2 * Copyright (C) 2004, 2007 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2001 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* Id: named.conf,v 1.58 2007/06/19 23:46:59 tbox Exp */
21 * This is a worthless, nonrunnable example of a named.conf file that has
22 * every conceivable syntax element in use. We use it to test the parser.
23 * It could also be used as a conceptual template for users of new features; the values themselves (wide-open allow lists, placeholder keys and secrets) exist to exercise the parser and are not recommended settings.
27 * C-style comments are OK
30 // So are C++-style comments
32 # So are shell-style comments
34 // watch out for ";" -- it's important!
37 additional-from-auth true;
38 additional-from-cache false;
40 version "my version string";
41 random-device "/dev/random";
46 sig-validity-interval 33;
49 named-xfer "/usr/libexec/named-xfer"; // _PATH_XFER
51 dump-file "named_dump.db"; // _PATH_DUMPFILE
52 pid-file "/var/run/named.pid"; // _PATH_PIDFILE
53 statistics-file "named.stats"; // _PATH_STATS
54 memstatistics-file "named.memstats"; // _PATH_MEMSTATS
57 auth-nxdomain yes; // always set AA on NXDOMAIN.
58 // don't set this to 'no' unless
59 // you know what you're doing -- older
60 // servers won't like it.
63 deallocate-on-exit no;
75 multiple-cnames no; // if yes, then a name may have more
76 // than one CNAME RR. This use
77 // is non-standard and is not
78 // recommended, but it is available
79 // because previous releases supported
80 // it and it was used by large sites
81 // for load balancing.
83 notify yes; // send NOTIFY messages. You can set
84 // notify on a zone-by-zone
85 // basis in the "zone" statement
94 treat-cr-as-space yes;
96 also-notify { 10.0.2.3; };
98 // The "forward" option is only meaningful if you've defined
99 // forwarders. "first" gives the normal BIND
100 // forwarding behavior, i.e. ask the forwarders first, and if that
101 // doesn't work then do the full lookup. You can also say
102 // "forward only;" which is what used to be specified with
103 // "slave" or "options forward-only". "only" will never attempt
104 // a full lookup; only the forwarders will be used.
111 check-names master fail;
112 check-names slave warn;
113 check-names response ignore;
115 allow-query { any; };
116 allow-transfer { any; };
117 allow-recursion { !any; };
118 blackhole { 45/24; };
125 listen-on port 53 { any; };
127 listen-on { 5.6.7.8; };
129 listen-on port 1234 {
138 listen-on-v6 port 777 {
142 query-source-v6 address 8:7:6:5:4:3:2:1 port *;
143 query-source port * address 10.0.0.54 ;
147 max-transfer-time-in 300;
148 max-transfer-time-out 10;
149 max-transfer-idle-in 100;
150 max-transfer-idle-out 11;
154 max-refresh-time 888;
155 min-refresh-time 777;
161 transfer-format one-answer;
167 transfer-source 10.0.0.5;
168 transfer-source-v6 4:3:2:1:5:6:7:8;
173 # Now called 'provide-ixfr'
174 # maintain-ixfr-base no; // If yes, keep transaction log file for IXFR
176 max-ixfr-log-size 20m;
182 cleaning-interval 1000;
183 heartbeat-interval 1001;
184 interface-interval 1002;
185 statistics-interval 1003;
197 sortlist { 10/8; 11/8; };
199 tkey-domain "foo.com";
200 tkey-dhkey "xyz" 666 ;
203 class IN type A name "foo" order random;
209 * Control listeners, for "ndc". Every nameserver needs at least one.
212 // 'inet' lines without a 'port' default to 'port 953'
213 // 'keys' must be used and the list must have at least one entry
214 inet * port 52 allow { any; } keys { "key2"; };
215 unix "/var/run/ndc" perm 0600 owner 0 group 0; // ignored by named.
