.
7910 <code class=
"varname">redirect
</code>
7915 Redirect zones are used to provide answers to
7916 queries when normal resolution would result in
7917 NXDOMAIN being returned.
7918 Only one redirect zone is supported
7919 per view.
<span><strong class=
"command">allow-query
</strong></span> can be
7920 used to restrict which clients see these answers.
7923 If the client has requested DNSSEC records (DO=
1) and
7924 the NXDOMAIN response is signed then no substitution
7928 To redirect all NXDOMAIN responses to
7930 2001:ffff:ffff::
100.100.100.2, one would
7931 configure a type redirect zone named
".",
7932 with the zone file containing wildcard records
7933 that point to the desired addresses:
7934 <code class=
"literal">"*. IN A 100.100.100.2"</code>
7936 <code class=
"literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
7939 To redirect all Spanish names (under .ES) one
7940 would use similar entries but with the names
7941 "*.ES." instead of
"*.". To redirect all
7942 commercial Spanish names (under COM.ES) one
7943 would use wildcard entries called
"*.COM.ES.".
7946 Note that the redirect zone supports all
7947 possible types; it is not limited to A and
7951 Because redirect zones are not referenced
7952 directly by name, they are not kept in the
7953 zone lookup table with normal master and slave
7954 zones. Consequently, it is not currently possible
7956 <span><strong class=
"command">rndc reload
7957 <em class=
"replaceable"><code>zonename
</code></em></strong></span>
7958 to reload a redirect zone. However, when using
7959 <span><strong class=
"command">rndc reload
</strong></span> without specifying
7960 a zone name, redirect zones will be reloaded along
7968 <code class=
"varname">delegation-only
</code>
7973 This is used to enforce the delegation-only
7974 status of infrastructure zones (e.g. COM,
7975 NET, ORG). Any answer that is received
7976 without an explicit or implicit delegation
7977 in the authority section will be treated
7978 as NXDOMAIN. This does not apply to the
7979 zone apex. This should not be applied to
7983 <code class=
"varname">delegation-only
</code> has no
7984 effect on answers received from forwarders.
7987 See caveats in
<a href=
"Bv9ARM.ch06.html#root_delegation_only"><span><strong class=
"command">root-delegation-only
</strong></span></a>.
7994 <div class=
"sect3" lang=
"en">
7995 <div class=
"titlepage"><div><div><h4 class=
"title">
7996 <a name=
"id2595218"></a>Class
</h4></div></div></div>
7998 The zone's name may optionally be followed by a class. If
7999 a class is not specified, class
<code class=
"literal">IN
</code> (for
<code class=
"varname">Internet
</code>),
8000 is assumed. This is correct for the vast majority of cases.
8003 The
<code class=
"literal">hesiod
</code> class is
8004 named for an information service from MIT's Project Athena. It
8006 used to share information about various systems databases, such
8007 as users, groups, printers and so on. The keyword
8008 <code class=
"literal">HS
</code> is
8009 a synonym for hesiod.
8012 Another MIT development is Chaosnet, a LAN protocol created
8013 in the mid-
1970s. Zone data for it can be specified with the
<code class=
"literal">CHAOS
</code> class.
8016 <div class=
"sect3" lang=
"en">
8017 <div class=
"titlepage"><div><div><h4 class=
"title">
8018 <a name=
"id2595456"></a>Zone Options
</h4></div></div></div>
8019 <div class=
"variablelist"><dl>
8020 <dt><span class=
"term"><span><strong class=
"command">allow-notify
</strong></span></span></dt>
8022 See the description of
8023 <span><strong class=
"command">allow-notify
</strong></span> in
<a href=
"Bv9ARM.ch06.html#access_control" title=
"Access Control">the section called
“Access Control
”</a>.
8025 <dt><span class=
"term"><span><strong class=
"command">allow-query
</strong></span></span></dt>
8027 See the description of
8028 <span><strong class=
"command">allow-query
</strong></span> in
<a href=
"Bv9ARM.ch06.html#access_control" title=
"Access Control">the section called
“Access Control
”</a>.
8030 <dt><span class=
"term"><span><strong class=
"command">allow-query-on
</strong></span></span></dt>
8032 See the description of
8033 <span><strong class=
"command">allow-query-on
</strong></span> in
<a href=
"Bv9ARM.ch06.html#access_control" title=
"Access Control">the section called
“Access Control
”</a>.
8035 <dt><span class=
"term"><span><strong class=
"command">allow-transfer
</strong></span></span></dt>
8037 See the description of
<span><strong class=
"command">allow-transfer
</strong></span>
8038 in
<a href=
"Bv9ARM.ch06.html#access_control" title=
"Access Control">the section called
“Access Control
”</a>.
8040 <dt><span class=
"term"><span><strong class=
"command">allow-update
</strong></span></span></dt>
8042 See the description of
<span><strong class=
"command">allow-update
</strong></span>
8043 in
<a href=
"Bv9ARM.ch06.html#access_control" title=
"Access Control">the section called
“Access Control
”</a>.
8045 <dt><span class=
"term"><span><strong class=
"command">update-policy
</strong></span></span></dt>
8047 Specifies a
"Simple Secure Update" policy. See
8048 <a href=
"Bv9ARM.ch06.html#dynamic_update_policies" title=
"Dynamic Update Policies">the section called
“Dynamic Update Policies
”</a>.
8050 <dt><span class=
"term"><span><strong class=
"command">allow-update-forwarding
</strong></span></span></dt>
8052 See the description of
<span><strong class=
"command">allow-update-forwarding
</strong></span>
8053 in
<a href=
"Bv9ARM.ch06.html#access_control" title=
"Access Control">the section called
“Access Control
”</a>.
8055 <dt><span class=
"term"><span><strong class=
"command">also-notify
</strong></span></span></dt>
8057 Only meaningful if
<span><strong class=
"command">notify
</strong></span>
8059 active for this zone. The set of machines that will
8061 <code class=
"literal">DNS NOTIFY
</code> message
8062 for this zone is made up of all the listed name servers
8064 the primary master) for the zone plus any IP addresses
8066 with
<span><strong class=
"command">also-notify
</strong></span>. A port
8068 with each
<span><strong class=
"command">also-notify
</strong></span>
8069 address to send the notify
8070 messages to a port other than the default of
53.
8071 A TSIG key may also be specified to cause the
8072 <code class=
"literal">NOTIFY
</code> to be signed by the
8074 <span><strong class=
"command">also-notify
</strong></span> is not
8075 meaningful for stub zones.
8076 The default is the empty list.
8078 <dt><span class=
"term"><span><strong class=
"command">check-names
</strong></span></span></dt>
8080 This option is used to restrict the character set and
8082 certain domain names in master files and/or DNS responses
8084 network. The default varies according to zone type. For
<span><strong class=
"command">master
</strong></span> zones the default is
<span><strong class=
"command">fail
</strong></span>. For
<span><strong class=
"command">slave
</strong></span>
8085 zones the default is
<span><strong class=
"command">warn
</strong></span>.
8086 It is not implemented for
<span><strong class=
"command">hint
</strong></span> zones.
8088 <dt><span class=
"term"><span><strong class=
"command">check-mx
</strong></span></span></dt>
8090 See the description of
8091 <span><strong class=
"command">check-mx
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8093 <dt><span class=
"term"><span><strong class=
"command">check-spf
</strong></span></span></dt>
8095 See the description of
8096 <span><strong class=
"command">check-spf
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8098 <dt><span class=
"term"><span><strong class=
"command">check-wildcard
</strong></span></span></dt>
8100 See the description of
8101 <span><strong class=
"command">check-wildcard
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8103 <dt><span class=
"term"><span><strong class=
"command">check-integrity
</strong></span></span></dt>
8105 See the description of
8106 <span><strong class=
"command">check-integrity
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8108 <dt><span class=
"term"><span><strong class=
"command">check-sibling
</strong></span></span></dt>
8110 See the description of
8111 <span><strong class=
"command">check-sibling
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8113 <dt><span class=
"term"><span><strong class=
"command">zero-no-soa-ttl
</strong></span></span></dt>
8115 See the description of
8116 <span><strong class=
"command">zero-no-soa-ttl
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8118 <dt><span class=
"term"><span><strong class=
"command">update-check-ksk
</strong></span></span></dt>
8120 See the description of
8121 <span><strong class=
"command">update-check-ksk
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8123 <dt><span class=
"term"><span><strong class=
"command">dnssec-update-mode
</strong></span></span></dt>
8125 See the description of
8126 <span><strong class=
"command">dnssec-update-mode
</strong></span> in
<a href=
"Bv9ARM.ch06.html#options" title=
"options Statement Definition and
8127 Usage">the section called
“<span><strong class=
"command">options
</strong></span> Statement Definition and
8130 <dt><span class=
"term"><span><strong class=
"command">dnssec-dnskey-kskonly
</strong></span></span></dt>
8132 See the description of
8133 <span><strong class=
"command">dnssec-dnskey-kskonly
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8135 <dt><span class=
"term"><span><strong class=
"command">try-tcp-refresh
</strong></span></span></dt>
8137 See the description of
8138 <span><strong class=
"command">try-tcp-refresh
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8140 <dt><span class=
"term"><span><strong class=
"command">database
</strong></span></span></dt>
8143 Specify the type of database to be used for storing the
8144 zone data. The string following the
<span><strong class=
"command">database
</strong></span> keyword
8145 is interpreted as a list of whitespace-delimited words.
8147 identifies the database type, and any subsequent words are
8149 as arguments to the database to be interpreted in a way
8151 to the database type.
8154 The default is
<strong class=
"userinput"><code>"rbt"</code></strong>, BIND
9's
8156 red-black-tree database. This database does not take
8160 Other values are possible if additional database drivers
8161 have been linked into the server. Some sample drivers are
8163 with the distribution but none are linked in by default.
8166 <dt><span class=
"term"><span><strong class=
"command">dialup
</strong></span></span></dt>
8168 See the description of
8169 <span><strong class=
"command">dialup
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8171 <dt><span class=
"term"><span><strong class=
"command">delegation-only
</strong></span></span></dt>
8174 The flag only applies to forward, hint and stub
8175 zones. If set to
<strong class=
"userinput"><code>yes
</code></strong>,
8176 then the zone will also be treated as if it is
8177 also a delegation-only type zone.
8180 See caveats in
<a href=
"Bv9ARM.ch06.html#root_delegation_only"><span><strong class=
"command">root-delegation-only
</strong></span></a>.
8183 <dt><span class=
"term"><span><strong class=
"command">forward
</strong></span></span></dt>
8185 Only meaningful if the zone has a forwarders
8186 list. The
<span><strong class=
"command">only
</strong></span> value causes
8188 after trying the forwarders and getting no answer, while
<span><strong class=
"command">first
</strong></span> would
8189 allow a normal lookup to be tried.
8191 <dt><span class=
"term"><span><strong class=
"command">forwarders
</strong></span></span></dt>
8193 Used to override the list of global forwarders.
8194 If it is not specified in a zone of type
<span><strong class=
"command">forward
</strong></span>,
8195 no forwarding is done for the zone and the global options are
8198 <dt><span class=
"term"><span><strong class=
"command">ixfr-base
</strong></span></span></dt>
8200 Was used in
<acronym class=
"acronym">BIND
</acronym> 8 to
8202 of the transaction log (journal) file for dynamic update
8204 <acronym class=
"acronym">BIND
</acronym> 9 ignores the option
8205 and constructs the name of the journal
8206 file by appending
"<code class="filename
">.jnl</code>"
8210 <dt><span class=
"term"><span><strong class=
"command">ixfr-tmp-file
</strong></span></span></dt>
8212 Was an undocumented option in
<acronym class=
"acronym">BIND
</acronym> 8.
8213 Ignored in
<acronym class=
"acronym">BIND
</acronym> 9.
8215 <dt><span class=
"term"><span><strong class=
"command">journal
</strong></span></span></dt>
8217 Allow the default journal's filename to be overridden.
8218 The default is the zone's filename with
"<code class="filename
">.jnl</code>" appended.
8219 This is applicable to
<span><strong class=
"command">master
</strong></span> and
<span><strong class=
"command">slave
</strong></span> zones.
