1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.82.8.3 2008/07/23 12:04:32 marka Exp $ -->
22 <book xmlns:xi="http://www.w3.org/2001/XInclude">
23 <title>BIND 9 Administrator Reference Manual</title>
32 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
39 <holder>Internet Software Consortium.</holder>
43 <chapter id="Bv9ARM.ch01">
44 <title>Introduction</title>
46 The Internet Domain Name System (<acronym>DNS</acronym>)
47 consists of the syntax
48 to specify the names of entities in the Internet in a hierarchical
49 manner, the rules used for delegating authority over names, and the
50 system implementation that actually maps names to Internet
51 addresses. <acronym>DNS</acronym> data is maintained in a
53 hierarchical databases.
57 <title>Scope of Document</title>
60 The Berkeley Internet Name Domain
61 (<acronym>BIND</acronym>) implements a
62 domain name server for a number of operating systems. This
63 document provides basic information about the installation and
64 care of the Internet Systems Consortium (<acronym>ISC</acronym>)
65 <acronym>BIND</acronym> version 9 software package for
66 system administrators.
70 This version of the manual corresponds to BIND version 9.4.
75 <title>Organization of This Document</title>
77 In this document, <emphasis>Section 1</emphasis> introduces
78 the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
79 describes resource requirements for running <acronym>BIND</acronym> in various
80 environments. Information in <emphasis>Section 3</emphasis> is
81 <emphasis>task-oriented</emphasis> in its presentation and is
82 organized functionally, to aid in the process of installing the
83 <acronym>BIND</acronym> 9 software. The task-oriented
84 section is followed by
85 <emphasis>Section 4</emphasis>, which contains more advanced
86 concepts that the system administrator may need for implementing
87 certain options. <emphasis>Section 5</emphasis>
88 describes the <acronym>BIND</acronym> 9 lightweight
89 resolver. The contents of <emphasis>Section 6</emphasis> are
90 organized as in a reference manual to aid in the ongoing
91 maintenance of the software. <emphasis>Section 7</emphasis> addresses
92 security considerations, and
93 <emphasis>Section 8</emphasis> contains troubleshooting help. The
94 main body of the document is followed by several
95 <emphasis>appendices</emphasis> which contain useful reference
96 information, such as a <emphasis>bibliography</emphasis> and
97 historic information related to <acronym>BIND</acronym>
103 <title>Conventions Used in This Document</title>
106 In this document, we use the following general typographic
112 <colspec colname="1" colnum="1" colwidth="3.000in"/>
113 <colspec colname="2" colnum="2" colwidth="2.625in"/>
118 <emphasis>To describe:</emphasis>
123 <emphasis>We use the style:</emphasis>
130 a pathname, filename, URL, hostname,
131 mailing list name, or new term or concept
136 <filename>Fixed width</filename>
149 <userinput>Fixed Width Bold</userinput>
161 <computeroutput>Fixed Width</computeroutput>
170 The following conventions are used in descriptions of the
171 <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
172 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
173 <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
174 <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
177 <entry colname="1" colsep="1" rowsep="1">
179 <emphasis>To describe:</emphasis>
182 <entry colname="2" rowsep="1">
184 <emphasis>We use the style:</emphasis>
189 <entry colname="1" colsep="1" rowsep="1">
194 <entry colname="2" rowsep="1">
196 <literal>Fixed Width</literal>
201 <entry colname="1" colsep="1" rowsep="1">
206 <entry colname="2" rowsep="1">
208 <varname>Fixed Width</varname>
213 <entry colname="1" colsep="1">
220 <optional>Text is enclosed in square brackets</optional>
230 <title>The Domain Name System (<acronym>DNS</acronym>)</title>
232 The purpose of this document is to explain the installation
233 and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
234 Name Domain) software package, and we
235 begin by reviewing the fundamentals of the Domain Name System
236 (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
240 <title>DNS Fundamentals</title>
243 The Domain Name System (DNS) is a hierarchical, distributed
244 database. It stores information for mapping Internet host names to
246 addresses and vice versa, mail routing information, and other data
247 used by Internet applications.
251 Clients look up information in the DNS by calling a
252 <emphasis>resolver</emphasis> library, which sends queries to one or
253 more <emphasis>name servers</emphasis> and interprets the responses.
254 The <acronym>BIND</acronym> 9 software distribution
256 name server, <command>named</command>, and two resolver
257 libraries, <command>liblwres</command> and <command>libbind</command>.
261 <title>Domains and Domain Names</title>
264 The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
265 organizational or administrative boundaries. Each node of the tree,
266 called a <emphasis>domain</emphasis>, is given a label. The domain
268 node is the concatenation of all the labels on the path from the
269 node to the <emphasis>root</emphasis> node. This is represented
270 in written form as a string of labels listed from right to left and
271 separated by dots. A label need only be unique within its parent
276 For example, a domain name for a host at the
277 company <emphasis>Example, Inc.</emphasis> could be
278 <literal>ourhost.example.com</literal>,
279 where <literal>com</literal> is the
280 top level domain to which
281 <literal>ourhost.example.com</literal> belongs,
282 <literal>example</literal> is
283 a subdomain of <literal>com</literal>, and
284 <literal>ourhost</literal> is the
289 For administrative purposes, the name space is partitioned into
290 areas called <emphasis>zones</emphasis>, each starting at a node and
291 extending down to the leaf nodes or to nodes where other zones
293 The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
294 <emphasis>DNS protocol</emphasis>.
298 The data associated with each domain name is stored in the
299 form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
300 Some of the supported resource record types are described in
301 <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
305 For more detailed information about the design of the DNS and
306 the DNS protocol, please refer to the standards documents listed in
307 <xref linkend="rfcs"/>.
314 To properly operate a name server, it is important to understand
315 the difference between a <emphasis>zone</emphasis>
316 and a <emphasis>domain</emphasis>.
320 As stated previously, a zone is a point of delegation in
321 the <acronym>DNS</acronym> tree. A zone consists of
322 those contiguous parts of the domain
323 tree for which a name server has complete information and over which
324 it has authority. It contains all domain names from a certain point
325 downward in the domain tree except those which are delegated to
326 other zones. A delegation point is marked by one or more
327 <emphasis>NS records</emphasis> in the
328 parent zone, which should be matched by equivalent NS records at
329 the root of the delegated zone.
333 For instance, consider the <literal>example.com</literal>
334 domain which includes names
335 such as <literal>host.aaa.example.com</literal> and
336 <literal>host.bbb.example.com</literal> even though
337 the <literal>example.com</literal> zone includes
338 only delegations for the <literal>aaa.example.com</literal> and
339 <literal>bbb.example.com</literal> zones. A zone can
341 exactly to a single domain, but could also include only part of a
342 domain, the rest of which could be delegated to other
343 name servers. Every name in the <acronym>DNS</acronym>
345 <emphasis>domain</emphasis>, even if it is
346 <emphasis>terminal</emphasis>, that is, has no
347 <emphasis>subdomains</emphasis>. Every subdomain is a domain and
348 every domain except the root is also a subdomain. The terminology is
349 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
351 gain a complete understanding of this difficult and subtle
356 Though <acronym>BIND</acronym> is called a "domain name
358 it deals primarily in terms of zones. The master and slave
359 declarations in the <filename>named.conf</filename> file
361 zones, not domains. When you ask some other site if it is willing to
362 be a slave server for your <emphasis>domain</emphasis>, you are
363 actually asking for slave service for some collection of zones.
368 <title>Authoritative Name Servers</title>
371 Each zone is served by at least
372 one <emphasis>authoritative name server</emphasis>,
373 which contains the complete data for the zone.
374 To make the DNS tolerant of server and network failures,
375 most zones have two or more authoritative servers, on
380 Responses from authoritative servers have the "authoritative
381 answer" (AA) bit set in the response packets. This makes them
382 easy to identify when debugging DNS configurations using tools like
383 <command>dig</command> (<xref linkend="diagnostic_tools"/>).
387 <title>The Primary Master</title>
390 The authoritative server where the master copy of the zone
391 data is maintained is called the
392 <emphasis>primary master</emphasis> server, or simply the
393 <emphasis>primary</emphasis>. Typically it loads the zone
394 contents from some local file edited by humans or perhaps
395 generated mechanically from some other local file which is
396 edited by humans. This file is called the
397 <emphasis>zone file</emphasis> or
398 <emphasis>master file</emphasis>.
402 In some cases, however, the master file may not be edited
403 by humans at all, but may instead be the result of
404 <emphasis>dynamic update</emphasis> operations.
409 <title>Slave Servers</title>
411 The other authoritative servers, the <emphasis>slave</emphasis>
412 servers (also known as <emphasis>secondary</emphasis> servers)
414 the zone contents from another server using a replication process
415 known as a <emphasis>zone transfer</emphasis>. Typically the data
417 transferred directly from the primary master, but it is also
419 to transfer it from another slave. In other words, a slave server
420 may itself act as a master to a subordinate slave server.
425 <title>Stealth Servers</title>
428 Usually all of the zone's authoritative servers are listed in
429 NS records in the parent zone. These NS records constitute
430 a <emphasis>delegation</emphasis> of the zone from the parent.
431 The authoritative servers are also listed in the zone file itself,
432 at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
433 of the zone. You can list servers in the zone's top-level NS
434 records that are not in the parent's NS delegation, but you cannot
435 list servers in the parent's delegation that are not present at
436 the zone's top level.
440 A <emphasis>stealth server</emphasis> is a server that is
441 authoritative for a zone but is not listed in that zone's NS
442 records. Stealth servers can be used for keeping a local copy of
444 zone to speed up access to the zone's records or to make sure that
446 zone is available even if all the "official" servers for the zone
452 A configuration where the primary master server itself is a
453 stealth server is often referred to as a "hidden primary"
454 configuration. One use for this configuration is when the primary
456 is behind a firewall and therefore unable to communicate directly
457 with the outside world.
465 <title>Caching Name Servers</title>
468 - Terminology here is inconsistent. Probably ought to
469 - convert to using "recursive name server" everywhere
470 - with just a note about "caching" terminology.
474 The resolver libraries provided by most operating systems are
475 <emphasis>stub resolvers</emphasis>, meaning that they are not
477 performing the full DNS resolution process by themselves by talking
478 directly to the authoritative servers. Instead, they rely on a
480 name server to perform the resolution on their behalf. Such a
482 is called a <emphasis>recursive</emphasis> name server; it performs
483 <emphasis>recursive lookups</emphasis> for local clients.
487 To improve performance, recursive servers cache the results of
488 the lookups they perform. Since the processes of recursion and
489 caching are intimately connected, the terms
490 <emphasis>recursive server</emphasis> and
491 <emphasis>caching server</emphasis> are often used synonymously.
495 The length of time for which a record may be retained in
496 the cache of a caching name server is controlled by the
497 Time To Live (TTL) field associated with each resource record.
501 <title>Forwarding</title>
504 Even a caching name server does not necessarily perform
505 the complete recursive lookup itself. Instead, it can
506 <emphasis>forward</emphasis> some or all of the queries
507 that it cannot satisfy from its cache to another caching name
509 commonly referred to as a <emphasis>forwarder</emphasis>.
513 There may be one or more forwarders,
514 and they are queried in turn until the list is exhausted or an
516 is found. Forwarders are typically used when you do not
517 wish all the servers at a given site to interact directly with the
519 the Internet servers. A typical scenario would involve a number
520 of internal <acronym>DNS</acronym> servers and an
521 Internet firewall. Servers unable
522 to pass packets through the firewall would forward to the server
523 that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
524 on the internal server's behalf.
531 <title>Name Servers in Multiple Roles</title>
534 The <acronym>BIND</acronym> name server can
535 simultaneously act as
536 a master for some zones, a slave for other zones, and as a caching
537 (recursive) server for a set of local clients.
541 However, since the functions of authoritative name service
542 and caching/recursive name service are logically separate, it is
543 often advantageous to run them on separate server machines.
545 A server that only provides authoritative name service
546 (an <emphasis>authoritative-only</emphasis> server) can run with
547 recursion disabled, improving reliability and security.
549 A server that is not authoritative for any zones and only provides
550 recursive service to local
551 clients (a <emphasis>caching-only</emphasis> server)
552 does not need to be reachable from the Internet at large and can
553 be placed inside a firewall.
561 <chapter id="Bv9ARM.ch02">
562 <title><acronym>BIND</acronym> Resource Requirements</title>
565 <title>Hardware requirements</title>
568 <acronym>DNS</acronym> hardware requirements have
569 traditionally been quite modest.
570 For many installations, servers that have been pensioned off from
571 active duty have performed admirably as <acronym>DNS</acronym> servers.
574 The DNSSEC features of <acronym>BIND</acronym> 9
575 may prove to be quite
576 CPU intensive however, so organizations that make heavy use of these
577 features may wish to consider larger systems for these applications.
578 <acronym>BIND</acronym> 9 is fully multithreaded, allowing
580 multiprocessor systems for installations that need it.
584 <title>CPU Requirements</title>
586 CPU requirements for <acronym>BIND</acronym> 9 range from
588 for serving of static zones without caching, to enterprise-class
589 machines if you intend to process many dynamic updates and DNSSEC
590 signed zones, serving many thousands of queries per second.
595 <title>Memory Requirements</title>
597 The memory of the server has to be large enough to fit the
598 cache and zones loaded off disk. The <command>max-cache-size</command>
599 option can be used to limit the amount of memory used by the cache,
600 at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
602 Additionally, if additional section caching
603 (<xref linkend="acache"/>) is enabled,
604 the <command>max-acache-size</command> option can be used to
606 of memory used by the mechanism.
607 It is still good practice to have enough memory to load
608 all zone and cache data into memory — unfortunately, the best
610 to determine this for a given installation is to watch the name server
611 in operation. After a few weeks the server process should reach
612 a relatively stable size where entries are expiring from the cache as
613 fast as they are being inserted.
616 - Add something here about leaving overhead for attacks?
617 - How much overhead? Percentage?
622 <title>Name Server Intensive Environment Issues</title>
624 For name server intensive environments, there are two alternative
625 configurations that may be used. The first is where clients and
626 any second-level internal name servers query a main name server, which
627 has enough memory to build a large cache. This approach minimizes
628 the bandwidth used by external name lookups. The second alternative
629 is to set up second-level internal name servers to make queries
631 In this configuration, none of the individual machines needs to
632 have as much memory or CPU power as in the first alternative, but
633 this has the disadvantage of making many more external queries,
634 as none of the name servers share their cached data.
639 <title>Supported Operating Systems</title>
641 ISC <acronym>BIND</acronym> 9 compiles and runs on a large
643 of Unix-like operating system and on NT-derived versions of
644 Microsoft Windows such as Windows 2000 and Windows XP. For an
646 list of supported systems, see the README file in the top level
648 of the BIND 9 source distribution.
653 <chapter id="Bv9ARM.ch03">
654 <title>Name Server Configuration</title>
656 In this section we provide some suggested configurations along
657 with guidelines for their use. We suggest reasonable values for
658 certain option settings.
661 <sect1 id="sample_configuration">
662 <title>Sample Configurations</title>
664 <title>A Caching-only Name Server</title>
666 The following sample configuration is appropriate for a caching-only
667 name server for use by clients internal to a corporation. All
669 from outside clients are refused using the <command>allow-query</command>
670 option. Alternatively, the same effect could be achieved using
676 // Two corporate subnets we wish to allow queries from.
677 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
679 directory "/etc/namedb"; // Working directory
680 allow-query { corpnets; };
682 // Provide a reverse mapping for the loopback address 127.0.0.1
683 zone "0.0.127.in-addr.arpa" {
685 file "localhost.rev";
693 <title>An Authoritative-only Name Server</title>
695 This sample configuration is for an authoritative-only server
696 that is the master server for "<filename>example.com</filename>"
697 and a slave for the subdomain "<filename>eng.example.com</filename>".
702 directory "/etc/namedb"; // Working directory
703 allow-query-cache { none; }; // Do not allow access to cache
704 allow-query { any; }; // This is the default
705 recursion no; // Do not provide recursive service
708 // Provide a reverse mapping for the loopback address 127.0.0.1
709 zone "0.0.127.in-addr.arpa" {
711 file "localhost.rev";
714 // We are the master server for example.com
717 file "example.com.db";
718 // IP addresses of slave servers allowed to transfer example.com
724 // We are a slave server for eng.example.com
725 zone "eng.example.com" {
727 file "eng.example.com.bk";
728 // IP address of eng.example.com master server
729 masters { 192.168.4.12; };
737 <title>Load Balancing</title>
739 - Add explanation of why load balancing is fragile at best
740 - and completely pointless in the general case.
744 A primitive form of load balancing can be achieved in
745 the <acronym>DNS</acronym> by using multiple records
746 (such as multiple A records) for one name.
750 For example, if you have three WWW servers with network addresses
751 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
752 following means that clients will connect to each machine one third
756 <informaltable colsep="0" rowsep="0">
757 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
758 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
759 <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
760 <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
761 <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
762 <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
787 Resource Record (RR) Data
794 <literal>www</literal>
799 <literal>600</literal>
804 <literal>IN</literal>
814 <literal>10.0.0.1</literal>
824 <literal>600</literal>
829 <literal>IN</literal>
839 <literal>10.0.0.2</literal>
849 <literal>600</literal>
854 <literal>IN</literal>
864 <literal>10.0.0.3</literal>
872 When a resolver queries for these records, <acronym>BIND</acronym> will rotate
873 them and respond to the query with the records in a different
874 order. In the example above, clients will randomly receive
875 records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
876 will use the first record returned and discard the rest.
879 For more detail on ordering responses, check the
880 <command>rrset-order</command> substatement in the
881 <command>options</command> statement, see
882 <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
888 <title>Name Server Operations</title>
891 <title>Tools for Use With the Name Server Daemon</title>
893 This section describes several indispensable diagnostic,
894 administrative and monitoring tools available to the system
895 administrator for controlling and debugging the name server
898 <sect3 id="diagnostic_tools">
899 <title>Diagnostic Tools</title>
901 The <command>dig</command>, <command>host</command>, and
902 <command>nslookup</command> programs are all command
904 for manually querying name servers. They differ in style and
910 <term id="dig"><command>dig</command></term>
913 The domain information groper (<command>dig</command>)
914 is the most versatile and complete of these lookup tools.
915 It has two modes: simple interactive
916 mode for a single query, and batch mode which executes a
918 each in a list of several query lines. All query options are
920 from the command line.
922 <cmdsynopsis label="Usage">
923 <command>dig</command>
924 <arg>@<replaceable>server</replaceable></arg>
925 <arg choice="plain"><replaceable>domain</replaceable></arg>
926 <arg><replaceable>query-type</replaceable></arg>
927 <arg><replaceable>query-class</replaceable></arg>
928 <arg>+<replaceable>query-option</replaceable></arg>
929 <arg>-<replaceable>dig-option</replaceable></arg>
930 <arg>%<replaceable>comment</replaceable></arg>
933 The usual simple use of dig will take the form
936 <command>dig @server domain query-type query-class</command>
939 For more information and a list of available commands and
940 options, see the <command>dig</command> man
947 <term><command>host</command></term>
950 The <command>host</command> utility emphasizes
952 and ease of use. By default, it converts
953 between host names and Internet addresses, but its
955 can be extended with the use of options.
957 <cmdsynopsis label="Usage">
958 <command>host</command>
959 <arg>-aCdlnrsTwv</arg>
960 <arg>-c <replaceable>class</replaceable></arg>
961 <arg>-N <replaceable>ndots</replaceable></arg>
962 <arg>-t <replaceable>type</replaceable></arg>
963 <arg>-W <replaceable>timeout</replaceable></arg>
964 <arg>-R <replaceable>retries</replaceable></arg>
965 <arg>-m <replaceable>flag</replaceable></arg>
968 <arg choice="plain"><replaceable>hostname</replaceable></arg>
969 <arg><replaceable>server</replaceable></arg>
972 For more information and a list of available commands and
973 options, see the <command>host</command> man
980 <term><command>nslookup</command></term>
982 <para><command>nslookup</command>
983 has two modes: interactive and
984 non-interactive. Interactive mode allows the user to
985 query name servers for information about various
986 hosts and domains or to print a list of hosts in a
987 domain. Non-interactive mode is used to print just
988 the name and requested information for a host or
991 <cmdsynopsis label="Usage">
992 <command>nslookup</command>
993 <arg rep="repeat">-option</arg>
995 <arg><replaceable>host-to-find</replaceable></arg>
996 <arg>- <arg>server</arg></arg>
1000 Interactive mode is entered when no arguments are given (the
1001 default name server will be used) or when the first argument
1003 hyphen (`-') and the second argument is the host name or
1008 Non-interactive mode is used when the name or Internet
1010 of the host to be looked up is given as the first argument.
1012 optional second argument specifies the host name or address
1016 Due to its arcane user interface and frequently inconsistent
1017 behavior, we do not recommend the use of <command>nslookup</command>.
1018 Use <command>dig</command> instead.
1026 <sect3 id="admin_tools">
1027 <title>Administrative Tools</title>
1029 Administrative tools play an integral part in the management
1033 <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
1035 <term><command>named-checkconf</command></term>
1038 The <command>named-checkconf</command> program
1039 checks the syntax of a <filename>named.conf</filename> file.
1041 <cmdsynopsis label="Usage">
1042 <command>named-checkconf</command>
1044 <arg>-t <replaceable>directory</replaceable></arg>
1045 <arg><replaceable>filename</replaceable></arg>
1049 <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
1051 <term><command>named-checkzone</command></term>
1054 The <command>named-checkzone</command> program
1055 checks a master file for
1056 syntax and consistency.
1058 <cmdsynopsis label="Usage">
1059 <command>named-checkzone</command>
1061 <arg>-c <replaceable>class</replaceable></arg>
1062 <arg>-o <replaceable>output</replaceable></arg>
1063 <arg>-t <replaceable>directory</replaceable></arg>
1064 <arg>-w <replaceable>directory</replaceable></arg>
1065 <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
1066 <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
1067 <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
1068 <arg choice="plain"><replaceable>zone</replaceable></arg>
1069 <arg><replaceable>filename</replaceable></arg>
1073 <varlistentry id="named-compilezone" xreflabel="Zone Compilation aplication">
1074 <term><command>named-compilezone</command></term>
1077 Similar to <command>named-checkzone,</command> but
1078 it always dumps the zone content to a specified file
1079 (typically in a different format).
1083 <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
1085 <term><command>rndc</command></term>
1088 The remote name daemon control
1089 (<command>rndc</command>) program allows the
1091 administrator to control the operation of a name server.
1092 Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
1093 supports all the commands of the BIND 8 <command>ndc</command>
1094 utility except <command>ndc start</command> and
1095 <command>ndc restart</command>, which were also
1096 not supported in <command>ndc</command>'s
1098 If you run <command>rndc</command> without any
1100 it will display a usage message as follows:
1102 <cmdsynopsis label="Usage">
1103 <command>rndc</command>
1104 <arg>-c <replaceable>config</replaceable></arg>
1105 <arg>-s <replaceable>server</replaceable></arg>
1106 <arg>-p <replaceable>port</replaceable></arg>
1107 <arg>-y <replaceable>key</replaceable></arg>
1108 <arg choice="plain"><replaceable>command</replaceable></arg>
1109 <arg rep="repeat"><replaceable>command</replaceable></arg>
1111 <para>The <command>command</command>
1112 is one of the following:
1118 <term><userinput>reload</userinput></term>
1121 Reload configuration file and zones.
1127 <term><userinput>reload <replaceable>zone</replaceable>
1128 <optional><replaceable>class</replaceable>
1129 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1132 Reload the given zone.
1138 <term><userinput>refresh <replaceable>zone</replaceable>
1139 <optional><replaceable>class</replaceable>
1140 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1143 Schedule zone maintenance for the given zone.
1149 <term><userinput>retransfer <replaceable>zone</replaceable>
1151 <optional><replaceable>class</replaceable>
1152 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1155 Retransfer the given zone from the master.
1162 <term><userinput>freeze
1163 <optional><replaceable>zone</replaceable>
1164 <optional><replaceable>class</replaceable>
1165 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1168 Suspend updates to a dynamic zone. If no zone is
1170 then all zones are suspended. This allows manual
1171 edits to be made to a zone normally updated by dynamic
1173 also causes changes in the journal file to be synced
1175 and the journal file to be removed. All dynamic
1176 update attempts will
1177 be refused while the zone is frozen.
1183 <term><userinput>thaw
1184 <optional><replaceable>zone</replaceable>
1185 <optional><replaceable>class</replaceable>
1186 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1189 Enable updates to a frozen dynamic zone. If no zone
1191 specified, then all frozen zones are enabled. This
1193 the server to reload the zone from disk, and
1194 re-enables dynamic updates
1195 after the load has completed. After a zone is thawed,
1197 will no longer be refused.
1203 <term><userinput>notify <replaceable>zone</replaceable>
1204 <optional><replaceable>class</replaceable>
1205 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1208 Resend NOTIFY messages for the zone.
1214 <term><userinput>reconfig</userinput></term>
1217 Reload the configuration file and load new zones,
1218 but do not reload existing zone files even if they
1220 This is faster than a full <command>reload</command> when there
1221 is a large number of zones because it avoids the need
1223 modification times of the zones files.
1229 <term><userinput>stats</userinput></term>
1232 Write server statistics to the statistics file.
1238 <term><userinput>querylog</userinput></term>
1241 Toggle query logging. Query logging can also be enabled
1242 by explicitly directing the <command>queries</command>
1243 <command>category</command> to a
1244 <command>channel</command> in the
1245 <command>logging</command> section of
1246 <filename>named.conf</filename> or by specifying
1247 <command>querylog yes;</command> in the
1248 <command>options</command> section of
1249 <filename>named.conf</filename>.
1255 <term><userinput>dumpdb
1256 <optional>-all|-cache|-zone</optional>
1257 <optional><replaceable>view ...</replaceable></optional></userinput></term>
1260 Dump the server's caches (default) and/or zones to
1262 dump file for the specified views. If no view is
1270 <term><userinput>stop <optional>-p</optional></userinput></term>
1273 Stop the server, making sure any recent changes
1274 made through dynamic update or IXFR are first saved to
1275 the master files of the updated zones.
1276 If -p is specified named's process id is returned.
1277 This allows an external process to determine when named
1278 had completed stopping.
1284 <term><userinput>halt <optional>-p</optional></userinput></term>
1287 Stop the server immediately. Recent changes
1288 made through dynamic update or IXFR are not saved to
1289 the master files, but will be rolled forward from the
1290 journal files when the server is restarted.
1291 If -p is specified named's process id is returned.
1292 This allows an external process to determine when named
1293 had completed halting.
1299 <term><userinput>trace</userinput></term>
1302 Increment the servers debugging level by one.
1308 <term><userinput>trace <replaceable>level</replaceable></userinput></term>
1311 Sets the server's debugging level to an explicit
1318 <term><userinput>notrace</userinput></term>
1321 Sets the server's debugging level to 0.
1327 <term><userinput>flush</userinput></term>
1330 Flushes the server's cache.
1336 <term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
1339 Flushes the given name from the server's cache.
1345 <term><userinput>status</userinput></term>
1348 Display status of the server.
1349 Note that the number of zones includes the internal <command>bind/CH</command> zone
1350 and the default <command>./IN</command>
1351 hint zone if there is not an
1352 explicit root zone configured.
1358 <term><userinput>recursing</userinput></term>
1361 Dump the list of queries named is currently recursing
1370 A configuration file is required, since all
1371 communication with the server is authenticated with
1372 digital signatures that rely on a shared secret, and
1373 there is no way to provide that secret other than with a
1374 configuration file. The default location for the
1375 <command>rndc</command> configuration file is
1376 <filename>/etc/rndc.conf</filename>, but an
1378 location can be specified with the <option>-c</option>
1379 option. If the configuration file is not found,
1380 <command>rndc</command> will also look in
1381 <filename>/etc/rndc.key</filename> (or whatever
1382 <varname>sysconfdir</varname> was defined when
1383 the <acronym>BIND</acronym> build was
1385 The <filename>rndc.key</filename> file is
1387 running <command>rndc-confgen -a</command> as
1389 <xref linkend="controls_statement_definition_and_usage"/>.
1393 The format of the configuration file is similar to
1394 that of <filename>named.conf</filename>, but
1396 only four statements, the <command>options</command>,
1397 <command>key</command>, <command>server</command> and
1398 <command>include</command>
1399 statements. These statements are what associate the
1400 secret keys to the servers with which they are meant to
1401 be shared. The order of statements is not
1406 The <command>options</command> statement has
1408 <command>default-server</command>, <command>default-key</command>,
1409 and <command>default-port</command>.
1410 <command>default-server</command> takes a
1411 host name or address argument and represents the server
1413 be contacted if no <option>-s</option>
1414 option is provided on the command line.
1415 <command>default-key</command> takes
1416 the name of a key as its argument, as defined by a <command>key</command> statement.
1417 <command>default-port</command> specifies the
1419 <command>rndc</command> should connect if no
1420 port is given on the command line or in a
1421 <command>server</command> statement.
1425 The <command>key</command> statement defines a
1427 by <command>rndc</command> when authenticating
1429 <command>named</command>. Its syntax is
1431 <command>key</command> statement in named.conf.
1432 The keyword <userinput>key</userinput> is
1433 followed by a key name, which must be a valid
1434 domain name, though it need not actually be hierarchical;
1436 a string like "<userinput>rndc_key</userinput>" is a valid
1438 The <command>key</command> statement has two
1440 <command>algorithm</command> and <command>secret</command>.
1441 While the configuration parser will accept any string as the
1443 to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
1444 has any meaning. The secret is a base-64 encoded string
1445 as specified in RFC 3548.
1449 The <command>server</command> statement
1451 defined using the <command>key</command>
1452 statement with a server.
1453 The keyword <userinput>server</userinput> is followed by a
1454 host name or address. The <command>server</command> statement
1455 has two clauses: <command>key</command> and <command>port</command>.
1456 The <command>key</command> clause specifies the
1458 to be used when communicating with this server, and the
1459 <command>port</command> clause can be used to
1460 specify the port <command>rndc</command> should
1466 A sample minimal configuration file is as follows:
1471 algorithm "hmac-md5";
1472 secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
1475 default-server 127.0.0.1;
1476 default-key rndc_key;
1481 This file, if installed as <filename>/etc/rndc.conf</filename>,
1482 would allow the command:
1486 <prompt>$ </prompt><userinput>rndc reload</userinput>
1490 to connect to 127.0.0.1 port 953 and cause the name server
1491 to reload, if a name server on the local machine were
1493 following controls statements:
1498 inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
1503 and it had an identical key statement for
1504 <literal>rndc_key</literal>.
1508 Running the <command>rndc-confgen</command>
1510 conveniently create a <filename>rndc.conf</filename>
1511 file for you, and also display the
1512 corresponding <command>controls</command>
1513 statement that you need to
1514 add to <filename>named.conf</filename>.
1516 you can run <command>rndc-confgen -a</command>
1518 a <filename>rndc.key</filename> file and not
1520 <filename>named.conf</filename> at all.
1531 <title>Signals</title>
1533 Certain UNIX signals cause the name server to take specific
1534 actions, as described in the following table. These signals can
1535 be sent using the <command>kill</command> command.
