1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.82 2007/09/26 03:28:27 marka Exp $ -->
22 <book xmlns:xi="http://www.w3.org/2001/XInclude">
23 <title>BIND 9 Administrator Reference Manual</title>
31 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
38 <holder>Internet Software Consortium.</holder>
42 <chapter id="Bv9ARM.ch01">
43 <title>Introduction</title>
45 The Internet Domain Name System (<acronym>DNS</acronym>)
46 consists of the syntax
47 to specify the names of entities in the Internet in a hierarchical
48 manner, the rules used for delegating authority over names, and the
49 system implementation that actually maps names to Internet
50 addresses. <acronym>DNS</acronym> data is maintained in a
52 hierarchical databases.
56 <title>Scope of Document</title>
59 The Berkeley Internet Name Domain
60 (<acronym>BIND</acronym>) implements a
61 domain name server for a number of operating systems. This
62 document provides basic information about the installation and
63 care of the Internet Systems Consortium (<acronym>ISC</acronym>)
64 <acronym>BIND</acronym> version 9 software package for
65 system administrators.
69 This version of the manual corresponds to BIND version 9.4.
74 <title>Organization of This Document</title>
76 In this document, <emphasis>Section 1</emphasis> introduces
77 the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
78 describes resource requirements for running <acronym>BIND</acronym> in various
79 environments. Information in <emphasis>Section 3</emphasis> is
80 <emphasis>task-oriented</emphasis> in its presentation and is
81 organized functionally, to aid in the process of installing the
82 <acronym>BIND</acronym> 9 software. The task-oriented
83 section is followed by
84 <emphasis>Section 4</emphasis>, which contains more advanced
85 concepts that the system administrator may need for implementing
86 certain options. <emphasis>Section 5</emphasis>
87 describes the <acronym>BIND</acronym> 9 lightweight
88 resolver. The contents of <emphasis>Section 6</emphasis> are
89 organized as in a reference manual to aid in the ongoing
90 maintenance of the software. <emphasis>Section 7</emphasis> addresses
91 security considerations, and
92 <emphasis>Section 8</emphasis> contains troubleshooting help. The
93 main body of the document is followed by several
94 <emphasis>appendices</emphasis> which contain useful reference
95 information, such as a <emphasis>bibliography</emphasis> and
96 historic information related to <acronym>BIND</acronym>
102 <title>Conventions Used in This Document</title>
105 In this document, we use the following general typographic
111 <colspec colname="1" colnum="1" colwidth="3.000in"/>
112 <colspec colname="2" colnum="2" colwidth="2.625in"/>
117 <emphasis>To describe:</emphasis>
122 <emphasis>We use the style:</emphasis>
129 a pathname, filename, URL, hostname,
130 mailing list name, or new term or concept
135 <filename>Fixed width</filename>
148 <userinput>Fixed Width Bold</userinput>
160 <computeroutput>Fixed Width</computeroutput>
169 The following conventions are used in descriptions of the
170 <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
171 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
172 <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
173 <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
176 <entry colname="1" colsep="1" rowsep="1">
178 <emphasis>To describe:</emphasis>
181 <entry colname="2" rowsep="1">
183 <emphasis>We use the style:</emphasis>
188 <entry colname="1" colsep="1" rowsep="1">
193 <entry colname="2" rowsep="1">
195 <literal>Fixed Width</literal>
200 <entry colname="1" colsep="1" rowsep="1">
205 <entry colname="2" rowsep="1">
207 <varname>Fixed Width</varname>
212 <entry colname="1" colsep="1">
219 <optional>Text is enclosed in square brackets</optional>
229 <title>The Domain Name System (<acronym>DNS</acronym>)</title>
231 The purpose of this document is to explain the installation
232 and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
233 Name Domain) software package, and we
234 begin by reviewing the fundamentals of the Domain Name System
235 (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
239 <title>DNS Fundamentals</title>
242 The Domain Name System (DNS) is a hierarchical, distributed
243 database. It stores information for mapping Internet host names to
245 addresses and vice versa, mail routing information, and other data
246 used by Internet applications.
250 Clients look up information in the DNS by calling a
251 <emphasis>resolver</emphasis> library, which sends queries to one or
252 more <emphasis>name servers</emphasis> and interprets the responses.
253 The <acronym>BIND</acronym> 9 software distribution
255 name server, <command>named</command>, and two resolver
256 libraries, <command>liblwres</command> and <command>libbind</command>.
260 <title>Domains and Domain Names</title>
263 The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
264 organizational or administrative boundaries. Each node of the tree,
265 called a <emphasis>domain</emphasis>, is given a label. The domain
267 node is the concatenation of all the labels on the path from the
268 node to the <emphasis>root</emphasis> node. This is represented
269 in written form as a string of labels listed from right to left and
270 separated by dots. A label need only be unique within its parent
275 For example, a domain name for a host at the
276 company <emphasis>Example, Inc.</emphasis> could be
277 <literal>ourhost.example.com</literal>,
278 where <literal>com</literal> is the
279 top level domain to which
280 <literal>ourhost.example.com</literal> belongs,
281 <literal>example</literal> is
282 a subdomain of <literal>com</literal>, and
283 <literal>ourhost</literal> is the
288 For administrative purposes, the name space is partitioned into
289 areas called <emphasis>zones</emphasis>, each starting at a node and
290 extending down to the leaf nodes or to nodes where other zones
292 The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
293 <emphasis>DNS protocol</emphasis>.
297 The data associated with each domain name is stored in the
298 form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
299 Some of the supported resource record types are described in
300 <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
304 For more detailed information about the design of the DNS and
305 the DNS protocol, please refer to the standards documents listed in
306 <xref linkend="rfcs"/>.
313 To properly operate a name server, it is important to understand
314 the difference between a <emphasis>zone</emphasis>
315 and a <emphasis>domain</emphasis>.
319 As stated previously, a zone is a point of delegation in
320 the <acronym>DNS</acronym> tree. A zone consists of
321 those contiguous parts of the domain
322 tree for which a name server has complete information and over which
323 it has authority. It contains all domain names from a certain point
324 downward in the domain tree except those which are delegated to
325 other zones. A delegation point is marked by one or more
326 <emphasis>NS records</emphasis> in the
327 parent zone, which should be matched by equivalent NS records at
328 the root of the delegated zone.
332 For instance, consider the <literal>example.com</literal>
333 domain which includes names
334 such as <literal>host.aaa.example.com</literal> and
335 <literal>host.bbb.example.com</literal> even though
336 the <literal>example.com</literal> zone includes
337 only delegations for the <literal>aaa.example.com</literal> and
338 <literal>bbb.example.com</literal> zones. A zone can
340 exactly to a single domain, but could also include only part of a
341 domain, the rest of which could be delegated to other
342 name servers. Every name in the <acronym>DNS</acronym>
344 <emphasis>domain</emphasis>, even if it is
345 <emphasis>terminal</emphasis>, that is, has no
346 <emphasis>subdomains</emphasis>. Every subdomain is a domain and
347 every domain except the root is also a subdomain. The terminology is
348 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
350 gain a complete understanding of this difficult and subtle
355 Though <acronym>BIND</acronym> is called a "domain name
357 it deals primarily in terms of zones. The master and slave
358 declarations in the <filename>named.conf</filename> file
360 zones, not domains. When you ask some other site if it is willing to
361 be a slave server for your <emphasis>domain</emphasis>, you are
362 actually asking for slave service for some collection of zones.
367 <title>Authoritative Name Servers</title>
370 Each zone is served by at least
371 one <emphasis>authoritative name server</emphasis>,
372 which contains the complete data for the zone.
373 To make the DNS tolerant of server and network failures,
374 most zones have two or more authoritative servers, on
379 Responses from authoritative servers have the "authoritative
380 answer" (AA) bit set in the response packets. This makes them
381 easy to identify when debugging DNS configurations using tools like
382 <command>dig</command> (<xref linkend="diagnostic_tools"/>).
386 <title>The Primary Master</title>
389 The authoritative server where the master copy of the zone
390 data is maintained is called the
391 <emphasis>primary master</emphasis> server, or simply the
392 <emphasis>primary</emphasis>. Typically it loads the zone
393 contents from some local file edited by humans or perhaps
394 generated mechanically from some other local file which is
395 edited by humans. This file is called the
396 <emphasis>zone file</emphasis> or
397 <emphasis>master file</emphasis>.
401 In some cases, however, the master file may not be edited
402 by humans at all, but may instead be the result of
403 <emphasis>dynamic update</emphasis> operations.
408 <title>Slave Servers</title>
410 The other authoritative servers, the <emphasis>slave</emphasis>
411 servers (also known as <emphasis>secondary</emphasis> servers)
413 the zone contents from another server using a replication process
414 known as a <emphasis>zone transfer</emphasis>. Typically the data
416 transferred directly from the primary master, but it is also
418 to transfer it from another slave. In other words, a slave server
419 may itself act as a master to a subordinate slave server.
424 <title>Stealth Servers</title>
427 Usually all of the zone's authoritative servers are listed in
428 NS records in the parent zone. These NS records constitute
429 a <emphasis>delegation</emphasis> of the zone from the parent.
430 The authoritative servers are also listed in the zone file itself,
431 at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
432 of the zone. You can list servers in the zone's top-level NS
433 records that are not in the parent's NS delegation, but you cannot
434 list servers in the parent's delegation that are not present at
435 the zone's top level.
439 A <emphasis>stealth server</emphasis> is a server that is
440 authoritative for a zone but is not listed in that zone's NS
441 records. Stealth servers can be used for keeping a local copy of
443 zone to speed up access to the zone's records or to make sure that
445 zone is available even if all the "official" servers for the zone
451 A configuration where the primary master server itself is a
452 stealth server is often referred to as a "hidden primary"
453 configuration. One use for this configuration is when the primary
455 is behind a firewall and therefore unable to communicate directly
456 with the outside world.
464 <title>Caching Name Servers</title>
467 - Terminology here is inconsistent. Probably ought to
468 - convert to using "recursive name server" everywhere
469 - with just a note about "caching" terminology.
473 The resolver libraries provided by most operating systems are
474 <emphasis>stub resolvers</emphasis>, meaning that they are not
476 performing the full DNS resolution process by themselves by talking
477 directly to the authoritative servers. Instead, they rely on a
479 name server to perform the resolution on their behalf. Such a
481 is called a <emphasis>recursive</emphasis> name server; it performs
482 <emphasis>recursive lookups</emphasis> for local clients.
486 To improve performance, recursive servers cache the results of
487 the lookups they perform. Since the processes of recursion and
488 caching are intimately connected, the terms
489 <emphasis>recursive server</emphasis> and
490 <emphasis>caching server</emphasis> are often used synonymously.
494 The length of time for which a record may be retained in
495 the cache of a caching name server is controlled by the
496 Time To Live (TTL) field associated with each resource record.
500 <title>Forwarding</title>
503 Even a caching name server does not necessarily perform
504 the complete recursive lookup itself. Instead, it can
505 <emphasis>forward</emphasis> some or all of the queries
506 that it cannot satisfy from its cache to another caching name
508 commonly referred to as a <emphasis>forwarder</emphasis>.
512 There may be one or more forwarders,
513 and they are queried in turn until the list is exhausted or an
515 is found. Forwarders are typically used when you do not
516 wish all the servers at a given site to interact directly with the
518 the Internet servers. A typical scenario would involve a number
519 of internal <acronym>DNS</acronym> servers and an
520 Internet firewall. Servers unable
521 to pass packets through the firewall would forward to the server
522 that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
523 on the internal server's behalf.
530 <title>Name Servers in Multiple Roles</title>
533 The <acronym>BIND</acronym> name server can
534 simultaneously act as
535 a master for some zones, a slave for other zones, and as a caching
536 (recursive) server for a set of local clients.
540 However, since the functions of authoritative name service
541 and caching/recursive name service are logically separate, it is
542 often advantageous to run them on separate server machines.
544 A server that only provides authoritative name service
545 (an <emphasis>authoritative-only</emphasis> server) can run with
546 recursion disabled, improving reliability and security.
548 A server that is not authoritative for any zones and only provides
549 recursive service to local
550 clients (a <emphasis>caching-only</emphasis> server)
551 does not need to be reachable from the Internet at large and can
552 be placed inside a firewall.
560 <chapter id="Bv9ARM.ch02">
561 <title><acronym>BIND</acronym> Resource Requirements</title>
564 <title>Hardware requirements</title>
567 <acronym>DNS</acronym> hardware requirements have
568 traditionally been quite modest.
569 For many installations, servers that have been pensioned off from
570 active duty have performed admirably as <acronym>DNS</acronym> servers.
573 The DNSSEC features of <acronym>BIND</acronym> 9
574 may prove to be quite
575 CPU intensive however, so organizations that make heavy use of these
576 features may wish to consider larger systems for these applications.