8221 <dt><span class=
"term"><span><strong class=
"command">max-journal-size
</strong></span></span></dt>
8223 See the description of
8224 <span><strong class=
"command">max-journal-size
</strong></span> in
<a href=
"Bv9ARM.ch06.html#server_resource_limits" title=
"Server Resource Limits">the section called
“Server Resource Limits
”</a>.
8226 <dt><span class=
"term"><span><strong class=
"command">max-transfer-time-in
</strong></span></span></dt>
8228 See the description of
8229 <span><strong class=
"command">max-transfer-time-in
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8231 <dt><span class=
"term"><span><strong class=
"command">max-transfer-idle-in
</strong></span></span></dt>
8233 See the description of
8234 <span><strong class=
"command">max-transfer-idle-in
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8236 <dt><span class=
"term"><span><strong class=
"command">max-transfer-time-out
</strong></span></span></dt>
8238 See the description of
8239 <span><strong class=
"command">max-transfer-time-out
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8241 <dt><span class=
"term"><span><strong class=
"command">max-transfer-idle-out
</strong></span></span></dt>
8243 See the description of
8244 <span><strong class=
"command">max-transfer-idle-out
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8246 <dt><span class=
"term"><span><strong class=
"command">notify
</strong></span></span></dt>
8248 See the description of
8249 <span><strong class=
"command">notify
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8251 <dt><span class=
"term"><span><strong class=
"command">notify-delay
</strong></span></span></dt>
8253 See the description of
8254 <span><strong class=
"command">notify-delay
</strong></span> in
<a href=
"Bv9ARM.ch06.html#tuning" title=
"Tuning">the section called
“Tuning
”</a>.
8256 <dt><span class=
"term"><span><strong class=
"command">notify-to-soa
</strong></span></span></dt>
8258 See the description of
8259 <span><strong class=
"command">notify-to-soa
</strong></span> in
8260 <a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8262 <dt><span class=
"term"><span><strong class=
"command">pubkey
</strong></span></span></dt>
8264 In
<acronym class=
"acronym">BIND
</acronym> 8, this option was
8265 intended for specifying
8266 a public zone key for verification of signatures in DNSSEC
8268 zones when they are loaded from disk.
<acronym class=
"acronym">BIND
</acronym> 9 does not verify signatures
8269 on load and ignores the option.
8271 <dt><span class=
"term"><span><strong class=
"command">zone-statistics
</strong></span></span></dt>
8273 If
<strong class=
"userinput"><code>yes
</code></strong>, the server will keep
8275 information for this zone, which can be dumped to the
8276 <span><strong class=
"command">statistics-file
</strong></span> defined in
8279 <dt><span class=
"term"><span><strong class=
"command">server-addresses
</strong></span></span></dt>
8282 Only meaningful for static-stub zones.
8283 This is a list of IP addresses to which queries
8284 should be sent in recursive resolution for the
8286 A non empty list for this option will internally
8287 configure the apex NS RR with associated glue A or
8291 For example, if
"example.com" is configured as a
8292 static-stub zone with
192.0.2.1 and
2001:db8::
1234
8293 in a
<span><strong class=
"command">server-addresses
</strong></span> option,
8294 the following RRs will be internally configured.
8296 <pre class=
"programlisting">example.com. NS example.com.
8297 example.com. A
192.0.2.1
8298 example.com. AAAA
2001:db8::
1234</pre>
8300 These records are internally used to resolve
8301 names under the static-stub zone.
8302 For instance, if the server receives a query for
8303 "www.example.com" with the RD bit on, the server
8304 will initiate recursive resolution and send
8305 queries to
192.0.2.1 and/or
2001:db8::
1234.
8308 <dt><span class=
"term"><span><strong class=
"command">server-names
</strong></span></span></dt>
8311 Only meaningful for static-stub zones.
8312 This is a list of domain names of nameservers that
8313 act as authoritative servers of the static-stub
8315 These names will be resolved to IP addresses when
8316 <span><strong class=
"command">named
</strong></span> needs to send queries to
8318 To make this supplemental resolution successful,
8319 these names must not be a subdomain of the origin
8320 name of static-stub zone.
8321 That is, when
"example.net" is the origin of a
8322 static-stub zone,
"ns.example" and
8323 "master.example.com" can be specified in the
8324 <span><strong class=
"command">server-names
</strong></span> option, but
8325 "ns.example.net" cannot, and will be rejected by
8326 the configuration parser.
8329 A non empty list for this option will internally
8330 configure the apex NS RR with the specified names.
8331 For example, if
"example.com" is configured as a
8332 static-stub zone with
"ns1.example.net" and
8334 in a
<span><strong class=
"command">server-names
</strong></span> option,
8335 the following RRs will be internally configured.
8337 <pre class=
"programlisting">example.com. NS ns1.example.net.
8338 example.com. NS ns2.example.net.
8341 These records are internally used to resolve
8342 names under the static-stub zone.
8343 For instance, if the server receives a query for
8344 "www.example.com" with the RD bit on, the server
8345 initiate recursive resolution,
8346 resolve
"ns1.example.net" and/or
8347 "ns2.example.net" to IP addresses, and then send
8348 queries to (one or more of) these addresses.
8351 <dt><span class=
"term"><span><strong class=
"command">sig-validity-interval
</strong></span></span></dt>
8353 See the description of
8354 <span><strong class=
"command">sig-validity-interval
</strong></span> in
<a href=
"Bv9ARM.ch06.html#tuning" title=
"Tuning">the section called
“Tuning
”</a>.
8356 <dt><span class=
"term"><span><strong class=
"command">sig-signing-nodes
</strong></span></span></dt>
8358 See the description of
8359 <span><strong class=
"command">sig-signing-nodes
</strong></span> in
<a href=
"Bv9ARM.ch06.html#tuning" title=
"Tuning">the section called
“Tuning
”</a>.
8361 <dt><span class=
"term"><span><strong class=
"command">sig-signing-signatures
</strong></span></span></dt>
8363 See the description of
8364 <span><strong class=
"command">sig-signing-signatures
</strong></span> in
<a href=
"Bv9ARM.ch06.html#tuning" title=
"Tuning">the section called
“Tuning
”</a>.
8366 <dt><span class=
"term"><span><strong class=
"command">sig-signing-type
</strong></span></span></dt>
8368 See the description of
8369 <span><strong class=
"command">sig-signing-type
</strong></span> in
<a href=
"Bv9ARM.ch06.html#tuning" title=
"Tuning">the section called
“Tuning
”</a>.
8371 <dt><span class=
"term"><span><strong class=
"command">transfer-source
</strong></span></span></dt>
8373 See the description of
8374 <span><strong class=
"command">transfer-source
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8376 <dt><span class=
"term"><span><strong class=
"command">transfer-source-v6
</strong></span></span></dt>
8378 See the description of
8379 <span><strong class=
"command">transfer-source-v6
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8381 <dt><span class=
"term"><span><strong class=
"command">alt-transfer-source
</strong></span></span></dt>
8383 See the description of
8384 <span><strong class=
"command">alt-transfer-source
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8386 <dt><span class=
"term"><span><strong class=
"command">alt-transfer-source-v6
</strong></span></span></dt>
8388 See the description of
8389 <span><strong class=
"command">alt-transfer-source-v6
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8391 <dt><span class=
"term"><span><strong class=
"command">use-alt-transfer-source
</strong></span></span></dt>
8393 See the description of
8394 <span><strong class=
"command">use-alt-transfer-source
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8396 <dt><span class=
"term"><span><strong class=
"command">notify-source
</strong></span></span></dt>
8398 See the description of
8399 <span><strong class=
"command">notify-source
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8401 <dt><span class=
"term"><span><strong class=
"command">notify-source-v6
</strong></span></span></dt>
8403 See the description of
8404 <span><strong class=
"command">notify-source-v6
</strong></span> in
<a href=
"Bv9ARM.ch06.html#zone_transfers" title=
"Zone Transfers">the section called
“Zone Transfers
”</a>.
8407 <span class=
"term"><span><strong class=
"command">min-refresh-time
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">max-refresh-time
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">min-retry-time
</strong></span>,
</span><span class=
"term"><span><strong class=
"command">max-retry-time
</strong></span></span>
8410 See the description in
<a href=
"Bv9ARM.ch06.html#tuning" title=
"Tuning">the section called
“Tuning
”</a>.
8412 <dt><span class=
"term"><span><strong class=
"command">ixfr-from-differences
</strong></span></span></dt>
8414 See the description of
8415 <span><strong class=
"command">ixfr-from-differences
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8416 (Note that the
<span><strong class=
"command">ixfr-from-differences
</strong></span>
8417 <strong class=
"userinput"><code>master
</code></strong> and
8418 <strong class=
"userinput"><code>slave
</code></strong> choices are not
8419 available at the zone level.)
8421 <dt><span class=
"term"><span><strong class=
"command">key-directory
</strong></span></span></dt>
8423 See the description of
8424 <span><strong class=
"command">key-directory
</strong></span> in
<a href=
"Bv9ARM.ch06.html#options" title=
"options Statement Definition and
8425 Usage">the section called
“<span><strong class=
"command">options
</strong></span> Statement Definition and
8428 <dt><span class=
"term"><span><strong class=
"command">auto-dnssec
</strong></span></span></dt>
8431 Zones configured for dynamic DNS may also use this
8432 option to allow varying levels of automatic DNSSEC key
8433 management. There are three possible settings:
8436 <span><strong class=
"command">auto-dnssec allow;
</strong></span> permits
8437 keys to be updated and the zone fully re-signed
8438 whenever the user issues the command
<span><strong class=
"command">rndc sign
8439 <em class=
"replaceable"><code>zonename
</code></em></strong></span>.
8442 <span><strong class=
"command">auto-dnssec maintain;
</strong></span> includes the
8443 above, but also automatically adjusts the zone's DNSSEC
8444 keys on schedule, according to the keys' timing metadata
8445 (see
<a href=
"man.dnssec-keygen.html" title=
"dnssec-keygen"><span class=
"refentrytitle"><span class=
"application">dnssec-keygen
</span></span>(
8)
</a> and
8446 <a href=
"man.dnssec-settime.html" title=
"dnssec-settime"><span class=
"refentrytitle"><span class=
"application">dnssec-settime
</span></span>(
8)
</a>). The command
8447 <span><strong class=
"command">rndc sign
8448 <em class=
"replaceable"><code>zonename
</code></em></strong></span> causes
8449 <span><strong class=
"command">named
</strong></span> to load keys from the key
8450 repository and sign the zone with all keys that are
8452 <span><strong class=
"command">rndc loadkeys
8453 <em class=
"replaceable"><code>zonename
</code></em></strong></span> causes
8454 <span><strong class=
"command">named
</strong></span> to load keys from the key
8455 repository and schedule key maintenance events to occur
8456 in the future, but it does not sign the full zone
8457 immediately. Note: once keys have been loaded for a
8458 zone the first time, the repository will be searched
8459 for changes periodically, regardless of whether
8460 <span><strong class=
"command">rndc loadkeys
</strong></span> is used. The recheck
8461 interval is defined by
8462 <span><strong class=
"command">dnssec-loadkeys-interval
</strong></span>.)
8465 The default setting is
<span><strong class=
"command">auto-dnssec off
</strong></span>.
8468 <dt><span class=
"term"><span><strong class=
"command">serial-update-method
</strong></span></span></dt>
8471 Zones configured for dynamic DNS may use this
8472 option to set the update method that will be used for
8473 the zone serial number in the SOA record.
8476 With the default setting of
8477 <span><strong class=
"command">serial-update-method increment;
</strong></span>, the
8478 SOA serial number will be incremented by one each time
8479 the zone is updated.
8483 <span><strong class=
"command">serial-update-method unixtime;
</strong></span>, the
8484 SOA serial number will be set to the number of seconds
8485 since the UNIX epoch, unless the serial number is
8486 already greater than or equal to that value, in which
8487 case it is simply incremented by one.
8490 <dt><span class=
"term"><span><strong class=
"command">inline-signing
</strong></span></span></dt>
8492 If
<code class=
"literal">yes
</code>, this enables
8493 "bump in the wire" signing of a zone, where a
8494 unsigned zone is transferred in or loaded from
8495 disk and a signed version of the zone is served,
8496 with possibly, a different serial number. This
8497 behaviour is disabled by default.