1537 <informaltable frame="all">
1539 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
1540 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
1544 <para><command>SIGHUP</command></para>
1548 Causes the server to read <filename>named.conf</filename> and
1549 reload the database.
1555 <para><command>SIGTERM</command></para>
1559 Causes the server to clean up and exit.
1565 <para><command>SIGINT</command></para>
1569 Causes the server to clean up and exit.
1580 <chapter id="Bv9ARM.ch04">
1581 <title>Advanced DNS Features</title>
1585 <title>Notify</title>
1587 <acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1588 servers to notify their slave servers of changes to a zone's data. In
1589 response to a <command>NOTIFY</command> from a master server, the
1590 slave will check to see that its version of the zone is the
1591 current version and, if not, initiate a zone transfer.
1595 For more information about <acronym>DNS</acronym>
1596 <command>NOTIFY</command>, see the description of the
1597 <command>notify</command> option in <xref linkend="boolean_options"/> and
1598 the description of the zone option <command>also-notify</command> in
1599 <xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1600 protocol is specified in RFC 1996.
1604 As a slave zone can also be a master to other slaves, named,
1605 by default, sends <command>NOTIFY</command> messages for every zone
1606 it loads. Specifying <command>notify master-only;</command> will
1607 cause named to only send <command>NOTIFY</command> for master
1608 zones that it loads.
1613 <sect1 id="dynamic_update">
1614 <title>Dynamic Update</title>
1617 Dynamic Update is a method for adding, replacing or deleting
1618 records in a master server by sending it a special form of DNS
1619 messages. The format and meaning of these messages is specified
1624 Dynamic update is enabled by
1625 including an <command>allow-update</command> or
1626 <command>update-policy</command> clause in the
1627 <command>zone</command> statement.
1631 Updating of secure zones (zones using DNSSEC) follows
1632 RFC 3007: RRSIG and NSEC records affected by updates are automatically
1633 regenerated by the server using an online zone key.
1634 Update authorization is based
1635 on transaction signatures and an explicit server policy.
1638 <sect2 id="journal">
1639 <title>The journal file</title>
1642 All changes made to a zone using dynamic update are stored
1643 in the zone's journal file. This file is automatically created
1644 by the server when the first dynamic update takes place.
1645 The name of the journal file is formed by appending the extension
1646 <filename>.jnl</filename> to the name of the
1648 file unless specifically overridden. The journal file is in a
1649 binary format and should not be edited manually.
1653 The server will also occasionally write ("dump")
1654 the complete contents of the updated zone to its zone file.
1655 This is not done immediately after
1656 each dynamic update, because that would be too slow when a large
1657 zone is updated frequently. Instead, the dump is delayed by
1658 up to 15 minutes, allowing additional updates to take place.
1662 When a server is restarted after a shutdown or crash, it will replay
1663 the journal file to incorporate into the zone any updates that
1665 place after the last zone dump.
1669 Changes that result from incoming incremental zone transfers are
1671 journalled in a similar way.
1675 The zone files of dynamic zones cannot normally be edited by
1676 hand because they are not guaranteed to contain the most recent
1677 dynamic changes — those are only in the journal file.
1678 The only way to ensure that the zone file of a dynamic zone
1679 is up to date is to run <command>rndc stop</command>.
1683 If you have to make changes to a dynamic zone
1684 manually, the following procedure will work: Disable dynamic updates
1686 <command>rndc freeze <replaceable>zone</replaceable></command>.
1687 This will also remove the zone's <filename>.jnl</filename> file
1688 and update the master file. Edit the zone file. Run
1689 <command>rndc thaw <replaceable>zone</replaceable></command>
1690 to reload the changed zone and re-enable dynamic updates.
1697 <sect1 id="incremental_zone_transfers">
1698 <title>Incremental Zone Transfers (IXFR)</title>
1701 The incremental zone transfer (IXFR) protocol is a way for
1702 slave servers to transfer only changed data, instead of having to
1703 transfer the entire zone. The IXFR protocol is specified in RFC
1704 1995. See <xref linkend="proposed_standards"/>.
1708 When acting as a master, <acronym>BIND</acronym> 9
1709 supports IXFR for those zones
1710 where the necessary change history information is available. These
1711 include master zones maintained by dynamic update and slave zones
1712 whose data was obtained by IXFR. For manually maintained master
1713 zones, and for slave zones obtained by performing a full zone
1714 transfer (AXFR), IXFR is supported only if the option
1715 <command>ixfr-from-differences</command> is set
1716 to <userinput>yes</userinput>.
1720 When acting as a slave, <acronym>BIND</acronym> 9 will
1721 attempt to use IXFR unless
1722 it is explicitly disabled. For more information about disabling
1723 IXFR, see the description of the <command>request-ixfr</command> clause
1724 of the <command>server</command> statement.
1729 <title>Split DNS</title>
1731 Setting up different views, or visibility, of the DNS space to
1732 internal and external resolvers is usually referred to as a
1733 <emphasis>Split DNS</emphasis> setup. There are several
1734 reasons an organization would want to set up its DNS this way.
1737 One common reason for setting up a DNS system this way is
1738 to hide "internal" DNS information from "external" clients on the
1739 Internet. There is some debate as to whether or not this is actually
1741 Internal DNS information leaks out in many ways (via email headers,
1742 for example) and most savvy "attackers" can find the information
1743 they need using other means.
1744 However, since listing addresses of internal servers that
1745 external clients cannot possibly reach can result in
1746 connection delays and other annoyances, an organization may
1747 choose to use a Split DNS to present a consistent view of itself
1748 to the outside world.
1751 Another common reason for setting up a Split DNS system is
1752 to allow internal networks that are behind filters or in RFC 1918
1753 space (reserved IP space, as documented in RFC 1918) to resolve DNS
1754 on the Internet. Split DNS can also be used to allow mail from outside
1755 back in to the internal network.
1758 <title>Example split DNS setup</title>
1760 Let's say a company named <emphasis>Example, Inc.</emphasis>
1761 (<literal>example.com</literal>)
1762 has several corporate sites that have an internal network with
1764 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1765 or "outside" section of a network, that is available to the public.
1768 <emphasis>Example, Inc.</emphasis> wants its internal clients
1769 to be able to resolve external hostnames and to exchange mail with
1770 people on the outside. The company also wants its internal resolvers
1771 to have access to certain internal-only zones that are not available
1772 at all outside of the internal network.
1775 In order to accomplish this, the company will set up two sets
1776 of name servers. One set will be on the inside network (in the
1778 IP space) and the other set will be on bastion hosts, which are
1780 hosts that can talk to both sides of its network, in the DMZ.
1783 The internal servers will be configured to forward all queries,
1784 except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1785 and <filename>site2.example.com</filename>, to the servers
1787 DMZ. These internal servers will have complete sets of information
1788 for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
1789 and <filename>site2.internal</filename>.
1792 To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1793 the internal name servers must be configured to disallow all queries
1794 to these domains from any external hosts, including the bastion
1798 The external servers, which are on the bastion hosts, will
1799 be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1800 This could include things such as the host records for public servers
1801 (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1802 and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
1805 In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1806 should have special MX records that contain wildcard (`*') records
1807 pointing to the bastion hosts. This is needed because external mail
1808 servers do not have any other way of looking up how to deliver mail
1809 to those internal hosts. With the wildcard records, the mail will
1810 be delivered to the bastion host, which can then forward it on to
1814 Here's an example of a wildcard MX record:
1816 <programlisting>* IN MX 10 external1.example.com.</programlisting>
1818 Now that they accept mail on behalf of anything in the internal
1819 network, the bastion hosts will need to know how to deliver mail
1820 to internal hosts. In order for this to work properly, the resolvers
1822 the bastion hosts will need to be configured to point to the internal
1823 name servers for DNS resolution.
1826 Queries for internal hostnames will be answered by the internal
1827 servers, and queries for external hostnames will be forwarded back
1828 out to the DNS servers on the bastion hosts.
1831 In order for all this to work properly, internal clients will
1832 need to be configured to query <emphasis>only</emphasis> the internal
1833 name servers for DNS queries. This could also be enforced via
1835 filtering on the network.
1838 If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1839 internal clients will now be able to:
1844 Look up any hostnames in the <literal>site1</literal>
1846 <literal>site2.example.com</literal> zones.
1851 Look up any hostnames in the <literal>site1.internal</literal> and
1852 <literal>site2.internal</literal> domains.
1856 <simpara>Look up any hostnames on the Internet.</simpara>
1859 <simpara>Exchange mail with both internal and external people.</simpara>
1863 Hosts on the Internet will be able to:
1868 Look up any hostnames in the <literal>site1</literal>
1870 <literal>site2.example.com</literal> zones.
1875 Exchange mail with anyone in the <literal>site1</literal> and
1876 <literal>site2.example.com</literal> zones.
1882 Here is an example configuration for the setup we just
1883 described above. Note that this is only configuration information;
1884 for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
1888 Internal DNS server config:
1893 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1895 acl externals { <varname>bastion-ips-go-here</varname>; };
1901 forwarders { // forward to external servers
1902 <varname>bastion-ips-go-here</varname>;
1904 allow-transfer { none; }; // sample allow-transfer (no one)
1905 allow-query { internals; externals; }; // restrict query access
1906 allow-recursion { internals; }; // restrict recursion
1911 zone "site1.example.com" { // sample master zone
1913 file "m/site1.example.com";
1914 forwarders { }; // do normal iterative
1915 // resolution (do not forward)
1916 allow-query { internals; externals; };
1917 allow-transfer { internals; };
1920 zone "site2.example.com" { // sample slave zone
1922 file "s/site2.example.com";
1923 masters { 172.16.72.3; };
1925 allow-query { internals; externals; };
1926 allow-transfer { internals; };
1929 zone "site1.internal" {
1931 file "m/site1.internal";
1933 allow-query { internals; };
1934 allow-transfer { internals; }
1937 zone "site2.internal" {
1939 file "s/site2.internal";
1940 masters { 172.16.72.3; };
1942 allow-query { internals };
1943 allow-transfer { internals; }
1948 External (bastion host) DNS server config:
1952 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1954 acl externals { bastion-ips-go-here; };
1959 allow-transfer { none; }; // sample allow-transfer (no one)
1960 allow-query { any; }; // default query access
1961 allow-query-cache { internals; externals; }; // restrict cache access
1962 allow-recursion { internals; externals; }; // restrict recursion
1967 zone "site1.example.com" { // sample slave zone
1969 file "m/site1.foo.com";
1970 allow-transfer { internals; externals; };
1973 zone "site2.example.com" {
1975 file "s/site2.foo.com";
1976 masters { another_bastion_host_maybe; };
1977 allow-transfer { internals; externals; }
1982 In the <filename>resolv.conf</filename> (or equivalent) on
1983 the bastion host(s):
1988 nameserver 172.16.72.2
1989 nameserver 172.16.72.3
1990 nameserver 172.16.72.4
1998 This is a short guide to setting up Transaction SIGnatures
1999 (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
2000 to the configuration file as well as what changes are required for
2001 different features, including the process of creating transaction
2002 keys and using transaction signatures with <acronym>BIND</acronym>.
2005 <acronym>BIND</acronym> primarily supports TSIG for server
2006 to server communication.
2007 This includes zone transfer, notify, and recursive query messages.
2008 Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
2013 TSIG can also be useful for dynamic update. A primary
2014 server for a dynamic zone should control access to the dynamic
2015 update service, but IP-based access control is insufficient.
2016 The cryptographic access control provided by TSIG
2017 is far superior. The <command>nsupdate</command>
2018 program supports TSIG via the <option>-k</option> and
2019 <option>-y</option> command line options or inline by use
2020 of the <command>key</command>.
2024 <title>Generate Shared Keys for Each Pair of Hosts</title>
2026 A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
2027 An arbitrary key name is chosen: "host1-host2.". The key name must
2028 be the same on both hosts.
2031 <title>Automatic Generation</title>
2033 The following command will generate a 128-bit (16 byte) HMAC-MD5
2034 key as described above. Longer keys are better, but shorter keys
2035 are easier to read. Note that the maximum key length is 512 bits;
2036 keys longer than that will be digested with MD5 to produce a
2040 <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
2043 The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
2044 Nothing directly uses this file, but the base-64 encoded string
2045 following "<literal>Key:</literal>"
2046 can be extracted from the file and used as a shared secret:
2048 <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
2050 The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
2051 be used as the shared secret.
2055 <title>Manual Generation</title>
2057 The shared secret is simply a random sequence of bits, encoded
2058 in base-64. Most ASCII strings are valid base-64 strings (assuming
2059 the length is a multiple of 4 and only valid characters are used),
2060 so the shared secret can be manually generated.
2063 Also, a known string can be run through <command>mmencode</command> or
2064 a similar program to generate base-64 encoded data.
2069 <title>Copying the Shared Secret to Both Machines</title>
2071 This is beyond the scope of DNS. A secure transport mechanism
2072 should be used. This could be secure FTP, ssh, telephone, etc.
2076 <title>Informing the Servers of the Key's Existence</title>
2078 Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
2080 both servers. The following is added to each server's <filename>named.conf</filename> file:
2086 secret "La/E5CjG9O+os1jq0a2jdA==";
2091 The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
2092 The secret is the one generated above. Since this is a secret, it
2093 is recommended that either <filename>named.conf</filename> be non-world
2094 readable, or the key directive be added to a non-world readable
2095 file that is included by
2096 <filename>named.conf</filename>.
2099 At this point, the key is recognized. This means that if the
2100 server receives a message signed by this key, it can verify the
2101 signature. If the signature is successfully verified, the
2102 response is signed by the same key.
2107 <title>Instructing the Server to Use the Key</title>
2109 Since keys are shared between two hosts only, the server must
2110 be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
2111 for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
2117 keys { host1-host2. ;};
2122 Multiple keys may be present, but only the first is used.
2123 This directive does not contain any secrets, so it may be in a
2128 If <emphasis>host1</emphasis> sends a message that is a request
2129 to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
2130 expect any responses to signed messages to be signed with the same
2134 A similar statement must be present in <emphasis>host2</emphasis>'s
2135 configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
2136 sign request messages to <emphasis>host1</emphasis>.
2140 <title>TSIG Key Based Access Control</title>
2142 <acronym>BIND</acronym> allows IP addresses and ranges
2143 to be specified in ACL
2145 <command>allow-{ query | transfer | update }</command>
2147 This has been extended to allow TSIG keys also. The above key would
2148 be denoted <command>key host1-host2.</command>
2151 An example of an allow-update directive would be:
2155 allow-update { key host1-host2. ;};
2159 This allows dynamic updates to succeed only if the request
2160 was signed by a key named
2161 "<command>host1-host2.</command>".
2164 You may want to read about the more
2165 powerful <command>update-policy</command> statement in <xref linkend="dynamic_update_policies"/>.
2170 <title>Errors</title>
2173 The processing of TSIG signed messages can result in
2174 several errors. If a signed message is sent to a non-TSIG aware
2175 server, a FORMERR (format error) will be returned, since the server will not
2176 understand the record. This is a result of misconfiguration,
2177 since the server must be explicitly configured to send a TSIG
2178 signed message to a specific server.
2182 If a TSIG aware server receives a message signed by an
2183 unknown key, the response will be unsigned with the TSIG
2184 extended error code set to BADKEY. If a TSIG aware server
2185 receives a message with a signature that does not validate, the
2186 response will be unsigned with the TSIG extended error code set
2187 to BADSIG. If a TSIG aware server receives a message with a time
2188 outside of the allowed range, the response will be signed with
2189 the TSIG extended error code set to BADTIME, and the time values
2190 will be adjusted so that the response can be successfully
2191 verified. In any of these cases, the message's rcode (response code) is set to
2192 NOTAUTH (not authenticated).
2200 <para><command>TKEY</command>
2201 is a mechanism for automatically generating a shared secret
2202 between two hosts. There are several "modes" of
2203 <command>TKEY</command> that specify how the key is generated
2204 or assigned. <acronym>BIND</acronym> 9 implements only one of
2205 these modes, the Diffie-Hellman key exchange. Both hosts are
2206 required to have a Diffie-Hellman KEY record (although this
2207 record is not required to be present in a zone). The
2208 <command>TKEY</command> process must use signed messages,
2209 signed either by TSIG or SIG(0). The result of
2210 <command>TKEY</command> is a shared secret that can be used to
2211 sign messages with TSIG. <command>TKEY</command> can also be
2212 used to delete shared secrets that it had previously
2217 The <command>TKEY</command> process is initiated by a
2219 or server by sending a signed <command>TKEY</command>
2221 (including any appropriate KEYs) to a TKEY-aware server. The
2222 server response, if it indicates success, will contain a
2223 <command>TKEY</command> record and any appropriate keys.
2225 this exchange, both participants have enough information to
2226 determine the shared secret; the exact process depends on the
2227 <command>TKEY</command> mode. When using the
2229 <command>TKEY</command> mode, Diffie-Hellman keys are
2231 and the shared secret is derived by both participants.
2236 <title>SIG(0)</title>
2239 <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
2240 transaction signatures as specified in RFC 2535 and RFC2931.
2242 uses public/private keys to authenticate messages. Access control
2243 is performed in the same manner as TSIG keys; privileges can be
2244 granted or denied based on the key name.
2248 When a SIG(0) signed message is received, it will only be
2249 verified if the key is known and trusted by the server; the server
2250 will not attempt to locate and/or validate the key.
2254 SIG(0) signing of multiple-message TCP streams is not
2259 The only tool shipped with <acronym>BIND</acronym> 9 that
2260 generates SIG(0) signed messages is <command>nsupdate</command>.
2265 <title>DNSSEC</title>
2268 Cryptographic authentication of DNS information is possible
2269 through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
2270 defined in RFC 4033, RFC 4034, and RFC 4035.
2271 This section describes the creation and use of DNSSEC signed zones.
2275 In order to set up a DNSSEC secure zone, there are a series
2276 of steps which must be followed. <acronym>BIND</acronym>
2279 that are used in this process, which are explained in more detail
2280 below. In all cases, the <option>-h</option> option prints a
2281 full list of parameters. Note that the DNSSEC tools require the
2282 keyset files to be in the working directory or the
2283 directory specified by the <option>-d</option> option, and
2284 that the tools shipped with BIND 9.2.x and earlier are not compatible
2285 with the current ones.
2289 There must also be communication with the administrators of
2290 the parent and/or child zone to transmit keys. A zone's security
2291 status must be indicated by the parent zone for a DNSSEC capable
2292 resolver to trust its data. This is done through the presence
2293 or absence of a <literal>DS</literal> record at the
2299 For other servers to trust data in this zone, they must
2300 either be statically configured with this zone's zone key or the
2301 zone key of another zone above this one in the DNS tree.
2305 <title>Generating Keys</title>
2308 The <command>dnssec-keygen</command> program is used to
2313 A secure zone must contain one or more zone keys. The
2314 zone keys will sign all other records in the zone, as well as
2315 the zone keys of any secure delegated zones. Zone keys must
2316 have the same name as the zone, a name type of
2317 <command>ZONE</command>, and must be usable for
2319 It is recommended that zone keys use a cryptographic algorithm
2320 designated as "mandatory to implement" by the IETF; currently
2321 the only one is RSASHA1.
2325 The following command will generate a 768-bit RSASHA1 key for
2326 the <filename>child.example</filename> zone:
2330 <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
2334 Two output files will be produced:
2335 <filename>Kchild.example.+005+12345.key</filename> and
2336 <filename>Kchild.example.+005+12345.private</filename>
2338 12345 is an example of a key tag). The key filenames contain
2339 the key name (<filename>child.example.</filename>),
2341 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
2343 The private key (in the <filename>.private</filename>
2345 used to generate signatures, and the public key (in the
2346 <filename>.key</filename> file) is used for signature
2351 To generate another key with the same properties (but with
2352 a different key tag), repeat the above command.
2356 The public keys should be inserted into the zone file by
2357 including the <filename>.key</filename> files using
2358 <command>$INCLUDE</command> statements.
2363 <title>Signing the Zone</title>
2366 The <command>dnssec-signzone</command> program is used
2372 Any <filename>keyset</filename> files corresponding
2373 to secure subzones should be present. The zone signer will
2374 generate <literal>NSEC</literal> and <literal>RRSIG</literal>
2375 records for the zone, as well as <literal>DS</literal>
2377 the child zones if <literal>'-d'</literal> is specified.
2378 If <literal>'-d'</literal> is not specified, then
2380 the secure child zones need to be added manually.
2384 The following command signs the zone, assuming it is in a
2385 file called <filename>zone.child.example</filename>. By
2386 default, all zone keys which have an available private key are
2387 used to generate signatures.
2391 <userinput>dnssec-signzone -o child.example zone.child.example</userinput>
2395 One output file is produced:
2396 <filename>zone.child.example.signed</filename>. This
2398 should be referenced by <filename>named.conf</filename>
2400 input file for the zone.
2403 <para><command>dnssec-signzone</command>
2404 will also produce a keyset and dsset files and optionally a
2405 dlvset file. These are used to provide the parent zone
2406 administrators with the <literal>DNSKEYs</literal> (or their
2407 corresponding <literal>DS</literal> records) that are the
2408 secure entry point to the zone.
2414 <title>Configuring Servers</title>
2417 To enable <command>named</command> to respond appropriately
2418 to DNS requests from DNSSEC aware clients,
2419 <command>dnssec-enable</command> must be set to yes.
2423 To enable <command>named</command> to validate answers from
2424 other servers both <command>dnssec-enable</command> and
2425 <command>dnssec-validation</command> must be set and some
2426 <command>trusted-keys</command> must be configured
2427 into <filename>named.conf</filename>.
2431 <command>trusted-keys</command> are copies of DNSKEY RRs
2432 for zones that are used to form the first link in the
2433 cryptographic chain of trust. All keys listed in
2434 <command>trusted-keys</command> (and corresponding zones)
2435 are deemed to exist and only the listed keys will be used
2436 to validated the DNSKEY RRset that they are from.
2440 <command>trusted-keys</command> are described in more detail
2441 later in this document.
2445 Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
2446 9 does not verify signatures on load, so zone keys for
2447 authoritative zones do not need to be specified in the
2452 After DNSSEC gets established, a typical DNSSEC configuration
2453 will look something like the following. It has a one or
2454 more public keys for the root. This allows answers from
2455 outside the organization to be validated. It will also
2456 have several keys for parts of the namespace the organization
2457 controls. These are here to ensure that named is immune
2458 to compromises in the DNSSEC components of the security
2466 "." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
2467 E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
2468 zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
2469 MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
2470 /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
2471 iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
2472 Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
2474 /* Key for our organization's forward zone */
2475 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
2476 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
2477 OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
2478 lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
2479 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
2480 iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
2481 SCThlHf3xiYleDbt/o1OTQ09A0=";
2483 /* Key for our reverse zone. */
2484 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
2485 VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
2486 tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
2487 yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
2488 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
2489 zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
2490 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
2491 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
2497 dnssec-validation yes;
2502 None of the keys listed in this example are valid. In particular,
2503 the root key is not valid.
2510 <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
2513 <acronym>BIND</acronym> 9 fully supports all currently
2514 defined forms of IPv6
2515 name to address and address to name lookups. It will also use
2516 IPv6 addresses to make queries when running on an IPv6 capable
2521 For forward lookups, <acronym>BIND</acronym> 9 supports
2522 only AAAA records. RFC 3363 deprecated the use of A6 records,
2523 and client-side support for A6 records was accordingly removed
2524 from <acronym>BIND</acronym> 9.
2525 However, authoritative <acronym>BIND</acronym> 9 name servers still
2526 load zone files containing A6 records correctly, answer queries
2527 for A6 records, and accept zone transfer for a zone containing A6
2532 For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
2533 the traditional "nibble" format used in the
2534 <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
2535 <emphasis>ip6.int</emphasis> domain.
2536 Older versions of <acronym>BIND</acronym> 9
2537 supported the "binary label" (also known as "bitstring") format,
2538 but support of binary labels has been completely removed per
2540 Many applications in <acronym>BIND</acronym> 9 do not understand
2541 the binary label format at all any more, and will return an
2543 In particular, an authoritative <acronym>BIND</acronym> 9
2544 name server will not load a zone file containing binary labels.
2548 For an overview of the format and structure of IPv6 addresses,
2549 see <xref linkend="ipv6addresses"/>.
2553 <title>Address Lookups Using AAAA Records</title>
2556 The IPv6 AAAA record is a parallel to the IPv4 A record,
2557 and, unlike the deprecated A6 record, specifies the entire
2558 IPv6 address in a single record. For example,
2562 $ORIGIN example.com.
2563 host 3600 IN AAAA 2001:db8::1
2567 Use of IPv4-in-IPv6 mapped addresses is not recommended.
2568 If a host has an IPv4 address, use an A record, not
2569 a AAAA, with <literal>::ffff:192.168.42.1</literal> as
2574 <title>Address to Name Lookups Using Nibble Format</title>
2577 When looking up an address in nibble format, the address
2578 components are simply reversed, just as in IPv4, and
2579 <literal>ip6.arpa.</literal> is appended to the
2581 For example, the following would provide reverse name lookup for
2583 <literal>2001:db8::1</literal>.
2587 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
2588 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
2595 <chapter id="Bv9ARM.ch05">
2596 <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
2598 <title>The Lightweight Resolver Library</title>
2600 Traditionally applications have been linked with a stub resolver
2601 library that sends recursive DNS queries to a local caching name
2605 IPv6 once introduced new complexity into the resolution process,
2606 such as following A6 chains and DNAME records, and simultaneous
2607 lookup of IPv4 and IPv6 addresses. Though most of the complexity was
2608 then removed, these are hard or impossible
2609 to implement in a traditional stub resolver.
2612 <acronym>BIND</acronym> 9 therefore can also provide resolution
2613 services to local clients
2614 using a combination of a lightweight resolver library and a resolver
2615 daemon process running on the local host. These communicate using
2616 a simple UDP-based protocol, the "lightweight resolver protocol"
2617 that is distinct from and simpler than the full DNS protocol.
2621 <title>Running a Resolver Daemon</title>
2624 To use the lightweight resolver interface, the system must
2625 run the resolver daemon <command>lwresd</command> or a
2627 name server configured with a <command>lwres</command>
2632 By default, applications using the lightweight resolver library will
2634 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
2636 address can be overridden by <command>lwserver</command>
2638 <filename>/etc/resolv.conf</filename>.
2642 The daemon currently only looks in the DNS, but in the future
2643 it may use other sources such as <filename>/etc/hosts</filename>,
2648 The <command>lwresd</command> daemon is essentially a
2649 caching-only name server that responds to requests using the
2651 resolver protocol rather than the DNS protocol. Because it needs
2652 to run on each host, it is designed to require no or minimal
2654 Unless configured otherwise, it uses the name servers listed on
2655 <command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
2656 as forwarders, but is also capable of doing the resolution
2661 The <command>lwresd</command> daemon may also be
2663 <filename>named.conf</filename> style configuration file,
2665 <filename>/etc/lwresd.conf</filename> by default. A name
2667 be configured to act as a lightweight resolver daemon using the
2668 <command>lwres</command> statement in <filename>named.conf</filename>.
2674 <chapter id="Bv9ARM.ch06">
2675 <title><acronym>BIND</acronym> 9 Configuration Reference</title>
2678 <acronym>BIND</acronym> 9 configuration is broadly similar
2679 to <acronym>BIND</acronym> 8; however, there are a few new
2681 of configuration, such as views. <acronym>BIND</acronym>
2682 8 configuration files should work with few alterations in <acronym>BIND</acronym>
2683 9, although more complex configurations should be reviewed to check
2684 if they can be more efficiently implemented using the new features
2685 found in <acronym>BIND</acronym> 9.
2689 <acronym>BIND</acronym> 4 configuration files can be
2690 converted to the new format
2691 using the shell script
2692 <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
2694 <sect1 id="configuration_file_elements">
2695 <title>Configuration File Elements</title>
2697 Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
2700 <informaltable colsep="0" rowsep="0">
2701 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
2702 <colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
2703 <colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
2708 <varname>acl_name</varname>
2713 The name of an <varname>address_match_list</varname> as
2714 defined by the <command>acl</command> statement.
2721 <varname>address_match_list</varname>
2726 A list of one or more
2727 <varname>ip_addr</varname>,
2728 <varname>ip_prefix</varname>, <varname>key_id</varname>,
2729 or <varname>acl_name</varname> elements, see
2730 <xref linkend="address_match_lists"/>.
2737 <varname>masters_list</varname>
2742 A named list of one or more <varname>ip_addr</varname>
2743 with optional <varname>key_id</varname> and/or
2744 <varname>ip_port</varname>.
2745 A <varname>masters_list</varname> may include other
2746 <varname>masters_lists</varname>.
2753 <varname>domain_name</varname>
2758 A quoted string which will be used as
2759 a DNS name, for example "<literal>my.test.domain</literal>".
2766 <varname>dotted_decimal</varname>
2771 One to four integers valued 0 through
2772 255 separated by dots (`.'), such as <command>123</command>,
2773 <command>45.67</command> or <command>89.123.45.67</command>.
2780 <varname>ip4_addr</varname>
2785 An IPv4 address with exactly four elements
2786 in <varname>dotted_decimal</varname> notation.
2793 <varname>ip6_addr</varname>
2798 An IPv6 address, such as <command>2001:db8::1234</command>.
2799 IPv6 scoped addresses that have ambiguity on their scope
2801 disambiguated by an appropriate zone ID with the percent
2804 It is strongly recommended to use string zone names rather
2806 numeric identifiers, in order to be robust against system
2807 configuration changes.
2808 However, since there is no standard mapping for such names
2810 identifier values, currently only interface names as link
2812 are supported, assuming one-to-one mapping between
2813 interfaces and links.
2814 For example, a link-local address <command>fe80::1</command> on the
2815 link attached to the interface <command>ne0</command>
2816 can be specified as <command>fe80::1%ne0</command>.
2817 Note that on most systems link-local addresses always have
2819 ambiguity, and need to be disambiguated.
2826 <varname>ip_addr</varname>
2831 An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
2838 <varname>ip_port</varname>
2843 An IP port <varname>number</varname>.
2844 The <varname>number</varname> is limited to 0
2845 through 65535, with values
2846 below 1024 typically restricted to use by processes running
2848 In some cases, an asterisk (`*') character can be used as a
2850 select a random high-numbered port.
2857 <varname>ip_prefix</varname>
2862 An IP network specified as an <varname>ip_addr</varname>,
2863 followed by a slash (`/') and then the number of bits in the
2865 Trailing zeros in a <varname>ip_addr</varname>
2867 For example, <command>127/8</command> is the
2868 network <command>127.0.0.0</command> with
2869 netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
2870 network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
2877 <varname>key_id</varname>
2882 A <varname>domain_name</varname> representing
2883 the name of a shared key, to be used for transaction
2891 <varname>key_list</varname>
2896 A list of one or more
2897 <varname>key_id</varname>s,
2898 separated by semicolons and ending with a semicolon.
2905 <varname>number</varname>
2910 A non-negative 32-bit integer
2911 (i.e., a number between 0 and 4294967295, inclusive).
2912 Its acceptable value might further
2913 be limited by the context in which it is used.
2920 <varname>path_name</varname>
2925 A quoted string which will be used as
2926 a pathname, such as <filename>zones/master/my.test.domain</filename>.