216 inet 10.0.0.1 allow { any; key foo; } keys { "key4";};
217 inet 10.0.0.2 allow { none; } keys { "key-1"; "key-2"; };
218 inet 10.0.0.2 allow { none; };
221 zone "master.demo.zone" {
222 type master; // what used to be called "primary"
223 database "somedb -option1 -option2 arg1 arg2 arg3";
224 file "master.demo.zone";
226 allow-update { none; };
227 allow-update-forwarding { 10.0.0.5; !any; };
228 allow-transfer { any; };
229 allow-query { any; };
230 sig-validity-interval 990;
232 also-notify { 1.0.0.1; }; // don't notify any nameservers other
233 // than those on the NS list for this
236 forwarders { 10.0.0.3; 1:2:3:4:5:6:7:8; };
239 zone "slave.demo.zone" {
240 type slave; // what used to be called "secondary"
241 file "slave.demo.zone";
242 ixfr-base "slave.demo.zone.ixfr"; // File name for IXFR transaction log file
244 1.2.3.4 port 10 key "foo"; // where to zone transfer from
248 transfer-source 10.0.0.53; // fixes multihoming problems
250 allow-update { none; };
251 allow-transfer { any; };
252 allow-update-forwarding { any; };
253 allow-query { any; };
254 max-transfer-time-in 120; // if not set, global option is used.
255 max-transfer-time-out 1; // if not set, global option is used.
256 max-transfer-idle-in 2; // if not set, global option is used.
257 max-transfer-idle-out 3; // if not set, global option is used.
258 also-notify { 1.0.0.2; };
260 forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
263 key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; };
265 view "test-view" in {
266 key "viewkey" { algorithm "xxx" ; secret "eXl5" ; };
267 also-notify { 10.2.2.3; };
269 foo.com. 4 3 2 "abdefghijklmnopqrstuvwxyz";
271 sig-validity-interval 45;
272 max-cache-size 100000;
273 allow-query { 10.0.0.30;};
274 additional-from-cache false;
275 additional-from-auth no;
276 match-clients { 10.0.0.1 ; };
277 check-names master warn;
278 check-names slave ignore;
279 check-names response fail;
287 transfer-source 10.0.0.55;
288 transfer-source-v6 4:3:8:1:5:6:7:8;
289 query-source port * address 10.0.0.54 ;
290 query-source-v6 address 6:6:6:6:6:6:6:6 port *;
291 max-transfer-time-out 45;
292 max-transfer-idle-out 55;
293 cleaning-interval 100;
298 transfer-format many-answers;
301 max-refresh-time 999;
302 min-refresh-time 111;
304 zone "view-zone.com" {
306 allow-update-forwarding { 10.0.0.34;};
307 file "view-zone-master";
321 zone "stub.demo.zone" {
322 type stub; // stub zones are like slave zones,
323 // except that only the NS records
326 file "stub.demo.zone";
328 1.2.3.4 ; // where to zone transfer from
332 allow-update { none; };
333 allow-transfer { any; };
334 allow-query { any; };
341 max-transfer-time-in 120; // if not set, global option is used.
342 pubkey 257 255 1 "a useless key";
343 pubkey 257 255 1 "another useless key";
347 type hint; // used to be specified w/ "cache"
349 // pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
353 "." 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
357 acl can_query { !1.2.3/24; any; }; // network 1.2.3.0 mask 255.255.255.0
358 // is disallowed; rest are OK
359 acl can_axfr { 1.2.3.4; can_query; }; // host 1.2.3.4 and any host allowed
360 // by can_query are OK
362 zone "disabled-zone.com" {
368 max-refresh-time 120;
369 min-refresh-time 130;
372 zone "non-default-acl.demo.zone" {
375 allow-query { can_query; };
376 allow-transfer { can_axfr; };
381 pubkey 666 665 664 "key of the beast";
382 // Errors trapped by parser:
383 // identity or name not absolute
384 // 'wildcard' match type and no wildcard character in name
387 // - certain rdatatype values (such as "key") are config file keywords and
388 // must be quoted or a syntax error will occur.
392 grant root.domain. subdomain host.domain. A MX CNAME;
393 grant sub.root.domain. wildcard *.host.domain. A;
394 grant root.domain. name host.domain. a ns md mf cname soa mb mg
395 mr "null" wks ptr hinfo minfo mx txt rp afsdb x25
396 isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx
397 cert a6 dname opt unspec tkey tsig ;
398 grant foo.bar.com. self foo.bar.com. a;
402 key sample_key { // for TSIG; supported by parser
403 algorithm hmac-md5; // but not yet implemented in the
404 secret "eW91ciBzZWNyZXQgaGVyZQ=="; // rest of the server
409 secret "ZXJlaCB0ZXJjZXMgcm91eQ==";
412 acl key_acl { key sample_key; }; // a request signed with sample_key
417 bogus no; // if yes, we won't query or listen
419 transfer-format one-answer; // set transfer format for this
420 // server (see the description of
421 // 'transfer-format' above)
422 // if not specified, the global option
424 transfers 0; // not implemented
425 keys { "sample_key" }; // for TSIG; supported by the parser
426 // but not yet implemented in the
427 // rest of the server
428 # Now called 'request-ixfr'
429 # support-ixfr yes; // for IXFR supported by server
430 // if yes, the listed server talks IXFR
435 * All log output goes to one or more "channels"; you can make as
436 * many of them as you want.