8499 <dt><span class=
"term"><span><strong class=
"command">multi-master
</strong></span></span></dt>
8501 See the description of
<span><strong class=
"command">multi-master
</strong></span> in
8502 <a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8504 <dt><span class=
"term"><span><strong class=
"command">masterfile-format
</strong></span></span></dt>
8506 See the description of
<span><strong class=
"command">masterfile-format
</strong></span>
8507 in
<a href=
"Bv9ARM.ch06.html#tuning" title=
"Tuning">the section called
“Tuning
”</a>.
8509 <dt><span class=
"term"><span><strong class=
"command">max-zone-ttl
</strong></span></span></dt>
8511 See the description of
<span><strong class=
"command">max-zone-ttl
</strong></span>
8512 in
<a href=
"Bv9ARM.ch06.html#options" title=
"options Statement Definition and
8513 Usage">the section called
“<span><strong class=
"command">options
</strong></span> Statement Definition and
8516 <dt><span class=
"term"><span><strong class=
"command">dnssec-secure-to-insecure
</strong></span></span></dt>
8518 See the description of
8519 <span><strong class=
"command">dnssec-secure-to-insecure
</strong></span> in
<a href=
"Bv9ARM.ch06.html#boolean_options" title=
"Boolean Options">the section called
“Boolean Options
”</a>.
8523 <div class=
"sect3" lang=
"en">
8524 <div class=
"titlepage"><div><div><h4 class=
"title">
8525 <a name=
"dynamic_update_policies"></a>Dynamic Update Policies
</h4></div></div></div>
8526 <p><acronym class=
"acronym">BIND
</acronym> 9 supports two alternative
8527 methods of granting clients the right to perform
8528 dynamic updates to a zone, configured by the
8529 <span><strong class=
"command">allow-update
</strong></span> and
8530 <span><strong class=
"command">update-policy
</strong></span> option, respectively.
8533 The
<span><strong class=
"command">allow-update
</strong></span> clause works the
8534 same way as in previous versions of
<acronym class=
"acronym">BIND
</acronym>.
8535 It grants given clients the permission to update any
8536 record of any name in the zone.
8539 The
<span><strong class=
"command">update-policy
</strong></span> clause
8540 allows more fine-grained control over what updates are
8541 allowed. A set of rules is specified, where each rule
8542 either grants or denies permissions for one or more
8543 names to be updated by one or more identities. If
8544 the dynamic update request message is signed (that is,
8545 it includes either a TSIG or SIG(
0) record), the
8546 identity of the signer can be determined.
8549 Rules are specified in the
<span><strong class=
"command">update-policy
</strong></span>
8550 zone option, and are only meaningful for master zones.
8551 When the
<span><strong class=
"command">update-policy
</strong></span> statement
8552 is present, it is a configuration error for the
8553 <span><strong class=
"command">allow-update
</strong></span> statement to be
8554 present. The
<span><strong class=
"command">update-policy
</strong></span> statement
8555 only examines the signer of a message; the source
8556 address is not relevant.
8559 There is a pre-defined
<span><strong class=
"command">update-policy
</strong></span>
8560 rule which can be switched on with the command
8561 <span><strong class=
"command">update-policy local;
</strong></span>.
8562 Switching on this rule in a zone causes
8563 <span><strong class=
"command">named
</strong></span> to generate a TSIG session
8564 key and place it in a file, and to allow that key
8565 to update the zone. (By default, the file is
8566 <code class=
"filename">/var/run/named/session.key
</code>, the key
8567 name is
"local-ddns" and the key algorithm is HMAC-SHA256,
8568 but these values are configurable with the
8569 <span><strong class=
"command">session-keyfile
</strong></span>,
8570 <span><strong class=
"command">session-keyname
</strong></span> and
8571 <span><strong class=
"command">session-keyalg
</strong></span> options, respectively).
8574 A client running on the local system, and with appropriate
8575 permissions, may read that file and use the key to sign update
8576 requests. The zone's update policy will be set to allow that
8577 key to change any record within the zone. Assuming the
8578 key name is
"local-ddns", this policy is equivalent to:
8580 <pre class=
"programlisting">update-policy { grant local-ddns zonesub any; };
8583 The command
<span><strong class=
"command">nsupdate -l
</strong></span> sends update
8584 requests to localhost, and signs them using the session key.
8587 Other rule definitions look like this:
8589 <pre class=
"programlisting">
8590 (
<span><strong class=
"command">grant
</strong></span> |
<span><strong class=
"command">deny
</strong></span> )
<em class=
"replaceable"><code>identity
</code></em> <em class=
"replaceable"><code>nametype
</code></em> [
<span class=
"optional"> <em class=
"replaceable"><code>name
</code></em> </span>] [
<span class=
"optional"> <em class=
"replaceable"><code>types
</code></em> </span>]
8593 Each rule grants or denies privileges. Once a message has
8594 successfully matched a rule, the operation is immediately
8595 granted or denied and no further rules are examined. A rule
8596 is matched when the signer matches the identity field, the
8597 name matches the name field in accordance with the nametype
8598 field, and the type matches the types specified in the type
8602 No signer is required for
<em class=
"replaceable"><code>tcp-self
</code></em>
8603 or
<em class=
"replaceable"><code>6to4-self
</code></em> however the standard
8604 reverse mapping / prefix conversion must match the identity
8608 The identity field specifies a name or a wildcard
8609 name. Normally, this is the name of the TSIG or
8610 SIG(
0) key used to sign the update request. When a
8611 TKEY exchange has been used to create a shared secret,
8612 the identity of the shared secret is the same as the
8613 identity of the key used to authenticate the TKEY
8614 exchange. TKEY is also the negotiation method used
8615 by GSS-TSIG, which establishes an identity that is
8616 the Kerberos principal of the client, such as
8617 <strong class=
"userinput"><code>"user@host.domain"</code></strong>. When the
8618 <em class=
"replaceable"><code>identity
</code></em> field specifies
8619 a wildcard name, it is subject to DNS wildcard
8620 expansion, so the rule will apply to multiple identities.
8621 The
<em class=
"replaceable"><code>identity
</code></em> field must
8622 contain a fully-qualified domain name.
8625 For nametypes
<code class=
"varname">krb5-self
</code>,
8626 <code class=
"varname">ms-self
</code>,
<code class=
"varname">krb5-subdomain
</code>,
8627 and
<code class=
"varname">ms-subdomain
</code> the
8628 <em class=
"replaceable"><code>identity
</code></em> field specifies
8629 the Windows or Kerberos realm of the machine belongs to.
8632 The
<em class=
"replaceable"><code>nametype
</code></em> field has
13
8634 <code class=
"varname">name
</code>,
<code class=
"varname">subdomain
</code>,
8635 <code class=
"varname">wildcard
</code>,
<code class=
"varname">self
</code>,
8636 <code class=
"varname">selfsub
</code>,
<code class=
"varname">selfwild
</code>,
8637 <code class=
"varname">krb5-self
</code>,
<code class=
"varname">ms-self
</code>,
8638 <code class=
"varname">krb5-subdomain
</code>,
8639 <code class=
"varname">ms-subdomain
</code>,
8640 <code class=
"varname">tcp-self
</code>,
<code class=
"varname">6to4-self
</code>,
8641 <code class=
"varname">zonesub
</code>, and
<code class=
"varname">external
</code>.
8643 <div class=
"informaltable"><table border=
"1">
8652 <code class=
"varname">name
</code>
8657 Exact-match semantics. This rule matches
8658 when the name being updated is identical
8659 to the contents of the
8660 <em class=
"replaceable"><code>name
</code></em> field.
8667 <code class=
"varname">subdomain
</code>
8672 This rule matches when the name being updated
8673 is a subdomain of, or identical to, the
8674 contents of the
<em class=
"replaceable"><code>name
</code></em>
8682 <code class=
"varname">zonesub
</code>
8687 This rule is similar to subdomain, except that
8688 it matches when the name being updated is a
8689 subdomain of the zone in which the
8690 <span><strong class=
"command">update-policy
</strong></span> statement
8691 appears. This obviates the need to type the zone
8692 name twice, and enables the use of a standard
8693 <span><strong class=
"command">update-policy
</strong></span> statement in
8694 multiple zones without modification.
8697 When this rule is used, the
8698 <em class=
"replaceable"><code>name
</code></em> field is omitted.
8705 <code class=
"varname">wildcard
</code>
8710 The
<em class=
"replaceable"><code>name
</code></em> field
8711 is subject to DNS wildcard expansion, and
8712 this rule matches when the name being updated
8713 name is a valid expansion of the wildcard.
8720 <code class=
"varname">self
</code>
8725 This rule matches when the name being updated
8726 matches the contents of the
8727 <em class=
"replaceable"><code>identity
</code></em> field.
8728 The
<em class=
"replaceable"><code>name
</code></em> field
8729 is ignored, but should be the same as the
8730 <em class=
"replaceable"><code>identity
</code></em> field.
8731 The
<code class=
"varname">self
</code> nametype is
8732 most useful when allowing using one key per
8733 name to update, where the key has the same
8734 name as the name to be updated. The
8735 <em class=
"replaceable"><code>identity
</code></em> would
8736 be specified as
<code class=
"constant">*
</code> (an asterisk) in
8744 <code class=
"varname">selfsub
</code>
8749 This rule is similar to
<code class=
"varname">self
</code>
8750 except that subdomains of
<code class=
"varname">self
</code>
8751 can also be updated.
8758 <code class=
"varname">selfwild
</code>
8763 This rule is similar to
<code class=
"varname">self
</code>
8764 except that only subdomains of
8765 <code class=
"varname">self
</code> can be updated.
8772 <code class=
"varname">ms-self
</code>
8777 This rule takes a Windows machine principal
8778 (machine$@REALM) for machine in REALM and
8779 and converts it machine.realm allowing the machine
8780 to update machine.realm. The REALM to be matched
8781 is specified in the
<em class=
"replaceable"><code>identity
</code></em>
8789 <code class=
"varname">ms-subdomain
</code>
8794 This rule takes a Windows machine principal
8795 (machine$@REALM) for machine in REALM and
8796 converts it to machine.realm allowing the machine
8797 to update subdomains of machine.realm. The REALM
8798 to be matched is specified in the
8799 <em class=
"replaceable"><code>identity
</code></em> field.
8806 <code class=
"varname">krb5-self
</code>
8811 This rule takes a Kerberos machine principal
8812 (host/machine@REALM) for machine in REALM and
8813 and converts it machine.realm allowing the machine
8814 to update machine.realm. The REALM to be matched
8815 is specified in the
<em class=
"replaceable"><code>identity
</code></em>
8823 <code class=
"varname">krb5-subdomain
</code>
8828 This rule takes a Kerberos machine principal
8829 (host/machine@REALM) for machine in REALM and
8830 converts it to machine.realm allowing the machine
8831 to update subdomains of machine.realm. The REALM
8832 to be matched is specified in the
8833 <em class=
"replaceable"><code>identity
</code></em> field.
8840 <code class=
"varname">tcp-self
</code>
8845 Allow updates that have been sent via TCP and
8846 for which the standard mapping from the initiating
8847 IP address into the IN-ADDR.ARPA and IP6.ARPA
8848 namespaces match the name to be updated.
8850 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
8851 <h3 class=
"title">Note
</h3>
8852 It is theoretically possible to spoof these TCP
8860 <code class=
"varname">6to4-self
</code>
8865 Allow the
6to4 prefix to be update by any TCP
8866 connection from the
6to4 network or from the
8867 corresponding IPv4 address. This is intended
8868 to allow NS or DNAME RRsets to be added to the
8871 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
8872 <h3 class=
"title">Note
</h3>
8873 It is theoretically possible to spoof these TCP
8881 <code class=
"varname">external
</code>
8886 This rule allows
<span><strong class=
"command">named
</strong></span>
8887 to defer the decision of whether to allow a
8888 given update to an external daemon.
8891 The method of communicating with the daemon is
8892 specified in the
<em class=
"replaceable"><code>identity
</code></em>
8893 field, the format of which is
8894 "<code class="constant
">local:</code><em class="replaceable
"><code>path</code></em>",
8895 where
<em class=
"replaceable"><code>path
</code></em> is the location
8896 of a UNIX-domain socket. (Currently,
"local" is the
8897 only supported mechanism.)
