Copy stable/9 to releng/9.3 as part of the 9.3-RELEASE cycle.

[FreeBSD/releng/9.3.git] / contrib / bind9 / bin / named / named.conf.docbook

<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
               [<!ENTITY mdash "&#8212;">]>
<!--
 - Copyright (C) 2004-2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<!-- $Id: named.conf.docbook,v 1.55 2011/11/07 00:25:53 each Exp $ -->
<refentry>
  <refentryinfo>
    <date>Aug 13, 2004</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle><filename>named.conf</filename></refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><filename>named.conf</filename></refname>
    <refpurpose>configuration file for named</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2004</year>
      <year>2005</year>
      <year>2006</year>
      <year>2007</year>
      <year>2008</year>
      <year>2009</year>
      <year>2010</year>
      <year>2011</year>
      <year>2013</year>
      <year>2014</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>named.conf</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>DESCRIPTION</title>
    <para><filename>named.conf</filename> is the configuration file
      for
      <command>named</command>.  Statements are enclosed
      in braces and terminated with a semi-colon.  Clauses in
      the statements are also semi-colon terminated.  The usual
      comment styles are supported:
    </para>
    <para>
      C style: /* */
    </para>
    <para>
      C++ style: // to end of line
    </para>
    <para>
      Unix style: # to end of line
    </para>
  </refsect1>

  <refsect1>
    <title>ACL</title>
    <literallayout>
acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };

</literallayout>
  </refsect1>

  <refsect1>
    <title>KEY</title>
    <literallayout>
key <replaceable>domain_name</replaceable> {
        algorithm <replaceable>string</replaceable>;
        secret <replaceable>string</replaceable>;
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>MASTERS</title>
    <literallayout>
masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> {
        ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
        <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>SERVER</title>
    <literallayout>
server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
        bogus <replaceable>boolean</replaceable>;
        edns <replaceable>boolean</replaceable>;
        edns-udp-size <replaceable>integer</replaceable>;
        max-udp-size <replaceable>integer</replaceable>;
        provide-ixfr <replaceable>boolean</replaceable>;
        request-ixfr <replaceable>boolean</replaceable>;
        keys <replaceable>server_key</replaceable>;
        transfers <replaceable>integer</replaceable>;
        transfer-format ( many-answers | one-answer );
        transfer-source ( <replaceable>ipv4_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;