577 <acronym>BIND</acronym> 9 is fully multithreaded, allowing
579 multiprocessor systems for installations that need it.
583 <title>CPU Requirements</title>
585 CPU requirements for <acronym>BIND</acronym> 9 range from
587 for serving of static zones without caching, to enterprise-class
588 machines if you intend to process many dynamic updates and DNSSEC
589 signed zones, serving many thousands of queries per second.
594 <title>Memory Requirements</title>
596 The memory of the server has to be large enough to fit the
597 cache and zones loaded off disk. The <command>max-cache-size</command>
598 option can be used to limit the amount of memory used by the cache,
599 at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
601 Additionally, if additional section caching
602 (<xref linkend="acache"/>) is enabled,
603 the <command>max-acache-size</command> option can be used to
605 of memory used by the mechanism.
606 It is still good practice to have enough memory to load
607 all zone and cache data into memory — unfortunately, the best
609 to determine this for a given installation is to watch the name server
610 in operation. After a few weeks the server process should reach
611 a relatively stable size where entries are expiring from the cache as
612 fast as they are being inserted.
615 - Add something here about leaving overhead for attacks?
616 - How much overhead? Percentage?
621 <title>Name Server Intensive Environment Issues</title>
623 For name server intensive environments, there are two alternative
624 configurations that may be used. The first is where clients and
625 any second-level internal name servers query a main name server, which
626 has enough memory to build a large cache. This approach minimizes
627 the bandwidth used by external name lookups. The second alternative
628 is to set up second-level internal name servers to make queries
630 In this configuration, none of the individual machines needs to
631 have as much memory or CPU power as in the first alternative, but
632 this has the disadvantage of making many more external queries,
633 as none of the name servers share their cached data.
638 <title>Supported Operating Systems</title>
640 ISC <acronym>BIND</acronym> 9 compiles and runs on a large
642 of Unix-like operating system and on NT-derived versions of
643 Microsoft Windows such as Windows 2000 and Windows XP. For an
645 list of supported systems, see the README file in the top level
647 of the BIND 9 source distribution.
652 <chapter id="Bv9ARM.ch03">
653 <title>Name Server Configuration</title>
655 In this section we provide some suggested configurations along
656 with guidelines for their use. We suggest reasonable values for
657 certain option settings.
660 <sect1 id="sample_configuration">
661 <title>Sample Configurations</title>
663 <title>A Caching-only Name Server</title>
665 The following sample configuration is appropriate for a caching-only
666 name server for use by clients internal to a corporation. All
668 from outside clients are refused using the <command>allow-query</command>
669 option. Alternatively, the same effect could be achieved using
675 // Two corporate subnets we wish to allow queries from.
676 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
678 directory "/etc/namedb"; // Working directory
679 allow-query { corpnets; };
681 // Provide a reverse mapping for the loopback address 127.0.0.1
682 zone "0.0.127.in-addr.arpa" {
684 file "localhost.rev";
692 <title>An Authoritative-only Name Server</title>
694 This sample configuration is for an authoritative-only server
695 that is the master server for "<filename>example.com</filename>"
696 and a slave for the subdomain "<filename>eng.example.com</filename>".
701 directory "/etc/namedb"; // Working directory
702 allow-query-cache { none; }; // Do not allow access to cache
703 allow-query { any; }; // This is the default
704 recursion no; // Do not provide recursive service
707 // Provide a reverse mapping for the loopback address 127.0.0.1
708 zone "0.0.127.in-addr.arpa" {
710 file "localhost.rev";
713 // We are the master server for example.com
716 file "example.com.db";
717 // IP addresses of slave servers allowed to transfer example.com
723 // We are a slave server for eng.example.com
724 zone "eng.example.com" {
726 file "eng.example.com.bk";
727 // IP address of eng.example.com master server
728 masters { 192.168.4.12; };
736 <title>Load Balancing</title>
738 - Add explanation of why load balancing is fragile at best
739 - and completely pointless in the general case.
743 A primitive form of load balancing can be achieved in
744 the <acronym>DNS</acronym> by using multiple records
745 (such as multiple A records) for one name.
749 For example, if you have three WWW servers with network addresses
750 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
751 following means that clients will connect to each machine one third
755 <informaltable colsep="0" rowsep="0">
756 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
757 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
758 <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
759 <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
760 <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
761 <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
786 Resource Record (RR) Data
793 <literal>www</literal>
798 <literal>600</literal>
803 <literal>IN</literal>
813 <literal>10.0.0.1</literal>
823 <literal>600</literal>
828 <literal>IN</literal>
838 <literal>10.0.0.2</literal>
848 <literal>600</literal>
853 <literal>IN</literal>
863 <literal>10.0.0.3</literal>
871 When a resolver queries for these records, <acronym>BIND</acronym> will rotate
872 them and respond to the query with the records in a different
873 order. In the example above, clients will randomly receive
874 records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
875 will use the first record returned and discard the rest.
878 For more detail on ordering responses, check the
879 <command>rrset-order</command> substatement in the
880 <command>options</command> statement, see
881 <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
887 <title>Name Server Operations</title>
890 <title>Tools for Use With the Name Server Daemon</title>
892 This section describes several indispensable diagnostic,
893 administrative and monitoring tools available to the system
894 administrator for controlling and debugging the name server
897 <sect3 id="diagnostic_tools">
898 <title>Diagnostic Tools</title>
900 The <command>dig</command>, <command>host</command>, and
901 <command>nslookup</command> programs are all command
903 for manually querying name servers. They differ in style and
909 <term id="dig"><command>dig</command></term>
912 The domain information groper (<command>dig</command>)
913 is the most versatile and complete of these lookup tools.
914 It has two modes: simple interactive
915 mode for a single query, and batch mode which executes a
917 each in a list of several query lines. All query options are
919 from the command line.
921 <cmdsynopsis label="Usage">
922 <command>dig</command>
923 <arg>@<replaceable>server</replaceable></arg>
924 <arg choice="plain"><replaceable>domain</replaceable></arg>
925 <arg><replaceable>query-type</replaceable></arg>
926 <arg><replaceable>query-class</replaceable></arg>
927 <arg>+<replaceable>query-option</replaceable></arg>
928 <arg>-<replaceable>dig-option</replaceable></arg>
929 <arg>%<replaceable>comment</replaceable></arg>
932 The usual simple use of dig will take the form
935 <command>dig @server domain query-type query-class</command>
938 For more information and a list of available commands and
939 options, see the <command>dig</command> man
946 <term><command>host</command></term>
949 The <command>host</command> utility emphasizes
951 and ease of use. By default, it converts
952 between host names and Internet addresses, but its
954 can be extended with the use of options.
956 <cmdsynopsis label="Usage">
957 <command>host</command>
958 <arg>-aCdlnrsTwv</arg>
959 <arg>-c <replaceable>class</replaceable></arg>
960 <arg>-N <replaceable>ndots</replaceable></arg>
961 <arg>-t <replaceable>type</replaceable></arg>
962 <arg>-W <replaceable>timeout</replaceable></arg>
963 <arg>-R <replaceable>retries</replaceable></arg>
964 <arg>-m <replaceable>flag</replaceable></arg>
967 <arg choice="plain"><replaceable>hostname</replaceable></arg>
968 <arg><replaceable>server</replaceable></arg>
971 For more information and a list of available commands and
972 options, see the <command>host</command> man
979 <term><command>nslookup</command></term>
981 <para><command>nslookup</command>
982 has two modes: interactive and
983 non-interactive. Interactive mode allows the user to
984 query name servers for information about various
985 hosts and domains or to print a list of hosts in a
986 domain. Non-interactive mode is used to print just
987 the name and requested information for a host or
990 <cmdsynopsis label="Usage">
991 <command>nslookup</command>
992 <arg rep="repeat">-option</arg>
994 <arg><replaceable>host-to-find</replaceable></arg>
995 <arg>- <arg>server</arg></arg>
999 Interactive mode is entered when no arguments are given (the
1000 default name server will be used) or when the first argument
1002 hyphen (`-') and the second argument is the host name or
1007 Non-interactive mode is used when the name or Internet
1009 of the host to be looked up is given as the first argument.
1011 optional second argument specifies the host name or address
1015 Due to its arcane user interface and frequently inconsistent
1016 behavior, we do not recommend the use of <command>nslookup</command>.
1017 Use <command>dig</command> instead.
1025 <sect3 id="admin_tools">
1026 <title>Administrative Tools</title>
1028 Administrative tools play an integral part in the management
1032 <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
1034 <term><command>named-checkconf</command></term>
1037 The <command>named-checkconf</command> program
1038 checks the syntax of a <filename>named.conf</filename> file.
1040 <cmdsynopsis label="Usage">
1041 <command>named-checkconf</command>
1043 <arg>-t <replaceable>directory</replaceable></arg>
1044 <arg><replaceable>filename</replaceable></arg>
1048 <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
1050 <term><command>named-checkzone</command></term>
1053 The <command>named-checkzone</command> program
1054 checks a master file for
1055 syntax and consistency.
1057 <cmdsynopsis label="Usage">
1058 <command>named-checkzone</command>
1060 <arg>-c <replaceable>class</replaceable></arg>
1061 <arg>-o <replaceable>output</replaceable></arg>
1062 <arg>-t <replaceable>directory</replaceable></arg>
1063 <arg>-w <replaceable>directory</replaceable></arg>
1064 <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
1065 <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
1066 <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
1067 <arg choice="plain"><replaceable>zone</replaceable></arg>
1068 <arg><replaceable>filename</replaceable></arg>
1072 <varlistentry id="named-compilezone" xreflabel="Zone Compilation aplication">
1073 <term><command>named-compilezone</command></term>
1076 Similar to <command>named-checkzone,</command> but
1077 it always dumps the zone content to a specified file
1078 (typically in a different format).
1082 <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
1084 <term><command>rndc</command></term>
1087 The remote name daemon control
1088 (<command>rndc</command>) program allows the
1090 administrator to control the operation of a name server.
1091 Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
1092 supports all the commands of the BIND 8 <command>ndc</command>
1093 utility except <command>ndc start</command> and
1094 <command>ndc restart</command>, which were also
1095 not supported in <command>ndc</command>'s
1097 If you run <command>rndc</command> without any
1099 it will display a usage message as follows:
1101 <cmdsynopsis label="Usage">
1102 <command>rndc</command>
1103 <arg>-c <replaceable>config</replaceable></arg>
1104 <arg>-s <replaceable>server</replaceable></arg>
1105 <arg>-p <replaceable>port</replaceable></arg>
1106 <arg>-y <replaceable>key</replaceable></arg>
1107 <arg choice="plain"><replaceable>command</replaceable></arg>
1108 <arg rep="repeat"><replaceable>command</replaceable></arg>
1110 <para>The <command>command</command>
1111 is one of the following:
1117 <term><userinput>reload</userinput></term>
1120 Reload configuration file and zones.
1126 <term><userinput>reload <replaceable>zone</replaceable>
1127 <optional><replaceable>class</replaceable>
1128 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1131 Reload the given zone.
1137 <term><userinput>refresh <replaceable>zone</replaceable>
1138 <optional><replaceable>class</replaceable>
1139 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1142 Schedule zone maintenance for the given zone.
1148 <term><userinput>retransfer <replaceable>zone</replaceable>
1150 <optional><replaceable>class</replaceable>
1151 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1154 Retransfer the given zone from the master.
1161 <term><userinput>freeze
1162 <optional><replaceable>zone</replaceable>
1163 <optional><replaceable>class</replaceable>
1164 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1167 Suspend updates to a dynamic zone. If no zone is
1169 then all zones are suspended. This allows manual
1170 edits to be made to a zone normally updated by dynamic
1172 also causes changes in the journal file to be synced
1174 and the journal file to be removed. All dynamic
1175 update attempts will
1176 be refused while the zone is frozen.
1182 <term><userinput>thaw
1183 <optional><replaceable>zone</replaceable>
1184 <optional><replaceable>class</replaceable>
1185 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1188 Enable updates to a frozen dynamic zone. If no zone
1190 specified, then all frozen zones are enabled. This
1192 the server to reload the zone from disk, and
1193 re-enables dynamic updates
1194 after the load has completed. After a zone is thawed,
1196 will no longer be refused.
1202 <term><userinput>notify <replaceable>zone</replaceable>
1203 <optional><replaceable>class</replaceable>
1204 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1207 Resend NOTIFY messages for the zone.
1213 <term><userinput>reconfig</userinput></term>
1216 Reload the configuration file and load new zones,
1217 but do not reload existing zone files even if they
1219 This is faster than a full <command>reload</command> when there
1220 is a large number of zones because it avoids the need
1222 modification times of the zones files.