8900 Requests to the external daemon are sent over the
8901 UNIX-domain socket as datagrams with the following
8904 <pre class=
"programlisting">
8905 Protocol version number (
4 bytes, network byte order, currently
1)
8906 Request length (
4 bytes, network byte order)
8907 Signer (null-terminated string)
8908 Name (null-terminated string)
8909 TCP source address (null-terminated string)
8910 Rdata type (null-terminated string)
8911 Key (null-terminated string)
8912 TKEY token length (
4 bytes, network byte order)
8913 TKEY token (remainder of packet)
</pre>
8915 The daemon replies with a four-byte value in
8916 network byte order, containing either
0 or
1;
0
8917 indicates that the specified update is not
8918 permitted, and
1 indicates that it is.
8925 In all cases, the
<em class=
"replaceable"><code>name
</code></em>
8926 field must specify a fully-qualified domain name.
8929 If no types are explicitly specified, this rule matches
8930 all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
8931 may be specified by name, including
"ANY" (ANY matches
8932 all types except NSEC and NSEC3, which can never be
8933 updated). Note that when an attempt is made to delete
8934 all records associated with a name, the rules are
8935 checked for each existing record type.
8938 <div class=
"sect3" lang=
"en">
8939 <div class=
"titlepage"><div><div><h4 class=
"title">
8940 <a name=
"id2598241"></a>Multiple views
</h4></div></div></div>
8942 When multiple views are in use, a zone may be
8943 referenced by more than one of them. Often, the views
8944 will contain different zones with the same name, allowing
8945 different clients to receive different answers for the same
8946 queries. At times, however, it is desirable for multiple
8947 views to contain identical zones. The
8948 <span><strong class=
"command">in-view
</strong></span> zone option provides an efficient
8949 way to do this: it allows a view to reference a zone that
8950 was defined in a previously configured view. Example:
8952 <pre class=
"programlisting">
8954 match-clients {
10/
8; };
8958 file
"example-external.db";
8963 match-clients { any; };
8971 An
<span><strong class=
"command">in-view
</strong></span> option cannot refer to a view
8972 that is configured later in the configuration file.
8975 A
<span><strong class=
"command">zone
</strong></span> statement which uses the
8976 <span><strong class=
"command">in-view
</strong></span> option may not use any other
8977 options with the exception of
<span><strong class=
"command">forward
</strong></span>
8978 and
<span><strong class=
"command">forwarders
</strong></span>. (These options control
8979 the behavior of the containing view, rather than changing
8980 the zone object itself.)
8983 An
<span><strong class=
"command">in-view
</strong></span> zone cannot be used as a
8984 response policy zone.
8989 <div class=
"sect1" lang=
"en">
8990 <div class=
"titlepage"><div><div><h2 class=
"title" style=
"clear: both">
8991 <a name=
"id2598289"></a>Zone File
</h2></div></div></div>
8992 <div class=
"sect2" lang=
"en">
8993 <div class=
"titlepage"><div><div><h3 class=
"title">
8994 <a name=
"types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them
</h3></div></div></div>
8996 This section, largely borrowed from RFC
1034, describes the
8997 concept of a Resource Record (RR) and explains when each is used.
8998 Since the publication of RFC
1034, several new RRs have been
9000 and implemented in the DNS. These are also included.
9002 <div class=
"sect3" lang=
"en">
9003 <div class=
"titlepage"><div><div><h4 class=
"title">
9004 <a name=
"id2598375"></a>Resource Records
</h4></div></div></div>
9006 A domain name identifies a node. Each node has a set of
9007 resource information, which may be empty. The set of resource
9008 information associated with a particular name is composed of
9009 separate RRs. The order of RRs in a set is not significant and
9010 need not be preserved by name servers, resolvers, or other
9011 parts of the DNS. However, sorting of multiple RRs is
9012 permitted for optimization purposes, for example, to specify
9013 that a particular nearby server be tried first. See
<a href=
"Bv9ARM.ch06.html#the_sortlist_statement" title=
"The sortlist Statement">the section called
“The
<span><strong class=
"command">sortlist
</strong></span> Statement
”</a> and
<a href=
"Bv9ARM.ch06.html#rrset_ordering" title=
"RRset Ordering">the section called
“RRset Ordering
”</a>.
9016 The components of a Resource Record are:
9018 <div class=
"informaltable"><table border=
"1">
9032 The domain name where the RR is found.
9044 An encoded
16-bit value that specifies
9045 the type of the resource record.
9057 The time-to-live of the RR. This field
9058 is a
32-bit integer in units of seconds, and is
9060 resolvers when they cache RRs. The TTL describes how
9062 be cached before it should be discarded.
9074 An encoded
16-bit value that identifies
9075 a protocol family or instance of a protocol.
9087 The resource data. The format of the
9088 data is type (and sometimes class) specific.
9095 The following are
<span class=
"emphasis"><em>types
</em></span> of valid RRs:
9097 <div class=
"informaltable"><table border=
"1">
9111 A host address. In the IN class, this is a
9112 32-bit IP address. Described in RFC
1035.
9124 IPv6 address. Described in RFC
1886.
9136 IPv6 address. This can be a partial
9137 address (a suffix) and an indirection to the name
9138 where the rest of the
9139 address (the prefix) can be found. Experimental.
9140 Described in RFC
2874.
9152 Location of AFS database servers.
9153 Experimental. Described in RFC
1183.
9165 Address prefix list. Experimental.
9166 Described in RFC
3123.
9178 Holds a digital certificate.
9179 Described in RFC
2538.
9191 Identifies the canonical name of an alias.
9192 Described in RFC
1035.
9204 Is used for identifying which DHCP client is
9205 associated with this name. Described in RFC
4701.
9217 Replaces the domain name specified with
9218 another name to be looked up, effectively aliasing an
9220 subtree of the domain name space rather than a single
9222 as in the case of the CNAME RR.
9223 Described in RFC
2672.
9235 Stores a public key associated with a signed
9236 DNS zone. Described in RFC
4034.
9248 Stores the hash of a public key associated with a
9249 signed DNS zone. Described in RFC
4034.
9261 Specifies the global position. Superseded by LOC.
9273 Identifies the CPU and OS used by a host.
9274 Described in RFC
1035.
9286 Provides a method for storing IPsec keying material in
9287 DNS. Described in RFC
4025.
9299 Representation of ISDN addresses.
9300 Experimental. Described in RFC
1183.
9312 Stores a public key associated with a
9313 DNS name. Used in original DNSSEC; replaced
9314 by DNSKEY in DNSSECbis, but still used with
9315 SIG(
0). Described in RFCs
2535 and
2931.
9327 Identifies a key exchanger for this
9328 DNS name. Described in RFC
2230.
9340 For storing GPS info. Described in RFC
1876.
9353 Identifies a mail exchange for the domain with
9354 a
16-bit preference value (lower is better)
9355 followed by the host name of the mail exchange.
9356 Described in RFC
974, RFC
1035.
9368 Name authority pointer. Described in RFC
2915.
9380 A network service access point.
9381 Described in RFC
1706.
9393 The authoritative name server for the
9394 domain. Described in RFC
1035.
9406 Used in DNSSECbis to securely indicate that
9407 RRs with an owner name in a certain name interval do
9409 a zone and indicate what RR types are present for an
9411 Described in RFC
4034.
9423 Used in DNSSECbis to securely indicate that
9424 RRs with an owner name in a certain name
9425 interval do not exist in a zone and indicate
9426 what RR types are present for an existing
9427 name. NSEC3 differs from NSEC in that it
9428 prevents zone enumeration but is more
9429 computationally expensive on both the server
9430 and the client than NSEC. Described in RFC
9443 Used in DNSSECbis to tell the authoritative
9444 server which NSEC3 chains are available to use.
9445 Described in RFC
5155.
9457 Used in DNSSEC to securely indicate that
9458 RRs with an owner name in a certain name interval do
9460 a zone and indicate what RR types are present for an
9462 Used in original DNSSEC; replaced by NSEC in
9464 Described in RFC
2535.
9476 A pointer to another part of the domain
9477 name space. Described in RFC
1035.
9489 Provides mappings between RFC
822 and X
.400
9490 addresses. Described in RFC
2163.
9502 Information on persons responsible
9503 for the domain. Experimental. Described in RFC
1183.
9515 Contains DNSSECbis signature data. Described
9528 Route-through binding for hosts that
9529 do not have their own direct wide area network
9531 Experimental. Described in RFC
1183.
9543 Contains DNSSEC signature data. Used in
9544 original DNSSEC; replaced by RRSIG in
9545 DNSSECbis, but still used for SIG(
0).
9546 Described in RFCs
2535 and
2931.
9558 Identifies the start of a zone of authority.
9559 Described in RFC
1035.
9571 Contains the Sender Policy Framework information
9572 for a given email domain. Described in RFC
4408.
9584 Information about well known network
9585 services (replaces WKS). Described in RFC
2782.
9597 Provides a way to securely publish a secure shell key's
9598 fingerprint. Described in RFC
4255.
9610 Text records. Described in RFC
1035.
9622 Information about which well known
9623 network services, such as SMTP, that a domain
9624 supports. Historical.
9636 Representation of X
.25 network addresses.
9637 Experimental. Described in RFC
1183.
9644 The following
<span class=
"emphasis"><em>classes
</em></span> of resource records
9645 are currently valid in the DNS:
9647 <div class=
"informaltable"><table border=
"1">
9673 Chaosnet, a LAN protocol created at MIT in the
9675 Rarely used for its historical purpose, but reused for
9677 built-in server information zones, e.g.,
9678 <code class=
"literal">version.bind
</code>.
9690 Hesiod, an information service
9691 developed by MIT's Project Athena. It is used to share
9693 about various systems databases, such as users,
9702 The owner name is often implicit, rather than forming an
9704 part of the RR. For example, many name servers internally form
9706 or hash structures for the name space, and chain RRs off nodes.
9707 The remaining RR parts are the fixed header (type, class, TTL)
9708 which is consistent for all RRs, and a variable part (RDATA)
9710 fits the needs of the resource being described.
9713 The meaning of the TTL field is a time limit on how long an
9714 RR can be kept in a cache. This limit does not apply to
9716 data in zones; it is also timed out, but by the refreshing
9718 for the zone. The TTL is assigned by the administrator for the
9719 zone where the data originates. While short TTLs can be used to
9720 minimize caching, and a zero TTL prohibits caching, the
9722 of Internet performance suggest that these times should be on
9724 order of days for the typical host. If a change can be
9726 the TTL can be reduced prior to the change to minimize
9728 during the change, and then increased back to its former value
9733 The data in the RDATA section of RRs is carried as a combination
9734 of binary strings and domain names. The domain names are
9736 used as
"pointers" to other data in the DNS.
9739 <div class=
"sect3" lang=
"en">
9740 <div class=
"titlepage"><div><div><h4 class=
"title">
9741 <a name=
"id2599998"></a>Textual expression of RRs
</h4></div></div></div>
9743 RRs are represented in binary form in the packets of the DNS
9744 protocol, and are usually represented in highly encoded form
9746 stored in a name server or resolver. In the examples provided
9748 RFC
1034, a style similar to that used in master files was
9750 in order to show the contents of RRs. In this format, most RRs
9751 are shown on a single line, although continuation lines are
9756 The start of the line gives the owner of the RR. If a line
9757 begins with a blank, then the owner is assumed to be the same as
9758 that of the previous RR. Blank lines are often included for
9762 Following the owner, we list the TTL, type, and class of the
9763 RR. Class and type use the mnemonics defined above, and TTL is
9764 an integer before the type field. In order to avoid ambiguity
9766 parsing, type and class mnemonics are disjoint, TTLs are
9768 and the type mnemonic is always last. The IN class and TTL
9770 are often omitted from examples in the interests of clarity.
9773 The resource data or RDATA section of the RR are given using
9774 knowledge of the typical representation for the data.
9777 For example, we might show the RRs carried in a message as:
9779 <div class=
"informaltable"><table border=
"1">
9789 <code class=
"literal">ISI.EDU.
</code>
9794 <code class=
"literal">MX
</code>
9799 <code class=
"literal">10 VENERA.ISI.EDU.