        support-ixfr <replaceable>boolean</replaceable>; // obsolete
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>TRUSTED-KEYS</title>
    <literallayout>
trusted-keys {
        <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... 
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>MANAGED-KEYS</title>
    <literallayout>
managed-keys {
        <replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ... 
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>CONTROLS</title>
    <literallayout>
controls {
        inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
                allow { <replaceable>address_match_element</replaceable>; ... }
                <optional> keys { <replaceable>string</replaceable>; ... } </optional>;
        unix <replaceable>unsupported</replaceable>; // not implemented
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>LOGGING</title>
    <literallayout>
logging {
        channel <replaceable>string</replaceable> {
                file <replaceable>log_file</replaceable>;
                syslog <replaceable>optional_facility</replaceable>;
                null;
                stderr;
                severity <replaceable>log_severity</replaceable>;
                print-time <replaceable>boolean</replaceable>;
                print-severity <replaceable>boolean</replaceable>;
                print-category <replaceable>boolean</replaceable>;
        };
        category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>LWRES</title>
    <literallayout>
lwres {
        listen-on <optional> port <replaceable>integer</replaceable> </optional> {
                ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
        };
        view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>;
        search { <replaceable>string</replaceable>; ... };
        ndots <replaceable>integer</replaceable>;
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>OPTIONS</title>
    <literallayout>
options {
        avoid-v4-udp-ports { <replaceable>port</replaceable>; ... };
        avoid-v6-udp-ports { <replaceable>port</replaceable>; ... };
        blackhole { <replaceable>address_match_element</replaceable>; ... };
        coresize <replaceable>size</replaceable>;
        datasize <replaceable>size</replaceable>;
        directory <replaceable>quoted_string</replaceable>;
        dump-file <replaceable>quoted_string</replaceable>;
        files <replaceable>size</replaceable>;
        heartbeat-interval <replaceable>integer</replaceable>;
        host-statistics <replaceable>boolean</replaceable>; // not implemented
        host-statistics-max <replaceable>number</replaceable>; // not implemented
        hostname ( <replaceable>quoted_string</replaceable> | none );
        interface-interval <replaceable>integer</replaceable>;
        listen-on <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
        listen-on-v6 <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
        match-mapped-addresses <replaceable>boolean</replaceable>;
        memstatistics-file <replaceable>quoted_string</replaceable>;
        pid-file ( <replaceable>quoted_string</replaceable> | none );
        port <replaceable>integer</replaceable>;
        querylog <replaceable>boolean</replaceable>;
        recursing-file <replaceable>quoted_string</replaceable>;
        reserved-sockets <replaceable>integer</replaceable>;
        random-device <replaceable>quoted_string</replaceable>;
        recursive-clients <replaceable>integer</replaceable>;
        serial-query-rate <replaceable>integer</replaceable>;
        server-id ( <replaceable>quoted_string</replaceable> | hostname | none );
        stacksize <replaceable>size</replaceable>;
        statistics-file <replaceable>quoted_string</replaceable>;
        statistics-interval <replaceable>integer</replaceable>; // not yet implemented
        tcp-clients <replaceable>integer</replaceable>;
        tcp-listen-queue <replaceable>integer</replaceable>;
        tkey-dhkey <replaceable>quoted_string</replaceable> <replaceable>integer</replaceable>;
        tkey-gssapi-credential <replaceable>quoted_string</replaceable>;
        tkey-gssapi-keytab <replaceable>quoted_string</replaceable>;
        tkey-domain <replaceable>quoted_string</replaceable>;
        transfers-per-ns <replaceable>integer</replaceable>;
        transfers-in <replaceable>integer</replaceable>;
        transfers-out <replaceable>integer</replaceable>;
        use-ixfr <replaceable>boolean</replaceable>;
        version ( <replaceable>quoted_string</replaceable> | none );
        allow-recursion { <replaceable>address_match_element</replaceable>; ... };
        allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
        sortlist { <replaceable>address_match_element</replaceable>; ... };
        topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
        auth-nxdomain <replaceable>boolean</replaceable>; // default changed
        minimal-responses <replaceable>boolean</replaceable>;
        recursion <replaceable>boolean</replaceable>;
        rrset-order {
                <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
                <optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
        };
        provide-ixfr <replaceable>boolean</replaceable>;
        request-ixfr <replaceable>boolean</replaceable>;
        rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
        additional-from-auth <replaceable>boolean</replaceable>;
        additional-from-cache <replaceable>boolean</replaceable>;
        query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        use-queryport-pool <replaceable>boolean</replaceable>;
        queryport-pool-ports <replaceable>integer</replaceable>;
        queryport-pool-updateinterval <replaceable>integer</replaceable>;
        cleaning-interval <replaceable>integer</replaceable>;
        resolver-query-timeout <replaceable>integer</replaceable>;
        min-roots <replaceable>integer</replaceable>; // not implemented
        lame-ttl <replaceable>integer</replaceable>;
        max-ncache-ttl <replaceable>integer</replaceable>;
        max-cache-ttl <replaceable>integer</replaceable>;
        transfer-format ( many-answers | one-answer );
        max-cache-size <replaceable>size</replaceable>;
        max-acache-size <replaceable>size</replaceable>;
        clients-per-query <replaceable>number</replaceable>;
        max-clients-per-query <replaceable>number</replaceable>;
        check-names ( master | slave | response )
                ( fail | warn | ignore );
        check-mx ( fail | warn | ignore );
        check-integrity <replaceable>boolean</replaceable>;
        check-mx-cname ( fail | warn | ignore );
        check-srv-cname ( fail | warn | ignore );
        cache-file <replaceable>quoted_string</replaceable>; // test option
        suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
        preferred-glue <replaceable>string</replaceable>;
        dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
                ( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
                <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
                <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
        };
        edns-udp-size <replaceable>integer</replaceable>;
        max-udp-size <replaceable>integer</replaceable>;
        root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
        disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
        dnssec-enable <replaceable>boolean</replaceable>;
        dnssec-validation <replaceable>boolean</replaceable>;
        dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
        dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
        dnssec-accept-expired <replaceable>boolean</replaceable>;

        dns64-server <replaceable>string</replaceable>;
        dns64-contact <replaceable>string</replaceable>;
        dns64 <replaceable>prefix</replaceable> {
                clients { <replacable>acl</replacable>; };
                exclude { <replacable>acl</replacable>; };
                mapped { <replacable>acl</replacable>; };
                break-dnssec <replaceable>boolean</replaceable>;
                recursive-only <replaceable>boolean</replaceable>;
                suffix <replaceable>ipv6_address</replaceable>;
        };