1228 <term><userinput>stats</userinput></term>
1231 Write server statistics to the statistics file.
1237 <term><userinput>querylog</userinput></term>
1240 Toggle query logging. Query logging can also be enabled
1241 by explicitly directing the <command>queries</command>
1242 <command>category</command> to a
1243 <command>channel</command> in the
1244 <command>logging</command> section of
1245 <filename>named.conf</filename> or by specifying
1246 <command>querylog yes;</command> in the
1247 <command>options</command> section of
1248 <filename>named.conf</filename>.
1254 <term><userinput>dumpdb
1255 <optional>-all|-cache|-zone</optional>
1256 <optional><replaceable>view ...</replaceable></optional></userinput></term>
1259 Dump the server's caches (default) and/or zones to
1261 dump file for the specified views. If no view is
1269 <term><userinput>stop <optional>-p</optional></userinput></term>
1272 Stop the server, making sure any recent changes
1273 made through dynamic update or IXFR are first saved to
1274 the master files of the updated zones.
1275 If -p is specified named's process id is returned.
1276 This allows an external process to determine when named
1277 had completed stopping.
1283 <term><userinput>halt <optional>-p</optional></userinput></term>
1286 Stop the server immediately. Recent changes
1287 made through dynamic update or IXFR are not saved to
1288 the master files, but will be rolled forward from the
1289 journal files when the server is restarted.
1290 If -p is specified named's process id is returned.
1291 This allows an external process to determine when named
1292 had completed halting.
1298 <term><userinput>trace</userinput></term>
1301 Increment the servers debugging level by one.
1307 <term><userinput>trace <replaceable>level</replaceable></userinput></term>
1310 Sets the server's debugging level to an explicit
1317 <term><userinput>notrace</userinput></term>
1320 Sets the server's debugging level to 0.
1326 <term><userinput>flush</userinput></term>
1329 Flushes the server's cache.
1335 <term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
1338 Flushes the given name from the server's cache.
1344 <term><userinput>status</userinput></term>
1347 Display status of the server.
1348 Note that the number of zones includes the internal <command>bind/CH</command> zone
1349 and the default <command>./IN</command>
1350 hint zone if there is not an
1351 explicit root zone configured.
1357 <term><userinput>recursing</userinput></term>
1360 Dump the list of queries named is currently recursing
1369 A configuration file is required, since all
1370 communication with the server is authenticated with
1371 digital signatures that rely on a shared secret, and
1372 there is no way to provide that secret other than with a
1373 configuration file. The default location for the
1374 <command>rndc</command> configuration file is
1375 <filename>/etc/rndc.conf</filename>, but an
1377 location can be specified with the <option>-c</option>
1378 option. If the configuration file is not found,
1379 <command>rndc</command> will also look in
1380 <filename>/etc/rndc.key</filename> (or whatever
1381 <varname>sysconfdir</varname> was defined when
1382 the <acronym>BIND</acronym> build was
1384 The <filename>rndc.key</filename> file is
1386 running <command>rndc-confgen -a</command> as
1388 <xref linkend="controls_statement_definition_and_usage"/>.
1392 The format of the configuration file is similar to
1393 that of <filename>named.conf</filename>, but
1395 only four statements, the <command>options</command>,
1396 <command>key</command>, <command>server</command> and
1397 <command>include</command>
1398 statements. These statements are what associate the
1399 secret keys to the servers with which they are meant to
1400 be shared. The order of statements is not
1405 The <command>options</command> statement has
1407 <command>default-server</command>, <command>default-key</command>,
1408 and <command>default-port</command>.
1409 <command>default-server</command> takes a
1410 host name or address argument and represents the server
1412 be contacted if no <option>-s</option>
1413 option is provided on the command line.
1414 <command>default-key</command> takes
1415 the name of a key as its argument, as defined by a <command>key</command> statement.
1416 <command>default-port</command> specifies the
1418 <command>rndc</command> should connect if no
1419 port is given on the command line or in a
1420 <command>server</command> statement.
1424 The <command>key</command> statement defines a
1426 by <command>rndc</command> when authenticating
1428 <command>named</command>. Its syntax is
1430 <command>key</command> statement in named.conf.
1431 The keyword <userinput>key</userinput> is
1432 followed by a key name, which must be a valid
1433 domain name, though it need not actually be hierarchical;
1435 a string like "<userinput>rndc_key</userinput>" is a valid
1437 The <command>key</command> statement has two
1439 <command>algorithm</command> and <command>secret</command>.
1440 While the configuration parser will accept any string as the
1442 to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
1443 has any meaning. The secret is a base-64 encoded string
1444 as specified in RFC 3548.
1448 The <command>server</command> statement
1450 defined using the <command>key</command>
1451 statement with a server.
1452 The keyword <userinput>server</userinput> is followed by a
1453 host name or address. The <command>server</command> statement
1454 has two clauses: <command>key</command> and <command>port</command>.
1455 The <command>key</command> clause specifies the
1457 to be used when communicating with this server, and the
1458 <command>port</command> clause can be used to
1459 specify the port <command>rndc</command> should
1465 A sample minimal configuration file is as follows:
1470 algorithm "hmac-md5";
1471 secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
1474 default-server 127.0.0.1;
1475 default-key rndc_key;
1480 This file, if installed as <filename>/etc/rndc.conf</filename>,
1481 would allow the command:
1485 <prompt>$ </prompt><userinput>rndc reload</userinput>
1489 to connect to 127.0.0.1 port 953 and cause the name server
1490 to reload, if a name server on the local machine were
1492 following controls statements:
1497 inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
1502 and it had an identical key statement for
1503 <literal>rndc_key</literal>.
1507 Running the <command>rndc-confgen</command>
1509 conveniently create a <filename>rndc.conf</filename>
1510 file for you, and also display the
1511 corresponding <command>controls</command>
1512 statement that you need to
1513 add to <filename>named.conf</filename>.
1515 you can run <command>rndc-confgen -a</command>
1517 a <filename>rndc.key</filename> file and not
1519 <filename>named.conf</filename> at all.
1530 <title>Signals</title>
1532 Certain UNIX signals cause the name server to take specific
1533 actions, as described in the following table. These signals can
1534 be sent using the <command>kill</command> command.
1536 <informaltable frame="all">
1538 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
1539 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
1543 <para><command>SIGHUP</command></para>
1547 Causes the server to read <filename>named.conf</filename> and
1548 reload the database.
1554 <para><command>SIGTERM</command></para>
1558 Causes the server to clean up and exit.
1564 <para><command>SIGINT</command></para>
1568 Causes the server to clean up and exit.
1579 <chapter id="Bv9ARM.ch04">
1580 <title>Advanced DNS Features</title>
1584 <title>Notify</title>
1586 <acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1587 servers to notify their slave servers of changes to a zone's data. In
1588 response to a <command>NOTIFY</command> from a master server, the
1589 slave will check to see that its version of the zone is the
1590 current version and, if not, initiate a zone transfer.
1594 For more information about <acronym>DNS</acronym>
1595 <command>NOTIFY</command>, see the description of the
1596 <command>notify</command> option in <xref linkend="boolean_options"/> and
1597 the description of the zone option <command>also-notify</command> in
1598 <xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1599 protocol is specified in RFC 1996.
1603 As a slave zone can also be a master to other slaves, named,
1604 by default, sends <command>NOTIFY</command> messages for every zone
1605 it loads. Specifying <command>notify master-only;</command> will
1606 cause named to only send <command>NOTIFY</command> for master
1607 zones that it loads.
1612 <sect1 id="dynamic_update">
1613 <title>Dynamic Update</title>
1616 Dynamic Update is a method for adding, replacing or deleting
1617 records in a master server by sending it a special form of DNS
1618 messages. The format and meaning of these messages is specified
1623 Dynamic update is enabled by
1624 including an <command>allow-update</command> or
1625 <command>update-policy</command> clause in the
1626 <command>zone</command> statement.
1630 Updating of secure zones (zones using DNSSEC) follows
1631 RFC 3007: RRSIG and NSEC records affected by updates are automatically
1632 regenerated by the server using an online zone key.
1633 Update authorization is based
1634 on transaction signatures and an explicit server policy.
1637 <sect2 id="journal">
1638 <title>The journal file</title>
1641 All changes made to a zone using dynamic update are stored
1642 in the zone's journal file. This file is automatically created
1643 by the server when the first dynamic update takes place.
1644 The name of the journal file is formed by appending the extension
1645 <filename>.jnl</filename> to the name of the
1647 file unless specifically overridden. The journal file is in a
1648 binary format and should not be edited manually.
1652 The server will also occasionally write ("dump")
1653 the complete contents of the updated zone to its zone file.
1654 This is not done immediately after
1655 each dynamic update, because that would be too slow when a large
1656 zone is updated frequently. Instead, the dump is delayed by
1657 up to 15 minutes, allowing additional updates to take place.
1661 When a server is restarted after a shutdown or crash, it will replay
1662 the journal file to incorporate into the zone any updates that
1664 place after the last zone dump.
1668 Changes that result from incoming incremental zone transfers are
1670 journalled in a similar way.
1674 The zone files of dynamic zones cannot normally be edited by
1675 hand because they are not guaranteed to contain the most recent
1676 dynamic changes — those are only in the journal file.
1677 The only way to ensure that the zone file of a dynamic zone
1678 is up to date is to run <command>rndc stop</command>.
1682 If you have to make changes to a dynamic zone
1683 manually, the following procedure will work: Disable dynamic updates
1685 <command>rndc freeze <replaceable>zone</replaceable></command>.
1686 This will also remove the zone's <filename>.jnl</filename> file
1687 and update the master file. Edit the zone file. Run
1688 <command>rndc thaw <replaceable>zone</replaceable></command>
1689 to reload the changed zone and re-enable dynamic updates.
1696 <sect1 id="incremental_zone_transfers">
1697 <title>Incremental Zone Transfers (IXFR)</title>
1700 The incremental zone transfer (IXFR) protocol is a way for
1701 slave servers to transfer only changed data, instead of having to
1702 transfer the entire zone. The IXFR protocol is specified in RFC
1703 1995. See <xref linkend="proposed_standards"/>.
1707 When acting as a master, <acronym>BIND</acronym> 9
1708 supports IXFR for those zones
1709 where the necessary change history information is available. These
1710 include master zones maintained by dynamic update and slave zones
1711 whose data was obtained by IXFR. For manually maintained master
1712 zones, and for slave zones obtained by performing a full zone
1713 transfer (AXFR), IXFR is supported only if the option
1714 <command>ixfr-from-differences</command> is set
1715 to <userinput>yes</userinput>.
1719 When acting as a slave, <acronym>BIND</acronym> 9 will
1720 attempt to use IXFR unless
1721 it is explicitly disabled. For more information about disabling
1722 IXFR, see the description of the <command>request-ixfr</command> clause
1723 of the <command>server</command> statement.
1728 <title>Split DNS</title>
1730 Setting up different views, or visibility, of the DNS space to
1731 internal and external resolvers is usually referred to as a
1732 <emphasis>Split DNS</emphasis> setup. There are several
1733 reasons an organization would want to set up its DNS this way.
1736 One common reason for setting up a DNS system this way is
1737 to hide "internal" DNS information from "external" clients on the
1738 Internet. There is some debate as to whether or not this is actually
1740 Internal DNS information leaks out in many ways (via email headers,
1741 for example) and most savvy "attackers" can find the information
1742 they need using other means.
1743 However, since listing addresses of internal servers that
1744 external clients cannot possibly reach can result in
1745 connection delays and other annoyances, an organization may
1746 choose to use a Split DNS to present a consistent view of itself
1747 to the outside world.
1750 Another common reason for setting up a Split DNS system is
1751 to allow internal networks that are behind filters or in RFC 1918
1752 space (reserved IP space, as documented in RFC 1918) to resolve DNS
1753 on the Internet. Split DNS can also be used to allow mail from outside
1754 back in to the internal network.
1757 <title>Example split DNS setup</title>
1759 Let's say a company named <emphasis>Example, Inc.</emphasis>
1760 (<literal>example.com</literal>)
1761 has several corporate sites that have an internal network with
1763 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1764 or "outside" section of a network, that is available to the public.
1767 <emphasis>Example, Inc.</emphasis> wants its internal clients
1768 to be able to resolve external hostnames and to exchange mail with
1769 people on the outside. The company also wants its internal resolvers
1770 to have access to certain internal-only zones that are not available
1771 at all outside of the internal network.
1774 In order to accomplish this, the company will set up two sets
1775 of name servers. One set will be on the inside network (in the
1777 IP space) and the other set will be on bastion hosts, which are
1779 hosts that can talk to both sides of its network, in the DMZ.
1782 The internal servers will be configured to forward all queries,
1783 except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1784 and <filename>site2.example.com</filename>, to the servers
1786 DMZ. These internal servers will have complete sets of information
1787 for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
1788 and <filename>site2.internal</filename>.