</code>
9809 <code class=
"literal">MX
</code>
9814 <code class=
"literal">10 VAXA.ISI.EDU
</code>
9821 <code class=
"literal">VENERA.ISI.EDU
</code>
9826 <code class=
"literal">A
</code>
9831 <code class=
"literal">128.9.0.32</code>
9841 <code class=
"literal">A
</code>
9846 <code class=
"literal">10.1.0.52</code>
9853 <code class=
"literal">VAXA.ISI.EDU
</code>
9858 <code class=
"literal">A
</code>
9863 <code class=
"literal">10.2.0.27</code>
9873 <code class=
"literal">A
</code>
9878 <code class=
"literal">128.9.0.33</code>
9885 The MX RRs have an RDATA section which consists of a
16-bit
9886 number followed by a domain name. The address RRs use a
9888 IP address format to contain a
32-bit internet address.
9891 The above example shows six RRs, with two RRs at each of three
9895 Similarly we might see:
9897 <div class=
"informaltable"><table border=
"1">
9907 <code class=
"literal">XX.LCS.MIT.EDU.
</code>
9912 <code class=
"literal">IN A
</code>
9917 <code class=
"literal">10.0.0.44</code>
9925 <code class=
"literal">CH A
</code>
9930 <code class=
"literal">MIT.EDU.
2420</code>
9937 This example shows two addresses for
9938 <code class=
"literal">XX.LCS.MIT.EDU
</code>, each of a different class.
9942 <div class=
"sect2" lang=
"en">
9943 <div class=
"titlepage"><div><div><h3 class=
"title">
9944 <a name=
"id2600587"></a>Discussion of MX Records
</h3></div></div></div>
9946 As described above, domain servers store information as a
9947 series of resource records, each of which contains a particular
9948 piece of information about a given domain name (which is usually,
9949 but not always, a host). The simplest way to think of a RR is as
9950 a typed pair of data, a domain name matched with a relevant datum,
9951 and stored with some additional type information to help systems
9952 determine when the RR is relevant.
9955 MX records are used to control delivery of email. The data
9956 specified in the record is a priority and a domain name. The
9958 controls the order in which email delivery is attempted, with the
9959 lowest number first. If two priorities are the same, a server is
9960 chosen randomly. If no servers at a given priority are responding,
9961 the mail transport agent will fall back to the next largest
9963 Priority numbers do not have any absolute meaning
— they are
9965 only respective to other MX records for that domain name. The
9967 name given is the machine to which the mail will be delivered.
9968 It
<span class=
"emphasis"><em>must
</em></span> have an associated address record
9969 (A or AAAA)
— CNAME is not sufficient.
9972 For a given domain, if there is both a CNAME record and an
9973 MX record, the MX record is in error, and will be ignored.
9975 the mail will be delivered to the server specified in the MX
9977 pointed to by the CNAME.
9980 <div class=
"informaltable"><table border=
"1">
9992 <code class=
"literal">example.com.
</code>
9997 <code class=
"literal">IN
</code>
10002 <code class=
"literal">MX
</code>
10007 <code class=
"literal">10</code>
10012 <code class=
"literal">mail.example.com.
</code>
10022 <code class=
"literal">IN
</code>
10027 <code class=
"literal">MX
</code>
10032 <code class=
"literal">10</code>
10037 <code class=
"literal">mail2.example.com.
</code>
10047 <code class=
"literal">IN
</code>
10052 <code class=
"literal">MX
</code>
10057 <code class=
"literal">20</code>
10062 <code class=
"literal">mail.backup.org.
</code>
10069 <code class=
"literal">mail.example.com.
</code>
10074 <code class=
"literal">IN
</code>
10079 <code class=
"literal">A
</code>
10084 <code class=
"literal">10.0.0.1</code>
10094 <code class=
"literal">mail2.example.com.
</code>
10099 <code class=
"literal">IN
</code>
10104 <code class=
"literal">A
</code>
10109 <code class=
"literal">10.0.0.2</code>
10119 Mail delivery will be attempted to
<code class=
"literal">mail.example.com
</code> and
10120 <code class=
"literal">mail2.example.com
</code> (in
10121 any order), and if neither of those succeed, delivery to
<code class=
"literal">mail.backup.org
</code> will
10125 <div class=
"sect2" lang=
"en">
10126 <div class=
"titlepage"><div><div><h3 class=
"title">
10127 <a name=
"Setting_TTLs"></a>Setting TTLs
</h3></div></div></div>
10129 The time-to-live of the RR field is a
32-bit integer represented
10130 in units of seconds, and is primarily used by resolvers when they
10131 cache RRs. The TTL describes how long a RR can be cached before it
10132 should be discarded. The following three types of TTL are
10134 used in a zone file.
10136 <div class=
"informaltable"><table border=
"1">
10150 The last field in the SOA is the negative
10151 caching TTL. This controls how long other servers will
10152 cache no-such-domain
10153 (NXDOMAIN) responses from you.
10156 The maximum time for
10157 negative caching is
3 hours (
3h).
10169 The $TTL directive at the top of the
10170 zone file (before the SOA) gives a default TTL for every
10172 a specific TTL set.
10184 Each RR can have a TTL as the second
10185 field in the RR, which will control how long other
10186 servers can cache it.
10193 All of these TTLs default to units of seconds, though units
10194 can be explicitly specified, for example,
<code class=
"literal">1h30m
</code>.
10197 <div class=
"sect2" lang=
"en">
10198 <div class=
"titlepage"><div><div><h3 class=
"title">
10199 <a name=
"id2601134"></a>Inverse Mapping in IPv4
</h3></div></div></div>
10201 Reverse name resolution (that is, translation from IP address
10202 to name) is achieved by means of the
<span class=
"emphasis"><em>in-addr.arpa
</em></span> domain
10203 and PTR records. Entries in the in-addr.arpa domain are made in
10204 least-to-most significant order, read left to right. This is the
10205 opposite order to the way IP addresses are usually written. Thus,
10206 a machine with an IP address of
10.1.2.3 would have a
10208 in-addr.arpa name of
10209 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
10210 whose data field is the name of the machine or, optionally,
10212 PTR records if the machine has more than one name. For example,
10213 in the [
<span class=
"optional">example.com
</span>] domain:
10215 <div class=
"informaltable"><table border=
"1">
10224 <code class=
"literal">$ORIGIN
</code>
10229 <code class=
"literal">2.1.10.in-addr.arpa
</code>
10236 <code class=
"literal">3</code>
10241 <code class=
"literal">IN PTR foo.example.com.
</code>
10247 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
10248 <h3 class=
"title">Note
</h3>
10250 The
<span><strong class=
"command">$ORIGIN
</strong></span> lines in the examples
10251 are for providing context to the examples only
— they do not
10253 appear in the actual usage. They are only used here to indicate
10254 that the example is relative to the listed origin.
10258 <div class=
"sect2" lang=
"en">
10259 <div class=
"titlepage"><div><div><h3 class=
"title">
10260 <a name=
"id2601261"></a>Other Zone File Directives
</h3></div></div></div>
10262 The Master File Format was initially defined in RFC
1035 and
10263 has subsequently been extended. While the Master File Format
10265 is class independent all records in a Master File must be of the
10270 Master File Directives include
<span><strong class=
"command">$ORIGIN
</strong></span>,
<span><strong class=
"command">$INCLUDE
</strong></span>,
10271 and
<span><strong class=
"command">$TTL.
</strong></span>
10273 <div class=
"sect3" lang=
"en">
10274 <div class=
"titlepage"><div><div><h4 class=
"title">
10275 <a name=
"id2601284"></a>The
<span><strong class=
"command">@
</strong></span> (at-sign)
</h4></div></div></div>
10277 When used in the label (or name) field, the asperand or
10278 at-sign (@) symbol represents the current origin.
10279 At the start of the zone file, it is the
10280 <<code class=
"varname">zone_name
</code>> (followed by
10284 <div class=
"sect3" lang=
"en">
10285 <div class=
"titlepage"><div><div><h4 class=
"title">
10286 <a name=
"id2601300"></a>The
<span><strong class=
"command">$ORIGIN
</strong></span> Directive
</h4></div></div></div>
10288 Syntax:
<span><strong class=
"command">$ORIGIN
</strong></span>
10289 <em class=
"replaceable"><code>domain-name
</code></em>
10290 [
<span class=
"optional"><em class=
"replaceable"><code>comment
</code></em></span>]
10292 <p><span><strong class=
"command">$ORIGIN
</strong></span>
10293 sets the domain name that will be appended to any
10294 unqualified records. When a zone is first read in there
10295 is an implicit
<span><strong class=
"command">$ORIGIN
</strong></span>
10296 <<code class=
"varname">zone_name
</code>><span><strong class=
"command">.
</strong></span>
10297 (followed by trailing dot).
10298 The current
<span><strong class=
"command">$ORIGIN
</strong></span> is appended to
10299 the domain specified in the
<span><strong class=
"command">$ORIGIN
</strong></span>
10300 argument if it is not absolute.
10302 <pre class=
"programlisting">
10303 $ORIGIN example.com.
10304 WWW CNAME MAIN-SERVER
10309 <pre class=
"programlisting">
10310 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
10313 <div class=
"sect3" lang=
"en">
10314 <div class=
"titlepage"><div><div><h4 class=
"title">
10315 <a name=
"id2601429"></a>The
<span><strong class=
"command">$INCLUDE
</strong></span> Directive
</h4></div></div></div>
10317 Syntax:
<span><strong class=
"command">$INCLUDE
</strong></span>
10318 <em class=
"replaceable"><code>filename
</code></em>
10319 [
<span class=
"optional">
10320 <em class=
"replaceable"><code>origin
</code></em> </span>]
10321 [
<span class=
"optional"> <em class=
"replaceable"><code>comment
</code></em> </span>]
10324 Read and process the file
<code class=
"filename">filename
</code> as
10325 if it were included into the file at this point. If
<span><strong class=
"command">origin
</strong></span> is
10326 specified the file is processed with
<span><strong class=
"command">$ORIGIN
</strong></span> set
10327 to that value, otherwise the current
<span><strong class=
"command">$ORIGIN
</strong></span> is
10331 The origin and the current domain name
10332 revert to the values they had prior to the
<span><strong class=
"command">$INCLUDE
</strong></span> once
10333 the file has been read.
10335 <div class=
"note" style=
"margin-left: 0.5in; margin-right: 0.5in;">
10336 <h3 class=
"title">Note
</h3>
10338 RFC
1035 specifies that the current origin should be restored
10340 an
<span><strong class=
"command">$INCLUDE
</strong></span>, but it is silent
10341 on whether the current
10342 domain name should also be restored. BIND
9 restores both of
10344 This could be construed as a deviation from RFC
1035, a
10349 <div class=
"sect3" lang=
"en">
10350 <div class=
"titlepage"><div><div><h4 class=
"title">
10351 <a name=
"id2601498"></a>The
<span><strong class=
"command">$TTL
</strong></span> Directive
</h4></div></div></div>
10353 Syntax:
<span><strong class=
"command">$TTL
</strong></span>
10354 <em class=
"replaceable"><code>default-ttl
</code></em>
10355 [
<span class=
"optional">
10356 <em class=
"replaceable"><code>comment
</code></em> </span>]
10359 Set the default Time To Live (TTL) for subsequent records
10360 with undefined TTLs. Valid TTLs are of the range
0-
2147483647
10363 <p><span><strong class=
"command">$TTL
</strong></span>
10364 is defined in RFC
2308.
10368 <div class=
"sect2" lang=
"en">
10369 <div class=
"titlepage"><div><div><h3 class=
"title">
10370 <a name=
"id2601534"></a><acronym class=
"acronym">BIND
</acronym> Master File Extension: the
<span><strong class=
"command">$GENERATE
</strong></span> Directive
</h3></div></div></div>
10372 Syntax:
<span><strong class=
"command">$GENERATE
</strong></span>
10373 <em class=
"replaceable"><code>range
</code></em>
10374 <em class=
"replaceable"><code>lhs
</code></em>
10375 [
<span class=
"optional"><em class=
"replaceable"><code>ttl
</code></em></span>]
10376 [
<span class=
"optional"><em class=
"replaceable"><code>class
</code></em></span>]
10377 <em class=
"replaceable"><code>type
</code></em>
10378 <em class=
"replaceable"><code>rhs
</code></em>
10379 [
<span class=
"optional"><em class=
"replaceable"><code>comment
</code></em></span>]
10381 <p><span><strong class=
"command">$GENERATE
</strong></span>
10382 is used to create a series of resource records that only
10383 differ from each other by an
10384 iterator.