        empty-server <replaceable>string</replaceable>;
        empty-contact <replaceable>string</replaceable>;
        empty-zones-enable <replaceable>boolean</replaceable>;
        disable-empty-zone <replaceable>string</replaceable>;

        dialup <replaceable>dialuptype</replaceable>;
        ixfr-from-differences <replaceable>ixfrdiff</replaceable>;

        allow-query { <replaceable>address_match_element</replaceable>; ... };
        allow-query-on { <replaceable>address_match_element</replaceable>; ... };
        allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
        allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
        allow-transfer { <replaceable>address_match_element</replaceable>; ... };
        allow-update { <replaceable>address_match_element</replaceable>; ... };
        allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
        update-check-ksk <replaceable>boolean</replaceable>;
        dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;

        masterfile-format ( text | raw );
        notify <replaceable>notifytype</replaceable>;
        notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        notify-delay <replaceable>seconds</replaceable>;
        notify-to-soa <replaceable>boolean</replaceable>;
        also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
                <optional> port <replaceable>integer</replaceable> </optional>; ...
                <optional> key <replaceable>keyname</replaceable> </optional> ... };
        allow-notify { <replaceable>address_match_element</replaceable>; ... };

        forward ( first | only );
        forwarders <optional> port <replaceable>integer</replaceable> </optional> {
                ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
        };

        max-journal-size <replaceable>size_no_default</replaceable>;
        max-transfer-time-in <replaceable>integer</replaceable>;
        max-transfer-time-out <replaceable>integer</replaceable>;
        max-transfer-idle-in <replaceable>integer</replaceable>;
        max-transfer-idle-out <replaceable>integer</replaceable>;
        max-retry-time <replaceable>integer</replaceable>;
        min-retry-time <replaceable>integer</replaceable>;
        max-refresh-time <replaceable>integer</replaceable>;
        min-refresh-time <replaceable>integer</replaceable>;
        multi-master <replaceable>boolean</replaceable>;

        sig-validity-interval <replaceable>integer</replaceable>;
        sig-re-signing-interval <replaceable>integer</replaceable>;
        sig-signing-nodes <replaceable>integer</replaceable>;
        sig-signing-signatures <replaceable>integer</replaceable>;
        sig-signing-type <replaceable>integer</replaceable>;

        transfer-source ( <replaceable>ipv4_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;

        alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        use-alt-transfer-source <replaceable>boolean</replaceable>;

        zone-statistics <replaceable>boolean</replaceable>;
        key-directory <replaceable>quoted_string</replaceable>;
        managed-keys-directory <replaceable>quoted_string</replaceable>;
        auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>;
        try-tcp-refresh <replaceable>boolean</replaceable>;
        zero-no-soa-ttl <replaceable>boolean</replaceable>;
        zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
        dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
        deny-answer-addresses {
                <replaceable>address_match_list</replaceable>
        } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;
        deny-answer-aliases {
                <replaceable>namelist</replaceable>
        } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;

        nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only

        allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
        deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
        fake-iquery <replaceable>boolean</replaceable>; // obsolete
        fetch-glue <replaceable>boolean</replaceable>; // obsolete
        has-old-clients <replaceable>boolean</replaceable>; // obsolete
        maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
        max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
        multiple-cnames <replaceable>boolean</replaceable>; // obsolete
        named-xfer <replaceable>quoted_string</replaceable>; // obsolete
        serial-queries <replaceable>integer</replaceable>; // obsolete
        treat-cr-as-space <replaceable>boolean</replaceable>; // obsolete
        use-id-pool <replaceable>boolean</replaceable>; // obsolete
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>VIEW</title>
    <literallayout>
view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
        match-clients { <replaceable>address_match_element</replaceable>; ... };
        match-destinations { <replaceable>address_match_element</replaceable>; ... };
        match-recursive-only <replaceable>boolean</replaceable>;

        key <replaceable>string</replaceable> {
                algorithm <replaceable>string</replaceable>;
                secret <replaceable>string</replaceable>;
        };

        zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
                ...
        };

        server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
                ...
        };

        trusted-keys {
                <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>;
                <optional>...</optional>
        };