1791 To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1792 the internal name servers must be configured to disallow all queries
1793 to these domains from any external hosts, including the bastion
1797 The external servers, which are on the bastion hosts, will
1798 be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1799 This could include things such as the host records for public servers
1800 (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1801 and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
1804 In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1805 should have special MX records that contain wildcard (`*') records
1806 pointing to the bastion hosts. This is needed because external mail
1807 servers do not have any other way of looking up how to deliver mail
1808 to those internal hosts. With the wildcard records, the mail will
1809 be delivered to the bastion host, which can then forward it on to
1813 Here's an example of a wildcard MX record:
1815 <programlisting>* IN MX 10 external1.example.com.</programlisting>
1817 Now that they accept mail on behalf of anything in the internal
1818 network, the bastion hosts will need to know how to deliver mail
1819 to internal hosts. In order for this to work properly, the resolvers
1821 the bastion hosts will need to be configured to point to the internal
1822 name servers for DNS resolution.
1825 Queries for internal hostnames will be answered by the internal
1826 servers, and queries for external hostnames will be forwarded back
1827 out to the DNS servers on the bastion hosts.
1830 In order for all this to work properly, internal clients will
1831 need to be configured to query <emphasis>only</emphasis> the internal
1832 name servers for DNS queries. This could also be enforced via
1834 filtering on the network.
1837 If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1838 internal clients will now be able to:
1843 Look up any hostnames in the <literal>site1</literal>
1845 <literal>site2.example.com</literal> zones.
1850 Look up any hostnames in the <literal>site1.internal</literal> and
1851 <literal>site2.internal</literal> domains.
1855 <simpara>Look up any hostnames on the Internet.</simpara>
1858 <simpara>Exchange mail with both internal and external people.</simpara>
1862 Hosts on the Internet will be able to:
1867 Look up any hostnames in the <literal>site1</literal>
1869 <literal>site2.example.com</literal> zones.
1874 Exchange mail with anyone in the <literal>site1</literal> and
1875 <literal>site2.example.com</literal> zones.
1881 Here is an example configuration for the setup we just
1882 described above. Note that this is only configuration information;
1883 for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
1887 Internal DNS server config:
1892 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1894 acl externals { <varname>bastion-ips-go-here</varname>; };
1900 forwarders { // forward to external servers
1901 <varname>bastion-ips-go-here</varname>;
1903 allow-transfer { none; }; // sample allow-transfer (no one)
1904 allow-query { internals; externals; }; // restrict query access
1905 allow-recursion { internals; }; // restrict recursion
1910 zone "site1.example.com" { // sample master zone
1912 file "m/site1.example.com";
1913 forwarders { }; // do normal iterative
1914 // resolution (do not forward)
1915 allow-query { internals; externals; };
1916 allow-transfer { internals; };
1919 zone "site2.example.com" { // sample slave zone
1921 file "s/site2.example.com";
1922 masters { 172.16.72.3; };
1924 allow-query { internals; externals; };
1925 allow-transfer { internals; };
1928 zone "site1.internal" {
1930 file "m/site1.internal";
1932 allow-query { internals; };
1933 allow-transfer { internals; }
1936 zone "site2.internal" {
1938 file "s/site2.internal";
1939 masters { 172.16.72.3; };
1941 allow-query { internals };
1942 allow-transfer { internals; }
1947 External (bastion host) DNS server config:
1951 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1953 acl externals { bastion-ips-go-here; };
1958 allow-transfer { none; }; // sample allow-transfer (no one)
1959 allow-query { any; }; // default query access
1960 allow-query-cache { internals; externals; }; // restrict cache access
1961 allow-recursion { internals; externals; }; // restrict recursion
1966 zone "site1.example.com" { // sample slave zone
1968 file "m/site1.foo.com";
1969 allow-transfer { internals; externals; };
1972 zone "site2.example.com" {
1974 file "s/site2.foo.com";
1975 masters { another_bastion_host_maybe; };
1976 allow-transfer { internals; externals; }
1981 In the <filename>resolv.conf</filename> (or equivalent) on
1982 the bastion host(s):
1987 nameserver 172.16.72.2
1988 nameserver 172.16.72.3
1989 nameserver 172.16.72.4
1997 This is a short guide to setting up Transaction SIGnatures
1998 (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
1999 to the configuration file as well as what changes are required for
2000 different features, including the process of creating transaction
2001 keys and using transaction signatures with <acronym>BIND</acronym>.
2004 <acronym>BIND</acronym> primarily supports TSIG for server
2005 to server communication.
2006 This includes zone transfer, notify, and recursive query messages.
2007 Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
2012 TSIG can also be useful for dynamic update. A primary
2013 server for a dynamic zone should control access to the dynamic
2014 update service, but IP-based access control is insufficient.
2015 The cryptographic access control provided by TSIG
2016 is far superior. The <command>nsupdate</command>
2017 program supports TSIG via the <option>-k</option> and
2018 <option>-y</option> command line options or inline by use
2019 of the <command>key</command>.
2023 <title>Generate Shared Keys for Each Pair of Hosts</title>
2025 A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
2026 An arbitrary key name is chosen: "host1-host2.". The key name must
2027 be the same on both hosts.
2030 <title>Automatic Generation</title>
2032 The following command will generate a 128-bit (16 byte) HMAC-MD5
2033 key as described above. Longer keys are better, but shorter keys
2034 are easier to read. Note that the maximum key length is 512 bits;
2035 keys longer than that will be digested with MD5 to produce a
2039 <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
2042 The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
2043 Nothing directly uses this file, but the base-64 encoded string
2044 following "<literal>Key:</literal>"
2045 can be extracted from the file and used as a shared secret:
2047 <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
2049 The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
2050 be used as the shared secret.
2054 <title>Manual Generation</title>
2056 The shared secret is simply a random sequence of bits, encoded
2057 in base-64. Most ASCII strings are valid base-64 strings (assuming
2058 the length is a multiple of 4 and only valid characters are used),
2059 so the shared secret can be manually generated.
2062 Also, a known string can be run through <command>mmencode</command> or
2063 a similar program to generate base-64 encoded data.
2068 <title>Copying the Shared Secret to Both Machines</title>
2070 This is beyond the scope of DNS. A secure transport mechanism
2071 should be used. This could be secure FTP, ssh, telephone, etc.
2075 <title>Informing the Servers of the Key's Existence</title>
2077 Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
2079 both servers. The following is added to each server's <filename>named.conf</filename> file:
2085 secret "La/E5CjG9O+os1jq0a2jdA==";
2090 The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
2091 The secret is the one generated above. Since this is a secret, it
2092 is recommended that either <filename>named.conf</filename> be non-world
2093 readable, or the key directive be added to a non-world readable
2094 file that is included by
2095 <filename>named.conf</filename>.
2098 At this point, the key is recognized. This means that if the
2099 server receives a message signed by this key, it can verify the
2100 signature. If the signature is successfully verified, the
2101 response is signed by the same key.
2106 <title>Instructing the Server to Use the Key</title>
2108 Since keys are shared between two hosts only, the server must
2109 be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
2110 for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
2116 keys { host1-host2. ;};
2121 Multiple keys may be present, but only the first is used.
2122 This directive does not contain any secrets, so it may be in a
2127 If <emphasis>host1</emphasis> sends a message that is a request
2128 to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
2129 expect any responses to signed messages to be signed with the same
2133 A similar statement must be present in <emphasis>host2</emphasis>'s
2134 configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
2135 sign request messages to <emphasis>host1</emphasis>.
2139 <title>TSIG Key Based Access Control</title>
2141 <acronym>BIND</acronym> allows IP addresses and ranges
2142 to be specified in ACL
2144 <command>allow-{ query | transfer | update }</command>
2146 This has been extended to allow TSIG keys also. The above key would
2147 be denoted <command>key host1-host2.</command>
2150 An example of an allow-update directive would be:
2154 allow-update { key host1-host2. ;};
2158 This allows dynamic updates to succeed only if the request
2159 was signed by a key named
2160 "<command>host1-host2.</command>".
2163 You may want to read about the more
2164 powerful <command>update-policy</command> statement in <xref linkend="dynamic_update_policies"/>.
2169 <title>Errors</title>
2172 The processing of TSIG signed messages can result in
2173 several errors. If a signed message is sent to a non-TSIG aware
2174 server, a FORMERR (format error) will be returned, since the server will not
2175 understand the record. This is a result of misconfiguration,
2176 since the server must be explicitly configured to send a TSIG
2177 signed message to a specific server.
2181 If a TSIG aware server receives a message signed by an
2182 unknown key, the response will be unsigned with the TSIG
2183 extended error code set to BADKEY. If a TSIG aware server
2184 receives a message with a signature that does not validate, the
2185 response will be unsigned with the TSIG extended error code set
2186 to BADSIG. If a TSIG aware server receives a message with a time
2187 outside of the allowed range, the response will be signed with
2188 the TSIG extended error code set to BADTIME, and the time values
2189 will be adjusted so that the response can be successfully
2190 verified. In any of these cases, the message's rcode (response code) is set to
2191 NOTAUTH (not authenticated).
2199 <para><command>TKEY</command>
2200 is a mechanism for automatically generating a shared secret
2201 between two hosts. There are several "modes" of
2202 <command>TKEY</command> that specify how the key is generated
2203 or assigned. <acronym>BIND</acronym> 9 implements only one of
2204 these modes, the Diffie-Hellman key exchange. Both hosts are
2205 required to have a Diffie-Hellman KEY record (although this
2206 record is not required to be present in a zone). The
2207 <command>TKEY</command> process must use signed messages,
2208 signed either by TSIG or SIG(0). The result of
2209 <command>TKEY</command> is a shared secret that can be used to
2210 sign messages with TSIG. <command>TKEY</command> can also be
2211 used to delete shared secrets that it had previously
2216 The <command>TKEY</command> process is initiated by a
2218 or server by sending a signed <command>TKEY</command>
2220 (including any appropriate KEYs) to a TKEY-aware server. The
2221 server response, if it indicates success, will contain a
2222 <command>TKEY</command> record and any appropriate keys.
2224 this exchange, both participants have enough information to
2225 determine the shared secret; the exact process depends on the
2226 <command>TKEY</command> mode. When using the
2228 <command>TKEY</command> mode, Diffie-Hellman keys are
2230 and the shared secret is derived by both participants.
2235 <title>SIG(0)</title>
2238 <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
2239 transaction signatures as specified in RFC 2535 and RFC2931.
2241 uses public/private keys to authenticate messages. Access control
2242 is performed in the same manner as TSIG keys; privileges can be
2243 granted or denied based on the key name.
2247 When a SIG(0) signed message is received, it will only be
2248 verified if the key is known and trusted by the server; the server
2249 will not attempt to locate and/or validate the key.
2253 SIG(0) signing of multiple-message TCP streams is not
2258 The only tool shipped with <acronym>BIND</acronym> 9 that
2259 generates SIG(0) signed messages is <command>nsupdate</command>.
2264 <title>DNSSEC</title>
2267 Cryptographic authentication of DNS information is possible
2268 through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
2269 defined in RFC 4033, RFC 4034, and RFC 4035.
2270 This section describes the creation and use of DNSSEC signed zones.
2274 In order to set up a DNSSEC secure zone, there are a series
2275 of steps which must be followed. <acronym>BIND</acronym>
2278 that are used in this process, which are explained in more detail
2279 below. In all cases, the <option>-h</option> option prints a
2280 full list of parameters. Note that the DNSSEC tools require the
2281 keyset files to be in the working directory or the
2282 directory specified by the <option>-d</option> option, and
2283 that the tools shipped with BIND 9.2.x and earlier are not compatible
2284 with the current ones.
2288 There must also be communication with the administrators of
2289 the parent and/or child zone to transmit keys. A zone's security
2290 status must be indicated by the parent zone for a DNSSEC capable
2291 resolver to trust its data. This is done through the presence
2292 or absence of a <literal>DS</literal> record at the
2298 For other servers to trust data in this zone, they must
2299 either be statically configured with this zone's zone key or the
2300 zone key of another zone above this one in the DNS tree.
2304 <title>Generating Keys</title>
2307 The <command>dnssec-keygen</command> program is used to
2312 A secure zone must contain one or more zone keys. The
2313 zone keys will sign all other records in the zone, as well as
2314 the zone keys of any secure delegated zones. Zone keys must
2315 have the same name as the zone, a name type of
2316 <command>ZONE</command>, and must be usable for
2318 It is recommended that zone keys use a cryptographic algorithm
2319 designated as "mandatory to implement" by the IETF; currently
2320 the only one is RSASHA1.
2324 The following command will generate a 768-bit RSASHA1 key for
2325 the <filename>child.example</filename> zone:
2329 <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
2333 Two output files will be produced:
2334 <filename>Kchild.example.+005+12345.key</filename> and
2335 <filename>Kchild.example.+005+12345.private</filename>
2337 12345 is an example of a key tag). The key filenames contain
2338 the key name (<filename>child.example.</filename>),
2340 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
2342 The private key (in the <filename>.private</filename>
2344 used to generate signatures, and the public key (in the
2345 <filename>.key</filename> file) is used for signature
2350 To generate another key with the same properties (but with
2351 a different key tag), repeat the above command.