439 channel syslog_errors { // this channel will send errors or
440 syslog user; // worse to syslog (user facility)
444 channel stderr_errors {
449 * Channels have a severity level. Messages at severity levels
450 * greater than or equal to the channel's level will be logged on
451 * the channel. In order of decreasing severity, the levels are:
453 * critical a fatal error
456 * notice a normal, but significant event
457 * info an informational message
458 * debug 1 the least detailed debugging info
460 * debug 99 the most detailed debugging info
464 * Here are the built-in channels:
466 * channel default_syslog {
471 * channel default_debug {
472 * file "named.run"; // note: stderr is used instead
473 * // of "named.run" if the server
474 * // is started with the "-f"
476 * severity dynamic; // this means log debugging
477 * // at whatever debugging level
478 * // the server is at, and don't
479 * // log anything if not
483 * channel null { // this is the bit bucket;
484 * file "/dev/null"; // any logging to this channel
488 * channel default_stderr { // writes to stderr
489 * file "<stderr>"; // this is illustrative only;
490 * // there's currently no way
491 * // of saying "stderr" in the
492 * // configuration language.
493 * // i.e. don't try this at home.
497 * default_stderr only works before the server daemonizes (i.e.
498 * during initial startup) or when it is running in foreground
499 * mode (-f command line option).
503 * There are many categories, so you can send the logs
504 * you want to see wherever you want, without seeing logs you
505 * don't want. Right now the categories are
507 * default the catch-all. many things still
508 * aren't classified into categories, and
509 * they all end up here. also, if you
510 * don't specify any channels for a
511 * category, the default category is used
513 * config high-level configuration file
515 * parser low-level configuration file processing
516 * queries what used to be called "query logging"
517 * lame-servers messages like "Lame server on ..."
519 * panic if the server has to shut itself
520 * down due to an internal problem, it
521 * logs the problem here (as well as
522 * in the problem's native category)
523 * update dynamic update
524 * ncache negative caching
525 * xfer-in zone transfers we're receiving
526 * xfer-out zone transfers we're sending
527 * db all database operations
528 * eventlib debugging info from the event system
530 * packet dumps of packets received and sent
532 * notify the NOTIFY protocol
533 * cname messages like "XX points to a CNAME"
534 * security approved/unapproved requests
535 * os operating system problems
536 * insist consistency check failures
537 * maintenance periodic maintenance
539 * response-checks messages like
540 * "Malformed response ..."
541 * "wrong ans. name ..."
542 * "unrelated additional info ..."
543 * "invalid RR type ..."
548 syslog_errors; // you can log to as many channels
549 default_syslog; // as you want
552 category lame-servers { null; }; // don't log these at all
554 channel moderate_debug {
556 severity debug 3; // level 3 debugging to file
557 print-time yes; // timestamp log entries
558 print-category yes; // print category name
559 print-severity yes; // print severity level
561 * Note that debugging must have been turned on either
562 * on the command line or with a signal to get debugging
563 * output (non-debugging output will still be written to
569 file "bar" versions 99 size 10M;
574 file "bar" size 100000 versions unlimited;
575 severity debug; // use default debug level
579 * If you don't want to see "zone XXXX loaded" messages but do
580 * want to see any problems, you could do the following.
582 channel no_info_messages {
587 category load { no_info_messages; };
590 * You can also define category "default"; it gets used when no
591 * "category" statement has been given for a category.
599 * If you don't define category default yourself, the default
600 * default category will be used. It is
602 * category default { default_syslog; default_debug; };
606 * If you don't define category panic yourself, the default
607 * panic category will be used. It is
609 * category panic { default_syslog; default_stderr; };
613 * Two categories, 'packet' and 'eventlib', are special. Only one
614 * channel may be assigned to each of them, and it must be a
615 * file channel. If you don't define them yourself, they default to
617 * category eventlib { default_debug; };
619 * category packet { default_debug; };
623 #include "filename"; // can't do within a statement