<span><strong class=
"command">$GENERATE
</strong></span> can be used to
10385 easily generate the sets of records required to support
10386 sub /
24 reverse delegations described in RFC
2317:
10387 Classless IN-ADDR.ARPA delegation.
10389 <pre class=
"programlisting">$ORIGIN
0.0.192.IN-ADDR.ARPA.
10390 $GENERATE
1-
2 @ NS SERVER$.EXAMPLE.
10391 $GENERATE
1-
127 $ CNAME $
.0</pre>
10395 <pre class=
"programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
10396 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
10397 1.0.0.192.IN-ADDR.ARPA. CNAME
1.0.0.0.192.IN-ADDR.ARPA.
10398 2.0.0.192.IN-ADDR.ARPA. CNAME
2.0.0.0.192.IN-ADDR.ARPA.
10400 127.0.0.192.IN-ADDR.ARPA. CNAME
127.0.0.0.192.IN-ADDR.ARPA.
10403 Generate a set of A and MX records. Note the MX's right hand
10404 side is a quoted string. The quotes will be stripped when the
10405 right hand side is processed.
10407 <pre class=
"programlisting">
10409 $GENERATE
1-
127 HOST-$ A
1.2.3.$
10410 $GENERATE
1-
127 HOST-$ MX
"0 ."</pre>
10414 <pre class=
"programlisting">HOST-
1.EXAMPLE. A
1.2.3.1
10415 HOST-
1.EXAMPLE. MX
0 .
10416 HOST-
2.EXAMPLE. A
1.2.3.2
10417 HOST-
2.EXAMPLE. MX
0 .
10418 HOST-
3.EXAMPLE. A
1.2.3.3
10419 HOST-
3.EXAMPLE. MX
0 .
10421 HOST-
127.EXAMPLE. A
1.2.3.127
10422 HOST-
127.EXAMPLE. MX
0 .
10424 <div class=
"informaltable"><table border=
"1">
10432 <p><span><strong class=
"command">range
</strong></span></p>
10436 This can be one of two forms: start-stop
10437 or start-stop/step. If the first form is used, then step
10438 is set to
1. start, stop and step must be positive
10439 integers between
0 and (
2^
31)-
1. start must not be
10446 <p><span><strong class=
"command">lhs
</strong></span></p>
10450 describes the owner name of the resource records
10451 to be created. Any single
<span><strong class=
"command">$
</strong></span>
10453 symbols within the
<span><strong class=
"command">lhs
</strong></span> string
10454 are replaced by the iterator value.
10456 To get a $ in the output, you need to escape the
10457 <span><strong class=
"command">$
</strong></span> using a backslash
10458 <span><strong class=
"command">\
</strong></span>,
10459 e.g.
<span><strong class=
"command">\$
</strong></span>. The
10460 <span><strong class=
"command">$
</strong></span> may optionally be followed
10461 by modifiers which change the offset from the
10462 iterator, field width and base.
10464 Modifiers are introduced by a
10465 <span><strong class=
"command">{
</strong></span> (left brace) immediately following the
10466 <span><strong class=
"command">$
</strong></span> as
10467 <span><strong class=
"command">${offset[,width[,base]]}
</strong></span>.
10468 For example,
<span><strong class=
"command">${-
20,
3,d}
</strong></span>
10469 subtracts
20 from the current value, prints the
10470 result as a decimal in a zero-padded field of
10473 Available output forms are decimal
10474 (
<span><strong class=
"command">d
</strong></span>), octal
10475 (
<span><strong class=
"command">o
</strong></span>), hexadecimal
10476 (
<span><strong class=
"command">x
</strong></span> or
<span><strong class=
"command">X
</strong></span>
10477 for uppercase) and nibble
10478 (
<span><strong class=
"command">n
</strong></span> or
<span><strong class=
"command">N
</strong></span>\
10479 for uppercase). The default modifier is
10480 <span><strong class=
"command">${
0,
0,d}
</strong></span>. If the
10481 <span><strong class=
"command">lhs
</strong></span> is not absolute, the
10482 current
<span><strong class=
"command">$ORIGIN
</strong></span> is appended
10486 In nibble mode the value will be treated as
10487 if it was a reversed hexadecimal string
10488 with each hexadecimal digit as a separate
10489 label. The width field includes the label
10493 For compatibility with earlier versions,
10494 <span><strong class=
"command">$$
</strong></span> is still recognized as
10495 indicating a literal $ in the output.
10501 <p><span><strong class=
"command">ttl
</strong></span></p>
10505 Specifies the time-to-live of the generated records. If
10506 not specified this will be inherited using the
10507 normal TTL inheritance rules.
10509 <p><span><strong class=
"command">class
</strong></span>
10510 and
<span><strong class=
"command">ttl
</strong></span> can be
10511 entered in either order.
10517 <p><span><strong class=
"command">class
</strong></span></p>
10521 Specifies the class of the generated records.
10522 This must match the zone class if it is
10525 <p><span><strong class=
"command">class
</strong></span>
10526 and
<span><strong class=
"command">ttl
</strong></span> can be
10527 entered in either order.
10533 <p><span><strong class=
"command">type
</strong></span></p>
10543 <p><span><strong class=
"command">rhs
</strong></span></p>
10547 <span><strong class=
"command">rhs
</strong></span>, optionally, quoted string.
10554 The
<span><strong class=
"command">$GENERATE
</strong></span> directive is a
<acronym class=
"acronym">BIND
</acronym> extension
10555 and not part of the standard zone file format.
10558 BIND
8 does not support the optional TTL and CLASS fields.
10561 <div class=
"sect2" lang=
"en">
10562 <div class=
"titlepage"><div><div><h3 class=
"title">
10563 <a name=
"zonefile_format"></a>Additional File Formats
</h3></div></div></div>
10565 In addition to the standard textual format, BIND
9
10566 supports the ability to read or dump to zone files in
10570 The
<code class=
"constant">raw
</code> format is
10571 a binary representation of zone data in a manner similar
10572 to that used in zone transfers. Since it does not require
10573 parsing text, load time is significantly reduced.
10576 An even faster alternative is the
<code class=
"constant">map
</code>
10577 format, which is an image of a
<acronym class=
"acronym">BIND
</acronym> 9
10578 in-memory zone database; it is capable of being loaded
10579 directly into memory via the
<span><strong class=
"command">mmap()
</strong></span>
10580 function; the zone can begin serving queries almost
10584 For a primary server, a zone file in
10585 <code class=
"constant">raw
</code> or
<code class=
"constant">map
</code>
10586 format is expected to be generated from a textual zone
10587 file by the
<span><strong class=
"command">named-compilezone
</strong></span> command.
10588 For a secondary server or for a dynamic zone, it is automatically
10589 generated (if this format is specified by the
10590 <span><strong class=
"command">masterfile-format
</strong></span> option) when
10591 <span><strong class=
"command">named
</strong></span> dumps the zone contents after
10592 zone transfer or when applying prior updates.
10595 If a zone file in a binary format needs manual modification,
10596 it first must be converted to a textual form by the
10597 <span><strong class=
"command">named-compilezone
</strong></span> command. All
10598 necessary modification should go to the text file, which
10599 should then be converted to the binary form by the
10600 <span><strong class=
"command">named-compilezone
</strong></span> command again.
10603 Note that
<span><strong class=
"command">map
</strong></span> format is extremely
10604 architecture-specific. A
<code class=
"constant">map
</code>
10605 file
<span class=
"emphasis"><em>cannot
</em></span> be used on a system
10606 with different pointer size, endianness or data alignment
10607 than the system on which it was generated, and should in
10608 general be used only inside a single system.
10609 While
<code class=
"constant">raw
</code> format uses
10610 network byte order and avoids architecture-dependent
10611 data alignment so that it is as portable as
10612 possible, it is also primarily expected to be used
10613 inside the same single system. To export a
10614 zone file in either
<code class=
"constant">raw
</code> or
10615 <code class=
"constant">map
</code> format, or make a
10616 portable backup of such a file, conversion to
10617 <code class=
"constant">text
</code> format is recommended.
10621 <div class=
"sect1" lang=
"en">
10622 <div class=
"titlepage"><div><div><h2 class=
"title" style=
"clear: both">
10623 <a name=
"statistics"></a>BIND9 Statistics
</h2></div></div></div>
10625 <acronym class=
"acronym">BIND
</acronym> 9 maintains lots of statistics
10626 information and provides several interfaces for users to
10627 get access to the statistics.
10628 The available statistics include all statistics counters
10629 that were available in
<acronym class=
"acronym">BIND
</acronym> 8 and
10630 are meaningful in
<acronym class=
"acronym">BIND
</acronym> 9,
10631 and other information that is considered useful.
10634 The statistics information is categorized into the following
10637 <div class=
"informaltable"><table border=
"1">
10645 <p>Incoming Requests
</p>
10649 The number of incoming DNS requests for each OPCODE.
10655 <p>Incoming Queries
</p>
10659 The number of incoming queries for each RR type.
10665 <p>Outgoing Queries
</p>
10669 The number of outgoing queries for each RR
10670 type sent from the internal resolver.
10671 Maintained per view.
10677 <p>Name Server Statistics
</p>
10681 Statistics counters about incoming request processing.
10687 <p>Zone Maintenance Statistics
</p>
10691 Statistics counters regarding zone maintenance
10692 operations such as zone transfers.
10698 <p>Resolver Statistics
</p>
10702 Statistics counters about name resolution
10703 performed in the internal resolver.
10704 Maintained per view.
10710 <p>Cache DB RRsets
</p>
10714 The number of RRsets per RR type and nonexistent
10715 names stored in the cache database.
10716 If the exclamation mark (!) is printed for a RR
10717 type, it means that particular type of RRset is
10718 known to be nonexistent (this is also known as
10719 "NXRRSET"). If a hash mark (#) is present then
10720 the RRset is marked for garbage collection.
10721 Maintained per view.
10727 <p>Socket I/O Statistics
</p>
10731 Statistics counters about network related events.
10738 A subset of Name Server Statistics is collected and shown
10739 per zone for which the server has the authority when
10740 <span><strong class=
"command">zone-statistics
</strong></span> is set to
10741 <strong class=
"userinput"><code>yes
</code></strong>.
10742 These statistics counters are shown with their zone and view
10744 In some cases the view names are omitted for the default view.
10747 There are currently two user interfaces to get access to the
10749 One is in the plain text format dumped to the file specified
10750 by the
<span><strong class=
"command">statistics-file
</strong></span> configuration option.
10751 The other is remotely accessible via a statistics channel
10752 when the
<span><strong class=
"command">statistics-channels
</strong></span> statement
10753 is specified in the configuration file
10754 (see
<a href=
"Bv9ARM.ch06.html#statschannels" title=
"statistics-channels Statement Grammar">the section called
“<span><strong class=
"command">statistics-channels
</strong></span> Statement Grammar
”</a>.)
10756 <div class=
"sect3" lang=
"en">
10757 <div class=
"titlepage"><div><div><h4 class=
"title">
10758 <a name=
"statsfile"></a>The Statistics File
</h4></div></div></div>
10760 The text format statistics dump begins with a line, like:
10763 <span><strong class=
"command">+++ Statistics Dump +++ (
973798949)
</strong></span>
10766 The number in parentheses is a standard
10767 Unix-style timestamp, measured as seconds since January
1,
1970.
10770 that line is a set of statistics information, which is categorized
10771 as described above.
10772 Each section begins with a line, like:
10775 <span><strong class=
"command">++ Name Server Statistics ++
</strong></span>
10778 Each section consists of lines, each containing the statistics
10779 counter value followed by its textual description.
10780 See below for available counters.
10781 For brevity, counters that have a value of
0 are not shown
10782 in the statistics file.
10785 The statistics dump ends with the line where the
10786 number is identical to the number in the beginning line; for example:
10789 <span><strong class=
"command">--- Statistics Dump --- (
973798949)
</strong></span>
10792 <div class=
"sect2" lang=
"en">
10793 <div class=
"titlepage"><div><div><h3 class=
"title">
10794 <a name=
"statistics_counters"></a>Statistics Counters
</h3></div></div></div>
10796 The following tables summarize statistics counters that
10797 <acronym class=
"acronym">BIND
</acronym> 9 provides.
10798 For each row of the tables, the leftmost column is the
10799 abbreviated symbol name of that counter.
10800 These symbols are shown in the statistics information
10801 accessed via an HTTP statistics channel.