2933 <varname>size_spec</varname>
2938 A number, the word <userinput>unlimited</userinput>,
2939 or the word <userinput>default</userinput>.
2942 An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
2943 use, or the maximum available amount. A <varname>default size_spec</varname> uses
2944 the limit that was in force when the server was started.
2947 A <varname>number</varname> can optionally be
2948 followed by a scaling factor:
2949 <userinput>K</userinput> or <userinput>k</userinput>
2951 <userinput>M</userinput> or <userinput>m</userinput>
2953 <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
2954 which scale by 1024, 1024*1024, and 1024*1024*1024
2958 The value must be representable as a 64-bit unsigned integer
2959 (0 to 18446744073709551615, inclusive).
2960 Using <varname>unlimited</varname> is the best
2962 to safely set a really large number.
2969 <varname>yes_or_no</varname>
2974 Either <userinput>yes</userinput> or <userinput>no</userinput>.
2975 The words <userinput>true</userinput> and <userinput>false</userinput> are
2976 also accepted, as are the numbers <userinput>1</userinput>
2977 and <userinput>0</userinput>.
2984 <varname>dialup_option</varname>
2989 One of <userinput>yes</userinput>,
2990 <userinput>no</userinput>, <userinput>notify</userinput>,
2991 <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
2992 <userinput>passive</userinput>.
2993 When used in a zone, <userinput>notify-passive</userinput>,
2994 <userinput>refresh</userinput>, and <userinput>passive</userinput>
2995 are restricted to slave and stub zones.
3002 <sect2 id="address_match_lists">
3003 <title>Address Match Lists</title>
3005 <title>Syntax</title>
3007 <programlisting><varname>address_match_list</varname> = address_match_list_element ;
3008 <optional> address_match_list_element; ... </optional>
3009 <varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
3010 key key_id | acl_name | { address_match_list } )
3015 <title>Definition and Usage</title>
3017 Address match lists are primarily used to determine access
3018 control for various server operations. They are also used in
3019 the <command>listen-on</command> and <command>sortlist</command>
3020 statements. The elements
3021 which constitute an address match list can be any of the
3026 <simpara>an IP address (IPv4 or IPv6)</simpara>
3029 <simpara>an IP prefix (in `/' notation)</simpara>
3033 a key ID, as defined by the <command>key</command>
3038 <simpara>the name of an address match list defined with
3039 the <command>acl</command> statement
3043 <simpara>a nested address match list enclosed in braces</simpara>
3048 Elements can be negated with a leading exclamation mark (`!'),
3049 and the match list names "any", "none", "localhost", and
3051 are predefined. More information on those names can be found in
3052 the description of the acl statement.
3056 The addition of the key clause made the name of this syntactic
3057 element something of a misnomer, since security keys can be used
3058 to validate access without regard to a host or network address.
3060 the term "address match list" is still used throughout the
3065 When a given IP address or prefix is compared to an address
3066 match list, the list is traversed in order until an element
3068 The interpretation of a match depends on whether the list is being
3070 for access control, defining listen-on ports, or in a sortlist,
3071 and whether the element was negated.
3075 When used as an access control list, a non-negated match
3076 allows access and a negated match denies access. If
3077 there is no match, access is denied. The clauses
3078 <command>allow-notify</command>,
3079 <command>allow-query</command>,
3080 <command>allow-query-cache</command>,
3081 <command>allow-transfer</command>,
3082 <command>allow-update</command>,
3083 <command>allow-update-forwarding</command>, and
3084 <command>blackhole</command> all use address match
3085 lists. Similarly, the listen-on option will cause the
3086 server to not accept queries on any of the machine's
3087 addresses which do not match the list.
3091 Because of the first-match aspect of the algorithm, an element
3092 that defines a subset of another element in the list should come
3093 before the broader element, regardless of whether either is
3096 <command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13
3098 completely useless because the algorithm will match any lookup for
3099 1.2.3.13 to the 1.2.3/24 element.
3100 Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
3101 that problem by having 1.2.3.13 blocked by the negation but all
3102 other 1.2.3.* hosts fall through.
3108 <title>Comment Syntax</title>
3111 The <acronym>BIND</acronym> 9 comment syntax allows for
3113 anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
3114 file. To appeal to programmers of all kinds, they can be written
3115 in the C, C++, or shell/perl style.
3119 <title>Syntax</title>
3122 <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
3123 <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
3124 <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
3128 <title>Definition and Usage</title>
3130 Comments may appear anywhere that whitespace may appear in
3131 a <acronym>BIND</acronym> configuration file.
3134 C-style comments start with the two characters /* (slash,
3135 star) and end with */ (star, slash). Because they are completely
3136 delimited with these characters, they can be used to comment only
3137 a portion of a line or to span multiple lines.
3140 C-style comments cannot be nested. For example, the following
3141 is not valid because the entire comment ends with the first */:
3145 <programlisting>/* This is the start of a comment.
3146 This is still part of the comment.
3147 /* This is an incorrect attempt at nesting a comment. */
3148 This is no longer in any comment. */
3154 C++-style comments start with the two characters // (slash,
3155 slash) and continue to the end of the physical line. They cannot
3156 be continued across multiple physical lines; to have one logical
3157 comment span multiple lines, each line must use the // pair.
3164 <programlisting>// This is the start of a comment. The next line
3165 // is a new comment, even though it is logically
3166 // part of the previous comment.
3171 Shell-style (or perl-style, if you prefer) comments start
3172 with the character <literal>#</literal> (number sign)
3173 and continue to the end of the
3174 physical line, as in C++ comments.
3182 <programlisting># This is the start of a comment. The next line
3183 # is a new comment, even though it is logically
3184 # part of the previous comment.
3191 You cannot use the semicolon (`;') character
3192 to start a comment such as you would in a zone file. The
3193 semicolon indicates the end of a configuration
3201 <sect1 id="Configuration_File_Grammar">
3202 <title>Configuration File Grammar</title>
3205 A <acronym>BIND</acronym> 9 configuration consists of
3206 statements and comments.
3207 Statements end with a semicolon. Statements and comments are the
3208 only elements that can appear without enclosing braces. Many
3209 statements contain a block of sub-statements, which are also
3210 terminated with a semicolon.
3214 The following statements are supported:
3217 <informaltable colsep="0" rowsep="0">
3218 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
3219 <colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
3220 <colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
3224 <para><command>acl</command></para>
3228 defines a named IP address
3229 matching list, for access control and other uses.
3235 <para><command>controls</command></para>
3239 declares control channels to be used
3240 by the <command>rndc</command> utility.
3246 <para><command>include</command></para>
3256 <para><command>key</command></para>
3260 specifies key information for use in
3261 authentication and authorization using TSIG.
3267 <para><command>logging</command></para>
3271 specifies what the server logs, and where
3272 the log messages are sent.
3278 <para><command>lwres</command></para>
3282 configures <command>named</command> to
3283 also act as a light-weight resolver daemon (<command>lwresd</command>).
3289 <para><command>masters</command></para>
3293 defines a named masters list for
3294 inclusion in stub and slave zone masters clauses.
3300 <para><command>options</command></para>
3304 controls global server configuration
3305 options and sets defaults for other statements.
3311 <para><command>server</command></para>
3315 sets certain configuration options on
3322 <para><command>trusted-keys</command></para>
3326 defines trusted DNSSEC keys.
3332 <para><command>view</command></para>
3342 <para><command>zone</command></para>
3355 The <command>logging</command> and
3356 <command>options</command> statements may only occur once
3362 <title><command>acl</command> Statement Grammar</title>
3364 <programlisting><command>acl</command> acl-name {
3371 <title><command>acl</command> Statement Definition and
3375 The <command>acl</command> statement assigns a symbolic
3376 name to an address match list. It gets its name from a primary
3377 use of address match lists: Access Control Lists (ACLs).
3381 Note that an address match list's name must be defined
3382 with <command>acl</command> before it can be used
3384 forward references are allowed.
3388 The following ACLs are built-in:
3391 <informaltable colsep="0" rowsep="0">
3392 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
3393 <colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
3394 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
3398 <para><command>any</command></para>
3408 <para><command>none</command></para>
3418 <para><command>localhost</command></para>
3422 Matches the IPv4 and IPv6 addresses of all network
3423 interfaces on the system.
3429 <para><command>localnets</command></para>
3433 Matches any host on an IPv4 or IPv6 network
3434 for which the system has an interface.
3435 Some systems do not provide a way to determine the prefix
3437 local IPv6 addresses.
3438 In such a case, <command>localnets</command>
3439 only matches the local
3440 IPv6 addresses, just like <command>localhost</command>.
3450 <title><command>controls</command> Statement Grammar</title>
3452 <programlisting><command>controls</command> {
3453 [ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
3454 keys { <replaceable>key_list</replaceable> }; ]
3456 [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
3463 <sect2 id="controls_statement_definition_and_usage">
3464 <title><command>controls</command> Statement Definition and
3468 The <command>controls</command> statement declares control
3469 channels to be used by system administrators to control the
3470 operation of the name server. These control channels are
3471 used by the <command>rndc</command> utility to send
3472 commands to and retrieve non-DNS results from a name server.
3476 An <command>inet</command> control channel is a TCP socket
3477 listening at the specified <command>ip_port</command> on the
3478 specified <command>ip_addr</command>, which can be an IPv4 or IPv6
3479 address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
3480 interpreted as the IPv4 wildcard address; connections will be
3481 accepted on any of the system's IPv4 addresses.
3482 To listen on the IPv6 wildcard address,
3483 use an <command>ip_addr</command> of <literal>::</literal>.
3484 If you will only use <command>rndc</command> on the local host,
3485 using the loopback address (<literal>127.0.0.1</literal>
3486 or <literal>::1</literal>) is recommended for maximum security.
3490 If no port is specified, port 953 is used. The asterisk
3491 "<literal>*</literal>" cannot be used for <command>ip_port</command>.
3495 The ability to issue commands over the control channel is
3496 restricted by the <command>allow</command> and
3497 <command>keys</command> clauses.
3498 Connections to the control channel are permitted based on the
3499 <command>address_match_list</command>. This is for simple
3500 IP address based filtering only; any <command>key_id</command>
3501 elements of the <command>address_match_list</command>
3506 A <command>unix</command> control channel is a UNIX domain
3507 socket listening at the specified path in the file system.
3508 Access to the socket is specified by the <command>perm</command>,
3509 <command>owner</command> and <command>group</command> clauses.
3510 Note on some platforms (SunOS and Solaris) the permissions
3511 (<command>perm</command>) are applied to the parent directory
3512 as the permissions on the socket itself are ignored.
3516 The primary authorization mechanism of the command
3517 channel is the <command>key_list</command>, which
3518 contains a list of <command>key_id</command>s.
3519 Each <command>key_id</command> in the <command>key_list</command>
3520 is authorized to execute commands over the control channel.
3521 See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
3522 for information about configuring keys in <command>rndc</command>.
3526 If no <command>controls</command> statement is present,
3527 <command>named</command> will set up a default
3528 control channel listening on the loopback address 127.0.0.1
3529 and its IPv6 counterpart ::1.
3530 In this case, and also when the <command>controls</command> statement
3531 is present but does not have a <command>keys</command> clause,
3532 <command>named</command> will attempt to load the command channel key
3533 from the file <filename>rndc.key</filename> in
3534 <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
3535 was specified as when <acronym>BIND</acronym> was built).
3536 To create a <filename>rndc.key</filename> file, run
3537 <userinput>rndc-confgen -a</userinput>.
3541 The <filename>rndc.key</filename> feature was created to
3542 ease the transition of systems from <acronym>BIND</acronym> 8,
3543 which did not have digital signatures on its command channel
3544 messages and thus did not have a <command>keys</command> clause.
3546 It makes it possible to use an existing <acronym>BIND</acronym> 8
3547 configuration file in <acronym>BIND</acronym> 9 unchanged,
3548 and still have <command>rndc</command> work the same way
3549 <command>ndc</command> worked in BIND 8, simply by executing the
3550 command <userinput>rndc-confgen -a</userinput> after BIND 9 is
3555 Since the <filename>rndc.key</filename> feature
3556 is only intended to allow the backward-compatible usage of
3557 <acronym>BIND</acronym> 8 configuration files, this
3559 have a high degree of configurability. You cannot easily change
3560 the key name or the size of the secret, so you should make a
3561 <filename>rndc.conf</filename> with your own key if you
3563 those things. The <filename>rndc.key</filename> file
3565 permissions set such that only the owner of the file (the user that
3566 <command>named</command> is running as) can access it.
3568 desire greater flexibility in allowing other users to access
3569 <command>rndc</command> commands, then you need to create
3571 <filename>rndc.conf</filename> file and make it group
3573 that contains the users who should have access.
3577 To disable the command channel, use an empty
3578 <command>controls</command> statement:
3579 <command>controls { };</command>.
3584 <title><command>include</command> Statement Grammar</title>
3585 <programlisting>include <replaceable>filename</replaceable>;</programlisting>
3588 <title><command>include</command> Statement Definition and
3592 The <command>include</command> statement inserts the
3593 specified file at the point where the <command>include</command>
3594 statement is encountered. The <command>include</command>
3595 statement facilitates the administration of configuration
3597 by permitting the reading or writing of some things but not
3598 others. For example, the statement could include private keys
3599 that are readable only by the name server.
3604 <title><command>key</command> Statement Grammar</title>
3606 <programlisting>key <replaceable>key_id</replaceable> {
3607 algorithm <replaceable>string</replaceable>;
3608 secret <replaceable>string</replaceable>;
3615 <title><command>key</command> Statement Definition and Usage</title>
3618 The <command>key</command> statement defines a shared
3619 secret key for use with TSIG (see <xref linkend="tsig"/>)
3620 or the command channel
3621 (see <xref linkend="controls_statement_definition_and_usage"/>).
3625 The <command>key</command> statement can occur at the
3627 of the configuration file or inside a <command>view</command>
3628 statement. Keys defined in top-level <command>key</command>
3629 statements can be used in all views. Keys intended for use in
3630 a <command>controls</command> statement
3631 (see <xref linkend="controls_statement_definition_and_usage"/>)
3632 must be defined at the top level.
3636 The <replaceable>key_id</replaceable>, also known as the
3637 key name, is a domain name uniquely identifying the key. It can
3638 be used in a <command>server</command>
3639 statement to cause requests sent to that
3640 server to be signed with this key, or in address match lists to
3641 verify that incoming requests have been signed with a key
3642 matching this name, algorithm, and secret.
3646 The <replaceable>algorithm_id</replaceable> is a string
3647 that specifies a security/authentication algorithm. Named
3648 supports <literal>hmac-md5</literal>,
3649 <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
3650 <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
3651 and <literal>hmac-sha512</literal> TSIG authentication.
3652 Truncated hashes are supported by appending the minimum
3653 number of required bits preceded by a dash, e.g.
3654 <literal>hmac-sha1-80</literal>. The
3655 <replaceable>secret_string</replaceable> is the secret
3656 to be used by the algorithm, and is treated as a base-64
3662 <title><command>logging</command> Statement Grammar</title>
3664 <programlisting><command>logging</command> {
3665 [ <command>channel</command> <replaceable>channel_name</replaceable> {
3666 ( <command>file</command> <replaceable>path name</replaceable>
3667 [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
3668 [ <command>size</command> <replaceable>size spec</replaceable> ]
3669 | <command>syslog</command> <replaceable>syslog_facility</replaceable>
3670 | <command>stderr</command>
3671 | <command>null</command> );
3672 [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
3673 <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
3674 [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
3675 [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
3676 [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
3678 [ <command>category</command> <replaceable>category_name</replaceable> {
3679 <replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
3688 <title><command>logging</command> Statement Definition and
3692 The <command>logging</command> statement configures a
3694 variety of logging options for the name server. Its <command>channel</command> phrase
3695 associates output methods, format options and severity levels with
3696 a name that can then be used with the <command>category</command> phrase
3697 to select how various classes of messages are logged.
3700 Only one <command>logging</command> statement is used to
3702 as many channels and categories as are wanted. If there is no <command>logging</command> statement,
3703 the logging configuration will be:
3706 <programlisting>logging {
3707 category default { default_syslog; default_debug; };
3708 category unmatched { null; };
3713 In <acronym>BIND</acronym> 9, the logging configuration
3714 is only established when
3715 the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
3716 established as soon as the <command>logging</command>
3718 was parsed. When the server is starting up, all logging messages
3719 regarding syntax errors in the configuration file go to the default
3720 channels, or to standard error if the "<option>-g</option>" option
3725 <title>The <command>channel</command> Phrase</title>
3728 All log output goes to one or more <emphasis>channels</emphasis>;
3729 you can make as many of them as you want.
3733 Every channel definition must include a destination clause that
3734 says whether messages selected for the channel go to a file, to a
3735 particular syslog facility, to the standard error stream, or are
3736 discarded. It can optionally also limit the message severity level
3737 that will be accepted by the channel (the default is
3738 <command>info</command>), and whether to include a
3739 <command>named</command>-generated time stamp, the
3741 and/or severity level (the default is not to include any).
3745 The <command>null</command> destination clause
3746 causes all messages sent to the channel to be discarded;
3747 in that case, other options for the channel are meaningless.
3751 The <command>file</command> destination clause directs
3753 to a disk file. It can include limitations
3754 both on how large the file is allowed to become, and how many
3756 of the file will be saved each time the file is opened.
3760 If you use the <command>versions</command> log file
3762 <command>named</command> will retain that many backup
3763 versions of the file by
3764 renaming them when opening. For example, if you choose to keep
3766 of the file <filename>lamers.log</filename>, then just
3768 <filename>lamers.log.1</filename> is renamed to
3769 <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
3770 to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
3771 renamed to <filename>lamers.log.0</filename>.
3772 You can say <command>versions unlimited</command> to
3774 the number of versions.
3775 If a <command>size</command> option is associated with
3777 then renaming is only done when the file being opened exceeds the
3778 indicated size. No backup versions are kept by default; any
3780 log file is simply appended.
3784 The <command>size</command> option for files is used
3786 growth. If the file ever exceeds the size, then <command>named</command> will
3787 stop writing to the file unless it has a <command>versions</command> option
3788 associated with it. If backup versions are kept, the files are
3790 described above and a new one begun. If there is no
3791 <command>versions</command> option, no more data will
3792 be written to the log
3793 until some out-of-band mechanism removes or truncates the log to
3795 maximum size. The default behavior is not to limit the size of
3801 Example usage of the <command>size</command> and
3802 <command>versions</command> options:
3805 <programlisting>channel an_example_channel {
3806 file "example.log" versions 3 size 20m;
3813 The <command>syslog</command> destination clause
3815 channel to the system log. Its argument is a
3816 syslog facility as described in the <command>syslog</command> man
3817 page. Known facilities are <command>kern</command>, <command>user</command>,
3818 <command>mail</command>, <command>daemon</command>, <command>auth</command>,
3819 <command>syslog</command>, <command>lpr</command>, <command>news</command>,
3820 <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
3821 <command>ftp</command>, <command>local0</command>, <command>local1</command>,
3822 <command>local2</command>, <command>local3</command>, <command>local4</command>,
3823 <command>local5</command>, <command>local6</command> and
3824 <command>local7</command>, however not all facilities
3826 all operating systems.
3827 How <command>syslog</command> will handle messages
3829 this facility is described in the <command>syslog.conf</command> man
3830 page. If you have a system which uses a very old version of <command>syslog</command> that
3831 only uses two arguments to the <command>openlog()</command> function,
3832 then this clause is silently ignored.
3835 The <command>severity</command> clause works like <command>syslog</command>'s
3836 "priorities", except that they can also be used if you are writing
3837 straight to a file rather than using <command>syslog</command>.
3838 Messages which are not at least of the severity level given will
3839 not be selected for the channel; messages of higher severity
3844 If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
3845 will also determine what eventually passes through. For example,
3846 defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
3847 only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
3848 cause messages of severity <command>info</command> and
3849 <command>notice</command> to
3850 be dropped. If the situation were reversed, with <command>named</command> writing
3851 messages of only <command>warning</command> or higher,
3852 then <command>syslogd</command> would
3853 print all messages it received from the channel.
3857 The <command>stderr</command> destination clause
3859 channel to the server's standard error stream. This is intended
3861 use when the server is running as a foreground process, for
3863 when debugging a configuration.
3867 The server can supply extensive debugging information when
3868 it is in debugging mode. If the server's global debug level is
3870 than zero, then debugging mode will be active. The global debug
3871 level is set either by starting the <command>named</command> server
3872 with the <option>-d</option> flag followed by a positive integer,
3873 or by running <command>rndc trace</command>.
3874 The global debug level
3875 can be set to zero, and debugging mode turned off, by running <command>rndc
3876 notrace</command>. All debugging messages in the server have a debug
3877 level, and higher debug levels give more detailed output. Channels
3878 that specify a specific debug severity, for example:
3881 <programlisting>channel specific_debug_level {
3888 will get debugging output of level 3 or less any time the
3889 server is in debugging mode, regardless of the global debugging
3890 level. Channels with <command>dynamic</command>
3892 server's global debug level to determine what messages to print.
3895 If <command>print-time</command> has been turned on,
3897 the date and time will be logged. <command>print-time</command> may
3898 be specified for a <command>syslog</command> channel,
3900 pointless since <command>syslog</command> also prints
3902 time. If <command>print-category</command> is
3904 category of the message will be logged as well. Finally, if <command>print-severity</command> is
3905 on, then the severity level of the message will be logged. The <command>print-</command> options may
3906 be used in any combination, and will always be printed in the
3908 order: time, category, severity. Here is an example where all
3909 three <command>print-</command> options
3914 <computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
3918 There are four predefined channels that are used for
3919 <command>named</command>'s default logging as follows.
3921 used is described in <xref linkend="the_category_phrase"/>.
3924 <programlisting>channel default_syslog {
3925 syslog daemon; // send to syslog's daemon
3927 severity info; // only send priority info
3931 channel default_debug {
3932 file "named.run"; // write to named.run in
3933 // the working directory
3934 // Note: stderr is used instead
3936 // if the server is started
3937 // with the '-f' option.
3938 severity dynamic; // log at the server's
3939 // current debug level
3942 channel default_stderr {
3943 stderr; // writes to stderr
3944 severity info; // only send priority info
3949 null; // toss anything sent to
3955 The <command>default_debug</command> channel has the
3957 property that it only produces output when the server's debug
3959 nonzero. It normally writes to a file called <filename>named.run</filename>
3960 in the server's working directory.
3964 For security reasons, when the "<option>-u</option>"
3965 command line option is used, the <filename>named.run</filename> file
3966 is created only after <command>named</command> has
3968 new UID, and any debug output generated while <command>named</command> is
3969 starting up and still running as root is discarded. If you need
3970 to capture this output, you must run the server with the "<option>-g</option>"
3971 option and redirect standard error to a file.
3975 Once a channel is defined, it cannot be redefined. Thus you
3976 cannot alter the built-in channels directly, but you can modify
3977 the default logging by pointing categories at channels you have
3982 <sect3 id="the_category_phrase">
3983 <title>The <command>category</command> Phrase</title>
3986 There are many categories, so you can send the logs you want
3987 to see wherever you want, without seeing logs you don't want. If
3988 you don't specify a list of channels for a category, then log
3990 in that category will be sent to the <command>default</command> category
3991 instead. If you don't specify a default category, the following
3992 "default default" is used:
3995 <programlisting>category default { default_syslog; default_debug; };
3999 As an example, let's say you want to log security events to
4000 a file, but you also want keep the default logging behavior. You'd
4001 specify the following:
4004 <programlisting>channel my_security_channel {
4005 file "my_security_file";
4009 my_security_channel;
4015 To discard all messages in a category, specify the <command>null</command> channel:
4018 <programlisting>category xfer-out { null; };
4019 category notify { null; };
4023 Following are the available categories and brief descriptions
4024 of the types of log information they contain. More
4025 categories may be added in future <acronym>BIND</acronym> releases.
4027 <informaltable colsep="0" rowsep="0">
4028 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4029 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4030 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
4034 <para><command>default</command></para>
4038 The default category defines the logging
4039 options for those categories where no specific
4040 configuration has been
4047 <para><command>general</command></para>
4051 The catch-all. Many things still aren't
4052 classified into categories, and they all end up here.
4058 <para><command>database</command></para>
4062 Messages relating to the databases used
4063 internally by the name server to store zone and cache
4070 <para><command>security</command></para>
4074 Approval and denial of requests.
4080 <para><command>config</command></para>
4084 Configuration file parsing and processing.
4090 <para><command>resolver</command></para>
4094 DNS resolution, such as the recursive
4095 lookups performed on behalf of clients by a caching name
4102 <para><command>xfer-in</command></para>
4106 Zone transfers the server is receiving.
4112 <para><command>xfer-out</command></para>
4116 Zone transfers the server is sending.
4122 <para><command>notify</command></para>
4126 The NOTIFY protocol.
4132 <para><command>client</command></para>
4136 Processing of client requests.
4142 <para><command>unmatched</command></para>
4146 Messages that named was unable to determine the
4147 class of or for which there was no matching <command>view</command>.
4148 A one line summary is also logged to the <command>client</command> category.
4149 This category is best sent to a file or stderr, by
4150 default it is sent to
4151 the <command>null</command> channel.
4157 <para><command>network</command></para>
4167 <para><command>update</command></para>
4177 <para><command>update-security</command></para>
4181 Approval and denial of update requests.
4187 <para><command>queries</command></para>
4191 Specify where queries should be logged to.
4194 At startup, specifying the category <command>queries</command> will also
4195 enable query logging unless <command>querylog</command> option has been
4199 The query log entry reports the client's IP address and
4200 port number, and the
4201 query name, class and type. It also reports whether the
4203 flag was set (+ if set, - if not set), EDNS was in use
4205 query was signed (S).
4208 <computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
4211 <computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
4217 <para><command>dispatch</command></para>
4221 Dispatching of incoming packets to the
4222 server modules where they are to be processed.
4228 <para><command>dnssec</command></para>
4232 DNSSEC and TSIG protocol processing.
4238 <para><command>lame-servers</command></para>
4242 Lame servers. These are misconfigurations
4243 in remote servers, discovered by BIND 9 when trying to
4245 those servers during resolution.
4251 <para><command>delegation-only</command></para>
4255 Delegation only. Logs queries that have have
4256 been forced to NXDOMAIN as the result of a
4257 delegation-only zone or
4258 a <command>delegation-only</command> in a
4259 hint or stub zone declaration.
4270 <title><command>lwres</command> Statement Grammar</title>
4273 This is the grammar of the <command>lwres</command>
4274 statement in the <filename>named.conf</filename> file:
4277 <programlisting><command>lwres</command> {
4278 <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4279 <optional> view <replaceable>view_name</replaceable>; </optional>
4280 <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
4281 <optional> ndots <replaceable>number</replaceable>; </optional>
4287 <title><command>lwres</command> Statement Definition and Usage</title>
4290 The <command>lwres</command> statement configures the
4292 server to also act as a lightweight resolver server. (See
4293 <xref linkend="lwresd"/>.) There may be multiple
4294 <command>lwres</command> statements configuring
4295 lightweight resolver servers with different properties.
4299 The <command>listen-on</command> statement specifies a
4301 addresses (and ports) that this instance of a lightweight resolver
4303 should accept requests on. If no port is specified, port 921 is
4305 If this statement is omitted, requests will be accepted on
4311 The <command>view</command> statement binds this
4313 lightweight resolver daemon to a view in the DNS namespace, so that
4315 response will be constructed in the same manner as a normal DNS
4317 matching this view. If this statement is omitted, the default view
4319 used, and if there is no default view, an error is triggered.
4323 The <command>search</command> statement is equivalent to
4325 <command>search</command> statement in
4326 <filename>/etc/resolv.conf</filename>. It provides a
4328 which are appended to relative names in queries.
4332 The <command>ndots</command> statement is equivalent to
4334 <command>ndots</command> statement in
4335 <filename>/etc/resolv.conf</filename>. It indicates the
4337 number of dots in a relative domain name that should result in an
4338 exact match lookup before search path elements are appended.
4342 <title><command>masters</command> Statement Grammar</title>
4345 <command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
4351 <title><command>masters</command> Statement Definition and
4353 <para><command>masters</command>
4354 lists allow for a common set of masters to be easily used by
4355 multiple stub and slave zones.
4360 <title><command>options</command> Statement Grammar</title>
4363 This is the grammar of the <command>options</command>
4364 statement in the <filename>named.conf</filename> file:
4367 <programlisting>options {
4368 <optional> version <replaceable>version_string</replaceable>; </optional>
4369 <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
4370 <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
4371 <optional> directory <replaceable>path_name</replaceable>; </optional>
4372 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
4373 <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
4374 <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
4375 <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
4376 <optional> cache-file <replaceable>path_name</replaceable>; </optional>
4377 <optional> dump-file <replaceable>path_name</replaceable>; </optional>
4378 <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
4379 <optional> pid-file <replaceable>path_name</replaceable>; </optional>
4380 <optional> recursing-file <replaceable>path_name</replaceable>; </optional>
4381 <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
4382 <optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
4383 <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
4384 <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
4385 <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
4386 <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
4387 <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
4388 <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
4389 <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
4390 <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
4391 <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
4392 <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
4393 <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
4394 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
4395 <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
4396 <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
4397 <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
4398 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
4399 <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
4400 <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
4401 <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
4402 <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
4403 <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
4404 <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
4405 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4406 <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
4407 ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
4408 <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
4410 <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
4411 ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4412 <optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4413 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
4414 <optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
4415 <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4416 <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4417 <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
4418 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
4419 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
4420 <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
4421 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
4422 <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
4423 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
4424 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
4425 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
4426 <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
4427 <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
4428 <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4429 <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4430 <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4431 <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4432 <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
4433 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4434 <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4435 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4436 <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
4437 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4438 <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4439 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4440 <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
4441 <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
4442 <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
4443 <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
4444 <optional> tcp-clients <replaceable>number</replaceable>; </optional>
4445 <optional> reserved-sockets <replaceable>number</replaceable>; </optional>
4446 <optional> recursive-clients <replaceable>number</replaceable>; </optional>
4447 <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
4448 <optional> serial-queries <replaceable>number</replaceable>; </optional>
4449 <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
4450 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
4451 <optional> transfers-in <replaceable>number</replaceable>; </optional>
4452 <optional> transfers-out <replaceable>number</replaceable>; </optional>
4453 <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
4454 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4455 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4456 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4457 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4458 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
4459 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
4460 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4461 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4462 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4463 <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
4464 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
4465 <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
4466 <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
4467 <optional> files <replaceable>size_spec</replaceable> ; </optional>
4468 <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
4469 <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
4470 <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
4471 <optional> interface-interval <replaceable>number</replaceable>; </optional>
4472 <optional> statistics-interval <replaceable>number</replaceable>; </optional>
4473 <optional> topology { <replaceable>address_match_list</replaceable> }</optional>;
4474 <optional> sortlist { <replaceable>address_match_list</replaceable> }</optional>;
4475 <optional> rrset-order { <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> };
4476 <optional> lame-ttl <replaceable>number</replaceable>; </optional>
4477 <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
4478 <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
4479 <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
4480 <optional> min-roots <replaceable>number</replaceable>; </optional>
4481 <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4482 <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4483 <optional> request-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4484 <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
4485 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
4486 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
4487 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
4488 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
4489 <optional> port <replaceable>ip_port</replaceable>; </optional>
4490 <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
4491 <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
4492 <optional> random-device <replaceable>path_name</replaceable> ; </optional>
4493 <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
4494 <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
4495 <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
4496 <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
4497 <optional> max-udp-size <replaceable>number</replaceable>; </optional>
4498 <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
4499 <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
4500 <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
4501 <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
4502 <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
4503 <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
4504 <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
4505 <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
4506 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
4507 <optional> empty-server <replaceable>name</replaceable> ; </optional>
4508 <optional> empty-contact <replaceable>name</replaceable> ; </optional>
4509 <optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
4510 <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
4511 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
4512 <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
4518 <sect2 id="options">
4519 <title><command>options</command> Statement Definition and
4523 The <command>options</command> statement sets up global
4525 to be used by <acronym>BIND</acronym>. This statement
4527 once in a configuration file. If there is no <command>options</command>
4528 statement, an options block with each option set to its default will
4535 <term><command>directory</command></term>
4538 The working directory of the server.
4539 Any non-absolute pathnames in the configuration file will be
4541 as relative to this directory. The default location for most
4543 output files (e.g. <filename>named.run</filename>)
4545 If a directory is not specified, the working directory
4546 defaults to `<filename>.</filename>', the directory from
4548 was started. The directory specified should be an absolute
4555 <term><command>key-directory</command></term>
4558 When performing dynamic update of secure zones, the
4559 directory where the public and private key files should be
4561 if different than the current working directory. The
4563 must be an absolute path.