2355 The public keys should be inserted into the zone file by
2356 including the <filename>.key</filename> files using
2357 <command>$INCLUDE</command> statements.
2362 <title>Signing the Zone</title>
2365 The <command>dnssec-signzone</command> program is used
2371 Any <filename>keyset</filename> files corresponding
2372 to secure subzones should be present. The zone signer will
2373 generate <literal>NSEC</literal> and <literal>RRSIG</literal>
2374 records for the zone, as well as <literal>DS</literal>
2376 the child zones if <literal>'-d'</literal> is specified.
2377 If <literal>'-d'</literal> is not specified, then
2379 the secure child zones need to be added manually.
2383 The following command signs the zone, assuming it is in a
2384 file called <filename>zone.child.example</filename>. By
2385 default, all zone keys which have an available private key are
2386 used to generate signatures.
2390 <userinput>dnssec-signzone -o child.example zone.child.example</userinput>
2394 One output file is produced:
2395 <filename>zone.child.example.signed</filename>. This
2397 should be referenced by <filename>named.conf</filename>
2399 input file for the zone.
2402 <para><command>dnssec-signzone</command>
2403 will also produce a keyset and dsset files and optionally a
2404 dlvset file. These are used to provide the parent zone
2405 administrators with the <literal>DNSKEYs</literal> (or their
2406 corresponding <literal>DS</literal> records) that are the
2407 secure entry point to the zone.
2413 <title>Configuring Servers</title>
2416 To enable <command>named</command> to respond appropriately
2417 to DNS requests from DNSSEC aware clients,
2418 <command>dnssec-enable</command> must be set to yes.
2422 To enable <command>named</command> to validate answers from
2423 other servers both <command>dnssec-enable</command> and
2424 <command>dnssec-validation</command> must be set and some
2425 <command>trusted-keys</command> must be configured
2426 into <filename>named.conf</filename>.
2430 <command>trusted-keys</command> are copies of DNSKEY RRs
2431 for zones that are used to form the first link in the
2432 cryptographic chain of trust. All keys listed in
2433 <command>trusted-keys</command> (and corresponding zones)
2434 are deemed to exist and only the listed keys will be used
2435 to validated the DNSKEY RRset that they are from.
2439 <command>trusted-keys</command> are described in more detail
2440 later in this document.
2444 Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
2445 9 does not verify signatures on load, so zone keys for
2446 authoritative zones do not need to be specified in the
2451 After DNSSEC gets established, a typical DNSSEC configuration
2452 will look something like the following. It has a one or
2453 more public keys for the root. This allows answers from
2454 outside the organization to be validated. It will also
2455 have several keys for parts of the namespace the organization
2456 controls. These are here to ensure that named is immune
2457 to compromises in the DNSSEC components of the security
2465 "." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
2466 E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
2467 zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
2468 MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
2469 /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
2470 iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
2471 Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
2473 /* Key for our organization's forward zone */
2474 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
2475 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
2476 OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
2477 lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
2478 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
2479 iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
2480 SCThlHf3xiYleDbt/o1OTQ09A0=";
2482 /* Key for our reverse zone. */
2483 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
2484 VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
2485 tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
2486 yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
2487 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
2488 zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
2489 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
2490 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
2496 dnssec-validation yes;
2501 None of the keys listed in this example are valid. In particular,
2502 the root key is not valid.
2509 <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
2512 <acronym>BIND</acronym> 9 fully supports all currently
2513 defined forms of IPv6
2514 name to address and address to name lookups. It will also use
2515 IPv6 addresses to make queries when running on an IPv6 capable
2520 For forward lookups, <acronym>BIND</acronym> 9 supports
2521 only AAAA records. RFC 3363 deprecated the use of A6 records,
2522 and client-side support for A6 records was accordingly removed
2523 from <acronym>BIND</acronym> 9.
2524 However, authoritative <acronym>BIND</acronym> 9 name servers still
2525 load zone files containing A6 records correctly, answer queries
2526 for A6 records, and accept zone transfer for a zone containing A6
2531 For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
2532 the traditional "nibble" format used in the
2533 <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
2534 <emphasis>ip6.int</emphasis> domain.
2535 Older versions of <acronym>BIND</acronym> 9
2536 supported the "binary label" (also known as "bitstring") format,
2537 but support of binary labels has been completely removed per
2539 Many applications in <acronym>BIND</acronym> 9 do not understand
2540 the binary label format at all any more, and will return an
2542 In particular, an authoritative <acronym>BIND</acronym> 9
2543 name server will not load a zone file containing binary labels.
2547 For an overview of the format and structure of IPv6 addresses,
2548 see <xref linkend="ipv6addresses"/>.
2552 <title>Address Lookups Using AAAA Records</title>
2555 The IPv6 AAAA record is a parallel to the IPv4 A record,
2556 and, unlike the deprecated A6 record, specifies the entire
2557 IPv6 address in a single record. For example,
2561 $ORIGIN example.com.
2562 host 3600 IN AAAA 2001:db8::1
2566 Use of IPv4-in-IPv6 mapped addresses is not recommended.
2567 If a host has an IPv4 address, use an A record, not
2568 a AAAA, with <literal>::ffff:192.168.42.1</literal> as
2573 <title>Address to Name Lookups Using Nibble Format</title>
2576 When looking up an address in nibble format, the address
2577 components are simply reversed, just as in IPv4, and
2578 <literal>ip6.arpa.</literal> is appended to the
2580 For example, the following would provide reverse name lookup for
2582 <literal>2001:db8::1</literal>.
2586 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
2587 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
2594 <chapter id="Bv9ARM.ch05">
2595 <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
2597 <title>The Lightweight Resolver Library</title>
2599 Traditionally applications have been linked with a stub resolver
2600 library that sends recursive DNS queries to a local caching name
2604 IPv6 once introduced new complexity into the resolution process,
2605 such as following A6 chains and DNAME records, and simultaneous
2606 lookup of IPv4 and IPv6 addresses. Though most of the complexity was
2607 then removed, these are hard or impossible
2608 to implement in a traditional stub resolver.
2611 <acronym>BIND</acronym> 9 therefore can also provide resolution
2612 services to local clients
2613 using a combination of a lightweight resolver library and a resolver
2614 daemon process running on the local host. These communicate using
2615 a simple UDP-based protocol, the "lightweight resolver protocol"
2616 that is distinct from and simpler than the full DNS protocol.
2620 <title>Running a Resolver Daemon</title>
2623 To use the lightweight resolver interface, the system must
2624 run the resolver daemon <command>lwresd</command> or a
2626 name server configured with a <command>lwres</command>
2631 By default, applications using the lightweight resolver library will
2633 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
2635 address can be overridden by <command>lwserver</command>
2637 <filename>/etc/resolv.conf</filename>.
2641 The daemon currently only looks in the DNS, but in the future
2642 it may use other sources such as <filename>/etc/hosts</filename>,
2647 The <command>lwresd</command> daemon is essentially a
2648 caching-only name server that responds to requests using the
2650 resolver protocol rather than the DNS protocol. Because it needs
2651 to run on each host, it is designed to require no or minimal
2653 Unless configured otherwise, it uses the name servers listed on
2654 <command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
2655 as forwarders, but is also capable of doing the resolution
2660 The <command>lwresd</command> daemon may also be
2662 <filename>named.conf</filename> style configuration file,
2664 <filename>/etc/lwresd.conf</filename> by default. A name
2666 be configured to act as a lightweight resolver daemon using the
2667 <command>lwres</command> statement in <filename>named.conf</filename>.
2673 <chapter id="Bv9ARM.ch06">
2674 <title><acronym>BIND</acronym> 9 Configuration Reference</title>
2677 <acronym>BIND</acronym> 9 configuration is broadly similar
2678 to <acronym>BIND</acronym> 8; however, there are a few new
2680 of configuration, such as views. <acronym>BIND</acronym>
2681 8 configuration files should work with few alterations in <acronym>BIND</acronym>
2682 9, although more complex configurations should be reviewed to check
2683 if they can be more efficiently implemented using the new features
2684 found in <acronym>BIND</acronym> 9.
2688 <acronym>BIND</acronym> 4 configuration files can be
2689 converted to the new format
2690 using the shell script
2691 <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
2693 <sect1 id="configuration_file_elements">
2694 <title>Configuration File Elements</title>
2696 Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
2699 <informaltable colsep="0" rowsep="0">
2700 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
2701 <colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
2702 <colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
2707 <varname>acl_name</varname>
2712 The name of an <varname>address_match_list</varname> as
2713 defined by the <command>acl</command> statement.
2720 <varname>address_match_list</varname>
2725 A list of one or more
2726 <varname>ip_addr</varname>,
2727 <varname>ip_prefix</varname>, <varname>key_id</varname>,
2728 or <varname>acl_name</varname> elements, see
2729 <xref linkend="address_match_lists"/>.
2736 <varname>masters_list</varname>
2741 A named list of one or more <varname>ip_addr</varname>
2742 with optional <varname>key_id</varname> and/or
2743 <varname>ip_port</varname>.
2744 A <varname>masters_list</varname> may include other
2745 <varname>masters_lists</varname>.
2752 <varname>domain_name</varname>
2757 A quoted string which will be used as
2758 a DNS name, for example "<literal>my.test.domain</literal>".
2765 <varname>dotted_decimal</varname>
2770 One to four integers valued 0 through
2771 255 separated by dots (`.'), such as <command>123</command>,
2772 <command>45.67</command> or <command>89.123.45.67</command>.
2779 <varname>ip4_addr</varname>
2784 An IPv4 address with exactly four elements
2785 in <varname>dotted_decimal</varname> notation.
2792 <varname>ip6_addr</varname>
2797 An IPv6 address, such as <command>2001:db8::1234</command>.
2798 IPv6 scoped addresses that have ambiguity on their scope
2800 disambiguated by an appropriate zone ID with the percent
2803 It is strongly recommended to use string zone names rather
2805 numeric identifiers, in order to be robust against system
2806 configuration changes.
2807 However, since there is no standard mapping for such names
2809 identifier values, currently only interface names as link
2811 are supported, assuming one-to-one mapping between
2812 interfaces and links.
2813 For example, a link-local address <command>fe80::1</command> on the
2814 link attached to the interface <command>ne0</command>
2815 can be specified as <command>fe80::1%ne0</command>.
2816 Note that on most systems link-local addresses always have
2818 ambiguity, and need to be disambiguated.
2825 <varname>ip_addr</varname>
2830 An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
2837 <varname>ip_port</varname>
2842 An IP port <varname>number</varname>.
2843 The <varname>number</varname> is limited to 0
2844 through 65535, with values
2845 below 1024 typically restricted to use by processes running
2847 In some cases, an asterisk (`*') character can be used as a
2849 select a random high-numbered port.
2856 <varname>ip_prefix</varname>
2861 An IP network specified as an <varname>ip_addr</varname>,
2862 followed by a slash (`/') and then the number of bits in the
2864 Trailing zeros in a <varname>ip_addr</varname>
2866 For example, <command>127/8</command> is the
2867 network <command>127.0.0.0</command> with
2868 netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
2869 network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
2876 <varname>key_id</varname>
2881 A <varname>domain_name</varname> representing
2882 the name of a shared key, to be used for transaction
2890 <varname>key_list</varname>
2895 A list of one or more
2896 <varname>key_id</varname>s,
2897 separated by semicolons and ending with a semicolon.
2904 <varname>number</varname>
2909 A non-negative 32-bit integer
2910 (i.e., a number between 0 and 4294967295, inclusive).
2911 Its acceptable value might further
2912 be limited by the context in which it is used.
2919 <varname>path_name</varname>
2924 A quoted string which will be used as
2925 a pathname, such as <filename>zones/master/my.test.domain</filename>.
2932 <varname>size_spec</varname>
2937 A number, the word <userinput>unlimited</userinput>,
2938 or the word <userinput>default</userinput>.
2941 An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
2942 use, or the maximum available amount. A <varname>default size_spec</varname> uses
2943 the limit that was in force when the server was started.
2946 A <varname>number</varname> can optionally be
2947 followed by a scaling factor:
2948 <userinput>K</userinput> or <userinput>k</userinput>
2950 <userinput>M</userinput> or <userinput>m</userinput>
2952 <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
2953 which scale by 1024, 1024*1024, and 1024*1024*1024
2957 The value must be representable as a 64-bit unsigned integer
2958 (0 to 18446744073709551615, inclusive).
2959 Using <varname>unlimited</varname> is the best
2961 to safely set a really large number.