        allow-recursion { <replaceable>address_match_element</replaceable>; ... };
        allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
        sortlist { <replaceable>address_match_element</replaceable>; ... };
        topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
        auth-nxdomain <replaceable>boolean</replaceable>; // default changed
        minimal-responses <replaceable>boolean</replaceable>;
        recursion <replaceable>boolean</replaceable>;
        rrset-order {
                <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
                <optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
        };
        provide-ixfr <replaceable>boolean</replaceable>;
        request-ixfr <replaceable>boolean</replaceable>;
        rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
        additional-from-auth <replaceable>boolean</replaceable>;
        additional-from-cache <replaceable>boolean</replaceable>;
        query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        use-queryport-pool <replaceable>boolean</replaceable>;
        queryport-pool-ports <replaceable>integer</replaceable>;
        queryport-pool-updateinterval <replaceable>integer</replaceable>;
        cleaning-interval <replaceable>integer</replaceable>;
        resolver-query-timeout <replaceable>integer</replaceable>;
        min-roots <replaceable>integer</replaceable>; // not implemented
        lame-ttl <replaceable>integer</replaceable>;
        max-ncache-ttl <replaceable>integer</replaceable>;
        max-cache-ttl <replaceable>integer</replaceable>;
        transfer-format ( many-answers | one-answer );
        max-cache-size <replaceable>size</replaceable>;
        max-acache-size <replaceable>size</replaceable>;
        clients-per-query <replaceable>number</replaceable>;
        max-clients-per-query <replaceable>number</replaceable>;
        check-names ( master | slave | response )
                ( fail | warn | ignore );
        check-mx ( fail | warn | ignore );
        check-integrity <replaceable>boolean</replaceable>;
        check-mx-cname ( fail | warn | ignore );
        check-srv-cname ( fail | warn | ignore );
        cache-file <replaceable>quoted_string</replaceable>; // test option
        suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
        preferred-glue <replaceable>string</replaceable>;
        dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
                ( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
                <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
                <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
        };
        edns-udp-size <replaceable>integer</replaceable>;
        max-udp-size <replaceable>integer</replaceable>;
        root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
        disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
        dnssec-enable <replaceable>boolean</replaceable>;
        dnssec-validation <replaceable>boolean</replaceable>;
        dnssec-lookaside ( <replaceable>auto</replaceable> | <replaceable>no</replaceable> | <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> );
        dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
        dnssec-accept-expired <replaceable>boolean</replaceable>;

        dns64-server <replaceable>string</replaceable>;
        dns64-contact <replaceable>string</replaceable>;
        dns64 <replaceable>prefix</replaceable> {
                clients { <replacable>acl</replacable>; };
                exclude { <replacable>acl</replacable>; };
                mapped { <replacable>acl</replacable>; };
                break-dnssec <replaceable>boolean</replaceable>;
                recursive-only <replaceable>boolean</replaceable>;
                suffix <replaceable>ipv6_address</replaceable>;
        };

        empty-server <replaceable>string</replaceable>;
        empty-contact <replaceable>string</replaceable>;
        empty-zones-enable <replaceable>boolean</replaceable>;
        disable-empty-zone <replaceable>string</replaceable>;

        dialup <replaceable>dialuptype</replaceable>;
        ixfr-from-differences <replaceable>ixfrdiff</replaceable>;

        allow-query { <replaceable>address_match_element</replaceable>; ... };
        allow-query-on { <replaceable>address_match_element</replaceable>; ... };
        allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
        allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
        allow-transfer { <replaceable>address_match_element</replaceable>; ... };
        allow-update { <replaceable>address_match_element</replaceable>; ... };
        allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
        update-check-ksk <replaceable>boolean</replaceable>;
        dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;

        masterfile-format ( text | raw );
        notify <replaceable>notifytype</replaceable>;
        notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        notify-delay <replaceable>seconds</replaceable>;
        notify-to-soa <replaceable>boolean</replaceable>;
        also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
                <optional> port <replaceable>integer</replaceable> </optional>; ...
                <optional> key <replaceable>keyname</replaceable> </optional> ... };
        allow-notify { <replaceable>address_match_element</replaceable>; ... };

        forward ( first | only );
        forwarders <optional> port <replaceable>integer</replaceable> </optional> {
                ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
        };

        max-journal-size <replaceable>size_no_default</replaceable>;
        max-transfer-time-in <replaceable>integer</replaceable>;
        max-transfer-time-out <replaceable>integer</replaceable>;
        max-transfer-idle-in <replaceable>integer</replaceable>;
        max-transfer-idle-out <replaceable>integer</replaceable>;
        max-retry-time <replaceable>integer</replaceable>;
        min-retry-time <replaceable>integer</replaceable>;
        max-refresh-time <replaceable>integer</replaceable>;
        min-refresh-time <replaceable>integer</replaceable>;
        multi-master <replaceable>boolean</replaceable>;
        sig-validity-interval <replaceable>integer</replaceable>;