10802 The rightmost column gives the description of the counter,
10803 which is also shown in the statistics file
10804 (but, in this document, possibly with slight modification
10805 for better readability).
10806 Additional notes may also be provided in this column.
10807 When a middle column exists between these two columns,
10808 it gives the corresponding counter name of the
10809 <acronym class=
"acronym">BIND
</acronym> 8 statistics, if applicable.
10811 <div class=
"sect3" lang=
"en">
10812 <div class=
"titlepage"><div><div><h4 class=
"title">
10813 <a name=
"id2602597"></a>Name Server Statistics Counters
</h4></div></div></div>
10814 <div class=
"informaltable"><table border=
"1">
10824 <span class=
"emphasis"><em>Symbol
</em></span>
10829 <span class=
"emphasis"><em>BIND8 Symbol
</em></span>
10834 <span class=
"emphasis"><em>Description
</em></span>
10840 <p><span><strong class=
"command">Requestv4
</strong></span></p>
10843 <p><span><strong class=
"command">RQ
</strong></span></p>
10847 IPv4 requests received.
10848 Note: this also counts non query requests.
10854 <p><span><strong class=
"command">Requestv6
</strong></span></p>
10857 <p><span><strong class=
"command">RQ
</strong></span></p>
10861 IPv6 requests received.
10862 Note: this also counts non query requests.
10868 <p><span><strong class=
"command">ReqEdns0
</strong></span></p>
10871 <p><span><strong class=
"command"></strong></span></p>
10875 Requests with EDNS(
0) received.
10881 <p><span><strong class=
"command">ReqBadEDNSVer
</strong></span></p>
10884 <p><span><strong class=
"command"></strong></span></p>
10888 Requests with unsupported EDNS version received.
10894 <p><span><strong class=
"command">ReqTSIG
</strong></span></p>
10897 <p><span><strong class=
"command"></strong></span></p>
10901 Requests with TSIG received.
10907 <p><span><strong class=
"command">ReqSIG0
</strong></span></p>
10910 <p><span><strong class=
"command"></strong></span></p>
10914 Requests with SIG(
0) received.
10920 <p><span><strong class=
"command">ReqBadSIG
</strong></span></p>
10923 <p><span><strong class=
"command"></strong></span></p>
10927 Requests with invalid (TSIG or SIG(
0)) signature.
10933 <p><span><strong class=
"command">ReqTCP
</strong></span></p>
10936 <p><span><strong class=
"command">RTCP
</strong></span></p>
10940 TCP requests received.
10946 <p><span><strong class=
"command">AuthQryRej
</strong></span></p>
10949 <p><span><strong class=
"command">RUQ
</strong></span></p>
10953 Authoritative (non recursive) queries rejected.
10959 <p><span><strong class=
"command">RecQryRej
</strong></span></p>
10962 <p><span><strong class=
"command">RURQ
</strong></span></p>
10966 Recursive queries rejected.
10972 <p><span><strong class=
"command">XfrRej
</strong></span></p>
10975 <p><span><strong class=
"command">RUXFR
</strong></span></p>
10979 Zone transfer requests rejected.
10985 <p><span><strong class=
"command">UpdateRej
</strong></span></p>
10988 <p><span><strong class=
"command">RUUpd
</strong></span></p>
10992 Dynamic update requests rejected.
10998 <p><span><strong class=
"command">Response
</strong></span></p>
11001 <p><span><strong class=
"command">SAns
</strong></span></p>
11011 <p><span><strong class=
"command">RespTruncated
</strong></span></p>
11014 <p><span><strong class=
"command"></strong></span></p>
11018 Truncated responses sent.
11024 <p><span><strong class=
"command">RespEDNS0
</strong></span></p>
11027 <p><span><strong class=
"command"></strong></span></p>
11031 Responses with EDNS(
0) sent.
11037 <p><span><strong class=
"command">RespTSIG
</strong></span></p>
11040 <p><span><strong class=
"command"></strong></span></p>
11044 Responses with TSIG sent.
11050 <p><span><strong class=
"command">RespSIG0
</strong></span></p>
11053 <p><span><strong class=
"command"></strong></span></p>
11057 Responses with SIG(
0) sent.
11063 <p><span><strong class=
"command">QrySuccess
</strong></span></p>
11066 <p><span><strong class=
"command"></strong></span></p>
11070 Queries resulted in a successful answer.
11071 This means the query which returns a NOERROR response
11072 with at least one answer RR.
11073 This corresponds to the
11074 <span><strong class=
"command">success
</strong></span> counter
11075 of previous versions of
11076 <acronym class=
"acronym">BIND
</acronym> 9.
11082 <p><span><strong class=
"command">QryAuthAns
</strong></span></p>
11085 <p><span><strong class=
"command"></strong></span></p>
11089 Queries resulted in authoritative answer.
11095 <p><span><strong class=
"command">QryNoauthAns
</strong></span></p>
11098 <p><span><strong class=
"command">SNaAns
</strong></span></p>
11102 Queries resulted in non authoritative answer.
11108 <p><span><strong class=
"command">QryReferral
</strong></span></p>
11111 <p><span><strong class=
"command"></strong></span></p>
11115 Queries resulted in referral answer.
11116 This corresponds to the
11117 <span><strong class=
"command">referral
</strong></span> counter
11118 of previous versions of
11119 <acronym class=
"acronym">BIND
</acronym> 9.
11125 <p><span><strong class=
"command">QryNxrrset
</strong></span></p>
11128 <p><span><strong class=
"command"></strong></span></p>
11132 Queries resulted in NOERROR responses with no data.
11133 This corresponds to the
11134 <span><strong class=
"command">nxrrset
</strong></span> counter
11135 of previous versions of
11136 <acronym class=
"acronym">BIND
</acronym> 9.
11142 <p><span><strong class=
"command">QrySERVFAIL
</strong></span></p>
11145 <p><span><strong class=
"command">SFail
</strong></span></p>
11149 Queries resulted in SERVFAIL.
11155 <p><span><strong class=
"command">QryFORMERR
</strong></span></p>
11158 <p><span><strong class=
"command">SFErr
</strong></span></p>
11162 Queries resulted in FORMERR.
11168 <p><span><strong class=
"command">QryNXDOMAIN
</strong></span></p>
11171 <p><span><strong class=
"command">SNXD
</strong></span></p>
11175 Queries resulted in NXDOMAIN.
11176 This corresponds to the
11177 <span><strong class=
"command">nxdomain
</strong></span> counter
11178 of previous versions of
11179 <acronym class=
"acronym">BIND
</acronym> 9.
11185 <p><span><strong class=
"command">QryRecursion
</strong></span></p>
11188 <p><span><strong class=
"command">RFwdQ
</strong></span></p>
11192 Queries which caused the server
11193 to perform recursion in order to find the final answer.
11194 This corresponds to the
11195 <span><strong class=
"command">recursion
</strong></span> counter
11196 of previous versions of
11197 <acronym class=
"acronym">BIND
</acronym> 9.
11203 <p><span><strong class=
"command">QryDuplicate
</strong></span></p>
11206 <p><span><strong class=
"command">RDupQ
</strong></span></p>
11210 Queries which the server attempted to
11211 recurse but discovered an existing query with the same
11212 IP address, port, query ID, name, type and class
11213 already being processed.
11214 This corresponds to the
11215 <span><strong class=
"command">duplicate
</strong></span> counter
11216 of previous versions of
11217 <acronym class=
"acronym">BIND
</acronym> 9.
11223 <p><span><strong class=
"command">QryDropped
</strong></span></p>
11226 <p><span><strong class=
"command"></strong></span></p>
11230 Recursive queries for which the server
11231 discovered an excessive number of existing
11232 recursive queries for the same name, type and
11233 class and were subsequently dropped.
11234 This is the number of dropped queries due to
11235 the reason explained with the
11236 <span><strong class=
"command">clients-per-query
</strong></span>
11238 <span><strong class=
"command">max-clients-per-query
</strong></span>
11240 (see the description about
11241 <a href=
"Bv9ARM.ch06.html#clients-per-query"><span><strong class=
"command">clients-per-query
</strong></span></a>.)
11242 This corresponds to the
11243 <span><strong class=
"command">dropped
</strong></span> counter
11244 of previous versions of
11245 <acronym class=
"acronym">BIND
</acronym> 9.
11251 <p><span><strong class=
"command">QryFailure
</strong></span></p>
11254 <p><span><strong class=
"command"></strong></span></p>
11258 Other query failures.
11259 This corresponds to the
11260 <span><strong class=
"command">failure
</strong></span> counter
11261 of previous versions of
11262 <acronym class=
"acronym">BIND
</acronym> 9.
11263 Note: this counter is provided mainly for
11264 backward compatibility with the previous versions.
11265 Normally a more fine-grained counters such as
11266 <span><strong class=
"command">AuthQryRej
</strong></span> and
11267 <span><strong class=
"command">RecQryRej
</strong></span>
11268 that would also fall into this counter are provided,
11269 and so this counter would not be of much
11270 interest in practice.