4569 <term><command>named-xfer</command></term>
4572 <emphasis>This option is obsolete.</emphasis>
4573 It was used in <acronym>BIND</acronym> 8 to
4574 specify the pathname to the <command>named-xfer</command> program.
4575 In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
4576 needed; its functionality is built into the name server.
4583 <term><command>tkey-domain</command></term>
4586 The domain appended to the names of all
4587 shared keys generated with
4588 <command>TKEY</command>. When a client
4589 requests a <command>TKEY</command> exchange, it
4590 may or may not specify
4591 the desired name for the key. If present, the name of the
4593 key will be "<varname>client specified part</varname>" +
4594 "<varname>tkey-domain</varname>".
4595 Otherwise, the name of the shared key will be "<varname>random hex
4596 digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
4597 the <command>domainname</command> should be the
4605 <term><command>tkey-dhkey</command></term>
4608 The Diffie-Hellman key used by the server
4609 to generate shared keys with clients using the Diffie-Hellman
4611 of <command>TKEY</command>. The server must be
4613 public and private keys from files in the working directory.
4615 most cases, the keyname should be the server's host name.
4621 <term><command>cache-file</command></term>
4624 This is for testing only. Do not use.
4630 <term><command>dump-file</command></term>
4633 The pathname of the file the server dumps
4634 the database to when instructed to do so with
4635 <command>rndc dumpdb</command>.
4636 If not specified, the default is <filename>named_dump.db</filename>.
4642 <term><command>memstatistics-file</command></term>
4645 The pathname of the file the server writes memory
4646 usage statistics to on exit. If specified the
4647 statistics will be written to the file on exit.
4650 In <acronym>BIND</acronym> 9.5 and later this will
4651 default to <filename>named.memstats</filename>.
4652 <acronym>BIND</acronym> 9.5 will also introduce
4653 <command>memstatistics</command> to control the
4660 <term><command>pid-file</command></term>
4663 The pathname of the file the server writes its process ID
4664 in. If not specified, the default is <filename>/var/run/named.pid</filename>.
4665 The pid-file is used by programs that want to send signals to
4667 name server. Specifying <command>pid-file none</command> disables the
4668 use of a PID file — no file will be written and any
4669 existing one will be removed. Note that <command>none</command>
4670 is a keyword, not a filename, and therefore is not enclosed
4678 <term><command>recursing-file</command></term>
4681 The pathname of the file the server dumps
4682 the queries that are currently recursing when instructed
4683 to do so with <command>rndc recursing</command>.
4684 If not specified, the default is <filename>named.recursing</filename>.
4690 <term><command>statistics-file</command></term>
4693 The pathname of the file the server appends statistics
4694 to when instructed to do so using <command>rndc stats</command>.
4695 If not specified, the default is <filename>named.stats</filename> in the
4696 server's current directory. The format of the file is
4698 in <xref linkend="statsfile"/>.
4704 <term><command>port</command></term>
4707 The UDP/TCP port number the server uses for
4708 receiving and sending DNS protocol traffic.
4709 The default is 53. This option is mainly intended for server
4711 a server using a port other than 53 will not be able to
4719 <term><command>random-device</command></term>
4722 The source of entropy to be used by the server. Entropy is
4724 for DNSSEC operations, such as TKEY transactions and dynamic
4726 zones. This options specifies the device (or file) from which
4728 entropy. If this is a file, operations requiring entropy will
4730 file has been exhausted. If not specified, the default value
4732 <filename>/dev/random</filename>
4733 (or equivalent) when present, and none otherwise. The
4734 <command>random-device</command> option takes
4736 the initial configuration load at server startup time and
4737 is ignored on subsequent reloads.
4743 <term><command>preferred-glue</command></term>
4746 If specified, the listed type (A or AAAA) will be emitted
4748 in the additional section of a query response.
4749 The default is not to prefer any type (NONE).
4755 <term><command>root-delegation-only</command></term>
4758 Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
4763 Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
4769 root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
4777 <term><command>disable-algorithms</command></term>
4780 Disable the specified DNSSEC algorithms at and below the
4782 Multiple <command>disable-algorithms</command>
4783 statements are allowed.
4784 Only the most specific will be applied.
4790 <term><command>dnssec-lookaside</command></term>
4793 When set, <command>dnssec-lookaside</command>
4795 validator with an alternate method to validate DNSKEY records
4797 top of a zone. When a DNSKEY is at or below a domain
4799 deepest <command>dnssec-lookaside</command>, and
4800 the normal dnssec validation
4801 has left the key untrusted, the trust-anchor will be append to
4803 name and a DLV record will be looked up to see if it can
4805 key. If the DLV record validates a DNSKEY (similarly to the
4807 record does) the DNSKEY RRset is deemed to be trusted.
4813 <term><command>dnssec-must-be-secure</command></term>
4816 Specify hierarchies which must be or may not be secure (signed and
4818 If <userinput>yes</userinput>, then named will only accept
4821 If <userinput>no</userinput>, then normal dnssec validation
4823 allowing for insecure answers to be accepted.
4824 The specified domain must be under a <command>trusted-key</command> or
4825 <command>dnssec-lookaside</command> must be
4833 <sect3 id="boolean_options">
4834 <title>Boolean Options</title>
4839 <term><command>auth-nxdomain</command></term>
4842 If <userinput>yes</userinput>, then the <command>AA</command> bit
4843 is always set on NXDOMAIN responses, even if the server is
4845 authoritative. The default is <userinput>no</userinput>;
4847 a change from <acronym>BIND</acronym> 8. If you
4848 are using very old DNS software, you
4849 may need to set it to <userinput>yes</userinput>.
4855 <term><command>deallocate-on-exit</command></term>
4858 This option was used in <acronym>BIND</acronym>
4859 8 to enable checking
4860 for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
4867 <term><command>dialup</command></term>
4870 If <userinput>yes</userinput>, then the
4871 server treats all zones as if they are doing zone transfers
4873 a dial-on-demand dialup link, which can be brought up by
4875 originating from this server. This has different effects
4877 to zone type and concentrates the zone maintenance so that
4879 happens in a short interval, once every <command>heartbeat-interval</command> and
4880 hopefully during the one call. It also suppresses some of
4882 zone maintenance traffic. The default is <userinput>no</userinput>.
4885 The <command>dialup</command> option
4886 may also be specified in the <command>view</command> and
4887 <command>zone</command> statements,
4888 in which case it overrides the global <command>dialup</command>
4892 If the zone is a master zone, then the server will send out a
4894 request to all the slaves (default). This should trigger the
4896 number check in the slave (providing it supports NOTIFY)
4898 to verify the zone while the connection is active.
4899 The set of servers to which NOTIFY is sent can be controlled
4901 <command>notify</command> and <command>also-notify</command>.
4905 zone is a slave or stub zone, then the server will suppress
4907 "zone up to date" (refresh) queries and only perform them
4909 <command>heartbeat-interval</command> expires in
4914 Finer control can be achieved by using
4915 <userinput>notify</userinput> which only sends NOTIFY
4917 <userinput>notify-passive</userinput> which sends NOTIFY
4919 suppresses the normal refresh queries, <userinput>refresh</userinput>
4920 which suppresses normal refresh processing and sends refresh
4922 when the <command>heartbeat-interval</command>
4924 <userinput>passive</userinput> which just disables normal
4929 <informaltable colsep="0" rowsep="0">
4930 <tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4931 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4932 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
4933 <colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
4934 <colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
4960 <para><command>no</command> (default)</para>
4980 <para><command>yes</command></para>
5000 <para><command>notify</command></para>
5020 <para><command>refresh</command></para>
5040 <para><command>passive</command></para>
5060 <para><command>notify-passive</command></para>
5083 Note that normal NOTIFY processing is not affected by
5084 <command>dialup</command>.
5091 <term><command>fake-iquery</command></term>
5094 In <acronym>BIND</acronym> 8, this option
5095 enabled simulating the obsolete DNS query type
5096 IQUERY. <acronym>BIND</acronym> 9 never does
5103 <term><command>fetch-glue</command></term>
5106 This option is obsolete.
5107 In BIND 8, <userinput>fetch-glue yes</userinput>
5108 caused the server to attempt to fetch glue resource records
5110 didn't have when constructing the additional
5111 data section of a response. This is now considered a bad
5113 and BIND 9 never does it.
5119 <term><command>flush-zones-on-shutdown</command></term>
5122 When the nameserver exits due receiving SIGTERM,
5123 flush or do not flush any pending zone writes. The default
5125 <command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
5131 <term><command>has-old-clients</command></term>
5134 This option was incorrectly implemented
5135 in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
5136 To achieve the intended effect
5138 <command>has-old-clients</command> <userinput>yes</userinput>, specify
5139 the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
5140 and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
5146 <term><command>host-statistics</command></term>
5149 In BIND 8, this enables keeping of
5150 statistics for every host that the name server interacts
5152 Not implemented in BIND 9.
5158 <term><command>maintain-ixfr-base</command></term>
5161 <emphasis>This option is obsolete</emphasis>.
5162 It was used in <acronym>BIND</acronym> 8 to
5163 determine whether a transaction log was
5164 kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
5165 log whenever possible. If you need to disable outgoing
5167 transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
5173 <term><command>minimal-responses</command></term>
5176 If <userinput>yes</userinput>, then when generating
5177 responses the server will only add records to the authority
5178 and additional data sections when they are required (e.g.
5179 delegations, negative responses). This may improve the
5180 performance of the server.
5181 The default is <userinput>no</userinput>.
5187 <term><command>multiple-cnames</command></term>
5190 This option was used in <acronym>BIND</acronym> 8 to allow
5191 a domain name to have multiple CNAME records in violation of
5192 the DNS standards. <acronym>BIND</acronym> 9.2 onwards
5193 always strictly enforces the CNAME rules both in master
5194 files and dynamic updates.
5200 <term><command>notify</command></term>
5203 If <userinput>yes</userinput> (the default),
5204 DNS NOTIFY messages are sent when a zone the server is
5206 changes, see <xref linkend="notify"/>. The messages are
5208 servers listed in the zone's NS records (except the master
5210 in the SOA MNAME field), and to any servers listed in the
5211 <command>also-notify</command> option.
5214 If <userinput>master-only</userinput>, notifies are only
5217 If <userinput>explicit</userinput>, notifies are sent only
5219 servers explicitly listed using <command>also-notify</command>.
5220 If <userinput>no</userinput>, no notifies are sent.
5223 The <command>notify</command> option may also be
5224 specified in the <command>zone</command>
5226 in which case it overrides the <command>options notify</command> statement.
5227 It would only be necessary to turn off this option if it
5235 <term><command>recursion</command></term>
5238 If <userinput>yes</userinput>, and a
5239 DNS query requests recursion, then the server will attempt
5241 all the work required to answer the query. If recursion is
5243 and the server does not already know the answer, it will
5245 referral response. The default is
5246 <userinput>yes</userinput>.
5247 Note that setting <command>recursion no</command> does not prevent
5248 clients from getting data from the server's cache; it only
5249 prevents new data from being cached as an effect of client
5251 Caching may still occur as an effect the server's internal
5252 operation, such as NOTIFY address lookups.
5253 See also <command>fetch-glue</command> above.
5259 <term><command>rfc2308-type1</command></term>
5262 Setting this to <userinput>yes</userinput> will
5263 cause the server to send NS records along with the SOA
5265 answers. The default is <userinput>no</userinput>.
5269 Not yet implemented in <acronym>BIND</acronym>
5277 <term><command>use-id-pool</command></term>
5280 <emphasis>This option is obsolete</emphasis>.
5281 <acronym>BIND</acronym> 9 always allocates query
5288 <term><command>zone-statistics</command></term>
5291 If <userinput>yes</userinput>, the server will collect
5292 statistical data on all zones (unless specifically turned
5294 on a per-zone basis by specifying <command>zone-statistics no</command>
5295 in the <command>zone</command> statement).
5296 These statistics may be accessed
5297 using <command>rndc stats</command>, which will
5298 dump them to the file listed
5299 in the <command>statistics-file</command>. See
5300 also <xref linkend="statsfile"/>.
5306 <term><command>use-ixfr</command></term>
5309 <emphasis>This option is obsolete</emphasis>.
5310 If you need to disable IXFR to a particular server or
5312 the information on the <command>provide-ixfr</command> option
5313 in <xref linkend="server_statement_definition_and_usage"/>.
5315 <xref linkend="incremental_zone_transfers"/>.
5321 <term><command>provide-ixfr</command></term>
5324 See the description of
5325 <command>provide-ixfr</command> in
5326 <xref linkend="server_statement_definition_and_usage"/>.
5332 <term><command>request-ixfr</command></term>
5335 See the description of
5336 <command>request-ixfr</command> in
5337 <xref linkend="server_statement_definition_and_usage"/>.
5343 <term><command>treat-cr-as-space</command></term>
5346 This option was used in <acronym>BIND</acronym>
5348 the server treat carriage return ("<command>\r</command>") characters the same way
5349 as a space or tab character,
5350 to facilitate loading of zone files on a UNIX system that
5352 on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
5353 and NT/DOS "<command>\r\n</command>" newlines
5354 are always accepted,
5355 and the option is ignored.
5361 <term><command>additional-from-auth</command></term>
5362 <term><command>additional-from-cache</command></term>
5366 These options control the behavior of an authoritative
5368 answering queries which have additional data, or when
5374 When both of these options are set to <userinput>yes</userinput>
5376 query is being answered from authoritative data (a zone
5377 configured into the server), the additional data section of
5379 reply will be filled in using data from other authoritative
5381 and from the cache. In some situations this is undesirable,
5383 as when there is concern over the correctness of the cache,
5385 in servers where slave zones may be added and modified by
5386 untrusted third parties. Also, avoiding
5387 the search for this additional data will speed up server
5389 at the possible expense of additional queries to resolve
5391 otherwise be provided in the additional section.
5395 For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
5396 and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
5397 records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
5398 if known, even though they are not in the example.com zone.
5399 Setting these options to <command>no</command>
5400 disables this behavior and makes
5401 the server only search for additional data in the zone it
5406 These options are intended for use in authoritative-only
5407 servers, or in authoritative-only views. Attempts to set
5408 them to <command>no</command> without also
5410 <command>recursion no</command> will cause the
5412 ignore the options and log a warning message.
5416 Specifying <command>additional-from-cache no</command> actually
5417 disables the use of the cache not only for additional data
5419 but also when looking up the answer. This is usually the
5421 behavior in an authoritative-only server where the
5423 the cached data is an issue.
5427 When a name server is non-recursively queried for a name
5429 below the apex of any served zone, it normally answers with
5431 "upwards referral" to the root servers or the servers of
5433 known parent of the query name. Since the data in an
5435 comes from the cache, the server will not be able to provide
5437 referrals when <command>additional-from-cache no</command>
5438 has been specified. Instead, it will respond to such
5440 with REFUSED. This should not cause any problems since
5441 upwards referrals are not required for the resolution
5449 <term><command>match-mapped-addresses</command></term>
5452 If <userinput>yes</userinput>, then an
5453 IPv4-mapped IPv6 address will match any address match
5454 list entries that match the corresponding IPv4 address.
5455 Enabling this option is sometimes useful on IPv6-enabled
5457 systems, to work around a kernel quirk that causes IPv4
5458 TCP connections such as zone transfers to be accepted
5459 on an IPv6 socket using mapped addresses, causing
5460 address match lists designed for IPv4 to fail to match.
5461 The use of this option for any other purpose is discouraged.
5467 <term><command>ixfr-from-differences</command></term>
5470 When <userinput>yes</userinput> and the server loads a new version of a master
5471 zone from its zone file or receives a new version of a slave
5472 file by a non-incremental zone transfer, it will compare
5473 the new version to the previous one and calculate a set
5474 of differences. The differences are then logged in the
5475 zone's journal file such that the changes can be transmitted
5476 to downstream slaves as an incremental zone transfer.
5479 By allowing incremental zone transfers to be used for
5480 non-dynamic zones, this option saves bandwidth at the
5481 expense of increased CPU and memory consumption at the
5483 In particular, if the new version of a zone is completely
5484 different from the previous one, the set of differences
5485 will be of a size comparable to the combined size of the
5486 old and new zone version, and the server will need to
5487 temporarily allocate memory to hold this complete
5490 <para><command>ixfr-from-differences</command>
5491 also accepts <command>master</command> and
5492 <command>slave</command> at the view and options
5494 <command>ixfr-from-differences</command> to apply to
5495 all <command>master</command> or
5496 <command>slave</command> zones respectively.
5502 <term><command>multi-master</command></term>
5505 This should be set when you have multiple masters for a zone
5507 addresses refer to different machines. If <userinput>yes</userinput>, named will
5509 when the serial number on the master is less than what named
5511 has. The default is <userinput>no</userinput>.
5517 <term><command>dnssec-enable</command></term>
5520 Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
5521 named behaves as if it does not support DNSSEC.
5522 The default is <userinput>yes</userinput>.
5528 <term><command>dnssec-validation</command></term>
5531 Enable DNSSEC validation in named.
5532 Note <command>dnssec-enable</command> also needs to be
5533 set to <userinput>yes</userinput> to be effective.
5534 The default is <userinput>no</userinput>.
5540 <term><command>dnssec-accept-expired</command></term>
5543 Accept expired signatures when verifying DNSSEC signatures.
5544 The default is <userinput>no</userinput>.
5545 Setting this option to "yes" leaves named vulnerable to replay attacks.
5551 <term><command>querylog</command></term>
5554 Specify whether query logging should be started when named
5556 If <command>querylog</command> is not specified,
5557 then the query logging
5558 is determined by the presence of the logging category <command>queries</command>.
5564 <term><command>check-names</command></term>
5567 This option is used to restrict the character set and syntax
5569 certain domain names in master files and/or DNS responses
5571 from the network. The default varies according to usage
5573 <command>master</command> zones the default is <command>fail</command>.
5574 For <command>slave</command> zones the default
5575 is <command>warn</command>.
5576 For answers received from the network (<command>response</command>)
5577 the default is <command>ignore</command>.
5580 The rules for legal hostnames and mail domains are derived
5581 from RFC 952 and RFC 821 as modified by RFC 1123.
5583 <para><command>check-names</command>
5584 applies to the owner names of A, AAA and MX records.
5585 It also applies to the domain names in the RDATA of NS, SOA
5587 It also applies to the RDATA of PTR records where the owner
5588 name indicated that it is a reverse lookup of a hostname
5589 (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
5595 <term><command>check-mx</command></term>
5598 Check whether the MX record appears to refer to a IP address.
5599 The default is to <command>warn</command>. Other possible
5600 values are <command>fail</command> and
5601 <command>ignore</command>.
5607 <term><command>check-wildcard</command></term>
5610 This option is used to check for non-terminal wildcards.
5611 The use of non-terminal wildcards is almost always as a
5613 to understand the wildcard matching algorithm (RFC 1034).
5615 affects master zones. The default (<command>yes</command>) is to check
5616 for non-terminal wildcards and issue a warning.
5622 <term><command>check-integrity</command></term>
5625 Perform post load zone integrity checks on master
5626 zones. This checks that MX and SRV records refer
5627 to address (A or AAAA) records and that glue
5628 address records exist for delegated zones. For
5629 MX and SRV records only in-zone hostnames are
5630 checked (for out-of-zone hostnames use named-checkzone).
5631 For NS records only names below top of zone are
5632 checked (for out-of-zone names and glue consistency
5633 checks use named-checkzone). The default is
5634 <command>yes</command>.
5640 <term><command>check-mx-cname</command></term>
5643 If <command>check-integrity</command> is set then
5644 fail, warn or ignore MX records that refer
5645 to CNAMES. The default is to <command>warn</command>.
5651 <term><command>check-srv-cname</command></term>
5654 If <command>check-integrity</command> is set then
5655 fail, warn or ignore SRV records that refer
5656 to CNAMES. The default is to <command>warn</command>.
5662 <term><command>check-sibling</command></term>
5665 When performing integrity checks, also check that
5666 sibling glue exists. The default is <command>yes</command>.
5672 <term><command>zero-no-soa-ttl</command></term>
5675 When returning authoritative negative responses to
5676 SOA queries set the TTL of the SOA recored returned in
5677 the authority section to zero.
5678 The default is <command>yes</command>.
5684 <term><command>zero-no-soa-ttl-cache</command></term>
5687 When caching a negative response to a SOA query
5688 set the TTL to zero.
5689 The default is <command>no</command>.
5695 <term><command>update-check-ksk</command></term>
5698 When regenerating the RRSIGs following a UPDATE
5699 request to a secure zone, check the KSK flag on
5700 the DNSKEY RR to determine if this key should be
5701 used to generate the RRSIG. This flag is ignored
5702 if there are not DNSKEY RRs both with and without
5704 The default is <command>yes</command>.
5714 <title>Forwarding</title>
5716 The forwarding facility can be used to create a large site-wide
5717 cache on a few servers, reducing traffic over links to external
5718 name servers. It can also be used to allow queries by servers that
5719 do not have direct access to the Internet, but wish to look up
5721 names anyway. Forwarding occurs only on those queries for which
5722 the server is not authoritative and does not have the answer in
5728 <term><command>forward</command></term>
5731 This option is only meaningful if the
5732 forwarders list is not empty. A value of <varname>first</varname>,
5733 the default, causes the server to query the forwarders
5735 if that doesn't answer the question, the server will then
5737 the answer itself. If <varname>only</varname> is
5739 server will only query the forwarders.
5745 <term><command>forwarders</command></term>
5748 Specifies the IP addresses to be used
5749 for forwarding. The default is the empty list (no
5758 Forwarding can also be configured on a per-domain basis, allowing
5759 for the global forwarding options to be overridden in a variety
5760 of ways. You can set particular domains to use different
5762 or have a different <command>forward only/first</command> behavior,
5763 or not forward at all, see <xref linkend="zone_statement_grammar"/>.
5768 <title>Dual-stack Servers</title>
5770 Dual-stack servers are used as servers of last resort to work
5772 problems in reachability due the lack of support for either IPv4
5774 on the host machine.
5779 <term><command>dual-stack-servers</command></term>
5782 Specifies host names or addresses of machines with access to
5783 both IPv4 and IPv6 transports. If a hostname is used, the
5785 to resolve the name using only the transport it has. If the
5787 stacked, then the <command>dual-stack-servers</command> have no effect unless
5788 access to a transport has been disabled on the command line
5789 (e.g. <command>named -4</command>).
5796 <sect3 id="access_control">
5797 <title>Access Control</title>
5800 Access to the server can be restricted based on the IP address
5801 of the requesting system. See <xref linkend="address_match_lists"/> for
5802 details on how to specify IP address lists.
5808 <term><command>allow-notify</command></term>
5811 Specifies which hosts are allowed to
5812 notify this server, a slave, of zone changes in addition
5813 to the zone masters.
5814 <command>allow-notify</command> may also be
5816 <command>zone</command> statement, in which case
5818 <command>options allow-notify</command>
5819 statement. It is only meaningful
5820 for a slave zone. If not specified, the default is to
5821 process notify messages
5822 only from a zone's master.
5828 <term><command>allow-query</command></term>
5831 Specifies which hosts are allowed to ask ordinary
5832 DNS questions. <command>allow-query</command> may
5833 also be specified in the <command>zone</command>
5834 statement, in which case it overrides the
5835 <command>options allow-query</command> statement.
5836 If not specified, the default is to allow queries
5841 <command>allow-query-cache</command> is now
5842 used to specify access to the cache.
5849 <term><command>allow-query-cache</command></term>
5852 Specifies which hosts are allowed to get answers
5853 from the cache. If <command>allow-query-cache</command>
5854 is not set then <command>allow-recursion</command>
5855 is used if set, otherwise <command>allow-query</command>
5856 is used if set, otherwise the default
5857 (<command>localnets;</command>
5858 <command>localhost;</command>) is used.
5864 <term><command>allow-recursion</command></term>
5867 Specifies which hosts are allowed to make recursive
5868 queries through this server. If
5869 <command>allow-recursion</command> is not set
5870 then <command>allow-query-cache</command> is
5871 used if set, otherwise <command>allow-query</command>
5872 is used if set, otherwise the default
5873 (<command>localnets;</command>
5874 <command>localhost;</command>) is used.
5880 <term><command>allow-update</command></term>
5883 Specifies which hosts are allowed to
5884 submit Dynamic DNS updates for master zones. The default is
5886 updates from all hosts. Note that allowing updates based
5887 on the requestor's IP address is insecure; see
5888 <xref linkend="dynamic_update_security"/> for details.
5894 <term><command>allow-update-forwarding</command></term>
5897 Specifies which hosts are allowed to
5898 submit Dynamic DNS updates to slave zones to be forwarded to
5900 master. The default is <userinput>{ none; }</userinput>,
5902 means that no update forwarding will be performed. To
5904 update forwarding, specify
5905 <userinput>allow-update-forwarding { any; };</userinput>.
5906 Specifying values other than <userinput>{ none; }</userinput> or
5907 <userinput>{ any; }</userinput> is usually
5908 counterproductive, since
5909 the responsibility for update access control should rest
5911 master server, not the slaves.
5914 Note that enabling the update forwarding feature on a slave
5916 may expose master servers relying on insecure IP address
5918 access control to attacks; see <xref linkend="dynamic_update_security"/>
5925 <term><command>allow-v6-synthesis</command></term>
5928 This option was introduced for the smooth transition from
5930 to A6 and from "nibble labels" to binary labels.
5931 However, since both A6 and binary labels were then
5933 this option was also deprecated.
5934 It is now ignored with some warning messages.
5940 <term><command>allow-transfer</command></term>
5943 Specifies which hosts are allowed to
5944 receive zone transfers from the server. <command>allow-transfer</command> may
5945 also be specified in the <command>zone</command>
5947 case it overrides the <command>options allow-transfer</command> statement.
5948 If not specified, the default is to allow transfers to all
5955 <term><command>blackhole</command></term>
5958 Specifies a list of addresses that the
5959 server will not accept queries from or use to resolve a
5961 from these addresses will not be responded to. The default
5962 is <userinput>none</userinput>.
5972 <title>Interfaces</title>
5974 The interfaces and ports that the server will answer queries
5975 from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
5976 an optional port, and an <varname>address_match_list</varname>.
5977 The server will listen on all interfaces allowed by the address
5978 match list. If a port is not specified, port 53 will be used.
5981 Multiple <command>listen-on</command> statements are
5986 <programlisting>listen-on { 5.6.7.8; };
5987 listen-on port 1234 { !1.2.3.4; 1.2/16; };
5991 will enable the name server on port 53 for the IP address
5992 5.6.7.8, and on port 1234 of an address on the machine in net
5993 1.2 that is not 1.2.3.4.
5997 If no <command>listen-on</command> is specified, the
5998 server will listen on port 53 on all interfaces.
6002 The <command>listen-on-v6</command> option is used to
6003 specify the interfaces and the ports on which the server will
6005 for incoming queries sent using IPv6.
6009 When <programlisting>{ any; }</programlisting> is
6011 as the <varname>address_match_list</varname> for the
6012 <command>listen-on-v6</command> option,
6013 the server does not bind a separate socket to each IPv6 interface
6014 address as it does for IPv4 if the operating system has enough API
6015 support for IPv6 (specifically if it conforms to RFC 3493 and RFC
6017 Instead, it listens on the IPv6 wildcard address.
6018 If the system only has incomplete API support for IPv6, however,
6019 the behavior is the same as that for IPv4.
6023 A list of particular IPv6 addresses can also be specified, in
6025 the server listens on a separate socket for each specified
6027 regardless of whether the desired API is supported by the system.
6031 Multiple <command>listen-on-v6</command> options can
6036 <programlisting>listen-on-v6 { any; };
6037 listen-on-v6 port 1234 { !2001:db8::/32; any; };
6041 will enable the name server on port 53 for any IPv6 addresses
6042 (with a single wildcard socket),
6043 and on port 1234 of IPv6 addresses that is not in the prefix
6044 2001:db8::/32 (with separate sockets for each matched address.)
6048 To make the server not listen on any IPv6 address, use
6051 <programlisting>listen-on-v6 { none; };
6055 If no <command>listen-on-v6</command> option is
6057 the server will not listen on any IPv6 address.
6062 <title>Query Address</title>
6064 If the server doesn't know the answer to a question, it will
6065 query other name servers. <command>query-source</command> specifies
6066 the address and port used for such queries. For queries sent over
6067 IPv6, there is a separate <command>query-source-v6</command> option.
6068 If <command>address</command> is <command>*</command> (asterisk) or is omitted,
6069 a wildcard IP address (<command>INADDR_ANY</command>)
6071 If <command>port</command> is <command>*</command> or is omitted,
6072 a random unprivileged port number is picked up and will be
6073 used for each query.
6074 It is generally strongly discouraged to
6075 specify a particular port for the
6076 <command>query-source</command> or
6077 <command>query-source-v6</command> options;
6078 it implicitly disables the use of randomized port numbers
6079 and leads to insecure operation.
6080 The <command>avoid-v4-udp-ports</command>
6081 and <command>avoid-v6-udp-ports</command> options can be used
6083 from selecting certain ports. The defaults are:
6086 <programlisting>query-source address * port *;
6087 query-source-v6 address * port *;
6092 The address specified in the <command>query-source</command> option
6093 is used for both UDP and TCP queries, but the port applies only
6095 UDP queries. TCP queries always use a random
6101 Solaris 2.5.1 and earlier does not support setting the source
6102 address for TCP sockets.
6107 See also <command>transfer-source</command> and
6108 <command>notify-source</command>.
6113 <sect3 id="zone_transfers">
6114 <title>Zone Transfers</title>
6116 <acronym>BIND</acronym> has mechanisms in place to
6117 facilitate zone transfers
6118 and set limits on the amount of load that transfers place on the
6119 system. The following options apply to zone transfers.