        transfer-source ( <replaceable>ipv4_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;

        alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        use-alt-transfer-source <replaceable>boolean</replaceable>;

        zone-statistics <replaceable>boolean</replaceable>;
        try-tcp-refresh <replaceable>boolean</replaceable>;
        key-directory <replaceable>quoted_string</replaceable>;
        zero-no-soa-ttl <replaceable>boolean</replaceable>;
        zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
        dnssec-secure-to-insecure <replaceable>boolean</replaceable>;

        allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
        fetch-glue <replaceable>boolean</replaceable>; // obsolete
        maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
        max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>ZONE</title>
    <literallayout>
zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
        type ( master | slave | stub | hint | redirect |
                forward | delegation-only );
        file <replaceable>quoted_string</replaceable>;

        masters <optional> port <replaceable>integer</replaceable> </optional> {
                ( <replaceable>masters</replaceable> |
                <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
                <replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
        };

        database <replaceable>string</replaceable>;
        delegation-only <replaceable>boolean</replaceable>;
        check-names ( fail | warn | ignore );
        check-mx ( fail | warn | ignore );
        check-integrity <replaceable>boolean</replaceable>;
        check-mx-cname ( fail | warn | ignore );
        check-srv-cname ( fail | warn | ignore );
        dialup <replaceable>dialuptype</replaceable>;
        ixfr-from-differences <replaceable>boolean</replaceable>;
        journal <replaceable>quoted_string</replaceable>;
        zero-no-soa-ttl <replaceable>boolean</replaceable>;
        dnssec-secure-to-insecure <replaceable>boolean</replaceable>;

        allow-query { <replaceable>address_match_element</replaceable>; ... };
        allow-query-on { <replaceable>address_match_element</replaceable>; ... };
        allow-transfer { <replaceable>address_match_element</replaceable>; ... };
        allow-update { <replaceable>address_match_element</replaceable>; ... };
        allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
        update-policy <replaceable>local</replaceable> | <replaceable> {
                ( grant | deny ) <replaceable>string</replaceable>
                ( name | subdomain | wildcard | self | selfsub | selfwild |
                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |
                  tcp-self | zonesub | 6to4-self ) <replaceable>string</replaceable>
                <replaceable>rrtypelist</replaceable>;
                <optional>...</optional>
        }</replaceable>;
        update-check-ksk <replaceable>boolean</replaceable>;
        dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;

        masterfile-format ( text | raw );
        notify <replaceable>notifytype</replaceable>;
        notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        notify-delay <replaceable>seconds</replaceable>;
        notify-to-soa <replaceable>boolean</replaceable>;
        also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
                <optional> port <replaceable>integer</replaceable> </optional>; ...
                <optional> key <replaceable>keyname</replaceable> </optional> ... };
        allow-notify { <replaceable>address_match_element</replaceable>; ... };

        forward ( first | only );
        forwarders <optional> port <replaceable>integer</replaceable> </optional> {
                ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
        };

        max-journal-size <replaceable>size_no_default</replaceable>;
        max-transfer-time-in <replaceable>integer</replaceable>;
        max-transfer-time-out <replaceable>integer</replaceable>;
        max-transfer-idle-in <replaceable>integer</replaceable>;
        max-transfer-idle-out <replaceable>integer</replaceable>;
        max-retry-time <replaceable>integer</replaceable>;
        min-retry-time <replaceable>integer</replaceable>;
        max-refresh-time <replaceable>integer</replaceable>;
        min-refresh-time <replaceable>integer</replaceable>;
        multi-master <replaceable>boolean</replaceable>;
        request-ixfr <replaceable>boolean</replaceable>;
        sig-validity-interval <replaceable>integer</replaceable>;

        transfer-source ( <replaceable>ipv4_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;

        alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
                <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
        use-alt-transfer-source <replaceable>boolean</replaceable>;

        zone-statistics <replaceable>boolean</replaceable>;
        try-tcp-refresh <replaceable>boolean</replaceable>;
        key-directory <replaceable>quoted_string</replaceable>;

        nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only

        ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
        ixfr-tmp-file <replaceable>quoted_string</replaceable>; // obsolete
        maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
        max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
        pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete
};
</literallayout>
  </refsect1>

  <refsect1>
    <title>FILES</title>
    <para><filename>/etc/named.conf</filename>
    </para>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para><citerefentry>
        <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->