2968 <varname>yes_or_no</varname>
2973 Either <userinput>yes</userinput> or <userinput>no</userinput>.
2974 The words <userinput>true</userinput> and <userinput>false</userinput> are
2975 also accepted, as are the numbers <userinput>1</userinput>
2976 and <userinput>0</userinput>.
2983 <varname>dialup_option</varname>
2988 One of <userinput>yes</userinput>,
2989 <userinput>no</userinput>, <userinput>notify</userinput>,
2990 <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
2991 <userinput>passive</userinput>.
2992 When used in a zone, <userinput>notify-passive</userinput>,
2993 <userinput>refresh</userinput>, and <userinput>passive</userinput>
2994 are restricted to slave and stub zones.
3001 <sect2 id="address_match_lists">
3002 <title>Address Match Lists</title>
3004 <title>Syntax</title>
3006 <programlisting><varname>address_match_list</varname> = address_match_list_element ;
3007 <optional> address_match_list_element; ... </optional>
3008 <varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
3009 key key_id | acl_name | { address_match_list } )
3014 <title>Definition and Usage</title>
3016 Address match lists are primarily used to determine access
3017 control for various server operations. They are also used in
3018 the <command>listen-on</command> and <command>sortlist</command>
3019 statements. The elements
3020 which constitute an address match list can be any of the
3025 <simpara>an IP address (IPv4 or IPv6)</simpara>
3028 <simpara>an IP prefix (in `/' notation)</simpara>
3032 a key ID, as defined by the <command>key</command>
3037 <simpara>the name of an address match list defined with
3038 the <command>acl</command> statement
3042 <simpara>a nested address match list enclosed in braces</simpara>
3047 Elements can be negated with a leading exclamation mark (`!'),
3048 and the match list names "any", "none", "localhost", and
3050 are predefined. More information on those names can be found in
3051 the description of the acl statement.
3055 The addition of the key clause made the name of this syntactic
3056 element something of a misnomer, since security keys can be used
3057 to validate access without regard to a host or network address.
3059 the term "address match list" is still used throughout the
3064 When a given IP address or prefix is compared to an address
3065 match list, the list is traversed in order until an element
3067 The interpretation of a match depends on whether the list is being
3069 for access control, defining listen-on ports, or in a sortlist,
3070 and whether the element was negated.
3074 When used as an access control list, a non-negated match
3075 allows access and a negated match denies access. If
3076 there is no match, access is denied. The clauses
3077 <command>allow-notify</command>,
3078 <command>allow-query</command>,
3079 <command>allow-query-cache</command>,
3080 <command>allow-transfer</command>,
3081 <command>allow-update</command>,
3082 <command>allow-update-forwarding</command>, and
3083 <command>blackhole</command> all use address match
3084 lists. Similarly, the listen-on option will cause the
3085 server to not accept queries on any of the machine's
3086 addresses which do not match the list.
3090 Because of the first-match aspect of the algorithm, an element
3091 that defines a subset of another element in the list should come
3092 before the broader element, regardless of whether either is
3095 <command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13
3097 completely useless because the algorithm will match any lookup for
3098 1.2.3.13 to the 1.2.3/24 element.
3099 Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
3100 that problem by having 1.2.3.13 blocked by the negation but all
3101 other 1.2.3.* hosts fall through.
3107 <title>Comment Syntax</title>
3110 The <acronym>BIND</acronym> 9 comment syntax allows for
3112 anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
3113 file. To appeal to programmers of all kinds, they can be written
3114 in the C, C++, or shell/perl style.
3118 <title>Syntax</title>
3121 <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
3122 <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
3123 <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
3127 <title>Definition and Usage</title>
3129 Comments may appear anywhere that whitespace may appear in
3130 a <acronym>BIND</acronym> configuration file.
3133 C-style comments start with the two characters /* (slash,
3134 star) and end with */ (star, slash). Because they are completely
3135 delimited with these characters, they can be used to comment only
3136 a portion of a line or to span multiple lines.
3139 C-style comments cannot be nested. For example, the following
3140 is not valid because the entire comment ends with the first */:
3144 <programlisting>/* This is the start of a comment.
3145 This is still part of the comment.
3146 /* This is an incorrect attempt at nesting a comment. */
3147 This is no longer in any comment. */
3153 C++-style comments start with the two characters // (slash,
3154 slash) and continue to the end of the physical line. They cannot
3155 be continued across multiple physical lines; to have one logical
3156 comment span multiple lines, each line must use the // pair.
3163 <programlisting>// This is the start of a comment. The next line
3164 // is a new comment, even though it is logically
3165 // part of the previous comment.
3170 Shell-style (or perl-style, if you prefer) comments start
3171 with the character <literal>#</literal> (number sign)
3172 and continue to the end of the
3173 physical line, as in C++ comments.
3181 <programlisting># This is the start of a comment. The next line
3182 # is a new comment, even though it is logically
3183 # part of the previous comment.
3190 You cannot use the semicolon (`;') character
3191 to start a comment such as you would in a zone file. The
3192 semicolon indicates the end of a configuration
3200 <sect1 id="Configuration_File_Grammar">
3201 <title>Configuration File Grammar</title>
3204 A <acronym>BIND</acronym> 9 configuration consists of
3205 statements and comments.
3206 Statements end with a semicolon. Statements and comments are the
3207 only elements that can appear without enclosing braces. Many
3208 statements contain a block of sub-statements, which are also
3209 terminated with a semicolon.
3213 The following statements are supported:
3216 <informaltable colsep="0" rowsep="0">
3217 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
3218 <colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
3219 <colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
3223 <para><command>acl</command></para>
3227 defines a named IP address
3228 matching list, for access control and other uses.
3234 <para><command>controls</command></para>
3238 declares control channels to be used
3239 by the <command>rndc</command> utility.
3245 <para><command>include</command></para>
3255 <para><command>key</command></para>
3259 specifies key information for use in
3260 authentication and authorization using TSIG.
3266 <para><command>logging</command></para>
3270 specifies what the server logs, and where
3271 the log messages are sent.
3277 <para><command>lwres</command></para>
3281 configures <command>named</command> to
3282 also act as a light-weight resolver daemon (<command>lwresd</command>).
3288 <para><command>masters</command></para>
3292 defines a named masters list for
3293 inclusion in stub and slave zone masters clauses.
3299 <para><command>options</command></para>
3303 controls global server configuration
3304 options and sets defaults for other statements.
3310 <para><command>server</command></para>
3314 sets certain configuration options on
3321 <para><command>trusted-keys</command></para>
3325 defines trusted DNSSEC keys.
3331 <para><command>view</command></para>
3341 <para><command>zone</command></para>
3354 The <command>logging</command> and
3355 <command>options</command> statements may only occur once
3361 <title><command>acl</command> Statement Grammar</title>
3363 <programlisting><command>acl</command> acl-name {
3370 <title><command>acl</command> Statement Definition and
3374 The <command>acl</command> statement assigns a symbolic
3375 name to an address match list. It gets its name from a primary
3376 use of address match lists: Access Control Lists (ACLs).
3380 Note that an address match list's name must be defined
3381 with <command>acl</command> before it can be used
3383 forward references are allowed.
3387 The following ACLs are built-in:
3390 <informaltable colsep="0" rowsep="0">
3391 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
3392 <colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
3393 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
3397 <para><command>any</command></para>
3407 <para><command>none</command></para>
3417 <para><command>localhost</command></para>
3421 Matches the IPv4 and IPv6 addresses of all network
3422 interfaces on the system.
3428 <para><command>localnets</command></para>
3432 Matches any host on an IPv4 or IPv6 network
3433 for which the system has an interface.
3434 Some systems do not provide a way to determine the prefix
3436 local IPv6 addresses.
3437 In such a case, <command>localnets</command>
3438 only matches the local
3439 IPv6 addresses, just like <command>localhost</command>.
3449 <title><command>controls</command> Statement Grammar</title>
3451 <programlisting><command>controls</command> {
3452 [ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
3453 keys { <replaceable>key_list</replaceable> }; ]
3455 [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
3462 <sect2 id="controls_statement_definition_and_usage">
3463 <title><command>controls</command> Statement Definition and
3467 The <command>controls</command> statement declares control
3468 channels to be used by system administrators to control the
3469 operation of the name server. These control channels are
3470 used by the <command>rndc</command> utility to send
3471 commands to and retrieve non-DNS results from a name server.
3475 An <command>inet</command> control channel is a TCP socket
3476 listening at the specified <command>ip_port</command> on the
3477 specified <command>ip_addr</command>, which can be an IPv4 or IPv6
3478 address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
3479 interpreted as the IPv4 wildcard address; connections will be
3480 accepted on any of the system's IPv4 addresses.
3481 To listen on the IPv6 wildcard address,
3482 use an <command>ip_addr</command> of <literal>::</literal>.
3483 If you will only use <command>rndc</command> on the local host,
3484 using the loopback address (<literal>127.0.0.1</literal>
3485 or <literal>::1</literal>) is recommended for maximum security.
3489 If no port is specified, port 953 is used. The asterisk
3490 "<literal>*</literal>" cannot be used for <command>ip_port</command>.
3494 The ability to issue commands over the control channel is
3495 restricted by the <command>allow</command> and
3496 <command>keys</command> clauses.
3497 Connections to the control channel are permitted based on the
3498 <command>address_match_list</command>. This is for simple
3499 IP address based filtering only; any <command>key_id</command>
3500 elements of the <command>address_match_list</command>
3505 A <command>unix</command> control channel is a UNIX domain
3506 socket listening at the specified path in the file system.
3507 Access to the socket is specified by the <command>perm</command>,
3508 <command>owner</command> and <command>group</command> clauses.
3509 Note on some platforms (SunOS and Solaris) the permissions
3510 (<command>perm</command>) are applied to the parent directory
3511 as the permissions on the socket itself are ignored.
3515 The primary authorization mechanism of the command
3516 channel is the <command>key_list</command>, which
3517 contains a list of <command>key_id</command>s.
3518 Each <command>key_id</command> in the <command>key_list</command>
3519 is authorized to execute commands over the control channel.
3520 See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
3521 for information about configuring keys in <command>rndc</command>.
3525 If no <command>controls</command> statement is present,
3526 <command>named</command> will set up a default
3527 control channel listening on the loopback address 127.0.0.1
3528 and its IPv6 counterpart ::1.
3529 In this case, and also when the <command>controls</command> statement
3530 is present but does not have a <command>keys</command> clause,
3531 <command>named</command> will attempt to load the command channel key
3532 from the file <filename>rndc.key</filename> in
3533 <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
3534 was specified as when <acronym>BIND</acronym> was built).
3535 To create a <filename>rndc.key</filename> file, run
3536 <userinput>rndc-confgen -a</userinput>.
3540 The <filename>rndc.key</filename> feature was created to
3541 ease the transition of systems from <acronym>BIND</acronym> 8,
3542 which did not have digital signatures on its command channel
3543 messages and thus did not have a <command>keys</command> clause.
3545 It makes it possible to use an existing <acronym>BIND</acronym> 8
3546 configuration file in <acronym>BIND</acronym> 9 unchanged,
3547 and still have <command>rndc</command> work the same way
3548 <command>ndc</command> worked in BIND 8, simply by executing the
3549 command <userinput>rndc-confgen -a</userinput> after BIND 9 is
3554 Since the <filename>rndc.key</filename> feature
3555 is only intended to allow the backward-compatible usage of
3556 <acronym>BIND</acronym> 8 configuration files, this
3558 have a high degree of configurability. You cannot easily change
3559 the key name or the size of the secret, so you should make a
3560 <filename>rndc.conf</filename> with your own key if you
3562 those things. The <filename>rndc.key</filename> file
3564 permissions set such that only the owner of the file (the user that
3565 <command>named</command> is running as) can access it.
3567 desire greater flexibility in allowing other users to access
3568 <command>rndc</command> commands, then you need to create
3570 <filename>rndc.conf</filename> file and make it group
3572 that contains the users who should have access.
3576 To disable the command channel, use an empty
3577 <command>controls</command> statement:
3578 <command>controls { };</command>.
3583 <title><command>include</command> Statement Grammar</title>
3584 <programlisting>include <replaceable>filename</replaceable>;</programlisting>
3587 <title><command>include</command> Statement Definition and
3591 The <command>include</command> statement inserts the
3592 specified file at the point where the <command>include</command>
3593 statement is encountered. The <command>include</command>
3594 statement facilitates the administration of configuration
3596 by permitting the reading or writing of some things but not
3597 others. For example, the statement could include private keys
3598 that are readable only by the name server.
3603 <title><command>key</command> Statement Grammar</title>
3605 <programlisting>key <replaceable>key_id</replaceable> {
3606 algorithm <replaceable>string</replaceable>;
3607 secret <replaceable>string</replaceable>;
3614 <title><command>key</command> Statement Definition and Usage</title>
3617 The <command>key</command> statement defines a shared
3618 secret key for use with TSIG (see <xref linkend="tsig"/>)
3619 or the command channel
3620 (see <xref linkend="controls_statement_definition_and_usage"/>).