6125 <term><command>also-notify</command></term>
6128 Defines a global list of IP addresses of name servers
6129 that are also sent NOTIFY messages whenever a fresh copy of
6131 zone is loaded, in addition to the servers listed in the
6133 This helps to ensure that copies of the zones will
6134 quickly converge on stealth servers. If an <command>also-notify</command> list
6135 is given in a <command>zone</command> statement,
6137 the <command>options also-notify</command>
6138 statement. When a <command>zone notify</command>
6140 is set to <command>no</command>, the IP
6141 addresses in the global <command>also-notify</command> list will
6142 not be sent NOTIFY messages for that zone. The default is
6144 list (no global notification list).
6150 <term><command>max-transfer-time-in</command></term>
6153 Inbound zone transfers running longer than
6154 this many minutes will be terminated. The default is 120
6156 (2 hours). The maximum value is 28 days (40320 minutes).
6162 <term><command>max-transfer-idle-in</command></term>
6165 Inbound zone transfers making no progress
6166 in this many minutes will be terminated. The default is 60
6168 (1 hour). The maximum value is 28 days (40320 minutes).
6174 <term><command>max-transfer-time-out</command></term>
6177 Outbound zone transfers running longer than
6178 this many minutes will be terminated. The default is 120
6180 (2 hours). The maximum value is 28 days (40320 minutes).
6186 <term><command>max-transfer-idle-out</command></term>
6189 Outbound zone transfers making no progress
6190 in this many minutes will be terminated. The default is 60
6192 hour). The maximum value is 28 days (40320 minutes).
6198 <term><command>serial-query-rate</command></term>
6201 Slave servers will periodically query master servers
6202 to find out if zone serial numbers have changed. Each such
6204 a minute amount of the slave server's network bandwidth. To
6206 amount of bandwidth used, BIND 9 limits the rate at which
6208 sent. The value of the <command>serial-query-rate</command> option,
6209 an integer, is the maximum number of queries sent per
6217 <term><command>serial-queries</command></term>
6220 In BIND 8, the <command>serial-queries</command>
6222 set the maximum number of concurrent serial number queries
6223 allowed to be outstanding at any given time.
6224 BIND 9 does not limit the number of outstanding
6225 serial queries and ignores the <command>serial-queries</command> option.
6226 Instead, it limits the rate at which the queries are sent
6227 as defined using the <command>serial-query-rate</command> option.
6233 <term><command>transfer-format</command></term>
6237 Zone transfers can be sent using two different formats,
6238 <command>one-answer</command> and
6239 <command>many-answers</command>.
6240 The <command>transfer-format</command> option is used
6241 on the master server to determine which format it sends.
6242 <command>one-answer</command> uses one DNS message per
6243 resource record transferred.
6244 <command>many-answers</command> packs as many resource
6245 records as possible into a message.
6246 <command>many-answers</command> is more efficient, but is
6247 only supported by relatively new slave servers,
6248 such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
6249 8.x and <acronym>BIND</acronym> 4.9.5 onwards.
6250 The <command>many-answers</command> format is also supported by
6251 recent Microsoft Windows nameservers.
6252 The default is <command>many-answers</command>.
6253 <command>transfer-format</command> may be overridden on a
6254 per-server basis by using the <command>server</command>
6262 <term><command>transfers-in</command></term>
6265 The maximum number of inbound zone transfers
6266 that can be running concurrently. The default value is <literal>10</literal>.
6267 Increasing <command>transfers-in</command> may
6268 speed up the convergence
6269 of slave zones, but it also may increase the load on the
6276 <term><command>transfers-out</command></term>
6279 The maximum number of outbound zone transfers
6280 that can be running concurrently. Zone transfer requests in
6282 of the limit will be refused. The default value is <literal>10</literal>.
6288 <term><command>transfers-per-ns</command></term>
6291 The maximum number of inbound zone transfers
6292 that can be concurrently transferring from a given remote
6294 The default value is <literal>2</literal>.
6295 Increasing <command>transfers-per-ns</command>
6297 speed up the convergence of slave zones, but it also may
6299 the load on the remote name server. <command>transfers-per-ns</command> may
6300 be overridden on a per-server basis by using the <command>transfers</command> phrase
6301 of the <command>server</command> statement.
6307 <term><command>transfer-source</command></term>
6309 <para><command>transfer-source</command>
6310 determines which local address will be bound to IPv4
6311 TCP connections used to fetch zones transferred
6312 inbound by the server. It also determines the
6313 source IPv4 address, and optionally the UDP port,
6314 used for the refresh queries and forwarded dynamic
6315 updates. If not set, it defaults to a system
6316 controlled value which will usually be the address
6317 of the interface "closest to" the remote end. This
6318 address must appear in the remote end's
6319 <command>allow-transfer</command> option for the
6320 zone being transferred, if one is specified. This
6322 <command>transfer-source</command> for all zones,
6323 but can be overridden on a per-view or per-zone
6324 basis by including a
6325 <command>transfer-source</command> statement within
6326 the <command>view</command> or
6327 <command>zone</command> block in the configuration
6332 Solaris 2.5.1 and earlier does not support setting the
6333 source address for TCP sockets.
6340 <term><command>transfer-source-v6</command></term>
6343 The same as <command>transfer-source</command>,
6344 except zone transfers are performed using IPv6.
6350 <term><command>alt-transfer-source</command></term>
6353 An alternate transfer source if the one listed in
6354 <command>transfer-source</command> fails and
6355 <command>use-alt-transfer-source</command> is
6359 If you do not wish the alternate transfer source
6360 to be used, you should set
6361 <command>use-alt-transfer-source</command>
6362 appropriately and you should not depend upon
6363 getting a answer back to the first refresh
6370 <term><command>alt-transfer-source-v6</command></term>
6373 An alternate transfer source if the one listed in
6374 <command>transfer-source-v6</command> fails and
6375 <command>use-alt-transfer-source</command> is
6382 <term><command>use-alt-transfer-source</command></term>
6385 Use the alternate transfer sources or not. If views are
6386 specified this defaults to <command>no</command>
6387 otherwise it defaults to
6388 <command>yes</command> (for BIND 8
6395 <term><command>notify-source</command></term>
6397 <para><command>notify-source</command>
6398 determines which local source address, and
6399 optionally UDP port, will be used to send NOTIFY
6400 messages. This address must appear in the slave
6401 server's <command>masters</command> zone clause or
6402 in an <command>allow-notify</command> clause. This
6403 statement sets the <command>notify-source</command>
6404 for all zones, but can be overridden on a per-zone or
6405 per-view basis by including a
6406 <command>notify-source</command> statement within
6407 the <command>zone</command> or
6408 <command>view</command> block in the configuration
6413 Solaris 2.5.1 and earlier does not support setting the
6414 source address for TCP sockets.
6421 <term><command>notify-source-v6</command></term>
6424 Like <command>notify-source</command>,
6425 but applies to notify messages sent to IPv6 addresses.
6435 <title>Bad UDP Port Lists</title>
6436 <para><command>avoid-v4-udp-ports</command>
6437 and <command>avoid-v6-udp-ports</command> specify a list
6438 of IPv4 and IPv6 UDP ports that will not be used as system
6439 assigned source ports for UDP sockets. These lists
6440 prevent named from choosing as its random source port a
6441 port that is blocked by your firewall. If a query went
6442 out with such a source port, the answer would not get by
6443 the firewall and the name server would have to query
6449 <title>Operating System Resource Limits</title>
6452 The server's usage of many system resources can be limited.
6453 Scaled values are allowed when specifying resource limits. For
6454 example, <command>1G</command> can be used instead of
6455 <command>1073741824</command> to specify a limit of
6457 gigabyte. <command>unlimited</command> requests
6458 unlimited use, or the
6459 maximum available amount. <command>default</command>
6461 that was in force when the server was started. See the description
6462 of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
6466 The following options set operating system resource limits for
6467 the name server process. Some operating systems don't support
6469 any of the limits. On such systems, a warning will be issued if
6471 unsupported limit is used.
6477 <term><command>coresize</command></term>
6480 The maximum size of a core dump. The default
6481 is <literal>default</literal>.
6487 <term><command>datasize</command></term>
6490 The maximum amount of data memory the server
6491 may use. The default is <literal>default</literal>.
6492 This is a hard limit on server memory usage.
6493 If the server attempts to allocate memory in excess of this
6494 limit, the allocation will fail, which may in turn leave
6495 the server unable to perform DNS service. Therefore,
6496 this option is rarely useful as a way of limiting the
6497 amount of memory used by the server, but it can be used
6498 to raise an operating system data size limit that is
6499 too small by default. If you wish to limit the amount
6500 of memory used by the server, use the
6501 <command>max-cache-size</command> and
6502 <command>recursive-clients</command>
6509 <term><command>files</command></term>
6512 The maximum number of files the server
6513 may have open concurrently. The default is <literal>unlimited</literal>.
6519 <term><command>stacksize</command></term>
6522 The maximum amount of stack memory the server
6523 may use. The default is <literal>default</literal>.
6533 <title>Server Resource Limits</title>
6536 The following options set limits on the server's
6537 resource consumption that are enforced internally by the
6538 server rather than the operating system.
6544 <term><command>max-ixfr-log-size</command></term>
6547 This option is obsolete; it is accepted
6548 and ignored for BIND 8 compatibility. The option
6549 <command>max-journal-size</command> performs a
6550 similar function in BIND 9.
6556 <term><command>max-journal-size</command></term>
6559 Sets a maximum size for each journal file
6560 (see <xref linkend="journal"/>). When the journal file
6562 the specified size, some of the oldest transactions in the
6564 will be automatically removed. The default is
6565 <literal>unlimited</literal>.
6571 <term><command>host-statistics-max</command></term>
6574 In BIND 8, specifies the maximum number of host statistics
6576 Not implemented in BIND 9.
6582 <term><command>recursive-clients</command></term>
6585 The maximum number of simultaneous recursive lookups
6586 the server will perform on behalf of clients. The default
6588 <literal>1000</literal>. Because each recursing
6590 bit of memory, on the order of 20 kilobytes, the value of
6592 <command>recursive-clients</command> option may
6593 have to be decreased
6594 on hosts with limited memory.
6600 <term><command>tcp-clients</command></term>
6603 The maximum number of simultaneous client TCP
6604 connections that the server will accept.
6605 The default is <literal>100</literal>.
6611 <term><command>reserved-sockets</command></term>
6614 The number of file descriptors reserved for TCP, stdio,
6615 etc. This needs to be big enough to cover the number of
6616 interfaces named listens on, tcp-clients as well as
6617 to provide room for outgoing TCP queries and incoming zone
6618 transfers. The default is <literal>512</literal>.
6619 The minimum value is <literal>128</literal> and the
6620 maximum value is <literal>128</literal> less than
6621 'files' or FD_SETSIZE (whichever is smaller). This
6622 option may be removed in the future.
6628 <term><command>max-cache-size</command></term>
6631 The maximum amount of memory to use for the
6632 server's cache, in bytes. When the amount of data in the
6634 reaches this limit, the server will cause records to expire
6635 prematurely so that the limit is not exceeded. In a server
6637 multiple views, the limit applies separately to the cache of
6639 view. The default is <literal>unlimited</literal>, meaning that
6640 records are purged from the cache only when their TTLs
6647 <term><command>tcp-listen-queue</command></term>
6650 The listen queue depth. The default and minimum is 3.
6651 If the kernel supports the accept filter "dataready" this
6653 many TCP connections that will be queued in kernel space
6655 some data before being passed to accept. Values less than 3
6667 <title>Periodic Task Intervals</title>
6672 <term><command>cleaning-interval</command></term>
6675 The server will remove expired resource records
6676 from the cache every <command>cleaning-interval</command> minutes.
6677 The default is 60 minutes. The maximum value is 28 days
6679 If set to 0, no periodic cleaning will occur.
6685 <term><command>heartbeat-interval</command></term>
6688 The server will perform zone maintenance tasks
6689 for all zones marked as <command>dialup</command> whenever this
6690 interval expires. The default is 60 minutes. Reasonable
6692 to 1 day (1440 minutes). The maximum value is 28 days
6694 If set to 0, no zone maintenance for these zones will occur.
6700 <term><command>interface-interval</command></term>
6703 The server will scan the network interface list
6704 every <command>interface-interval</command>
6705 minutes. The default
6706 is 60 minutes. The maximum value is 28 days (40320 minutes).
6707 If set to 0, interface scanning will only occur when
6708 the configuration file is loaded. After the scan, the
6710 begin listening for queries on any newly discovered
6711 interfaces (provided they are allowed by the
6712 <command>listen-on</command> configuration), and
6714 stop listening on interfaces that have gone away.
6720 <term><command>statistics-interval</command></term>
6723 Name server statistics will be logged
6724 every <command>statistics-interval</command>
6725 minutes. The default is
6726 60. The maximum value is 28 days (40320 minutes).
6727 If set to 0, no statistics will be logged.
6730 Not yet implemented in
6731 <acronym>BIND</acronym> 9.
6741 <sect3 id="topology">
6742 <title>Topology</title>
6745 All other things being equal, when the server chooses a name
6747 to query from a list of name servers, it prefers the one that is
6748 topologically closest to itself. The <command>topology</command> statement
6749 takes an <command>address_match_list</command> and
6751 in a special way. Each top-level list element is assigned a
6753 Non-negated elements get a distance based on their position in the
6754 list, where the closer the match is to the start of the list, the
6755 shorter the distance is between it and the server. A negated match
6756 will be assigned the maximum distance from the server. If there
6757 is no match, the address will get a distance which is further than
6758 any non-negated list element, and closer than any negated element.
6762 <programlisting>topology {
6769 will prefer servers on network 10 the most, followed by hosts
6770 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
6771 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
6772 is preferred least of all.
6775 The default topology is
6778 <programlisting> topology { localhost; localnets; };
6783 The <command>topology</command> option
6784 is not implemented in <acronym>BIND</acronym> 9.
6789 <sect3 id="the_sortlist_statement">
6791 <title>The <command>sortlist</command> Statement</title>
6794 The response to a DNS query may consist of multiple resource
6795 records (RRs) forming a resource records set (RRset).
6796 The name server will normally return the
6797 RRs within the RRset in an indeterminate order
6798 (but see the <command>rrset-order</command>
6799 statement in <xref linkend="rrset_ordering"/>).
6800 The client resolver code should rearrange the RRs as appropriate,
6801 that is, using any addresses on the local net in preference to
6803 However, not all resolvers can do this or are correctly
6805 When a client is using a local server, the sorting can be performed
6806 in the server, based on the client's address. This only requires
6807 configuring the name servers, not all the clients.
6811 The <command>sortlist</command> statement (see below)
6813 an <command>address_match_list</command> and
6815 more specifically than the <command>topology</command>
6817 does (<xref linkend="topology"/>).
6818 Each top level statement in the <command>sortlist</command> must
6819 itself be an explicit <command>address_match_list</command> with
6820 one or two elements. The first element (which may be an IP
6822 an IP prefix, an ACL name or a nested <command>address_match_list</command>)
6823 of each top level list is checked against the source address of
6824 the query until a match is found.
6827 Once the source address of the query has been matched, if
6828 the top level statement contains only one element, the actual
6830 element that matched the source address is used to select the
6832 in the response to move to the beginning of the response. If the
6833 statement is a list of two elements, then the second element is
6834 treated the same as the <command>address_match_list</command> in
6835 a <command>topology</command> statement. Each top
6837 is assigned a distance and the address in the response with the
6839 distance is moved to the beginning of the response.
6842 In the following example, any queries received from any of
6843 the addresses of the host itself will get responses preferring
6845 on any of the locally connected networks. Next most preferred are
6847 on the 192.168.1/24 network, and after that either the
6850 192.168.3/24 network with no preference shown between these two
6851 networks. Queries received from a host on the 192.168.1/24 network
6852 will prefer other addresses on that network to the 192.168.2/24
6854 192.168.3/24 networks. Queries received from a host on the
6856 or the 192.168.5/24 network will only prefer other addresses on
6857 their directly connected networks.
6860 <programlisting>sortlist {
6861 { localhost; // IF the local host
6862 { localnets; // THEN first fit on the
6863 192.168.1/24; // following nets
6864 { 192.168.2/24; 192.168.3/24; }; }; };
6865 { 192.168.1/24; // IF on class C 192.168.1
6866 { 192.168.1/24; // THEN use .1, or .2 or .3
6867 { 192.168.2/24; 192.168.3/24; }; }; };
6868 { 192.168.2/24; // IF on class C 192.168.2
6869 { 192.168.2/24; // THEN use .2, or .1 or .3
6870 { 192.168.1/24; 192.168.3/24; }; }; };
6871 { 192.168.3/24; // IF on class C 192.168.3
6872 { 192.168.3/24; // THEN use .3, or .1 or .2
6873 { 192.168.1/24; 192.168.2/24; }; }; };
6874 { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
6879 The following example will give reasonable behavior for the
6880 local host and hosts on directly connected networks. It is similar
6881 to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
6882 to queries from the local host will favor any of the directly
6884 networks. Responses sent to queries from any other hosts on a
6886 connected network will prefer addresses on that same network.
6888 to other queries will not be sorted.
6891 <programlisting>sortlist {
6892 { localhost; localnets; };
6898 <sect3 id="rrset_ordering">
6899 <title id="rrset_ordering_title">RRset Ordering</title>
6901 When multiple records are returned in an answer it may be
6902 useful to configure the order of the records placed into the
6904 The <command>rrset-order</command> statement permits
6906 of the ordering of the records in a multiple record response.
6907 See also the <command>sortlist</command> statement,
6908 <xref linkend="the_sortlist_statement"/>.
6912 An <command>order_spec</command> is defined as
6916 <optional>class <replaceable>class_name</replaceable></optional>
6917 <optional>type <replaceable>type_name</replaceable></optional>
6918 <optional>name <replaceable>"domain_name"</replaceable></optional>
6919 order <replaceable>ordering</replaceable>
6922 If no class is specified, the default is <command>ANY</command>.
6923 If no type is specified, the default is <command>ANY</command>.
6924 If no name is specified, the default is "<command>*</command>" (asterisk).
6927 The legal values for <command>ordering</command> are:
6929 <informaltable colsep="0" rowsep="0">
6930 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
6931 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
6932 <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
6936 <para><command>fixed</command></para>
6940 Records are returned in the order they
6941 are defined in the zone file.
6947 <para><command>random</command></para>
6951 Records are returned in some random order.
6957 <para><command>cyclic</command></para>
6961 Records are returned in a round-robin
6973 <programlisting>rrset-order {
6974 class IN type A name "host.example.com" order random;
6980 will cause any responses for type A records in class IN that
6981 have "<literal>host.example.com</literal>" as a
6982 suffix, to always be returned
6983 in random order. All other records are returned in cyclic order.
6986 If multiple <command>rrset-order</command> statements
6988 they are not combined — the last one applies.
6993 The <command>rrset-order</command> statement
6994 is not yet fully implemented in <acronym>BIND</acronym> 9.
6995 BIND 9 currently does not fully support "fixed" ordering.
7001 <title>Tuning</title>
7006 <term><command>lame-ttl</command></term>
7009 Sets the number of seconds to cache a
7010 lame server indication. 0 disables caching. (This is
7011 <emphasis role="bold">NOT</emphasis> recommended.)
7012 The default is <literal>600</literal> (10 minutes) and the
7014 <literal>1800</literal> (30 minutes).
7021 <term><command>max-ncache-ttl</command></term>
7024 To reduce network traffic and increase performance,
7025 the server stores negative answers. <command>max-ncache-ttl</command> is
7026 used to set a maximum retention time for these answers in
7028 in seconds. The default
7029 <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
7030 <command>max-ncache-ttl</command> cannot exceed
7032 be silently truncated to 7 days if set to a greater value.
7038 <term><command>max-cache-ttl</command></term>
7041 Sets the maximum time for which the server will
7042 cache ordinary (positive) answers. The default is
7049 <term><command>min-roots</command></term>
7052 The minimum number of root servers that
7053 is required for a request for the root servers to be
7054 accepted. The default
7055 is <userinput>2</userinput>.
7059 Not implemented in <acronym>BIND</acronym> 9.
7066 <term><command>sig-validity-interval</command></term>
7069 Specifies the number of days into the
7070 future when DNSSEC signatures automatically generated as a
7072 of dynamic updates (<xref linkend="dynamic_update"/>)
7073 will expire. The default is <literal>30</literal> days.
7074 The maximum value is 10 years (3660 days). The signature
7075 inception time is unconditionally set to one hour before the
7077 to allow for a limited amount of clock skew.
7083 <term><command>min-refresh-time</command></term>
7084 <term><command>max-refresh-time</command></term>
7085 <term><command>min-retry-time</command></term>
7086 <term><command>max-retry-time</command></term>
7089 These options control the server's behavior on refreshing a
7091 (querying for SOA changes) or retrying failed transfers.
7092 Usually the SOA values for the zone are used, but these
7094 are set by the master, giving slave server administrators
7096 control over their contents.
7099 These options allow the administrator to set a minimum and
7101 refresh and retry time either per-zone, per-view, or
7103 These options are valid for slave and stub zones,
7104 and clamp the SOA refresh and retry times to the specified
7111 <term><command>edns-udp-size</command></term>
7114 Sets the advertised EDNS UDP buffer size in bytes. Valid
7115 values are 512 to 4096 (values outside this range
7116 will be silently adjusted). The default value is
7117 4096. The usual reason for setting edns-udp-size to
7118 a non-default value is to get UDP answers to pass
7119 through broken firewalls that block fragmented
7120 packets and/or block UDP packets that are greater
7127 <term><command>max-udp-size</command></term>
7130 Sets the maximum EDNS UDP message size named will
7131 send in bytes. Valid values are 512 to 4096 (values outside
7132 this range will be silently adjusted). The default
7133 value is 4096. The usual reason for setting
7134 max-udp-size to a non-default value is to get UDP
7135 answers to pass through broken firewalls that
7136 block fragmented packets and/or block UDP packets
7137 that are greater than 512 bytes.
7138 This is independent of the advertised receive
7139 buffer (<command>edns-udp-size</command>).
7145 <term><command>masterfile-format</command></term>
7148 the file format of zone files (see
7149 <xref linkend="zonefile_format"/>).
7150 The default value is <constant>text</constant>, which is the
7151 standard textual representation. Files in other formats
7152 than <constant>text</constant> are typically expected
7153 to be generated by the <command>named-compilezone</command> tool.
7154 Note that when a zone file in a different format than
7155 <constant>text</constant> is loaded, <command>named</command>
7156 may omit some of the checks which would be performed for a
7157 file in the <constant>text</constant> format. In particular,
7158 <command>check-names</command> checks do not apply
7159 for the <constant>raw</constant> format. This means
7160 a zone file in the <constant>raw</constant> format
7161 must be generated with the same check level as that
7162 specified in the <command>named</command> configuration
7163 file. This statement sets the
7164 <command>masterfile-format</command> for all zones,
7165 but can be overridden on a per-zone or per-view basis
7166 by including a <command>masterfile-format</command>
7167 statement within the <command>zone</command> or
7168 <command>view</command> block in the configuration
7175 <term><command>clients-per-query</command></term>
7176 <term><command>max-clients-per-query</command></term>
7179 initial value (minimum) and maximum number of recursive
7180 simultanious clients for any given query
7181 (<qname,qtype,qclass>) that the server will accept
7182 before dropping additional clients. named will attempt to
7183 self tune this value and changes will be logged. The
7184 default values are 10 and 100.
7187 This value should reflect how many queries come in for
7188 a given name in the time it takes to resolve that name.
7189 If the number of queries exceed this value, named will
7190 assume that it is dealing with a non-responsive zone
7191 and will drop additional queries. If it gets a response
7192 after dropping queries, it will raise the estimate. The
7193 estimate will then be lowered in 20 minutes if it has
7197 If <command>clients-per-query</command> is set to zero,
7198 then there is no limit on the number of clients per query
7199 and no queries will be dropped.
7202 If <command>max-clients-per-query</command> is set to zero,
7203 then there is no upper bound other than imposed by
7204 <command>recursive-clients</command>.
7210 <term><command>notify-delay</command></term>
7213 The delay, in seconds, between sending sets of notify
7214 messages for a zone. The default is zero.
7222 <sect3 id="builtin">
7223 <title>Built-in server information zones</title>
7226 The server provides some helpful diagnostic information
7227 through a number of built-in zones under the
7228 pseudo-top-level-domain <literal>bind</literal> in the
7229 <command>CHAOS</command> class. These zones are part
7231 built-in view (see <xref linkend="view_statement_grammar"/>) of
7233 <command>CHAOS</command> which is separate from the
7235 class <command>IN</command>; therefore, any global
7237 such as <command>allow-query</command> do not apply
7239 If you feel the need to disable these zones, use the options
7240 below, or hide the built-in <command>CHAOS</command>
7242 defining an explicit view of class <command>CHAOS</command>
7243 that matches all clients.
7249 <term><command>version</command></term>
7252 The version the server should report
7253 via a query of the name <literal>version.bind</literal>
7254 with type <command>TXT</command>, class <command>CHAOS</command>.
7255 The default is the real version number of this server.
7256 Specifying <command>version none</command>
7257 disables processing of the queries.
7263 <term><command>hostname</command></term>
7266 The hostname the server should report via a query of
7267 the name <filename>hostname.bind</filename>
7268 with type <command>TXT</command>, class <command>CHAOS</command>.
7269 This defaults to the hostname of the machine hosting the
7271 found by the gethostname() function. The primary purpose of such queries
7273 identify which of a group of anycast servers is actually
7274 answering your queries. Specifying <command>hostname none;</command>
7275 disables processing of the queries.
7281 <term><command>server-id</command></term>
7284 The ID of the server should report via a query of
7285 the name <filename>ID.SERVER</filename>
7286 with type <command>TXT</command>, class <command>CHAOS</command>.
7287 The primary purpose of such queries is to
7288 identify which of a group of anycast servers is actually
7289 answering your queries. Specifying <command>server-id none;</command>
7290 disables processing of the queries.
7291 Specifying <command>server-id hostname;</command> will cause named to
7292 use the hostname as found by the gethostname() function.
7293 The default <command>server-id</command> is <command>none</command>.
7303 <title>Built-in Empty Zones</title>
7305 Named has some built-in empty zones (SOA and NS records only).
7306 These are for zones that should normally be answered locally
7307 and which queries should not be sent to the Internet's root
7308 servers. The official servers which cover these namespaces
7309 return NXDOMAIN responses to these queries. In particular,
7310 these cover the reverse namespace for addresses from RFC 1918 and
7311 RFC 3330. They also include the reverse namespace for IPv6 local
7312 address (locally assigned), IPv6 link local addresses, the IPv6
7313 loopback address and the IPv6 unknown addresss.
7316 Named will attempt to determine if a built in zone already exists
7317 or is active (covered by a forward-only forwarding declaration)
7318 and will not not create a empty zone in that case.
7321 The current list of empty zones is:
7323 <listitem>10.IN-ADDR.ARPA</listitem>
7324 <listitem>127.IN-ADDR.ARPA</listitem>
7325 <listitem>254.169.IN-ADDR.ARPA</listitem>
7326 <listitem>16.172.IN-ADDR.ARPA</listitem>
7327 <listitem>17.172.IN-ADDR.ARPA</listitem>
7328 <listitem>18.172.IN-ADDR.ARPA</listitem>
7329 <listitem>19.172.IN-ADDR.ARPA</listitem>
7330 <listitem>20.172.IN-ADDR.ARPA</listitem>
7331 <listitem>21.172.IN-ADDR.ARPA</listitem>
7332 <listitem>22.172.IN-ADDR.ARPA</listitem>
7333 <listitem>23.172.IN-ADDR.ARPA</listitem>
7334 <listitem>24.172.IN-ADDR.ARPA</listitem>
7335 <listitem>25.172.IN-ADDR.ARPA</listitem>
7336 <listitem>26.172.IN-ADDR.ARPA</listitem>
7337 <listitem>27.172.IN-ADDR.ARPA</listitem>
7338 <listitem>28.172.IN-ADDR.ARPA</listitem>
7339 <listitem>29.172.IN-ADDR.ARPA</listitem>
7340 <listitem>30.172.IN-ADDR.ARPA</listitem>
7341 <listitem>31.172.IN-ADDR.ARPA</listitem>
7342 <listitem>168.192.IN-ADDR.ARPA</listitem>
7343 <listitem>2.0.192.IN-ADDR.ARPA</listitem>
7344 <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7345 <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7346 <listitem>D.F.IP6.ARPA</listitem>
7347 <listitem>8.E.F.IP6.ARPA</listitem>
7348 <listitem>9.E.F.IP6.ARPA</listitem>
7349 <listitem>A.E.F.IP6.ARPA</listitem>
7350 <listitem>B.E.F.IP6.ARPA</listitem>
7354 Empty zones are settable at the view level and only apply to
7355 views of class IN. Disabled empty zones are only inherited
7356 from options if there are no disabled empty zones specified
7357 at the view level. To override the options list of disabled
7358 zones, you can disable the root zone at the view level, for example:
7360 disable-empty-zone ".";
7364 If you are using the address ranges covered here, you should
7365 already have reverse zones covering the addresses you use.
7366 In practice this appears to not be the case with many queries
7367 being made to the infrastructure servers for names in these
7368 spaces. So many in fact that sacrificial servers were needed
7369 to be deployed to channel the query load away from the
7370 infrastructure servers.
7373 The real parent servers for these zones should disable all
7374 empty zone under the parent zone they serve. For the real
7375 root servers, this is all built in empty zones. This will
7376 enable them to return referrals to deeper in the tree.
7380 <term><command>empty-server</command></term>
7383 Specify what server name will appear in the returned
7384 SOA record for empty zones. If none is specified, then
7385 the zone's name will be used.
7391 <term><command>empty-contact</command></term>
7394 Specify what contact name will appear in the returned
7395 SOA record for empty zones. If none is specified, then
7402 <term><command>empty-zones-enable</command></term>
7405 Enable or disable all empty zones. By default they
7412 <term><command>disable-empty-zone</command></term>
7415 Disable individual empty zones. By default none are
7416 disabled. This option can be specified multiple times.
7423 <sect3 id="statsfile">
7424 <title>The Statistics File</title>
7427 The statistics file generated by <acronym>BIND</acronym> 9
7428 is similar, but not identical, to that
7429 generated by <acronym>BIND</acronym> 8.
7432 The statistics dump begins with a line, like:
7435 <command>+++ Statistics Dump +++ (973798949)</command>
7438 The number in parentheses is a standard
7439 Unix-style timestamp, measured as seconds since January 1, 1970.
7441 that line are a series of lines containing a counter type, the
7443 counter, optionally a zone name, and optionally a view name.
7444 The lines without view and zone listed are global statistics for
7446 Lines with a zone and view name for the given view and zone (the
7448 omitted for the default view).
7451 The statistics dump ends with the line where the
7452 number is identical to the number in the beginning line; for example:
7455 <command>--- Statistics Dump --- (973798949)</command>
7458 The following statistics counters are maintained:
7460 <informaltable colsep="0" rowsep="0">
7461 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
7462 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
7463 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
7467 <para><command>success</command></para>
7472 successful queries made to the server or zone. A
7474 is defined as query which returns a NOERROR response
7482 <para><command>referral</command></para>
7486 The number of queries which resulted
7487 in referral responses.