11276 <p><span><strong class=
"command">XfrReqDone
</strong></span></p>
11279 <p><span><strong class=
"command"></strong></span></p>
11283 Requested zone transfers completed.
11289 <p><span><strong class=
"command">UpdateReqFwd
</strong></span></p>
11292 <p><span><strong class=
"command"></strong></span></p>
11296 Update requests forwarded.
11302 <p><span><strong class=
"command">UpdateRespFwd
</strong></span></p>
11305 <p><span><strong class=
"command"></strong></span></p>
11309 Update responses forwarded.
11315 <p><span><strong class=
"command">UpdateFwdFail
</strong></span></p>
11318 <p><span><strong class=
"command"></strong></span></p>
11322 Dynamic update forward failed.
11328 <p><span><strong class=
"command">UpdateDone
</strong></span></p>
11331 <p><span><strong class=
"command"></strong></span></p>
11335 Dynamic updates completed.
11341 <p><span><strong class=
"command">UpdateFail
</strong></span></p>
11344 <p><span><strong class=
"command"></strong></span></p>
11348 Dynamic updates failed.
11354 <p><span><strong class=
"command">UpdateBadPrereq
</strong></span></p>
11357 <p><span><strong class=
"command"></strong></span></p>
11361 Dynamic updates rejected due to prerequisite failure.
11367 <p><span><strong class=
"command">RateDropped
</strong></span></p>
11370 <p><span><strong class=
"command"></strong></span></p>
11374 Responses dropped by rate limits.
11380 <p><span><strong class=
"command">RateSlipped
</strong></span></p>
11383 <p><span><strong class=
"command"></strong></span></p>
11387 Responses truncated by rate limits.
11393 <p><span><strong class=
"command">RPZRewrites
</strong></span></p>
11396 <p><span><strong class=
"command"></strong></span></p>
11400 Response policy zone rewrites.
11407 <div class=
"sect3" lang=
"en">
11408 <div class=
"titlepage"><div><div><h4 class=
"title">
11409 <a name=
"id2604302"></a>Zone Maintenance Statistics Counters
</h4></div></div></div>
11410 <div class=
"informaltable"><table border=
"1">
11419 <span class=
"emphasis"><em>Symbol
</em></span>
11424 <span class=
"emphasis"><em>Description
</em></span>
11430 <p><span><strong class=
"command">NotifyOutv4
</strong></span></p>
11434 IPv4 notifies sent.
11440 <p><span><strong class=
"command">NotifyOutv6
</strong></span></p>
11444 IPv6 notifies sent.
11450 <p><span><strong class=
"command">NotifyInv4
</strong></span></p>
11454 IPv4 notifies received.
11460 <p><span><strong class=
"command">NotifyInv6
</strong></span></p>
11464 IPv6 notifies received.
11470 <p><span><strong class=
"command">NotifyRej
</strong></span></p>
11474 Incoming notifies rejected.
11480 <p><span><strong class=
"command">SOAOutv4
</strong></span></p>
11484 IPv4 SOA queries sent.
11490 <p><span><strong class=
"command">SOAOutv6
</strong></span></p>
11494 IPv6 SOA queries sent.
11500 <p><span><strong class=
"command">AXFRReqv4
</strong></span></p>
11504 IPv4 AXFR requested.
11510 <p><span><strong class=
"command">AXFRReqv6
</strong></span></p>
11514 IPv6 AXFR requested.
11520 <p><span><strong class=
"command">IXFRReqv4
</strong></span></p>
11524 IPv4 IXFR requested.
11530 <p><span><strong class=
"command">IXFRReqv6
</strong></span></p>
11534 IPv6 IXFR requested.
11540 <p><span><strong class=
"command">XfrSuccess
</strong></span></p>
11544 Zone transfer requests succeeded.
11550 <p><span><strong class=
"command">XfrFail
</strong></span></p>
11554 Zone transfer requests failed.
11561 <div class=
"sect3" lang=
"en">
11562 <div class=
"titlepage"><div><div><h4 class=
"title">
11563 <a name=
"id2604685"></a>Resolver Statistics Counters
</h4></div></div></div>
11564 <div class=
"informaltable"><table border=
"1">
11574 <span class=
"emphasis"><em>Symbol
</em></span>
11579 <span class=
"emphasis"><em>BIND8 Symbol
</em></span>
11584 <span class=
"emphasis"><em>Description
</em></span>
11590 <p><span><strong class=
"command">Queryv4
</strong></span></p>
11593 <p><span><strong class=
"command">SFwdQ
</strong></span></p>
11603 <p><span><strong class=
"command">Queryv6
</strong></span></p>
11606 <p><span><strong class=
"command">SFwdQ
</strong></span></p>
11616 <p><span><strong class=
"command">Responsev4
</strong></span></p>
11619 <p><span><strong class=
"command">RR
</strong></span></p>
11623 IPv4 responses received.
11629 <p><span><strong class=
"command">Responsev6
</strong></span></p>
11632 <p><span><strong class=
"command">RR
</strong></span></p>
11636 IPv6 responses received.
11642 <p><span><strong class=
"command">NXDOMAIN
</strong></span></p>
11645 <p><span><strong class=
"command">RNXD
</strong></span></p>
11655 <p><span><strong class=
"command">SERVFAIL
</strong></span></p>
11658 <p><span><strong class=
"command">RFail
</strong></span></p>
11668 <p><span><strong class=
"command">FORMERR
</strong></span></p>
11671 <p><span><strong class=
"command">RFErr
</strong></span></p>
11681 <p><span><strong class=
"command">OtherError
</strong></span></p>
11684 <p><span><strong class=
"command">RErr
</strong></span></p>
11688 Other errors received.
11694 <p><span><strong class=
"command">EDNS0Fail
</strong></span></p>
11697 <p><span><strong class=
"command"></strong></span></p>
11701 EDNS(
0) query failures.
11707 <p><span><strong class=
"command">Mismatch
</strong></span></p>
11710 <p><span><strong class=
"command">RDupR
</strong></span></p>
11714 Mismatch responses received.
11715 The DNS ID, response's source address,
11716 and/or the response's source port does not
11717 match what was expected.
11718 (The port must be
53 or as defined by
11719 the
<span><strong class=
"command">port
</strong></span> option.)
11720 This may be an indication of a cache
11727 <p><span><strong class=
"command">Truncated
</strong></span></p>
11730 <p><span><strong class=
"command"></strong></span></p>
11734 Truncated responses received.
11740 <p><span><strong class=
"command">Lame
</strong></span></p>
11743 <p><span><strong class=
"command">RLame
</strong></span></p>
11747 Lame delegations received.
11753 <p><span><strong class=
"command">Retry
</strong></span></p>
11756 <p><span><strong class=
"command">SDupQ
</strong></span></p>
11760 Query retries performed.
11766 <p><span><strong class=
"command">QueryAbort
</strong></span></p>
11769 <p><span><strong class=
"command"></strong></span></p>
11773 Queries aborted due to quota control.
11779 <p><span><strong class=
"command">QuerySockFail
</strong></span></p>
11782 <p><span><strong class=
"command"></strong></span></p>
11786 Failures in opening query sockets.
11787 One common reason for such failures is a
11788 failure of opening a new socket due to a
11789 limitation on file descriptors.
11795 <p><span><strong class=
"command">QueryTimeout
</strong></span></p>
11798 <p><span><strong class=
"command"></strong></span></p>
11808 <p><span><strong class=
"command">GlueFetchv4
</strong></span></p>
11811 <p><span><strong class=
"command">SSysQ
</strong></span></p>
11815 IPv4 NS address fetches invoked.
11821 <p><span><strong class=
"command">GlueFetchv6
</strong></span></p>
11824 <p><span><strong class=
"command">SSysQ
</strong></span></p>
11828 IPv6 NS address fetches invoked.
11834 <p><span><strong class=
"command">GlueFetchv4Fail
</strong></span></p>
11837 <p><span><strong class=
"command"></strong></span></p>
11841 IPv4 NS address fetch failed.
11847 <p><span><strong class=
"command">GlueFetchv6Fail
</strong></span></p>
11850 <p><span><strong class=
"command"></strong></span></p>
11854 IPv6 NS address fetch failed.
11860 <p><span><strong class=
"command">ValAttempt
</strong></span></p>
11863 <p><span><strong class=
"command"></strong></span></p>
11867 DNSSEC validation attempted.
11873 <p><span><strong class=
"command">ValOk
</strong></span></p>
11876 <p><span><strong class=
"command"></strong></span></p>
11880 DNSSEC validation succeeded.
11886 <p><span><strong class=
"command">ValNegOk
</strong></span></p>
11889 <p><span><strong class=
"command"></strong></span></p>
11893 DNSSEC validation on negative information succeeded.
11899 <p><span><strong class=
"command">ValFail
</strong></span></p>
11902 <p><span><strong class=
"command"></strong></span></p>
11906 DNSSEC validation failed.
11912 <p><span><strong class=
"command">QryRTTnn
</strong></span></p>
11915 <p><span><strong class=
"command"></strong></span></p>
11919 Frequency table on round trip times (RTTs) of
11921 Each
<span><strong class=
"command">nn
</strong></span> specifies the corresponding
11924 <span><strong class=
"command">nn_1
</strong></span>,
11925 <span><strong class=
"command">nn_2
</strong></span>,
11927 <span><strong class=
"command">nn_m
</strong></span>,
11928 the value of
<span><strong class=
"command">nn_i
</strong></span> is the
11929 number of queries whose RTTs are between
11930 <span><strong class=
"command">nn_(i-
1)
</strong></span> (inclusive) and
11931 <span><strong class=
"command">nn_i
</strong></span> (exclusive) milliseconds.
11932 For the sake of convenience we define
11933 <span><strong class=
"command">nn_0
</strong></span> to be
0.
11934 The last entry should be represented as
11935 <span><strong class=
"command">nn_m+
</strong></span>, which means the
11936 number of queries whose RTTs are equal to or over
11937 <span><strong class=
"command">nn_m
</strong></span> milliseconds.
11944 <div class=
"sect3" lang=
"en">
11945 <div class=
"titlepage"><div><div><h4 class=
"title">
11946 <a name=
"id2605707"></a>Socket I/O Statistics Counters
</h4></div></div></div>
11948 Socket I/O statistics counters are defined per socket
11950 <span><strong class=
"command">UDP4
</strong></span> (UDP/IPv4),
11951 <span><strong class=
"command">UDP6
</strong></span> (UDP/IPv6),
11952 <span><strong class=
"command">TCP4
</strong></span> (TCP/IPv4),
11953 <span><strong class=
"command">TCP6
</strong></span> (TCP/IPv6),
11954 <span><strong class=
"command">Unix
</strong></span> (Unix Domain), and
11955 <span><strong class=
"command">FDwatch
</strong></span> (sockets opened outside the
11957 In the following table
<span><strong class=
"command"><TYPE
></strong></span>
11958 represents a socket type.
11959 Not all counters are available for all socket types;
11960 exceptions are noted in the description field.
11962 <div class=
"informaltable"><table border=
"1">
11971 <span class=
"emphasis"><em>Symbol
</em></span>
11976 <span class=
"emphasis"><em>Description
</em></span>
11982 <p><span><strong class=
"command"><TYPE
>Open
</strong></span></p>
11986 Sockets opened successfully.
11987 This counter is not applicable to the
11988 <span><strong class=
"command">FDwatch
</strong></span> type.
11994 <p><span><strong class=
"command"><TYPE
>OpenFail
</strong></span></p>
11998 Failures of opening sockets.
11999 This counter is not applicable to the
12000 <span><strong class=
"command">FDwatch
</strong></span> type.
12006 <p><span><strong class=
"command"><TYPE
>Close
</strong></span></p>
12016 <p><span><strong class=
"command"><TYPE
>BindFail
</strong></span></p>
12020 Failures of binding sockets.
12026 <p><span><strong class=
"command"><TYPE
>ConnFail
</strong></span></p>
12030 Failures of connecting sockets.
12036 <p><span><strong class=
"command"><TYPE
>Conn
</strong></span></p>
12040 Connections established successfully.
12046 <p><span><strong class=
"command"><TYPE
>AcceptFail
</strong></span></p>
12050 Failures of accepting incoming connection requests.
12051 This counter is not applicable to the
12052 <span><strong class=
"command">UDP
</strong></span> and
12053 <span><strong class=
"command">FDwatch
</strong></span> types.
12059 <p><span><strong class=
"command"><TYPE
>Accept
</strong></span></p>
12063 Incoming connections successfully accepted.
12064 This counter is not applicable to the
12065 <span><strong class=
"command">UDP
</strong></span> and
12066 <span><strong class=
"command">FDwatch
</strong></span> types.
12072 <p><span><strong class=
"command"><TYPE
>SendErr
</strong></span></p>
12076 Errors in socket send operations.
12077 This counter corresponds
12078 to
<span><strong class=
"command">SErr
</strong></span> counter of
12079 <span><strong class=
"command">BIND
</strong></span> 8.
12085 <p><span><strong class=
"command"><TYPE
>RecvErr
</strong></span></p>
12089 Errors in socket receive operations.
12090 This includes errors of send operations on a
12091 connected UDP socket notified by an ICMP error
12099 <div class=
"sect3" lang=
"en">
12100 <div class=
"titlepage"><div><div><h4 class=
"title">
12101 <a name=
"id2606149"></a>Compatibility with
<span class=
"emphasis"><em>BIND
</em></span> 8 Counters
</h4></div></div></div>
12103 Most statistics counters that were available
12104 in
<span><strong class=
"command">BIND
</strong></span> 8 are also supported in
12105 <span><strong class=
"command">BIND
</strong></span> 9 as shown in the above tables.
12106 Here are notes about other counters that do not appear
12109 <div class=
"variablelist"><dl>
12110 <dt><span class=
"term"><span><strong class=
"command">RFwdR,SFwdR
</strong></span></span></dt>
12112 These counters are not supported
12113 because
<span><strong class=
"command">BIND
</strong></span> 9 does not adopt
12114 the notion of
<span class=
"emphasis"><em>forwarding
</em></span>
12115 as
<span><strong class=
"command">BIND
</strong></span> 8 did.
12117 <dt><span class=
"term"><span><strong class=
"command">RAXFR
</strong></span></span></dt>
12119 This counter is accessible in the Incoming Queries section.
12121 <dt><span class=
"term"><span><strong class=
"command">RIQ
</strong></span></span></dt>
12123 This counter is accessible in the Incoming Requests section.
12125 <dt><span class=
"term"><span><strong class=
"command">ROpts
</strong></span></span></dt>
12127 This counter is not supported
12128 because
<span><strong class=
"command">BIND
</strong></span> 9 does not care
12129 about IP options in the first place.
12136 <div class=
"navfooter">
12138 <table width=
"100%" summary=
"Navigation footer">
12140 <td width=
"40%" align=
"left">
12141 <a accesskey=
"p" href=
"Bv9ARM.ch05.html">Prev
</a> </td>
12142 <td width=
"20%" align=
"center"> </td>
12143 <td width=
"40%" align=
"right"> <a accesskey=
"n" href=
"Bv9ARM.ch07.html">Next
</a>
12147 <td width=
"40%" align=
"left" valign=
"top">Chapter
5. The
<acronym class=
"acronym">BIND
</acronym> 9 Lightweight Resolver
</td>
12148 <td width=
"20%" align=
"center"><a accesskey=
"h" href=
"Bv9ARM.html">Home
</a></td>
12149 <td width=
"40%" align=
"right" valign=
"top"> Chapter
7.
<acronym class=
"acronym">BIND
</acronym> 9 Security Considerations
</td>
12153 <p style=
"text-align: center;">BIND
9.10.2-P4
</p>