3624 The <command>key</command> statement can occur at the
3626 of the configuration file or inside a <command>view</command>
3627 statement. Keys defined in top-level <command>key</command>
3628 statements can be used in all views. Keys intended for use in
3629 a <command>controls</command> statement
3630 (see <xref linkend="controls_statement_definition_and_usage"/>)
3631 must be defined at the top level.
3635 The <replaceable>key_id</replaceable>, also known as the
3636 key name, is a domain name uniquely identifying the key. It can
3637 be used in a <command>server</command>
3638 statement to cause requests sent to that
3639 server to be signed with this key, or in address match lists to
3640 verify that incoming requests have been signed with a key
3641 matching this name, algorithm, and secret.
3645 The <replaceable>algorithm_id</replaceable> is a string
3646 that specifies a security/authentication algorithm. Named
3647 supports <literal>hmac-md5</literal>,
3648 <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
3649 <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
3650 and <literal>hmac-sha512</literal> TSIG authentication.
3651 Truncated hashes are supported by appending the minimum
3652 number of required bits preceded by a dash, e.g.
3653 <literal>hmac-sha1-80</literal>. The
3654 <replaceable>secret_string</replaceable> is the secret
3655 to be used by the algorithm, and is treated as a base-64
3661 <title><command>logging</command> Statement Grammar</title>
3663 <programlisting><command>logging</command> {
3664 [ <command>channel</command> <replaceable>channel_name</replaceable> {
3665 ( <command>file</command> <replaceable>path name</replaceable>
3666 [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
3667 [ <command>size</command> <replaceable>size spec</replaceable> ]
3668 | <command>syslog</command> <replaceable>syslog_facility</replaceable>
3669 | <command>stderr</command>
3670 | <command>null</command> );
3671 [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
3672 <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
3673 [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
3674 [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
3675 [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
3677 [ <command>category</command> <replaceable>category_name</replaceable> {
3678 <replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
3687 <title><command>logging</command> Statement Definition and
3691 The <command>logging</command> statement configures a
3693 variety of logging options for the name server. Its <command>channel</command> phrase
3694 associates output methods, format options and severity levels with
3695 a name that can then be used with the <command>category</command> phrase
3696 to select how various classes of messages are logged.
3699 Only one <command>logging</command> statement is used to
3701 as many channels and categories as are wanted. If there is no <command>logging</command> statement,
3702 the logging configuration will be:
3705 <programlisting>logging {
3706 category default { default_syslog; default_debug; };
3707 category unmatched { null; };
3712 In <acronym>BIND</acronym> 9, the logging configuration
3713 is only established when
3714 the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
3715 established as soon as the <command>logging</command>
3717 was parsed. When the server is starting up, all logging messages
3718 regarding syntax errors in the configuration file go to the default
3719 channels, or to standard error if the "<option>-g</option>" option
3724 <title>The <command>channel</command> Phrase</title>
3727 All log output goes to one or more <emphasis>channels</emphasis>;
3728 you can make as many of them as you want.
3732 Every channel definition must include a destination clause that
3733 says whether messages selected for the channel go to a file, to a
3734 particular syslog facility, to the standard error stream, or are
3735 discarded. It can optionally also limit the message severity level
3736 that will be accepted by the channel (the default is
3737 <command>info</command>), and whether to include a
3738 <command>named</command>-generated time stamp, the
3740 and/or severity level (the default is not to include any).
3744 The <command>null</command> destination clause
3745 causes all messages sent to the channel to be discarded;
3746 in that case, other options for the channel are meaningless.
3750 The <command>file</command> destination clause directs
3752 to a disk file. It can include limitations
3753 both on how large the file is allowed to become, and how many
3755 of the file will be saved each time the file is opened.
3759 If you use the <command>versions</command> log file
3761 <command>named</command> will retain that many backup
3762 versions of the file by
3763 renaming them when opening. For example, if you choose to keep
3765 of the file <filename>lamers.log</filename>, then just
3767 <filename>lamers.log.1</filename> is renamed to
3768 <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
3769 to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
3770 renamed to <filename>lamers.log.0</filename>.
3771 You can say <command>versions unlimited</command> to
3773 the number of versions.
3774 If a <command>size</command> option is associated with
3776 then renaming is only done when the file being opened exceeds the
3777 indicated size. No backup versions are kept by default; any
3779 log file is simply appended.
3783 The <command>size</command> option for files is used
3785 growth. If the file ever exceeds the size, then <command>named</command> will
3786 stop writing to the file unless it has a <command>versions</command> option
3787 associated with it. If backup versions are kept, the files are
3789 described above and a new one begun. If there is no
3790 <command>versions</command> option, no more data will
3791 be written to the log
3792 until some out-of-band mechanism removes or truncates the log to
3794 maximum size. The default behavior is not to limit the size of
3800 Example usage of the <command>size</command> and
3801 <command>versions</command> options:
3804 <programlisting>channel an_example_channel {
3805 file "example.log" versions 3 size 20m;
3812 The <command>syslog</command> destination clause
3814 channel to the system log. Its argument is a
3815 syslog facility as described in the <command>syslog</command> man
3816 page. Known facilities are <command>kern</command>, <command>user</command>,
3817 <command>mail</command>, <command>daemon</command>, <command>auth</command>,
3818 <command>syslog</command>, <command>lpr</command>, <command>news</command>,
3819 <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
3820 <command>ftp</command>, <command>local0</command>, <command>local1</command>,
3821 <command>local2</command>, <command>local3</command>, <command>local4</command>,
3822 <command>local5</command>, <command>local6</command> and
3823 <command>local7</command>, however not all facilities
3825 all operating systems.
3826 How <command>syslog</command> will handle messages
3828 this facility is described in the <command>syslog.conf</command> man
3829 page. If you have a system which uses a very old version of <command>syslog</command> that
3830 only uses two arguments to the <command>openlog()</command> function,
3831 then this clause is silently ignored.
3834 The <command>severity</command> clause works like <command>syslog</command>'s
3835 "priorities", except that they can also be used if you are writing
3836 straight to a file rather than using <command>syslog</command>.
3837 Messages which are not at least of the severity level given will
3838 not be selected for the channel; messages of higher severity
3843 If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
3844 will also determine what eventually passes through. For example,
3845 defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
3846 only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
3847 cause messages of severity <command>info</command> and
3848 <command>notice</command> to
3849 be dropped. If the situation were reversed, with <command>named</command> writing
3850 messages of only <command>warning</command> or higher,
3851 then <command>syslogd</command> would
3852 print all messages it received from the channel.
3856 The <command>stderr</command> destination clause
3858 channel to the server's standard error stream. This is intended
3860 use when the server is running as a foreground process, for
3862 when debugging a configuration.
3866 The server can supply extensive debugging information when
3867 it is in debugging mode. If the server's global debug level is
3869 than zero, then debugging mode will be active. The global debug
3870 level is set either by starting the <command>named</command> server
3871 with the <option>-d</option> flag followed by a positive integer,
3872 or by running <command>rndc trace</command>.
3873 The global debug level
3874 can be set to zero, and debugging mode turned off, by running <command>rndc
3875 notrace</command>. All debugging messages in the server have a debug
3876 level, and higher debug levels give more detailed output. Channels
3877 that specify a specific debug severity, for example:
3880 <programlisting>channel specific_debug_level {
3887 will get debugging output of level 3 or less any time the
3888 server is in debugging mode, regardless of the global debugging
3889 level. Channels with <command>dynamic</command>
3891 server's global debug level to determine what messages to print.
3894 If <command>print-time</command> has been turned on,
3896 the date and time will be logged. <command>print-time</command> may
3897 be specified for a <command>syslog</command> channel,
3899 pointless since <command>syslog</command> also prints
3901 time. If <command>print-category</command> is
3903 category of the message will be logged as well. Finally, if <command>print-severity</command> is
3904 on, then the severity level of the message will be logged. The <command>print-</command> options may
3905 be used in any combination, and will always be printed in the
3907 order: time, category, severity. Here is an example where all
3908 three <command>print-</command> options
3913 <computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
3917 There are four predefined channels that are used for
3918 <command>named</command>'s default logging as follows.
3920 used is described in <xref linkend="the_category_phrase"/>.
3923 <programlisting>channel default_syslog {
3924 syslog daemon; // send to syslog's daemon
3926 severity info; // only send priority info
3930 channel default_debug {
3931 file "named.run"; // write to named.run in
3932 // the working directory
3933 // Note: stderr is used instead
3935 // if the server is started
3936 // with the '-f' option.
3937 severity dynamic; // log at the server's
3938 // current debug level
3941 channel default_stderr {
3942 stderr; // writes to stderr
3943 severity info; // only send priority info
3948 null; // toss anything sent to
3954 The <command>default_debug</command> channel has the
3956 property that it only produces output when the server's debug
3958 nonzero. It normally writes to a file called <filename>named.run</filename>
3959 in the server's working directory.
3963 For security reasons, when the "<option>-u</option>"
3964 command line option is used, the <filename>named.run</filename> file
3965 is created only after <command>named</command> has
3967 new UID, and any debug output generated while <command>named</command> is
3968 starting up and still running as root is discarded. If you need
3969 to capture this output, you must run the server with the "<option>-g</option>"
3970 option and redirect standard error to a file.
3974 Once a channel is defined, it cannot be redefined. Thus you
3975 cannot alter the built-in channels directly, but you can modify
3976 the default logging by pointing categories at channels you have
3981 <sect3 id="the_category_phrase">
3982 <title>The <command>category</command> Phrase</title>
3985 There are many categories, so you can send the logs you want
3986 to see wherever you want, without seeing logs you don't want. If
3987 you don't specify a list of channels for a category, then log
3989 in that category will be sent to the <command>default</command> category
3990 instead. If you don't specify a default category, the following
3991 "default default" is used:
3994 <programlisting>category default { default_syslog; default_debug; };
3998 As an example, let's say you want to log security events to
3999 a file, but you also want keep the default logging behavior. You'd
4000 specify the following:
4003 <programlisting>channel my_security_channel {
4004 file "my_security_file";
4008 my_security_channel;
4014 To discard all messages in a category, specify the <command>null</command> channel:
4017 <programlisting>category xfer-out { null; };
4018 category notify { null; };
4022 Following are the available categories and brief descriptions
4023 of the types of log information they contain. More
4024 categories may be added in future <acronym>BIND</acronym> releases.
4026 <informaltable colsep="0" rowsep="0">
4027 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4028 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4029 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
4033 <para><command>default</command></para>
4037 The default category defines the logging
4038 options for those categories where no specific
4039 configuration has been
4046 <para><command>general</command></para>
4050 The catch-all. Many things still aren't
4051 classified into categories, and they all end up here.
4057 <para><command>database</command></para>
4061 Messages relating to the databases used
4062 internally by the name server to store zone and cache
4069 <para><command>security</command></para>
4073 Approval and denial of requests.
4079 <para><command>config</command></para>
4083 Configuration file parsing and processing.
4089 <para><command>resolver</command></para>
4093 DNS resolution, such as the recursive
4094 lookups performed on behalf of clients by a caching name
4101 <para><command>xfer-in</command></para>
4105 Zone transfers the server is receiving.
4111 <para><command>xfer-out</command></para>
4115 Zone transfers the server is sending.
4121 <para><command>notify</command></para>
4125 The NOTIFY protocol.
4131 <para><command>client</command></para>
4135 Processing of client requests.
4141 <para><command>unmatched</command></para>
4145 Messages that named was unable to determine the
4146 class of or for which there was no matching <command>view</command>.
4147 A one line summary is also logged to the <command>client</command> category.
4148 This category is best sent to a file or stderr, by
4149 default it is sent to
4150 the <command>null</command> channel.
4156 <para><command>network</command></para>
4166 <para><command>update</command></para>
4176 <para><command>update-security</command></para>
4180 Approval and denial of update requests.
4186 <para><command>queries</command></para>
4190 Specify where queries should be logged to.
4193 At startup, specifying the category <command>queries</command> will also
4194 enable query logging unless <command>querylog</command> option has been
4198 The query log entry reports the client's IP address and
4199 port number, and the
4200 query name, class and type. It also reports whether the
4202 flag was set (+ if set, - if not set), EDNS was in use
4204 query was signed (S).
4207 <computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
4210 <computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
4216 <para><command>dispatch</command></para>
4220 Dispatching of incoming packets to the
4221 server modules where they are to be processed.
4227 <para><command>dnssec</command></para>
4231 DNSSEC and TSIG protocol processing.
4237 <para><command>lame-servers</command></para>
4241 Lame servers. These are misconfigurations
4242 in remote servers, discovered by BIND 9 when trying to
4244 those servers during resolution.