7493 <para><command>nxrrset</command></para>
7497 The number of queries which resulted in
7498 NOERROR responses with no data.
7504 <para><command>nxdomain</command></para>
7509 of queries which resulted in NXDOMAIN responses.
7515 <para><command>failure</command></para>
7519 The number of queries which resulted in a
7520 failure response other than those above.
7526 <para><command>recursion</command></para>
7530 The number of queries which caused the server
7531 to perform recursion in order to find the final answer.
7537 <para><command>duplicate</command></para>
7541 The number of queries which the server attempted to
7542 recurse but discover a existing query with the same
7543 IP address, port, query id, name, type and class
7544 already being processed.
7550 <para><command>dropped</command></para>
7554 The number of queries for which the server
7555 discovered a excessive number of existing
7556 recursive queries for the same name, type and
7557 class and were subsequently dropped.
7566 Each query received by the server will cause exactly one of
7567 <command>success</command>,
7568 <command>referral</command>,
7569 <command>nxrrset</command>,
7570 <command>nxdomain</command>, or
7571 <command>failure</command>
7572 to be incremented, and may additionally cause the
7573 <command>recursion</command> counter to be
7580 <title>Additional Section Caching</title>
7583 The additional section cache, also called <command>acache</command>,
7584 is an internal cache to improve the response performance of BIND 9.
7585 When additional section caching is enabled, BIND 9 will
7586 cache an internal short-cut to the additional section content for
7588 Note that <command>acache</command> is an internal caching
7589 mechanism of BIND 9, and is not related to the DNS caching
7594 Additional section caching does not change the
7595 response content (except the RRsets ordering of the additional
7596 section, see below), but can improve the response performance
7598 It is particularly effective when BIND 9 acts as an authoritative
7599 server for a zone that has many delegations with many glue RRs.
7603 In order to obtain the maximum performance improvement
7604 from additional section caching, setting
7605 <command>additional-from-cache</command>
7606 to <command>no</command> is recommended, since the current
7607 implementation of <command>acache</command>
7608 does not short-cut of additional section information from the
7613 One obvious disadvantage of <command>acache</command> is
7614 that it requires much more
7615 memory for the internal cached data.
7616 Thus, if the response performance does not matter and memory
7617 consumption is much more critical, the
7618 <command>acache</command> mechanism can be
7619 disabled by setting <command>acache-enable</command> to
7620 <command>no</command>.
7621 It is also possible to specify the upper limit of memory
7623 for acache by using <command>max-acache-size</command>.
7627 Additional section caching also has a minor effect on the
7628 RRset ordering in the additional section.
7629 Without <command>acache</command>,
7630 <command>cyclic</command> order is effective for the additional
7631 section as well as the answer and authority sections.
7632 However, additional section caching fixes the ordering when it
7633 first caches an RRset for the additional section, and the same
7634 ordering will be kept in succeeding responses, regardless of the
7635 setting of <command>rrset-order</command>.
7636 The effect of this should be minor, however, since an
7637 RRset in the additional section
7638 typically only contains a small number of RRs (and in many cases
7639 it only contains a single RR), in which case the
7640 ordering does not matter much.
7644 The following is a summary of options related to
7645 <command>acache</command>.
7651 <term><command>acache-enable</command></term>
7654 If <command>yes</command>, additional section caching is
7655 enabled. The default value is <command>no</command>.
7661 <term><command>acache-cleaning-interval</command></term>
7664 The server will remove stale cache entries, based on an LRU
7666 algorithm, every <command>acache-cleaning-interval</command> minutes.
7667 The default is 60 minutes.
7668 If set to 0, no periodic cleaning will occur.
7674 <term><command>max-acache-size</command></term>
7677 The maximum amount of memory in bytes to use for the server's acache.
7678 When the amount of data in the acache reaches this limit,
7680 will clean more aggressively so that the limit is not
7682 In a server with multiple views, the limit applies
7684 acache of each view.
7685 The default is <literal>unlimited</literal>,
7687 entries are purged from the acache only at the
7688 periodic cleaning time.
7699 <sect2 id="server_statement_grammar">
7700 <title><command>server</command> Statement Grammar</title>
7702 <programlisting>server <replaceable>ip_addr[/prefixlen]</replaceable> {
7703 <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
7704 <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
7705 <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
7706 <optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
7707 <optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
7708 <optional> max-udp-size <replaceable>number</replaceable> ; </optional>
7709 <optional> transfers <replaceable>number</replaceable> ; </optional>
7710 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
7711 <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
7712 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7713 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7714 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7715 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7716 <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7717 <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7723 <sect2 id="server_statement_definition_and_usage">
7724 <title><command>server</command> Statement Definition and
7728 The <command>server</command> statement defines
7730 to be associated with a remote name server. If a prefix length is
7731 specified, then a range of servers is covered. Only the most
7733 server clause applies regardless of the order in
7734 <filename>named.conf</filename>.
7738 The <command>server</command> statement can occur at
7739 the top level of the
7740 configuration file or inside a <command>view</command>
7742 If a <command>view</command> statement contains
7743 one or more <command>server</command> statements, only
7745 apply to the view and any top-level ones are ignored.
7746 If a view contains no <command>server</command>
7748 any top-level <command>server</command> statements are
7754 If you discover that a remote server is giving out bad data,
7755 marking it as bogus will prevent further queries to it. The
7757 value of <command>bogus</command> is <command>no</command>.
7760 The <command>provide-ixfr</command> clause determines
7762 the local server, acting as master, will respond with an
7764 zone transfer when the given remote server, a slave, requests it.
7765 If set to <command>yes</command>, incremental transfer
7767 whenever possible. If set to <command>no</command>,
7769 to the remote server will be non-incremental. If not set, the
7771 of the <command>provide-ixfr</command> option in the
7773 global options block is used as a default.
7777 The <command>request-ixfr</command> clause determines
7779 the local server, acting as a slave, will request incremental zone
7780 transfers from the given remote server, a master. If not set, the
7781 value of the <command>request-ixfr</command> option in
7783 global options block is used as a default.
7787 IXFR requests to servers that do not support IXFR will
7789 fall back to AXFR. Therefore, there is no need to manually list
7790 which servers support IXFR and which ones do not; the global
7792 of <command>yes</command> should always work.
7793 The purpose of the <command>provide-ixfr</command> and
7794 <command>request-ixfr</command> clauses is
7795 to make it possible to disable the use of IXFR even when both
7797 and slave claim to support it, for example if one of the servers
7798 is buggy and crashes or corrupts data when IXFR is used.
7802 The <command>edns</command> clause determines whether
7803 the local server will attempt to use EDNS when communicating
7804 with the remote server. The default is <command>yes</command>.
7808 The <command>edns-udp-size</command> option sets the EDNS UDP size
7809 that is advertised by named when querying the remote server.
7810 Valid values are 512 to 4096 bytes (values outside this range will be
7811 silently adjusted). This option is useful when you wish to
7812 advertises a different value to this server than the value you
7813 advertise globally, for example, when there is a firewall at the
7814 remote site that is blocking large replies.
7818 The <command>max-udp-size</command> option sets the
7819 maximum EDNS UDP message size named will send. Valid
7820 values are 512 to 4096 bytes (values outside this range will
7821 be silently adjusted). This option is useful when you
7822 know that there is a firewall that is blocking large
7827 The server supports two zone transfer methods. The first, <command>one-answer</command>,
7828 uses one DNS message per resource record transferred. <command>many-answers</command> packs
7829 as many resource records as possible into a message. <command>many-answers</command> is
7830 more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
7831 8.x, and patched versions of <acronym>BIND</acronym>
7832 4.9.5. You can specify which method
7833 to use for a server with the <command>transfer-format</command> option.
7834 If <command>transfer-format</command> is not
7835 specified, the <command>transfer-format</command>
7837 by the <command>options</command> statement will be
7841 <para><command>transfers</command>
7842 is used to limit the number of concurrent inbound zone
7843 transfers from the specified server. If no
7844 <command>transfers</command> clause is specified, the
7845 limit is set according to the
7846 <command>transfers-per-ns</command> option.
7850 The <command>keys</command> clause identifies a
7851 <command>key_id</command> defined by the <command>key</command> statement,
7852 to be used for transaction security (TSIG, <xref linkend="tsig"/>)
7853 when talking to the remote server.
7854 When a request is sent to the remote server, a request signature
7855 will be generated using the key specified here and appended to the
7856 message. A request originating from the remote server is not
7858 to be signed by this key.
7862 Although the grammar of the <command>keys</command>
7864 allows for multiple keys, only a single key per server is
7870 The <command>transfer-source</command> and
7871 <command>transfer-source-v6</command> clauses specify
7872 the IPv4 and IPv6 source
7873 address to be used for zone transfer with the remote server,
7875 For an IPv4 remote server, only <command>transfer-source</command> can
7877 Similarly, for an IPv6 remote server, only
7878 <command>transfer-source-v6</command> can be
7880 For more details, see the description of
7881 <command>transfer-source</command> and
7882 <command>transfer-source-v6</command> in
7883 <xref linkend="zone_transfers"/>.
7887 The <command>notify-source</command> and
7888 <command>notify-source-v6</command> clauses specify the
7889 IPv4 and IPv6 source address to be used for notify
7890 messages sent to remote servers, respectively. For an
7891 IPv4 remote server, only <command>notify-source</command>
7892 can be specified. Similarly, for an IPv6 remote server,
7893 only <command>notify-source-v6</command> can be specified.
7897 The <command>query-source</command> and
7898 <command>query-source-v6</command> clauses specify the
7899 IPv4 and IPv6 source address to be used for queries
7900 sent to remote servers, respectively. For an IPv4
7901 remote server, only <command>query-source</command> can
7902 be specified. Similarly, for an IPv6 remote server,
7903 only <command>query-source-v6</command> can be specified.
7909 <title><command>trusted-keys</command> Statement Grammar</title>
7911 <programlisting>trusted-keys {
7912 <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
7913 <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
7919 <title><command>trusted-keys</command> Statement Definition
7922 The <command>trusted-keys</command> statement defines
7923 DNSSEC security roots. DNSSEC is described in <xref
7924 linkend="DNSSEC"/>. A security root is defined when the
7925 public key for a non-authoritative zone is known, but
7926 cannot be securely obtained through DNS, either because
7927 it is the DNS root zone or because its parent zone is
7928 unsigned. Once a key has been configured as a trusted
7929 key, it is treated as if it had been validated and
7930 proven secure. The resolver attempts DNSSEC validation
7931 on all DNS data in subdomains of a security root.
7934 All keys (and corresponding zones) listed in
7935 <command>trusted-keys</command> are deemed to exist regardless
7936 of what parent zones say. Similarly for all keys listed in
7937 <command>trusted-keys</command> only those keys are
7938 used to validate the DNSKEY RRset. The parent's DS RRset
7942 The <command>trusted-keys</command> statement can contain
7943 multiple key entries, each consisting of the key's
7944 domain name, flags, protocol, algorithm, and the Base-64
7945 representation of the key data.
7949 <sect2 id="view_statement_grammar">
7950 <title><command>view</command> Statement Grammar</title>
7952 <programlisting>view <replaceable>view_name</replaceable>
7953 <optional><replaceable>class</replaceable></optional> {
7954 match-clients { <replaceable>address_match_list</replaceable> };
7955 match-destinations { <replaceable>address_match_list</replaceable> };
7956 match-recursive-only <replaceable>yes_or_no</replaceable> ;
7957 <optional> <replaceable>view_option</replaceable>; ...</optional>
7958 <optional> <replaceable>zone_statement</replaceable>; ...</optional>
7964 <title><command>view</command> Statement Definition and Usage</title>
7967 The <command>view</command> statement is a powerful
7969 of <acronym>BIND</acronym> 9 that lets a name server
7970 answer a DNS query differently
7971 depending on who is asking. It is particularly useful for
7973 split DNS setups without having to run multiple servers.
7977 Each <command>view</command> statement defines a view
7979 DNS namespace that will be seen by a subset of clients. A client
7981 a view if its source IP address matches the
7982 <varname>address_match_list</varname> of the view's
7983 <command>match-clients</command> clause and its
7984 destination IP address matches
7985 the <varname>address_match_list</varname> of the
7987 <command>match-destinations</command> clause. If not
7989 <command>match-clients</command> and <command>match-destinations</command>
7990 default to matching all addresses. In addition to checking IP
7992 <command>match-clients</command> and <command>match-destinations</command>
7993 can also take <command>keys</command> which provide an
7995 client to select the view. A view can also be specified
7996 as <command>match-recursive-only</command>, which
7997 means that only recursive
7998 requests from matching clients will match that view.
7999 The order of the <command>view</command> statements is
8001 a client request will be resolved in the context of the first
8002 <command>view</command> that it matches.
8006 Zones defined within a <command>view</command>
8008 be only be accessible to clients that match the <command>view</command>.
8009 By defining a zone of the same name in multiple views, different
8010 zone data can be given to different clients, for example,
8012 and "external" clients in a split DNS setup.
8016 Many of the options given in the <command>options</command> statement
8017 can also be used within a <command>view</command>
8019 apply only when resolving queries with that view. When no
8021 value is given, the value in the <command>options</command> statement
8022 is used as a default. Also, zone options can have default values
8024 in the <command>view</command> statement; these
8025 view-specific defaults
8026 take precedence over those in the <command>options</command> statement.
8030 Views are class specific. If no class is given, class IN
8031 is assumed. Note that all non-IN views must contain a hint zone,
8032 since only the IN class has compiled-in default hints.
8036 If there are no <command>view</command> statements in
8038 file, a default view that matches any client is automatically
8040 in class IN. Any <command>zone</command> statements
8042 the top level of the configuration file are considered to be part
8044 this default view, and the <command>options</command>
8046 apply to the default view. If any explicit <command>view</command>
8047 statements are present, all <command>zone</command>
8049 occur inside <command>view</command> statements.
8053 Here is an example of a typical split DNS setup implemented
8054 using <command>view</command> statements:
8057 <programlisting>view "internal" {
8058 // This should match our internal networks.
8059 match-clients { 10.0.0.0/8; };
8061 // Provide recursive service to internal clients only.
8064 // Provide a complete view of the example.com zone
8065 // including addresses of internal hosts.
8066 zone "example.com" {
8068 file "example-internal.db";
8073 // Match all clients not matched by the previous view.
8074 match-clients { any; };
8076 // Refuse recursive service to external clients.
8079 // Provide a restricted view of the example.com zone
8080 // containing only publicly accessible hosts.
8081 zone "example.com" {
8083 file "example-external.db";
8089 <sect2 id="zone_statement_grammar">
8090 <title><command>zone</command>
8091 Statement Grammar</title>
8093 <programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8095 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8096 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8097 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
8098 <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
8099 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8100 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8101 <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8102 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
8103 <optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
8104 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8105 <optional> file <replaceable>string</replaceable> ; </optional>
8106 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8107 <optional> journal <replaceable>string</replaceable> ; </optional>
8108 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8109 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8110 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8111 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8112 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8113 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8114 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8115 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8116 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8117 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
8118 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8119 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8120 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8121 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8122 <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
8123 <optional> database <replaceable>string</replaceable> ; </optional>
8124 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8125 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8126 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8127 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8128 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
8129 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8132 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8134 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
8135 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8136 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8137 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
8138 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
8139 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8140 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8141 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8142 <optional> file <replaceable>string</replaceable> ; </optional>
8143 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8144 <optional> journal <replaceable>string</replaceable> ; </optional>
8145 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8146 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8147 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8148 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8149 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8150 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8151 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8152 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8153 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8154 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8155 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8156 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8157 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8158 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8159 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8160 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8161 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8162 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8163 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8164 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8165 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8166 <optional> database <replaceable>string</replaceable> ; </optional>
8167 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8168 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8169 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8170 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8171 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8172 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8175 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8177 file <replaceable>string</replaceable> ;
8178 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8179 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
8182 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8184 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8185 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8186 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8187 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8188 <optional> file <replaceable>string</replaceable> ; </optional>
8189 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8190 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8191 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8192 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8193 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8194 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8195 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8196 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8197 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8198 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8199 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8200 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8201 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8202 <optional> database <replaceable>string</replaceable> ; </optional>
8203 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8204 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8205 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8206 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8207 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8210 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8212 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8213 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8214 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8217 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8218 type delegation-only;
8225 <title><command>zone</command> Statement Definition and Usage</title>
8227 <title>Zone Types</title>
8228 <informaltable colsep="0" rowsep="0">
8229 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
8230 <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
8231 <!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
8232 <colspec colname="1" colnum="1" colsep="0"/>
8233 <colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
8238 <varname>master</varname>
8243 The server has a master copy of the data
8244 for the zone and will be able to provide authoritative
8253 <varname>slave</varname>
8258 A slave zone is a replica of a master
8259 zone. The <command>masters</command> list
8260 specifies one or more IP addresses
8261 of master servers that the slave contacts to update
8262 its copy of the zone.
8263 Masters list elements can also be names of other
8265 By default, transfers are made from port 53 on the
8267 be changed for all servers by specifying a port number
8269 list of IP addresses, or on a per-server basis after
8271 Authentication to the master can also be done with
8272 per-server TSIG keys.
8273 If a file is specified, then the
8274 replica will be written to this file whenever the zone
8276 and reloaded from this file on a server restart. Use
8278 recommended, since it often speeds server startup and
8280 a needless waste of bandwidth. Note that for large
8282 tens or hundreds of thousands) of zones per server, it
8284 use a two-level naming scheme for zone filenames. For
8286 a slave server for the zone <literal>example.com</literal> might place
8287 the zone contents into a file called
8288 <filename>ex/example.com</filename> where <filename>ex/</filename> is
8289 just the first two letters of the zone name. (Most
8291 behave very slowly if you put 100 000 files into
8292 a single directory.)
8299 <varname>stub</varname>
8304 A stub zone is similar to a slave zone,
8305 except that it replicates only the NS records of a
8307 of the entire zone. Stub zones are not a standard part
8309 they are a feature specific to the <acronym>BIND</acronym> implementation.
8313 Stub zones can be used to eliminate the need for glue
8315 in a parent zone at the expense of maintaining a stub
8317 a set of name server addresses in <filename>named.conf</filename>.
8318 This usage is not recommended for new configurations,
8320 supports it only in a limited way.
8321 In <acronym>BIND</acronym> 4/8, zone
8322 transfers of a parent zone
8323 included the NS records from stub children of that
8325 that, in some cases, users could get away with
8326 configuring child stubs
8327 only in the master server for the parent zone. <acronym>BIND</acronym>
8328 9 never mixes together zone data from different zones
8330 way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
8331 zone has child stub zones configured, all the slave
8333 parent zone also need to have the same child stub
8339 Stub zones can also be used as a way of forcing the
8341 of a given domain to use a particular set of
8342 authoritative servers.
8343 For example, the caching name servers on a private
8345 RFC1918 addressing may be configured with stub zones
8347 <literal>10.in-addr.arpa</literal>
8348 to use a set of internal name servers as the
8350 servers for that domain.
8357 <varname>forward</varname>
8362 A "forward zone" is a way to configure
8363 forwarding on a per-domain basis. A <command>zone</command> statement
8364 of type <command>forward</command> can
8365 contain a <command>forward</command>
8366 and/or <command>forwarders</command>
8368 which will apply to queries within the domain given by
8370 name. If no <command>forwarders</command>
8371 statement is present or
8372 an empty list for <command>forwarders</command> is given, then no
8373 forwarding will be done for the domain, canceling the
8375 any forwarders in the <command>options</command> statement. Thus
8376 if you want to use this type of zone to change the
8378 global <command>forward</command> option
8379 (that is, "forward first"
8380 to, then "forward only", or vice versa, but want to
8382 servers as set globally) you need to re-specify the
8390 <varname>hint</varname>
8395 The initial set of root name servers is
8396 specified using a "hint zone". When the server starts
8398 the root hints to find a root name server and get the
8400 list of root name servers. If no hint zone is
8402 IN, the server uses a compiled-in default set of root
8404 Classes other than IN have no built-in defaults hints.
8411 <varname>delegation-only</varname>
8416 This is used to enforce the delegation-only
8417 status of infrastructure zones (e.g. COM, NET, ORG).
8419 is received without an explicit or implicit delegation
8421 section will be treated as NXDOMAIN. This does not
8423 apex. This should not be applied to leaf zones.
8426 <varname>delegation-only</varname> has no
8427 effect on answers received
8438 <title>Class</title>
8440 The zone's name may optionally be followed by a class. If
8441 a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
8442 is assumed. This is correct for the vast majority of cases.
8445 The <literal>hesiod</literal> class is
8446 named for an information service from MIT's Project Athena. It
8448 used to share information about various systems databases, such
8449 as users, groups, printers and so on. The keyword
8450 <literal>HS</literal> is
8451 a synonym for hesiod.
8454 Another MIT development is Chaosnet, a LAN protocol created
8455 in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
8460 <title>Zone Options</title>
8465 <term><command>allow-notify</command></term>
8468 See the description of
8469 <command>allow-notify</command> in <xref linkend="access_control"/>.
8475 <term><command>allow-query</command></term>
8478 See the description of
8479 <command>allow-query</command> in <xref linkend="access_control"/>.
8485 <term><command>allow-transfer</command></term>
8488 See the description of <command>allow-transfer</command>
8489 in <xref linkend="access_control"/>.
8495 <term><command>allow-update</command></term>
8498 See the description of <command>allow-update</command>
8499 in <xref linkend="access_control"/>.
8505 <term><command>update-policy</command></term>
8508 Specifies a "Simple Secure Update" policy. See
8509 <xref linkend="dynamic_update_policies"/>.
8515 <term><command>allow-update-forwarding</command></term>
8518 See the description of <command>allow-update-forwarding</command>
8519 in <xref linkend="access_control"/>.
8525 <term><command>also-notify</command></term>
8528 Only meaningful if <command>notify</command>
8530 active for this zone. The set of machines that will
8532 <literal>DNS NOTIFY</literal> message
8533 for this zone is made up of all the listed name servers
8535 the primary master) for the zone plus any IP addresses
8537 with <command>also-notify</command>. A port
8539 with each <command>also-notify</command>
8540 address to send the notify
8541 messages to a port other than the default of 53.
8542 <command>also-notify</command> is not
8543 meaningful for stub zones.
8544 The default is the empty list.
8550 <term><command>check-names</command></term>
8553 This option is used to restrict the character set and
8555 certain domain names in master files and/or DNS responses
8557 network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
8558 zones the default is <command>warn</command>.
8564 <term><command>check-mx</command></term>
8567 See the description of
8568 <command>check-mx</command> in <xref linkend="boolean_options"/>.
8574 <term><command>check-wildcard</command></term>
8577 See the description of
8578 <command>check-wildcard</command> in <xref linkend="boolean_options"/>.
8584 <term><command>check-integrity</command></term>
8587 See the description of
8588 <command>check-integrity</command> in <xref linkend="boolean_options"/>.
8594 <term><command>check-sibling</command></term>
8597 See the description of
8598 <command>check-sibling</command> in <xref linkend="boolean_options"/>.
8604 <term><command>zero-no-soa-ttl</command></term>
8607 See the description of
8608 <command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
8614 <term><command>update-check-ksk</command></term>
8617 See the description of
8618 <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
8624 <term><command>database</command></term>
8627 Specify the type of database to be used for storing the
8628 zone data. The string following the <command>database</command> keyword
8629 is interpreted as a list of whitespace-delimited words.
8631 identifies the database type, and any subsequent words are
8633 as arguments to the database to be interpreted in a way
8635 to the database type.
8638 The default is <userinput>"rbt"</userinput>, BIND 9's
8640 red-black-tree database. This database does not take
8644 Other values are possible if additional database drivers
8645 have been linked into the server. Some sample drivers are
8647 with the distribution but none are linked in by default.
8653 <term><command>dialup</command></term>
8656 See the description of
8657 <command>dialup</command> in <xref linkend="boolean_options"/>.
8663 <term><command>delegation-only</command></term>
8666 The flag only applies to hint and stub zones. If set
8667 to <userinput>yes</userinput>, then the zone will also be
8669 is also a delegation-only type zone.
8675 <term><command>forward</command></term>
8678 Only meaningful if the zone has a forwarders
8679 list. The <command>only</command> value causes
8681 after trying the forwarders and getting no answer, while <command>first</command> would
8682 allow a normal lookup to be tried.
8688 <term><command>forwarders</command></term>
8691 Used to override the list of global forwarders.
8692 If it is not specified in a zone of type <command>forward</command>,
8693 no forwarding is done for the zone and the global options are
8700 <term><command>ixfr-base</command></term>
8703 Was used in <acronym>BIND</acronym> 8 to
8705 of the transaction log (journal) file for dynamic update
8707 <acronym>BIND</acronym> 9 ignores the option
8708 and constructs the name of the journal
8709 file by appending "<filename>.jnl</filename>"
8717 <term><command>ixfr-tmp-file</command></term>
8720 Was an undocumented option in <acronym>BIND</acronym> 8.
8721 Ignored in <acronym>BIND</acronym> 9.
8727 <term><command>journal</command></term>
8730 Allow the default journal's filename to be overridden.
8731 The default is the zone's filename with "<filename>.jnl</filename>" appended.
8732 This is applicable to <command>master</command> and <command>slave</command> zones.
8738 <term><command>max-transfer-time-in</command></term>
8741 See the description of
8742 <command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
8748 <term><command>max-transfer-idle-in</command></term>
8751 See the description of
8752 <command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
8758 <term><command>max-transfer-time-out</command></term>
8761 See the description of
8762 <command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
8768 <term><command>max-transfer-idle-out</command></term>
8771 See the description of
8772 <command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
8778 <term><command>notify</command></term>
8781 See the description of
8782 <command>notify</command> in <xref linkend="boolean_options"/>.
8788 <term><command>notify-delay</command></term>
8791 See the description of
8792 <command>notify-delay</command> in <xref linkend="tuning"/>.
8798 <term><command>pubkey</command></term>
8801 In <acronym>BIND</acronym> 8, this option was
8802 intended for specifying
8803 a public zone key for verification of signatures in DNSSEC
8805 zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
8806 on load and ignores the option.
8812 <term><command>zone-statistics</command></term>
8815 If <userinput>yes</userinput>, the server will keep
8817 information for this zone, which can be dumped to the
8818 <command>statistics-file</command> defined in
8825 <term><command>sig-validity-interval</command></term>
8828 See the description of
8829 <command>sig-validity-interval</command> in <xref linkend="tuning"/>.
8835 <term><command>transfer-source</command></term>
8838 See the description of
8839 <command>transfer-source</command> in <xref linkend="zone_transfers"/>.
8845 <term><command>transfer-source-v6</command></term>
8848 See the description of
8849 <command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
8855 <term><command>alt-transfer-source</command></term>
8858 See the description of
8859 <command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
8865 <term><command>alt-transfer-source-v6</command></term>
8868 See the description of
8869 <command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
8875 <term><command>use-alt-transfer-source</command></term>
8878 See the description of
8879 <command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
8886 <term><command>notify-source</command></term>
8889 See the description of
8890 <command>notify-source</command> in <xref linkend="zone_transfers"/>.
8896 <term><command>notify-source-v6</command></term>
8899 See the description of
8900 <command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
8906 <term><command>min-refresh-time</command></term>
8907 <term><command>max-refresh-time</command></term>
8908 <term><command>min-retry-time</command></term>
8909 <term><command>max-retry-time</command></term>
8912 See the description in <xref linkend="tuning"/>.
8918 <term><command>ixfr-from-differences</command></term>
8921 See the description of
8922 <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
8928 <term><command>key-directory</command></term>
8931 See the description of
8932 <command>key-directory</command> in <xref linkend="options"/>.
8938 <term><command>multi-master</command></term>
8941 See the description of <command>multi-master</command> in
8942 <xref linkend="boolean_options"/>.
8948 <term><command>masterfile-format</command></term>
8951 See the description of <command>masterfile-format</command>
8952 in <xref linkend="tuning"/>.
8960 <sect3 id="dynamic_update_policies">
8961 <title>Dynamic Update Policies</title>
8963 <acronym>BIND</acronym> 9 supports two alternative
8964 methods of granting clients
8965 the right to perform dynamic updates to a zone,
8966 configured by the <command>allow-update</command>
8968 <command>update-policy</command> option,
8972 The <command>allow-update</command> clause works the
8974 way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
8975 permission to update any record of any name in the zone.
8978 The <command>update-policy</command> clause is new
8979 in <acronym>BIND</acronym>
8980 9 and allows more fine-grained control over what updates are
8982 A set of rules is specified, where each rule either grants or
8984 permissions for one or more names to be updated by one or more
8986 If the dynamic update request message is signed (that is, it
8988 either a TSIG or SIG(0) record), the identity of the signer can
8992 Rules are specified in the <command>update-policy</command> zone
8993 option, and are only meaningful for master zones. When the <command>update-policy</command> statement
8994 is present, it is a configuration error for the <command>allow-update</command> statement
8995 to be present. The <command>update-policy</command>
8997 examines the signer of a message; the source address is not
9001 This is how a rule definition looks:
9005 ( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
9009 Each rule grants or denies privileges. Once a message has
9010 successfully matched a rule, the operation is immediately
9012 or denied and no further rules are examined. A rule is matched
9013 when the signer matches the identity field, the name matches the
9014 name field in accordance with the nametype field, and the type
9016 the types specified in the type field.
9020 The identity field specifies a name or a wildcard name.
9022 is the name of the TSIG or SIG(0) key used to sign the update
9024 TKEY exchange has been used to create a shared secret, the
9026 shared secret is the same as the identity of the key used to
9028 TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
9029 wildcard name, it is subject to DNS wildcard expansion, so the
9031 to multiple identities. The <replaceable>identity</replaceable> field must
9032 contain a fully-qualified domain name.
9036 The <replaceable>nametype</replaceable> field has 6
9038 <varname>name</varname>, <varname>subdomain</varname>,
9039 <varname>wildcard</varname>, <varname>self</varname>,
9040 <varname>selfsub</varname>, and <varname>selfwild</varname>.
9043 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9044 <colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
9045 <colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
9050 <varname>name</varname>
9052 </entry> <entry colname="2">
9054 Exact-match semantics. This rule matches
9055 when the name being updated is identical
9056 to the contents of the
9057 <replaceable>name</replaceable> field.
9064 <varname>subdomain</varname>
9066 </entry> <entry colname="2">
9068 This rule matches when the name being updated
9069 is a subdomain of, or identical to, the
9070 contents of the <replaceable>name</replaceable>
9078 <varname>wildcard</varname>
9080 </entry> <entry colname="2">
9082 The <replaceable>name</replaceable> field
9083 is subject to DNS wildcard expansion, and
9084 this rule matches when the name being updated
9085 name is a valid expansion of the wildcard.
9092 <varname>self</varname>
9097 This rule matches when the name being updated
9098 matches the contents of the
9099 <replaceable>identity</replaceable> field.
9100 The <replaceable>name</replaceable> field
9101 is ignored, but should be the same as the
9102 <replaceable>identity</replaceable> field.
9103 The <varname>self</varname> nametype is
9104 most useful when allowing using one key per
9105 name to update, where the key has the same
9106 name as the name to be updated. The
9107 <replaceable>identity</replaceable> would
9108 be specified as <constant>*</constant> (an asterisk) in
9116 <varname>selfsub</varname>
9118 </entry> <entry colname="2">
9120 This rule is similar to <varname>self</varname>
9121 except that subdomains of <varname>self</varname>
9122 can also be updated.
9129 <varname>selfwild</varname>
9131 </entry> <entry colname="2">
9133 This rule is similar to <varname>self</varname>
9134 except that only subdomains of
9135 <varname>self</varname> can be updated.
9144 In all cases, the <replaceable>name</replaceable>
9146 specify a fully-qualified domain name.
9150 If no types are explicitly specified, this rule matches all
9152 RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
9153 "ANY" (ANY matches all types except NSEC, which can never be
9155 Note that when an attempt is made to delete all records
9157 name, the rules are checked for each existing record type.
9163 <title>Zone File</title>
9164 <sect2 id="types_of_resource_records_and_when_to_use_them">
9165 <title>Types of Resource Records and When to Use Them</title>
9167 This section, largely borrowed from RFC 1034, describes the
9168 concept of a Resource Record (RR) and explains when each is used.
9169 Since the publication of RFC 1034, several new RRs have been
9171 and implemented in the DNS. These are also included.
9174 <title>Resource Records</title>
9177 A domain name identifies a node. Each node has a set of
9178 resource information, which may be empty. The set of resource
9179 information associated with a particular name is composed of
9180 separate RRs. The order of RRs in a set is not significant and
9181 need not be preserved by name servers, resolvers, or other
9182 parts of the DNS. However, sorting of multiple RRs is
9183 permitted for optimization purposes, for example, to specify
9184 that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
9188 The components of a Resource Record are:
9190 <informaltable colsep="0" rowsep="0">
9191 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9192 <colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
9193 <colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
9203 The domain name where the RR is found.
9215 An encoded 16-bit value that specifies
9216 the type of the resource record.
9228 The time-to-live of the RR. This field
9229 is a 32-bit integer in units of seconds, and is
9231 resolvers when they cache RRs. The TTL describes how
9233 be cached before it should be discarded.
9245 An encoded 16-bit value that identifies
9246 a protocol family or instance of a protocol.
9258 The resource data. The format of the
9259 data is type (and sometimes class) specific.
9267 The following are <emphasis>types</emphasis> of valid RRs:
9269 <informaltable colsep="0" rowsep="0">
9270 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9271 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9272 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9282 A host address. In the IN class, this is a
9283 32-bit IP address. Described in RFC 1035.
9295 IPv6 address. Described in RFC 1886.
9307 IPv6 address. This can be a partial
9308 address (a suffix) and an indirection to the name
9309 where the rest of the
9310 address (the prefix) can be found. Experimental.
9311 Described in RFC 2874.
9323 Location of AFS database servers.
9324 Experimental. Described in RFC 1183.
9336 Address prefix list. Experimental.
9337 Described in RFC 3123.
9349 Holds a digital certificate.
9350 Described in RFC 2538.
9362 Identifies the canonical name of an alias.
9363 Described in RFC 1035.
9375 Replaces the domain name specified with
9376 another name to be looked up, effectively aliasing an
9378 subtree of the domain name space rather than a single
9380 as in the case of the CNAME RR.
9381 Described in RFC 2672.
9393 Stores a public key associated with a signed
9394 DNS zone. Described in RFC 4034.
9406 Stores the hash of a public key associated with a
9407 signed DNS zone. Described in RFC 4034.
9419 Specifies the global position. Superseded by LOC.
9431 Identifies the CPU and OS used by a host.
9432 Described in RFC 1035.
9444 Representation of ISDN addresses.
9445 Experimental. Described in RFC 1183.
9457 Stores a public key associated with a
9458 DNS name. Used in original DNSSEC; replaced
9459 by DNSKEY in DNSSECbis, but still used with
9460 SIG(0). Described in RFCs 2535 and 2931.
9472 Identifies a key exchanger for this
9473 DNS name. Described in RFC 2230.
9485 For storing GPS info. Described in RFC 1876.
9498 Identifies a mail exchange for the domain with
9499 a 16-bit preference value (lower is better)
9500 followed by the host name of the mail exchange.
9501 Described in RFC 974, RFC 1035.
9513 Name authority pointer. Described in RFC 2915.
9525 A network service access point.
9526 Described in RFC 1706.
9538 The authoritative name server for the
9539 domain. Described in RFC 1035.
9551 Used in DNSSECbis to securely indicate that
9552 RRs with an owner name in a certain name interval do
9554 a zone and indicate what RR types are present for an
9556 Described in RFC 4034.
9568 Used in DNSSEC to securely indicate that
9569 RRs with an owner name in a certain name interval do
9571 a zone and indicate what RR types are present for an
9573 Used in original DNSSEC; replaced by NSEC in
9575 Described in RFC 2535.
9587 A pointer to another part of the domain
9588 name space. Described in RFC 1035.
9600 Provides mappings between RFC 822 and X.400
9601 addresses. Described in RFC 2163.
9613 Information on persons responsible
9614 for the domain. Experimental. Described in RFC 1183.
9626 Contains DNSSECbis signature data. Described
9639 Route-through binding for hosts that
9640 do not have their own direct wide area network
9642 Experimental. Described in RFC 1183.
9654 Contains DNSSEC signature data. Used in
9655 original DNSSEC; replaced by RRSIG in
9656 DNSSECbis, but still used for SIG(0).
9657 Described in RFCs 2535 and 2931.
9669 Identifies the start of a zone of authority.
9670 Described in RFC 1035.
9682 Information about well known network
9683 services (replaces WKS). Described in RFC 2782.
9695 Text records. Described in RFC 1035.
9707 Information about which well known
9708 network services, such as SMTP, that a domain
9709 supports. Historical.
9721 Representation of X.25 network addresses.
9722 Experimental. Described in RFC 1183.
9730 The following <emphasis>classes</emphasis> of resource records
9731 are currently valid in the DNS:
9733 <informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9734 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9735 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9759 Chaosnet, a LAN protocol created at MIT in the
9761 Rarely used for its historical purpose, but reused for
9763 built-in server information zones, e.g.,
9764 <literal>version.bind</literal>.
9777 Hesiod, an information service
9778 developed by MIT's Project Athena. It is used to share
9780 about various systems databases, such as users,
9792 The owner name is often implicit, rather than forming an
9794 part of the RR. For example, many name servers internally form
9796 or hash structures for the name space, and chain RRs off nodes.
9797 The remaining RR parts are the fixed header (type, class, TTL)
9798 which is consistent for all RRs, and a variable part (RDATA)
9800 fits the needs of the resource being described.
9803 The meaning of the TTL field is a time limit on how long an
9804 RR can be kept in a cache. This limit does not apply to
9806 data in zones; it is also timed out, but by the refreshing
9808 for the zone. The TTL is assigned by the administrator for the
9809 zone where the data originates. While short TTLs can be used to
9810 minimize caching, and a zero TTL prohibits caching, the
9812 of Internet performance suggest that these times should be on
9814 order of days for the typical host. If a change can be
9816 the TTL can be reduced prior to the change to minimize
9818 during the change, and then increased back to its former value
9823 The data in the RDATA section of RRs is carried as a combination
9824 of binary strings and domain names. The domain names are
9826 used as "pointers" to other data in the DNS.
9830 <title>Textual expression of RRs</title>
9832 RRs are represented in binary form in the packets of the DNS
9833 protocol, and are usually represented in highly encoded form
9835 stored in a name server or resolver. In the examples provided
9837 RFC 1034, a style similar to that used in master files was
9839 in order to show the contents of RRs. In this format, most RRs
9840 are shown on a single line, although continuation lines are
9845 The start of the line gives the owner of the RR. If a line
9846 begins with a blank, then the owner is assumed to be the same as
9847 that of the previous RR. Blank lines are often included for
9851 Following the owner, we list the TTL, type, and class of the
9852 RR. Class and type use the mnemonics defined above, and TTL is
9853 an integer before the type field. In order to avoid ambiguity
9855 parsing, type and class mnemonics are disjoint, TTLs are
9857 and the type mnemonic is always last. The IN class and TTL
9859 are often omitted from examples in the interests of clarity.
9862 The resource data or RDATA section of the RR are given using
9863 knowledge of the typical representation for the data.
9866 For example, we might show the RRs carried in a message as:
9868 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9869 <colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
9870 <colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
9871 <colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
9876 <literal>ISI.EDU.</literal>
9881 <literal>MX</literal>
9886 <literal>10 VENERA.ISI.EDU.</literal>
9896 <literal>MX</literal>
9901 <literal>10 VAXA.ISI.EDU</literal>
9908 <literal>VENERA.ISI.EDU</literal>
9913 <literal>A</literal>
9918 <literal>128.9.0.32</literal>
9928 <literal>A</literal>
9933 <literal>10.1.0.52</literal>
9940 <literal>VAXA.ISI.EDU</literal>
9945 <literal>A</literal>
9950 <literal>10.2.0.27</literal>
9960 <literal>A</literal>
9965 <literal>128.9.0.33</literal>
9973 The MX RRs have an RDATA section which consists of a 16-bit
9974 number followed by a domain name. The address RRs use a
9976 IP address format to contain a 32-bit internet address.
9979 The above example shows six RRs, with two RRs at each of three
9983 Similarly we might see:
9985 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9986 <colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
9987 <colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
9988 <colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
9993 <literal>XX.LCS.MIT.EDU.</literal>
9998 <literal>IN A</literal>
10001 <entry colname="3">
10003 <literal>10.0.0.44</literal>
10008 <entry colname="1"/>
10009 <entry colname="2">
10011 <literal>CH A</literal>
10014 <entry colname="3">
10016 <literal>MIT.EDU. 2420</literal>
10024 This example shows two addresses for
10025 <literal>XX.LCS.MIT.EDU</literal>, each of a different class.
10031 <title>Discussion of MX Records</title>
10034 As described above, domain servers store information as a
10035 series of resource records, each of which contains a particular
10036 piece of information about a given domain name (which is usually,
10037 but not always, a host). The simplest way to think of a RR is as
10038 a typed pair of data, a domain name matched with a relevant datum,
10039 and stored with some additional type information to help systems
10040 determine when the RR is relevant.
10044 MX records are used to control delivery of email. The data
10045 specified in the record is a priority and a domain name. The
10047 controls the order in which email delivery is attempted, with the
10048 lowest number first. If two priorities are the same, a server is
10049 chosen randomly. If no servers at a given priority are responding,
10050 the mail transport agent will fall back to the next largest
10052 Priority numbers do not have any absolute meaning — they are
10054 only respective to other MX records for that domain name. The
10056 name given is the machine to which the mail will be delivered.
10057 It <emphasis>must</emphasis> have an associated address record
10058 (A or AAAA) — CNAME is not sufficient.
10061 For a given domain, if there is both a CNAME record and an
10062 MX record, the MX record is in error, and will be ignored.
10064 the mail will be delivered to the server specified in the MX
10066 pointed to by the CNAME.
10071 <informaltable colsep="0" rowsep="0">
10072 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10073 <colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
10074 <colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
10075 <colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
10076 <colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
10077 <colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
10080 <entry colname="1">
10082 <literal>example.com.</literal>
10085 <entry colname="2">
10087 <literal>IN</literal>
10090 <entry colname="3">
10092 <literal>MX</literal>
10095 <entry colname="4">
10097 <literal>10</literal>
10100 <entry colname="5">
10102 <literal>mail.example.com.</literal>
10107 <entry colname="1">
10110 <entry colname="2">
10112 <literal>IN</literal>
10115 <entry colname="3">
10117 <literal>MX</literal>
10120 <entry colname="4">
10122 <literal>10</literal>
10125 <entry colname="5">
10127 <literal>mail2.example.com.</literal>
10132 <entry colname="1">
10135 <entry colname="2">
10137 <literal>IN</literal>
10140 <entry colname="3">
10142 <literal>MX</literal>
10145 <entry colname="4">
10147 <literal>20</literal>
10150 <entry colname="5">
10152 <literal>mail.backup.org.</literal>
10157 <entry colname="1">
10159 <literal>mail.example.com.</literal>
10162 <entry colname="2">
10164 <literal>IN</literal>
10167 <entry colname="3">
10169 <literal>A</literal>
10172 <entry colname="4">
10174 <literal>10.0.0.1</literal>
10177 <entry colname="5">
10182 <entry colname="1">
10184 <literal>mail2.example.com.</literal>
10187 <entry colname="2">
10189 <literal>IN</literal>
10192 <entry colname="3">
10194 <literal>A</literal>
10197 <entry colname="4">
10199 <literal>10.0.0.2</literal>
10202 <entry colname="5">
10208 </informaltable><para>
10209 Mail delivery will be attempted to <literal>mail.example.com</literal> and
10210 <literal>mail2.example.com</literal> (in
10211 any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
10215 <sect2 id="Setting_TTLs">
10216 <title>Setting TTLs</title>
10218 The time-to-live of the RR field is a 32-bit integer represented
10219 in units of seconds, and is primarily used by resolvers when they
10220 cache RRs. The TTL describes how long a RR can be cached before it
10221 should be discarded. The following three types of TTL are
10223 used in a zone file.
10225 <informaltable colsep="0" rowsep="0">
10226 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10227 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
10228 <colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
10231 <entry colname="1">
10236 <entry colname="2">
10238 The last field in the SOA is the negative
10239 caching TTL. This controls how long other servers will
10240 cache no-such-domain
10241 (NXDOMAIN) responses from you.
10244 The maximum time for
10245 negative caching is 3 hours (3h).
10250 <entry colname="1">
10255 <entry colname="2">
10257 The $TTL directive at the top of the
10258 zone file (before the SOA) gives a default TTL for every
10260 a specific TTL set.
10265 <entry colname="1">
10270 <entry colname="2">
10272 Each RR can have a TTL as the second
10273 field in the RR, which will control how long other
10283 All of these TTLs default to units of seconds, though units
10284 can be explicitly specified, for example, <literal>1h30m</literal>.
10288 <title>Inverse Mapping in IPv4</title>
10290 Reverse name resolution (that is, translation from IP address
10291 to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
10292 and PTR records. Entries in the in-addr.arpa domain are made in
10293 least-to-most significant order, read left to right. This is the
10294 opposite order to the way IP addresses are usually written. Thus,
10295 a machine with an IP address of 10.1.2.3 would have a
10297 in-addr.arpa name of
10298 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
10299 whose data field is the name of the machine or, optionally,
10301 PTR records if the machine has more than one name. For example,
10302 in the <optional>example.com</optional> domain:
10304 <informaltable colsep="0" rowsep="0">
10305 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10306 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
10307 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
10310 <entry colname="1">
10312 <literal>$ORIGIN</literal>
10315 <entry colname="2">
10317 <literal>2.1.10.in-addr.arpa</literal>
10322 <entry colname="1">
10324 <literal>3</literal>
10327 <entry colname="2">
10329 <literal>IN PTR foo.example.com.</literal>
10338 The <command>$ORIGIN</command> lines in the examples
10339 are for providing context to the examples only — they do not
10341 appear in the actual usage. They are only used here to indicate
10342 that the example is relative to the listed origin.
10347 <title>Other Zone File Directives</title>
10349 The Master File Format was initially defined in RFC 1035 and
10350 has subsequently been extended. While the Master File Format
10352 is class independent all records in a Master File must be of the
10357 Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
10358 and <command>$TTL.</command>
10361 <title>The <command>$ORIGIN</command> Directive</title>
10363 Syntax: <command>$ORIGIN</command>
10364 <replaceable>domain-name</replaceable>
10365 <optional><replaceable>comment</replaceable></optional>
10367 <para><command>$ORIGIN</command>
10368 sets the domain name that will be appended to any
10369 unqualified records. When a zone is first read in there
10370 is an implicit <command>$ORIGIN</command>
10371 <<varname>zone-name</varname>><command>.</command>
10372 The current <command>$ORIGIN</command> is appended to
10373 the domain specified in the <command>$ORIGIN</command>
10374 argument if it is not absolute.
10378 $ORIGIN example.com.
10379 WWW CNAME MAIN-SERVER
10387 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
10392 <title>The <command>$INCLUDE</command> Directive</title>
10394 Syntax: <command>$INCLUDE</command>
10395 <replaceable>filename</replaceable>
10397 <replaceable>origin</replaceable> </optional>
10398 <optional> <replaceable>comment</replaceable> </optional>
10401 Read and process the file <filename>filename</filename> as
10402 if it were included into the file at this point. If <command>origin</command> is
10403 specified the file is processed with <command>$ORIGIN</command> set
10404 to that value, otherwise the current <command>$ORIGIN</command> is
10408 The origin and the current domain name
10409 revert to the values they had prior to the <command>$INCLUDE</command> once
10410 the file has been read.
10414 RFC 1035 specifies that the current origin should be restored
10416 an <command>$INCLUDE</command>, but it is silent
10417 on whether the current
10418 domain name should also be restored. BIND 9 restores both of
10420 This could be construed as a deviation from RFC 1035, a
10426 <title>The <command>$TTL</command> Directive</title>
10428 Syntax: <command>$TTL</command>
10429 <replaceable>default-ttl</replaceable>
10431 <replaceable>comment</replaceable> </optional>
10434 Set the default Time To Live (TTL) for subsequent records
10435 with undefined TTLs. Valid TTLs are of the range 0-2147483647
10438 <para><command>$TTL</command>
10439 is defined in RFC 2308.
10444 <title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
10446 Syntax: <command>$GENERATE</command>
10447 <replaceable>range</replaceable>
10448 <replaceable>lhs</replaceable>
10449 <optional><replaceable>ttl</replaceable></optional>
10450 <optional><replaceable>class</replaceable></optional>
10451 <replaceable>type</replaceable>
10452 <replaceable>rhs</replaceable>
10453 <optional><replaceable>comment</replaceable></optional>
10455 <para><command>$GENERATE</command>
10456 is used to create a series of resource records that only
10457 differ from each other by an
10458 iterator. <command>$GENERATE</command> can be used to
10459 easily generate the sets of records required to support
10460 sub /24 reverse delegations described in RFC 2317:
10461 Classless IN-ADDR.ARPA delegation.
10464 <programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
10465 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
10466 $GENERATE 1-127 $ CNAME $.0</programlisting>
10472 <programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
10473 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
10474 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
10475 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
10477 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
10480 <informaltable colsep="0" rowsep="0">
10481 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10482 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
10483 <colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
10486 <entry colname="1">
10487 <para><command>range</command></para>
10489 <entry colname="2">
10491 This can be one of two forms: start-stop
10492 or start-stop/step. If the first form is used, then step
10494 1. All of start, stop and step must be positive.
10499 <entry colname="1">
10500 <para><command>lhs</command></para>
10502 <entry colname="2">
10504 describes the owner name of the resource records
10505 to be created. Any single <command>$</command>
10507 symbols within the <command>lhs</command> side
10508 are replaced by the iterator value.
10510 To get a $ in the output, you need to escape the
10511 <command>$</command> using a backslash
10512 <command>\</command>,
10513 e.g. <command>\$</command>. The
10514 <command>$</command> may optionally be followed
10515 by modifiers which change the offset from the
10516 iterator, field width and base.
10518 Modifiers are introduced by a
10519 <command>{</command> (left brace) immediately following the
10520 <command>$</command> as
10521 <command>${offset[,width[,base]]}</command>.
10522 For example, <command>${-20,3,d}</command>
10523 subtracts 20 from the current value, prints the
10524 result as a decimal in a zero-padded field of
10527 Available output forms are decimal
10528 (<command>d</command>), octal
10529 (<command>o</command>) and hexadecimal
10530 (<command>x</command> or <command>X</command>
10531 for uppercase). The default modifier is
10532 <command>${0,0,d}</command>. If the
10533 <command>lhs</command> is not absolute, the
10534 current <command>$ORIGIN</command> is appended
10538 For compatibility with earlier versions, <command>$$</command> is still
10539 recognized as indicating a literal $ in the output.
10544 <entry colname="1">
10545 <para><command>ttl</command></para>
10547 <entry colname="2">
10549 Specifies the time-to-live of the generated records. If
10550 not specified this will be inherited using the
10551 normal ttl inheritance rules.
10553 <para><command>class</command>
10554 and <command>ttl</command> can be
10555 entered in either order.
10560 <entry colname="1">
10561 <para><command>class</command></para>
10563 <entry colname="2">
10565 Specifies the class of the generated records.
10566 This must match the zone class if it is
10569 <para><command>class</command>
10570 and <command>ttl</command> can be
10571 entered in either order.
10576 <entry colname="1">
10577 <para><command>type</command></para>
10579 <entry colname="2">
10581 At present the only supported types are
10582 PTR, CNAME, DNAME, A, AAAA and NS.
10587 <entry colname="1">
10588 <para><command>rhs</command></para>
10590 <entry colname="2">
10592 <command>rhs</command> is a domain name. It is processed
10601 The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
10602 and not part of the standard zone file format.
10605 BIND 8 does not support the optional TTL and CLASS fields.
10609 <sect2 id="zonefile_format">
10610 <title>Additional File Formats</title>
10612 In addition to the standard textual format, BIND 9
10613 supports the ability to read or dump to zone files in
10614 other formats. The <constant>raw</constant> format is
10615 currently available as an additional format. It is a
10616 binary format representing BIND 9's internal data
10617 structure directly, thereby remarkably improving the
10621 For a primary server, a zone file in the
10622 <constant>raw</constant> format is expected to be
10623 generated from a textual zone file by the
10624 <command>named-compilezone</command> command. For a
10625 secondary server or for a dynamic zone, it is automatically
10626 generated (if this format is specified by the
10627 <command>masterfile-format</command> option) when
10628 <command>named</command> dumps the zone contents after
10629 zone transfer or when applying prior updates.
10632 If a zone file in a binary format needs manual modification,
10633 it first must be converted to a textual form by the
10634 <command>named-compilezone</command> command. All
10635 necessary modification should go to the text file, which
10636 should then be converted to the binary form by the
10637 <command>named-compilezone</command> command again.
10640 Although the <constant>raw</constant> format uses the
10641 network byte order and avoids architecture-dependent
10642 data alignment so that it is as much portable as
10643 possible, it is primarily expected to be used inside
10644 the same single system. In order to export a zone
10645 file in the <constant>raw</constant> format or make a
10646 portable backup of the file, it is recommended to
10647 convert the file to the standard textual representation.
10652 <chapter id="Bv9ARM.ch07">
10653 <title><acronym>BIND</acronym> 9 Security Considerations</title>
10654 <sect1 id="Access_Control_Lists">
10655 <title>Access Control Lists</title>
10657 Access Control Lists (ACLs), are address match lists that
10658 you can set up and nickname for future use in <command>allow-notify</command>,
10659 <command>allow-query</command>, <command>allow-recursion</command>,
10660 <command>blackhole</command>, <command>allow-transfer</command>,
10664 Using ACLs allows you to have finer control over who can access
10665 your name server, without cluttering up your config files with huge
10666 lists of IP addresses.
10669 It is a <emphasis>good idea</emphasis> to use ACLs, and to
10670 control access to your server. Limiting access to your server by
10671 outside parties can help prevent spoofing and denial of service (DoS) attacks against
10675 Here is an example of how to properly apply ACLs:
10679 // Set up an ACL named "bogusnets" that will block RFC1918 space
10680 // and some reserved space, which is commonly used in spoofing attacks.
10682 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
10683 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
10686 // Set up an ACL called our-nets. Replace this with the real IP numbers.
10687 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
10691 allow-query { our-nets; };
10692 allow-recursion { our-nets; };
10694 blackhole { bogusnets; };
10698 zone "example.com" {
10700 file "m/example.com";
10701 allow-query { any; };
10706 This allows recursive queries of the server from the outside
10707 unless recursion has been previously disabled.
10710 For more information on how to use ACLs to protect your server,
10711 see the <emphasis>AUSCERT</emphasis> advisory at:
10714 <ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
10715 >ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
10719 <title><command>Chroot</command> and <command>Setuid</command></title>
10721 On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
10722 (using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
10723 option. This can help improve system security by placing <acronym>BIND</acronym> in
10724 a "sandbox", which will limit the damage done if a server is
10728 Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
10729 ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
10730 We suggest running as an unprivileged user when using the <command>chroot</command> feature.
10733 Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
10734 <command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
10738 <userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
10742 <title>The <command>chroot</command> Environment</title>
10745 In order for a <command>chroot</command> environment
10747 work properly in a particular directory
10748 (for example, <filename>/var/named</filename>),
10749 you will need to set up an environment that includes everything
10750 <acronym>BIND</acronym> needs to run.
10751 From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
10752 the root of the filesystem. You will need to adjust the values of
10754 like <command>directory</command> and <command>pid-file</command> to account
10758 Unlike with earlier versions of BIND, you typically will
10759 <emphasis>not</emphasis> need to compile <command>named</command>
10760 statically nor install shared libraries under the new root.
10761 However, depending on your operating system, you may need
10762 to set up things like
10763 <filename>/dev/zero</filename>,
10764 <filename>/dev/random</filename>,
10765 <filename>/dev/log</filename>, and
10766 <filename>/etc/localtime</filename>.
10771 <title>Using the <command>setuid</command> Function</title>
10774 Prior to running the <command>named</command> daemon,
10776 the <command>touch</command> utility (to change file
10778 modification times) or the <command>chown</command>
10780 set the user id and/or group id) on files
10781 to which you want <acronym>BIND</acronym>
10785 Note that if the <command>named</command> daemon is running as an
10786 unprivileged user, it will not be able to bind to new restricted
10787 ports if the server is reloaded.
10792 <sect1 id="dynamic_update_security">
10793 <title>Dynamic Update Security</title>
10796 Access to the dynamic
10797 update facility should be strictly limited. In earlier versions of
10798 <acronym>BIND</acronym>, the only way to do this was
10800 address of the host requesting the update, by listing an IP address
10802 network prefix in the <command>allow-update</command>
10804 This method is insecure since the source address of the update UDP
10806 is easily forged. Also note that if the IP addresses allowed by the
10807 <command>allow-update</command> option include the
10809 server which performs forwarding of dynamic updates, the master can
10811 trivially attacked by sending the update to the slave, which will
10812 forward it to the master with its own source IP address causing the
10813 master to approve it without question.
10817 For these reasons, we strongly recommend that updates be
10818 cryptographically authenticated by means of transaction signatures
10819 (TSIG). That is, the <command>allow-update</command>
10821 list only TSIG key names, not IP addresses or network
10822 prefixes. Alternatively, the new <command>update-policy</command>
10823 option can be used.
10827 Some sites choose to keep all dynamically-updated DNS data
10828 in a subdomain and delegate that subdomain to a separate zone. This
10829 way, the top-level zone containing critical data such as the IP
10831 of public web and mail servers need not allow dynamic update at
10838 <chapter id="Bv9ARM.ch08">
10839 <title>Troubleshooting</title>
10841 <title>Common Problems</title>
10843 <title>It's not working; how can I figure out what's wrong?</title>
10846 The best solution to solving installation and
10847 configuration issues is to take preventative measures by setting
10848 up logging files beforehand. The log files provide a
10849 source of hints and information that can be used to figure out
10850 what went wrong and how to fix the problem.
10856 <title>Incrementing and Changing the Serial Number</title>
10859 Zone serial numbers are just numbers — they aren't
10860 date related. A lot of people set them to a number that
10861 represents a date, usually of the form YYYYMMDDRR.
10862 Occasionally they will make a mistake and set them to a
10863 "date in the future" then try to correct them by setting
10864 them to the "current date". This causes problems because
10865 serial numbers are used to indicate that a zone has been
10866 updated. If the serial number on the slave server is
10867 lower than the serial number on the master, the slave
10868 server will attempt to update its copy of the zone.
10872 Setting the serial number to a lower number on the master
10873 server than the slave server means that the slave will not perform
10874 updates to its copy of the zone.
10878 The solution to this is to add 2147483647 (2^31-1) to the
10879 number, reload the zone and make sure all slaves have updated to
10880 the new zone serial number, then reset the number to what you want
10881 it to be, and reload the zone again.
10886 <title>Where Can I Get Help?</title>
10889 The Internet Systems Consortium
10890 (<acronym>ISC</acronym>) offers a wide range
10891 of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
10892 levels of premium support are available and each level includes
10893 support for all <acronym>ISC</acronym> programs,
10894 significant discounts on products
10895 and training, and a recognized priority on bug fixes and
10896 non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
10897 support agreement package which includes services ranging from bug
10898 fix announcements to remote support. It also includes training in
10899 <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
10903 To discuss arrangements for support, contact
10904 <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
10905 <acronym>ISC</acronym> web page at
10906 <ulink url="http://www.isc.org/services/support/"
10907 >http://www.isc.org/services/support/</ulink>
10912 <appendix id="Bv9ARM.ch09">
10913 <title>Appendices</title>
10915 <title>Acknowledgments</title>
10916 <sect2 id="historical_dns_information">
10917 <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
10920 Although the "official" beginning of the Domain Name
10921 System occurred in 1984 with the publication of RFC 920, the
10922 core of the new system was described in 1983 in RFCs 882 and
10923 883. From 1984 to 1987, the ARPAnet (the precursor to today's
10924 Internet) became a testbed of experimentation for developing the
10925 new naming/addressing scheme in a rapidly expanding,
10926 operational network environment. New RFCs were written and
10927 published in 1987 that modified the original documents to
10928 incorporate improvements based on the working model. RFC 1034,
10929 "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
10930 Names-Implementation and Specification" were published and
10931 became the standards upon which all <acronym>DNS</acronym> implementations are
10936 The first working domain name server, called "Jeeves", was
10937 written in 1983-84 by Paul Mockapetris for operation on DEC
10939 machines located at the University of Southern California's
10941 Sciences Institute (USC-ISI) and SRI International's Network
10943 Center (SRI-NIC). A <acronym>DNS</acronym> server for
10944 Unix machines, the Berkeley Internet
10945 Name Domain (<acronym>BIND</acronym>) package, was
10946 written soon after by a group of
10947 graduate students at the University of California at Berkeley
10949 a grant from the US Defense Advanced Research Projects
10954 Versions of <acronym>BIND</acronym> through
10955 4.8.3 were maintained by the Computer
10956 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
10957 Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
10958 project team. After that, additional work on the software package
10959 was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
10961 employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
10962 to 1987. Many other people also contributed to <acronym>BIND</acronym> development
10963 during that time: Doug Kingston, Craig Partridge, Smoot
10965 Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
10966 handled by Mike Karels and Øivind Kure.
10969 <acronym>BIND</acronym> versions 4.9 and 4.9.1 were
10970 released by Digital Equipment
10971 Corporation (now Compaq Computer Corporation). Paul Vixie, then
10972 a DEC employee, became <acronym>BIND</acronym>'s
10973 primary caretaker. He was assisted
10974 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
10976 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
10977 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
10978 Wolfhugel, and others.
10981 In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
10982 Vixie Enterprises. Paul
10983 Vixie became <acronym>BIND</acronym>'s principal
10984 architect/programmer.
10987 <acronym>BIND</acronym> versions from 4.9.3 onward
10988 have been developed and maintained
10989 by the Internet Systems Consortium and its predecessor,
10990 the Internet Software Consortium, with support being provided
10994 As co-architects/programmers, Bob Halley and
10995 Paul Vixie released the first production-ready version of
10996 <acronym>BIND</acronym> version 8 in May 1997.
10999 BIND version 9 was released in September 2000 and is a
11000 major rewrite of nearly all aspects of the underlying
11004 BIND version 4 is officially deprecated and BIND version
11005 8 development is considered maintenance-only in favor
11006 of BIND version 9. No additional development is done
11007 on BIND version 4 or BIND version 8 other than for
11008 security-related patches.
11011 <acronym>BIND</acronym> development work is made
11012 possible today by the sponsorship
11013 of several corporations, and by the tireless work efforts of
11014 numerous individuals.
11019 <title>General <acronym>DNS</acronym> Reference Information</title>
11020 <sect2 id="ipv6addresses">
11021 <title>IPv6 addresses (AAAA)</title>
11023 IPv6 addresses are 128-bit identifiers for interfaces and
11024 sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
11025 scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
11026 an identifier for a single interface;
11027 <emphasis>Anycast</emphasis>,
11028 an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
11029 an identifier for a set of interfaces. Here we describe the global
11030 Unicast address scheme. For more information, see RFC 3587,
11031 "Global Unicast Address Format."
11034 IPv6 unicast addresses consist of a
11035 <emphasis>global routing prefix</emphasis>, a
11036 <emphasis>subnet identifier</emphasis>, and an
11037 <emphasis>interface identifier</emphasis>.
11040 The global routing prefix is provided by the
11041 upstream provider or ISP, and (roughly) corresponds to the
11042 IPv4 <emphasis>network</emphasis> section
11043 of the address range.
11045 The subnet identifier is for local subnetting, much the
11046 same as subnetting an
11047 IPv4 /16 network into /24 subnets.
11049 The interface identifier is the address of an individual
11050 interface on a given network; in IPv6, addresses belong to
11051 interfaces rather than to machines.
11054 The subnetting capability of IPv6 is much more flexible than
11055 that of IPv4: subnetting can be carried out on bit boundaries,
11056 in much the same way as Classless InterDomain Routing
11057 (CIDR), and the DNS PTR representation ("nibble" format)
11058 makes setting up reverse zones easier.
11061 The Interface Identifier must be unique on the local link,
11062 and is usually generated automatically by the IPv6
11063 implementation, although it is usually possible to
11064 override the default setting if necessary. A typical IPv6
11065 address might look like:
11066 <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
11069 IPv6 address specifications often contain long strings
11070 of zeros, so the architects have included a shorthand for
11072 them. The double colon (`::') indicates the longest possible
11074 of zeros that can fit, and can be used only once in an address.
11078 <sect1 id="bibliography">
11079 <title>Bibliography (and Suggested Reading)</title>
11081 <title>Request for Comments (RFCs)</title>
11083 Specification documents for the Internet protocol suite, including
11084 the <acronym>DNS</acronym>, are published as part of
11085 the Request for Comments (RFCs)
11086 series of technical notes. The standards themselves are defined
11087 by the Internet Engineering Task Force (IETF) and the Internet
11088 Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
11091 <ulink url="ftp://www.isi.edu/in-notes/">
11092 ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
11096 (where <replaceable>xxxx</replaceable> is
11097 the number of the RFC). RFCs are also available via the Web at:
11100 <ulink url="http://www.ietf.org/rfc/"
11101 >http://www.ietf.org/rfc/</ulink>.
11105 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
11106 <title>Standards</title>
11108 <abbrev>RFC974</abbrev>
11110 <surname>Partridge</surname>
11111 <firstname>C.</firstname>
11113 <title>Mail Routing and the Domain System</title>
11114 <pubdate>January 1986</pubdate>
11117 <abbrev>RFC1034</abbrev>
11119 <surname>Mockapetris</surname>
11120 <firstname>P.V.</firstname>
11122 <title>Domain Names — Concepts and Facilities</title>
11123 <pubdate>November 1987</pubdate>
11126 <abbrev>RFC1035</abbrev>
11128 <surname>Mockapetris</surname>
11129 <firstname>P. V.</firstname>
11130 </author> <title>Domain Names — Implementation and
11131 Specification</title>
11132 <pubdate>November 1987</pubdate>
11135 <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
11137 <title>Proposed Standards</title>
11138 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
11140 <abbrev>RFC2181</abbrev>
11142 <surname>Elz</surname>
11143 <firstname>R., R. Bush</firstname>
11145 <title>Clarifications to the <acronym>DNS</acronym>
11146 Specification</title>
11147 <pubdate>July 1997</pubdate>
11150 <abbrev>RFC2308</abbrev>
11152 <surname>Andrews</surname>
11153 <firstname>M.</firstname>
11155 <title>Negative Caching of <acronym>DNS</acronym>
11157 <pubdate>March 1998</pubdate>
11160 <abbrev>RFC1995</abbrev>
11162 <surname>Ohta</surname>
11163 <firstname>M.</firstname>
11165 <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
11166 <pubdate>August 1996</pubdate>
11169 <abbrev>RFC1996</abbrev>
11171 <surname>Vixie</surname>
11172 <firstname>P.</firstname>
11174 <title>A Mechanism for Prompt Notification of Zone Changes</title>
11175 <pubdate>August 1996</pubdate>
11178 <abbrev>RFC2136</abbrev>
11181 <surname>Vixie</surname>
11182 <firstname>P.</firstname>
11185 <firstname>S.</firstname>
11186 <surname>Thomson</surname>
11189 <firstname>Y.</firstname>
11190 <surname>Rekhter</surname>
11193 <firstname>J.</firstname>
11194 <surname>Bound</surname>
11197 <title>Dynamic Updates in the Domain Name System</title>
11198 <pubdate>April 1997</pubdate>
11201 <abbrev>RFC2671</abbrev>
11204 <firstname>P.</firstname>
11205 <surname>Vixie</surname>
11208 <title>Extension Mechanisms for DNS (EDNS0)</title>
11209 <pubdate>August 1997</pubdate>
11212 <abbrev>RFC2672</abbrev>
11215 <firstname>M.</firstname>
11216 <surname>Crawford</surname>
11219 <title>Non-Terminal DNS Name Redirection</title>
11220 <pubdate>August 1999</pubdate>
11223 <abbrev>RFC2845</abbrev>
11226 <surname>Vixie</surname>
11227 <firstname>P.</firstname>
11230 <firstname>O.</firstname>
11231 <surname>Gudmundsson</surname>
11234 <firstname>D.</firstname>
11235 <surname>Eastlake</surname>
11236 <lineage>3rd</lineage>
11239 <firstname>B.</firstname>
11240 <surname>Wellington</surname>
11243 <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
11244 <pubdate>May 2000</pubdate>
11247 <abbrev>RFC2930</abbrev>
11250 <firstname>D.</firstname>
11251 <surname>Eastlake</surname>
11252 <lineage>3rd</lineage>
11255 <title>Secret Key Establishment for DNS (TKEY RR)</title>
11256 <pubdate>September 2000</pubdate>
11259 <abbrev>RFC2931</abbrev>
11262 <firstname>D.</firstname>
11263 <surname>Eastlake</surname>
11264 <lineage>3rd</lineage>
11267 <title>DNS Request and Transaction Signatures (SIG(0)s)</title>
11268 <pubdate>September 2000</pubdate>
11271 <abbrev>RFC3007</abbrev>
11274 <firstname>B.</firstname>
11275 <surname>Wellington</surname>
11278 <title>Secure Domain Name System (DNS) Dynamic Update</title>
11279 <pubdate>November 2000</pubdate>
11282 <abbrev>RFC3645</abbrev>
11285 <firstname>S.</firstname>
11286 <surname>Kwan</surname>
11289 <firstname>P.</firstname>
11290 <surname>Garg</surname>
11293 <firstname>J.</firstname>
11294 <surname>Gilroy</surname>
11297 <firstname>L.</firstname>
11298 <surname>Esibov</surname>
11301 <firstname>J.</firstname>
11302 <surname>Westhead</surname>
11305 <firstname>R.</firstname>
11306 <surname>Hall</surname>
11309 <title>Generic Security Service Algorithm for Secret
11310 Key Transaction Authentication for DNS
11312 <pubdate>October 2003</pubdate>
11316 <title><acronym>DNS</acronym> Security Proposed Standards</title>
11318 <abbrev>RFC3225</abbrev>
11321 <firstname>D.</firstname>
11322 <surname>Conrad</surname>
11325 <title>Indicating Resolver Support of DNSSEC</title>
11326 <pubdate>December 2001</pubdate>
11329 <abbrev>RFC3833</abbrev>
11332 <firstname>D.</firstname>
11333 <surname>Atkins</surname>
11336 <firstname>R.</firstname>
11337 <surname>Austein</surname>
11340 <title>Threat Analysis of the Domain Name System (DNS)</title>
11341 <pubdate>August 2004</pubdate>
11344 <abbrev>RFC4033</abbrev>
11347 <firstname>R.</firstname>
11348 <surname>Arends</surname>
11351 <firstname>R.</firstname>
11352 <surname>Austein</surname>
11355 <firstname>M.</firstname>
11356 <surname>Larson</surname>
11359 <firstname>D.</firstname>
11360 <surname>Massey</surname>
11363 <firstname>S.</firstname>
11364 <surname>Rose</surname>
11367 <title>DNS Security Introduction and Requirements</title>
11368 <pubdate>March 2005</pubdate>
11371 <abbrev>RFC4044</abbrev>
11374 <firstname>R.</firstname>
11375 <surname>Arends</surname>
11378 <firstname>R.</firstname>
11379 <surname>Austein</surname>
11382 <firstname>M.</firstname>
11383 <surname>Larson</surname>
11386 <firstname>D.</firstname>
11387 <surname>Massey</surname>
11390 <firstname>S.</firstname>
11391 <surname>Rose</surname>
11394 <title>Resource Records for the DNS Security Extensions</title>
11395 <pubdate>March 2005</pubdate>
11398 <abbrev>RFC4035</abbrev>
11401 <firstname>R.</firstname>
11402 <surname>Arends</surname>
11405 <firstname>R.</firstname>
11406 <surname>Austein</surname>
11409 <firstname>M.</firstname>
11410 <surname>Larson</surname>
11413 <firstname>D.</firstname>
11414 <surname>Massey</surname>
11417 <firstname>S.</firstname>
11418 <surname>Rose</surname>
11421 <title>Protocol Modifications for the DNS
11422 Security Extensions</title>
11423 <pubdate>March 2005</pubdate>
11427 <title>Other Important RFCs About <acronym>DNS</acronym>
11428 Implementation</title>
11430 <abbrev>RFC1535</abbrev>
11432 <surname>Gavron</surname>
11433 <firstname>E.</firstname>
11435 <title>A Security Problem and Proposed Correction With Widely
11436 Deployed <acronym>DNS</acronym> Software.</title>
11437 <pubdate>October 1993</pubdate>
11440 <abbrev>RFC1536</abbrev>
11443 <surname>Kumar</surname>
11444 <firstname>A.</firstname>
11447 <firstname>J.</firstname>
11448 <surname>Postel</surname>
11451 <firstname>C.</firstname>
11452 <surname>Neuman</surname>
11455 <firstname>P.</firstname>
11456 <surname>Danzig</surname>
11459 <firstname>S.</firstname>
11460 <surname>Miller</surname>
11463 <title>Common <acronym>DNS</acronym> Implementation
11464 Errors and Suggested Fixes</title>
11465 <pubdate>October 1993</pubdate>
11468 <abbrev>RFC1982</abbrev>
11471 <surname>Elz</surname>
11472 <firstname>R.</firstname>
11475 <firstname>R.</firstname>
11476 <surname>Bush</surname>
11479 <title>Serial Number Arithmetic</title>
11480 <pubdate>August 1996</pubdate>
11483 <abbrev>RFC4074</abbrev>
11486 <surname>Morishita</surname>
11487 <firstname>Y.</firstname>
11490 <firstname>T.</firstname>
11491 <surname>Jinmei</surname>
11494 <title>Common Misbehaviour Against <acronym>DNS</acronym>
11495 Queries for IPv6 Addresses</title>
11496 <pubdate>May 2005</pubdate>
11500 <title>Resource Record Types</title>
11502 <abbrev>RFC1183</abbrev>
11505 <surname>Everhart</surname>
11506 <firstname>C.F.</firstname>
11509 <firstname>L. A.</firstname>
11510 <surname>Mamakos</surname>
11513 <firstname>R.</firstname>
11514 <surname>Ullmann</surname>
11517 <firstname>P.</firstname>
11518 <surname>Mockapetris</surname>
11521 <title>New <acronym>DNS</acronym> RR Definitions</title>
11522 <pubdate>October 1990</pubdate>
11525 <abbrev>RFC1706</abbrev>
11528 <surname>Manning</surname>
11529 <firstname>B.</firstname>
11532 <firstname>R.</firstname>
11533 <surname>Colella</surname>
11536 <title><acronym>DNS</acronym> NSAP Resource Records</title>
11537 <pubdate>October 1994</pubdate>
11540 <abbrev>RFC2168</abbrev>
11543 <surname>Daniel</surname>
11544 <firstname>R.</firstname>
11547 <firstname>M.</firstname>
11548 <surname>Mealling</surname>
11551 <title>Resolution of Uniform Resource Identifiers using
11552 the Domain Name System</title>
11553 <pubdate>June 1997</pubdate>
11556 <abbrev>RFC1876</abbrev>
11559 <surname>Davis</surname>
11560 <firstname>C.</firstname>
11563 <firstname>P.</firstname>
11564 <surname>Vixie</surname>
11567 <firstname>T.</firstname>
11568 <firstname>Goodwin</firstname>
11571 <firstname>I.</firstname>
11572 <surname>Dickinson</surname>
11575 <title>A Means for Expressing Location Information in the
11577 Name System</title>
11578 <pubdate>January 1996</pubdate>
11581 <abbrev>RFC2052</abbrev>
11584 <surname>Gulbrandsen</surname>
11585 <firstname>A.</firstname>
11588 <firstname>P.</firstname>
11589 <surname>Vixie</surname>
11592 <title>A <acronym>DNS</acronym> RR for Specifying the
11595 <pubdate>October 1996</pubdate>
11598 <abbrev>RFC2163</abbrev>
11600 <surname>Allocchio</surname>
11601 <firstname>A.</firstname>
11603 <title>Using the Internet <acronym>DNS</acronym> to
11605 Conformant Global Address Mapping</title>
11606 <pubdate>January 1998</pubdate>
11609 <abbrev>RFC2230</abbrev>
11611 <surname>Atkinson</surname>
11612 <firstname>R.</firstname>
11614 <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
11615 <pubdate>October 1997</pubdate>
11618 <abbrev>RFC2536</abbrev>
11620 <surname>Eastlake</surname>
11621 <firstname>D.</firstname>
11622 <lineage>3rd</lineage>
11624 <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
11625 <pubdate>March 1999</pubdate>
11628 <abbrev>RFC2537</abbrev>
11630 <surname>Eastlake</surname>
11631 <firstname>D.</firstname>
11632 <lineage>3rd</lineage>
11634 <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
11635 <pubdate>March 1999</pubdate>
11638 <abbrev>RFC2538</abbrev>
11641 <surname>Eastlake</surname>
11642 <firstname>D.</firstname>
11643 <lineage>3rd</lineage>
11646 <surname>Gudmundsson</surname>
11647 <firstname>O.</firstname>
11650 <title>Storing Certificates in the Domain Name System (DNS)</title>
11651 <pubdate>March 1999</pubdate>
11654 <abbrev>RFC2539</abbrev>
11657 <surname>Eastlake</surname>
11658 <firstname>D.</firstname>
11659 <lineage>3rd</lineage>
11662 <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
11663 <pubdate>March 1999</pubdate>
11666 <abbrev>RFC2540</abbrev>
11669 <surname>Eastlake</surname>
11670 <firstname>D.</firstname>
11671 <lineage>3rd</lineage>
11674 <title>Detached Domain Name System (DNS) Information</title>
11675 <pubdate>March 1999</pubdate>
11678 <abbrev>RFC2782</abbrev>
11680 <surname>Gulbrandsen</surname>
11681 <firstname>A.</firstname>
11684 <surname>Vixie</surname>
11685 <firstname>P.</firstname>
11688 <surname>Esibov</surname>
11689 <firstname>L.</firstname>
11691 <title>A DNS RR for specifying the location of services (DNS SRV)</title>
11692 <pubdate>February 2000</pubdate>
11695 <abbrev>RFC2915</abbrev>
11697 <surname>Mealling</surname>
11698 <firstname>M.</firstname>
11701 <surname>Daniel</surname>
11702 <firstname>R.</firstname>
11704 <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
11705 <pubdate>September 2000</pubdate>
11708 <abbrev>RFC3110</abbrev>
11710 <surname>Eastlake</surname>
11711 <firstname>D.</firstname>
11712 <lineage>3rd</lineage>
11714 <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
11715 <pubdate>May 2001</pubdate>
11718 <abbrev>RFC3123</abbrev>
11720 <surname>Koch</surname>
11721 <firstname>P.</firstname>
11723 <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
11724 <pubdate>June 2001</pubdate>
11727 <abbrev>RFC3596</abbrev>
11730 <surname>Thomson</surname>
11731 <firstname>S.</firstname>
11734 <firstname>C.</firstname>
11735 <surname>Huitema</surname>
11738 <firstname>V.</firstname>
11739 <surname>Ksinant</surname>
11742 <firstname>M.</firstname>
11743 <surname>Souissi</surname>
11746 <title><acronym>DNS</acronym> Extensions to support IP
11748 <pubdate>October 2003</pubdate>
11751 <abbrev>RFC3597</abbrev>
11753 <surname>Gustafsson</surname>
11754 <firstname>A.</firstname>
11756 <title>Handling of Unknown DNS Resource Record (RR) Types</title>
11757 <pubdate>September 2003</pubdate>
11761 <title><acronym>DNS</acronym> and the Internet</title>
11763 <abbrev>RFC1101</abbrev>
11765 <surname>Mockapetris</surname>
11766 <firstname>P. V.</firstname>
11768 <title><acronym>DNS</acronym> Encoding of Network Names
11769 and Other Types</title>
11770 <pubdate>April 1989</pubdate>
11773 <abbrev>RFC1123</abbrev>
11775 <surname>Braden</surname>
11776 <surname>R.</surname>
11778 <title>Requirements for Internet Hosts - Application and
11780 <pubdate>October 1989</pubdate>
11783 <abbrev>RFC1591</abbrev>
11785 <surname>Postel</surname>
11786 <firstname>J.</firstname>
11788 <title>Domain Name System Structure and Delegation</title>
11789 <pubdate>March 1994</pubdate>
11792 <abbrev>RFC2317</abbrev>
11795 <surname>Eidnes</surname>
11796 <firstname>H.</firstname>
11799 <firstname>G.</firstname>
11800 <surname>de Groot</surname>
11803 <firstname>P.</firstname>
11804 <surname>Vixie</surname>
11807 <title>Classless IN-ADDR.ARPA Delegation</title>
11808 <pubdate>March 1998</pubdate>
11811 <abbrev>RFC2826</abbrev>
11814 <surname>Internet Architecture Board</surname>
11817 <title>IAB Technical Comment on the Unique DNS Root</title>
11818 <pubdate>May 2000</pubdate>
11821 <abbrev>RFC2929</abbrev>
11824 <surname>Eastlake</surname>
11825 <firstname>D.</firstname>
11826 <lineage>3rd</lineage>
11829 <surname>Brunner-Williams</surname>
11830 <firstname>E.</firstname>
11833 <surname>Manning</surname>
11834 <firstname>B.</firstname>
11837 <title>Domain Name System (DNS) IANA Considerations</title>
11838 <pubdate>September 2000</pubdate>
11842 <title><acronym>DNS</acronym> Operations</title>
11844 <abbrev>RFC1033</abbrev>
11846 <surname>Lottor</surname>
11847 <firstname>M.</firstname>
11849 <title>Domain administrators operations guide.</title>
11850 <pubdate>November 1987</pubdate>
11853 <abbrev>RFC1537</abbrev>
11855 <surname>Beertema</surname>
11856 <firstname>P.</firstname>
11858 <title>Common <acronym>DNS</acronym> Data File
11859 Configuration Errors</title>
11860 <pubdate>October 1993</pubdate>
11863 <abbrev>RFC1912</abbrev>
11865 <surname>Barr</surname>
11866 <firstname>D.</firstname>
11868 <title>Common <acronym>DNS</acronym> Operational and
11869 Configuration Errors</title>
11870 <pubdate>February 1996</pubdate>
11873 <abbrev>RFC2010</abbrev>
11876 <surname>Manning</surname>
11877 <firstname>B.</firstname>
11880 <firstname>P.</firstname>
11881 <surname>Vixie</surname>
11884 <title>Operational Criteria for Root Name Servers.</title>
11885 <pubdate>October 1996</pubdate>
11888 <abbrev>RFC2219</abbrev>
11891 <surname>Hamilton</surname>
11892 <firstname>M.</firstname>
11895 <firstname>R.</firstname>
11896 <surname>Wright</surname>
11899 <title>Use of <acronym>DNS</acronym> Aliases for
11900 Network Services.</title>
11901 <pubdate>October 1997</pubdate>
11905 <title>Internationalized Domain Names</title>
11907 <abbrev>RFC2825</abbrev>
11910 <surname>IAB</surname>
11913 <surname>Daigle</surname>
11914 <firstname>R.</firstname>
11917 <title>A Tangled Web: Issues of I18N, Domain Names,
11918 and the Other Internet protocols</title>
11919 <pubdate>May 2000</pubdate>
11922 <abbrev>RFC3490</abbrev>
11925 <surname>Faltstrom</surname>
11926 <firstname>P.</firstname>
11929 <surname>Hoffman</surname>
11930 <firstname>P.</firstname>
11933 <surname>Costello</surname>
11934 <firstname>A.</firstname>
11937 <title>Internationalizing Domain Names in Applications (IDNA)</title>
11938 <pubdate>March 2003</pubdate>
11941 <abbrev>RFC3491</abbrev>
11944 <surname>Hoffman</surname>
11945 <firstname>P.</firstname>
11948 <surname>Blanchet</surname>
11949 <firstname>M.</firstname>
11952 <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
11953 <pubdate>March 2003</pubdate>
11956 <abbrev>RFC3492</abbrev>
11959 <surname>Costello</surname>
11960 <firstname>A.</firstname>
11963 <title>Punycode: A Bootstring encoding of Unicode
11964 for Internationalized Domain Names in
11965 Applications (IDNA)</title>
11966 <pubdate>March 2003</pubdate>
11970 <title>Other <acronym>DNS</acronym>-related RFCs</title>
11973 Note: the following list of RFCs, although
11974 <acronym>DNS</acronym>-related, are not
11975 concerned with implementing software.
11979 <abbrev>RFC1464</abbrev>
11981 <surname>Rosenbaum</surname>
11982 <firstname>R.</firstname>
11984 <title>Using the Domain Name System To Store Arbitrary String
11986 <pubdate>May 1993</pubdate>
11989 <abbrev>RFC1713</abbrev>
11991 <surname>Romao</surname>
11992 <firstname>A.</firstname>
11994 <title>Tools for <acronym>DNS</acronym> Debugging</title>
11995 <pubdate>November 1994</pubdate>
11998 <abbrev>RFC1794</abbrev>
12000 <surname>Brisco</surname>
12001 <firstname>T.</firstname>
12003 <title><acronym>DNS</acronym> Support for Load
12005 <pubdate>April 1995</pubdate>
12008 <abbrev>RFC2240</abbrev>
12010 <surname>Vaughan</surname>
12011 <firstname>O.</firstname>
12013 <title>A Legal Basis for Domain Name Allocation</title>
12014 <pubdate>November 1997</pubdate>
12017 <abbrev>RFC2345</abbrev>
12020 <surname>Klensin</surname>
12021 <firstname>J.</firstname>
12024 <firstname>T.</firstname>
12025 <surname>Wolf</surname>
12028 <firstname>G.</firstname>
12029 <surname>Oglesby</surname>
12032 <title>Domain Names and Company Name Retrieval</title>
12033 <pubdate>May 1998</pubdate>
12036 <abbrev>RFC2352</abbrev>
12038 <surname>Vaughan</surname>
12039 <firstname>O.</firstname>
12041 <title>A Convention For Using Legal Names as Domain Names</title>
12042 <pubdate>May 1998</pubdate>
12045 <abbrev>RFC3071</abbrev>
12048 <surname>Klensin</surname>
12049 <firstname>J.</firstname>
12052 <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
12053 <pubdate>February 2001</pubdate>
12056 <abbrev>RFC3258</abbrev>
12059 <surname>Hardie</surname>
12060 <firstname>T.</firstname>
12063 <title>Distributing Authoritative Name Servers via
12064 Shared Unicast Addresses</title>
12065 <pubdate>April 2002</pubdate>
12068 <abbrev>RFC3901</abbrev>
12071 <surname>Durand</surname>
12072 <firstname>A.</firstname>
12075 <firstname>J.</firstname>
12076 <surname>Ihren</surname>
12079 <title>DNS IPv6 Transport Operational Guidelines</title>
12080 <pubdate>September 2004</pubdate>
12084 <title>Obsolete and Unimplemented Experimental RFC</title>
12086 <abbrev>RFC1712</abbrev>
12089 <surname>Farrell</surname>
12090 <firstname>C.</firstname>
12093 <firstname>M.</firstname>
12094 <surname>Schulze</surname>
12097 <firstname>S.</firstname>
12098 <surname>Pleitner</surname>
12101 <firstname>D.</firstname>
12102 <surname>Baldoni</surname>
12105 <title><acronym>DNS</acronym> Encoding of Geographical
12107 <pubdate>November 1994</pubdate>
12110 <abbrev>RFC2673</abbrev>
12113 <surname>Crawford</surname>
12114 <firstname>M.</firstname>
12117 <title>Binary Labels in the Domain Name System</title>
12118 <pubdate>August 1999</pubdate>
12121 <abbrev>RFC2874</abbrev>
12124 <surname>Crawford</surname>
12125 <firstname>M.</firstname>
12128 <surname>Huitema</surname>
12129 <firstname>C.</firstname>
12132 <title>DNS Extensions to Support IPv6 Address Aggregation
12133 and Renumbering</title>
12134 <pubdate>July 2000</pubdate>
12138 <title>Obsoleted DNS Security RFCs</title>
12141 Most of these have been consolidated into RFC4033,
12142 RFC4034 and RFC4035 which collectively describe DNSSECbis.
12146 <abbrev>RFC2065</abbrev>
12149 <surname>Eastlake</surname>
12150 <lineage>3rd</lineage>
12151 <firstname>D.</firstname>
12154 <firstname>C.</firstname>
12155 <surname>Kaufman</surname>
12158 <title>Domain Name System Security Extensions</title>
12159 <pubdate>January 1997</pubdate>
12162 <abbrev>RFC2137</abbrev>
12164 <surname>Eastlake</surname>
12165 <lineage>3rd</lineage>
12166 <firstname>D.</firstname>
12168 <title>Secure Domain Name System Dynamic Update</title>
12169 <pubdate>April 1997</pubdate>
12172 <abbrev>RFC2535</abbrev>
12175 <surname>Eastlake</surname>
12176 <lineage>3rd</lineage>
12177 <firstname>D.</firstname>
12180 <title>Domain Name System Security Extensions</title>
12181 <pubdate>March 1999</pubdate>
12184 <abbrev>RFC3008</abbrev>
12187 <surname>Wellington</surname>
12188 <firstname>B.</firstname>
12191 <title>Domain Name System Security (DNSSEC)
12192 Signing Authority</title>
12193 <pubdate>November 2000</pubdate>
12196 <abbrev>RFC3090</abbrev>
12199 <surname>Lewis</surname>
12200 <firstname>E.</firstname>
12203 <title>DNS Security Extension Clarification on Zone Status</title>
12204 <pubdate>March 2001</pubdate>
12207 <abbrev>RFC3445</abbrev>
12210 <surname>Massey</surname>
12211 <firstname>D.</firstname>
12214 <surname>Rose</surname>
12215 <firstname>S.</firstname>
12218 <title>Limiting the Scope of the KEY Resource Record (RR)</title>
12219 <pubdate>December 2002</pubdate>
12222 <abbrev>RFC3655</abbrev>
12225 <surname>Wellington</surname>
12226 <firstname>B.</firstname>
12229 <surname>Gudmundsson</surname>
12230 <firstname>O.</firstname>
12233 <title>Redefinition of DNS Authenticated Data (AD) bit</title>
12234 <pubdate>November 2003</pubdate>
12237 <abbrev>RFC3658</abbrev>
12240 <surname>Gudmundsson</surname>
12241 <firstname>O.</firstname>
12244 <title>Delegation Signer (DS) Resource Record (RR)</title>
12245 <pubdate>December 2003</pubdate>
12248 <abbrev>RFC3755</abbrev>
12251 <surname>Weiler</surname>
12252 <firstname>S.</firstname>
12255 <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
12256 <pubdate>May 2004</pubdate>
12259 <abbrev>RFC3757</abbrev>
12262 <surname>Kolkman</surname>
12263 <firstname>O.</firstname>
12266 <surname>Schlyter</surname>
12267 <firstname>J.</firstname>
12270 <surname>Lewis</surname>
12271 <firstname>E.</firstname>
12274 <title>Domain Name System KEY (DNSKEY) Resource Record
12275 (RR) Secure Entry Point (SEP) Flag</title>
12276 <pubdate>April 2004</pubdate>
12279 <abbrev>RFC3845</abbrev>
12282 <surname>Schlyter</surname>
12283 <firstname>J.</firstname>
12286 <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
12287 <pubdate>August 2004</pubdate>
12292 <sect2 id="internet_drafts">
12293 <title>Internet Drafts</title>
12295 Internet Drafts (IDs) are rough-draft working documents of
12296 the Internet Engineering Task Force. They are, in essence, RFCs
12297 in the preliminary stages of development. Implementors are
12299 to regard IDs as archival, and they should not be quoted or cited
12300 in any formal documents unless accompanied by the disclaimer that
12301 they are "works in progress." IDs have a lifespan of six months
12302 after which they are deleted unless updated by their authors.
12306 <title>Other Documents About <acronym>BIND</acronym></title>
12312 <surname>Albitz</surname>
12313 <firstname>Paul</firstname>
12316 <firstname>Cricket</firstname>
12317 <surname>Liu</surname>
12320 <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
12323 <holder>Sebastopol, CA: O'Reilly and Associates</holder>
12331 <reference id="Bv9ARM.ch10">
12332 <title>Manual pages</title>
12333 <xi:include href="../../bin/dig/dig.docbook"/>
12334 <xi:include href="../../bin/dig/host.docbook"/>
12335 <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
12336 <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
12337 <xi:include href="../../bin/check/named-checkconf.docbook"/>
12338 <xi:include href="../../bin/check/named-checkzone.docbook"/>
12339 <xi:include href="../../bin/named/named.docbook"/>
12340 <!-- named.conf.docbook and others? -->
12341 <!-- nsupdate gives db2latex indigestion, markup problems? -->
12342 <xi:include href="../../bin/rndc/rndc.docbook"/>
12343 <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
12344 <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>