4250 <para><command>delegation-only</command></para>
4254 Delegation only. Logs queries that have have
4255 been forced to NXDOMAIN as the result of a
4256 delegation-only zone or
4257 a <command>delegation-only</command> in a
4258 hint or stub zone declaration.
4269 <title><command>lwres</command> Statement Grammar</title>
4272 This is the grammar of the <command>lwres</command>
4273 statement in the <filename>named.conf</filename> file:
4276 <programlisting><command>lwres</command> {
4277 <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4278 <optional> view <replaceable>view_name</replaceable>; </optional>
4279 <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
4280 <optional> ndots <replaceable>number</replaceable>; </optional>
4286 <title><command>lwres</command> Statement Definition and Usage</title>
4289 The <command>lwres</command> statement configures the
4291 server to also act as a lightweight resolver server. (See
4292 <xref linkend="lwresd"/>.) There may be multiple
4293 <command>lwres</command> statements configuring
4294 lightweight resolver servers with different properties.
4298 The <command>listen-on</command> statement specifies a
4300 addresses (and ports) that this instance of a lightweight resolver
4302 should accept requests on. If no port is specified, port 921 is
4304 If this statement is omitted, requests will be accepted on
4310 The <command>view</command> statement binds this
4312 lightweight resolver daemon to a view in the DNS namespace, so that
4314 response will be constructed in the same manner as a normal DNS
4316 matching this view. If this statement is omitted, the default view
4318 used, and if there is no default view, an error is triggered.
4322 The <command>search</command> statement is equivalent to
4324 <command>search</command> statement in
4325 <filename>/etc/resolv.conf</filename>. It provides a
4327 which are appended to relative names in queries.
4331 The <command>ndots</command> statement is equivalent to
4333 <command>ndots</command> statement in
4334 <filename>/etc/resolv.conf</filename>. It indicates the
4336 number of dots in a relative domain name that should result in an
4337 exact match lookup before search path elements are appended.
4341 <title><command>masters</command> Statement Grammar</title>
4344 <command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
4350 <title><command>masters</command> Statement Definition and
4352 <para><command>masters</command>
4353 lists allow for a common set of masters to be easily used by
4354 multiple stub and slave zones.
4359 <title><command>options</command> Statement Grammar</title>
4362 This is the grammar of the <command>options</command>
4363 statement in the <filename>named.conf</filename> file:
4366 <programlisting>options {
4367 <optional> version <replaceable>version_string</replaceable>; </optional>
4368 <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
4369 <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
4370 <optional> directory <replaceable>path_name</replaceable>; </optional>
4371 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
4372 <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
4373 <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
4374 <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
4375 <optional> cache-file <replaceable>path_name</replaceable>; </optional>
4376 <optional> dump-file <replaceable>path_name</replaceable>; </optional>
4377 <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
4378 <optional> pid-file <replaceable>path_name</replaceable>; </optional>
4379 <optional> recursing-file <replaceable>path_name</replaceable>; </optional>
4380 <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
4381 <optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
4382 <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
4383 <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
4384 <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
4385 <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
4386 <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
4387 <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
4388 <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
4389 <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
4390 <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
4391 <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
4392 <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
4393 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
4394 <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
4395 <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
4396 <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
4397 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
4398 <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
4399 <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
4400 <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
4401 <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
4402 <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
4403 <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
4404 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4405 <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
4406 ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
4407 <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
4409 <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
4410 ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4411 <optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4412 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
4413 <optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
4414 <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4415 <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4416 <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
4417 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
4418 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
4419 <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
4420 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
4421 <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
4422 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
4423 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
4424 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
4425 <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
4426 <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
4427 <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4428 <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4429 <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4430 <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4431 <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
4432 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4433 <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4434 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4435 <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
4436 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4437 <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4438 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4439 <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
4440 <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
4441 <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
4442 <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
4443 <optional> tcp-clients <replaceable>number</replaceable>; </optional>
4444 <optional> recursive-clients <replaceable>number</replaceable>; </optional>
4445 <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
4446 <optional> serial-queries <replaceable>number</replaceable>; </optional>
4447 <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
4448 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
4449 <optional> transfers-in <replaceable>number</replaceable>; </optional>
4450 <optional> transfers-out <replaceable>number</replaceable>; </optional>
4451 <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
4452 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4453 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4454 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4455 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4456 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
4457 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
4458 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4459 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4460 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4461 <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
4462 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
4463 <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
4464 <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
4465 <optional> files <replaceable>size_spec</replaceable> ; </optional>
4466 <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
4467 <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
4468 <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
4469 <optional> interface-interval <replaceable>number</replaceable>; </optional>
4470 <optional> statistics-interval <replaceable>number</replaceable>; </optional>
4471 <optional> topology { <replaceable>address_match_list</replaceable> }</optional>;
4472 <optional> sortlist { <replaceable>address_match_list</replaceable> }</optional>;
4473 <optional> rrset-order { <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> };
4474 <optional> lame-ttl <replaceable>number</replaceable>; </optional>
4475 <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
4476 <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
4477 <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
4478 <optional> min-roots <replaceable>number</replaceable>; </optional>
4479 <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4480 <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4481 <optional> request-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4482 <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
4483 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
4484 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
4485 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
4486 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
4487 <optional> port <replaceable>ip_port</replaceable>; </optional>
4488 <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
4489 <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
4490 <optional> random-device <replaceable>path_name</replaceable> ; </optional>
4491 <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
4492 <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
4493 <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
4494 <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
4495 <optional> max-udp-size <replaceable>number</replaceable>; </optional>
4496 <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
4497 <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
4498 <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
4499 <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
4500 <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
4501 <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
4502 <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
4503 <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
4504 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
4505 <optional> empty-server <replaceable>name</replaceable> ; </optional>
4506 <optional> empty-contact <replaceable>name</replaceable> ; </optional>
4507 <optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
4508 <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
4509 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
4510 <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
4516 <sect2 id="options">
4517 <title><command>options</command> Statement Definition and
4521 The <command>options</command> statement sets up global
4523 to be used by <acronym>BIND</acronym>. This statement
4525 once in a configuration file. If there is no <command>options</command>
4526 statement, an options block with each option set to its default will
4533 <term><command>directory</command></term>
4536 The working directory of the server.
4537 Any non-absolute pathnames in the configuration file will be
4539 as relative to this directory. The default location for most
4541 output files (e.g. <filename>named.run</filename>)
4543 If a directory is not specified, the working directory
4544 defaults to `<filename>.</filename>', the directory from
4546 was started. The directory specified should be an absolute
4553 <term><command>key-directory</command></term>
4556 When performing dynamic update of secure zones, the
4557 directory where the public and private key files should be
4559 if different than the current working directory. The
4561 must be an absolute path.
4567 <term><command>named-xfer</command></term>
4570 <emphasis>This option is obsolete.</emphasis>
4571 It was used in <acronym>BIND</acronym> 8 to
4572 specify the pathname to the <command>named-xfer</command> program.
4573 In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
4574 needed; its functionality is built into the name server.
4581 <term><command>tkey-domain</command></term>
4584 The domain appended to the names of all
4585 shared keys generated with
4586 <command>TKEY</command>. When a client
4587 requests a <command>TKEY</command> exchange, it
4588 may or may not specify
4589 the desired name for the key. If present, the name of the
4591 key will be "<varname>client specified part</varname>" +
4592 "<varname>tkey-domain</varname>".
4593 Otherwise, the name of the shared key will be "<varname>random hex
4594 digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
4595 the <command>domainname</command> should be the
4603 <term><command>tkey-dhkey</command></term>
4606 The Diffie-Hellman key used by the server
4607 to generate shared keys with clients using the Diffie-Hellman
4609 of <command>TKEY</command>. The server must be
4611 public and private keys from files in the working directory.
4613 most cases, the keyname should be the server's host name.
4619 <term><command>cache-file</command></term>
4622 This is for testing only. Do not use.
4628 <term><command>dump-file</command></term>
4631 The pathname of the file the server dumps
4632 the database to when instructed to do so with
4633 <command>rndc dumpdb</command>.
4634 If not specified, the default is <filename>named_dump.db</filename>.
4640 <term><command>memstatistics-file</command></term>
4643 The pathname of the file the server writes memory
4644 usage statistics to on exit. If specified the
4645 statistics will be written to the file on exit.
4648 In <acronym>BIND</acronym> 9.5 and later this will
4649 default to <filename>named.memstats</filename>.
4650 <acronym>BIND</acronym> 9.5 will also introduce
4651 <command>memstatistics</command> to control the
4658 <term><command>pid-file</command></term>
4661 The pathname of the file the server writes its process ID
4662 in. If not specified, the default is <filename>/var/run/named.pid</filename>.
4663 The pid-file is used by programs that want to send signals to
4665 name server. Specifying <command>pid-file none</command> disables the
4666 use of a PID file — no file will be written and any
4667 existing one will be removed. Note that <command>none</command>
4668 is a keyword, not a filename, and therefore is not enclosed
4676 <term><command>recursing-file</command></term>
4679 The pathname of the file the server dumps
4680 the queries that are currently recursing when instructed
4681 to do so with <command>rndc recursing</command>.
4682 If not specified, the default is <filename>named.recursing</filename>.
4688 <term><command>statistics-file</command></term>
4691 The pathname of the file the server appends statistics
4692 to when instructed to do so using <command>rndc stats</command>.
4693 If not specified, the default is <filename>named.stats</filename> in the
4694 server's current directory. The format of the file is
4696 in <xref linkend="statsfile"/>.
4702 <term><command>port</command></term>
4705 The UDP/TCP port number the server uses for
4706 receiving and sending DNS protocol traffic.
4707 The default is 53. This option is mainly intended for server
4709 a server using a port other than 53 will not be able to
4717 <term><command>random-device</command></term>
4720 The source of entropy to be used by the server. Entropy is
4722 for DNSSEC operations, such as TKEY transactions and dynamic
4724 zones. This options specifies the device (or file) from which
4726 entropy. If this is a file, operations requiring entropy will
4728 file has been exhausted. If not specified, the default value
4730 <filename>/dev/random</filename>
4731 (or equivalent) when present, and none otherwise. The
4732 <command>random-device</command> option takes
4734 the initial configuration load at server startup time and
4735 is ignored on subsequent reloads.
4741 <term><command>preferred-glue</command></term>
4744 If specified, the listed type (A or AAAA) will be emitted
4746 in the additional section of a query response.
4747 The default is not to prefer any type (NONE).
4753 <term><command>root-delegation-only</command></term>
4756 Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
4761 Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
4767 root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
4775 <term><command>disable-algorithms</command></term>
4778 Disable the specified DNSSEC algorithms at and below the
4780 Multiple <command>disable-algorithms</command>
4781 statements are allowed.
4782 Only the most specific will be applied.
4788 <term><command>dnssec-lookaside</command></term>
4791 When set, <command>dnssec-lookaside</command>
4793 validator with an alternate method to validate DNSKEY records
4795 top of a zone. When a DNSKEY is at or below a domain
4797 deepest <command>dnssec-lookaside</command>, and
4798 the normal dnssec validation
4799 has left the key untrusted, the trust-anchor will be append to
4801 name and a DLV record will be looked up to see if it can
4803 key. If the DLV record validates a DNSKEY (similarly to the
4805 record does) the DNSKEY RRset is deemed to be trusted.
4811 <term><command>dnssec-must-be-secure</command></term>
4814 Specify hierarchies which must be or may not be secure (signed and
4816 If <userinput>yes</userinput>, then named will only accept
4819 If <userinput>no</userinput>, then normal dnssec validation
4821 allowing for insecure answers to be accepted.
4822 The specified domain must be under a <command>trusted-key</command> or
4823 <command>dnssec-lookaside</command> must be
4831 <sect3 id="boolean_options">
4832 <title>Boolean Options</title>
4837 <term><command>auth-nxdomain</command></term>
4840 If <userinput>yes</userinput>, then the <command>AA</command> bit
4841 is always set on NXDOMAIN responses, even if the server is
4843 authoritative. The default is <userinput>no</userinput>;
4845 a change from <acronym>BIND</acronym> 8. If you
4846 are using very old DNS software, you
4847 may need to set it to <userinput>yes</userinput>.
4853 <term><command>deallocate-on-exit</command></term>
4856 This option was used in <acronym>BIND</acronym>
4857 8 to enable checking
4858 for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
4865 <term><command>dialup</command></term>
4868 If <userinput>yes</userinput>, then the
4869 server treats all zones as if they are doing zone transfers
4871 a dial-on-demand dialup link, which can be brought up by
4873 originating from this server. This has different effects
4875 to zone type and concentrates the zone maintenance so that
4877 happens in a short interval, once every <command>heartbeat-interval</command> and
4878 hopefully during the one call. It also suppresses some of
4880 zone maintenance traffic. The default is <userinput>no</userinput>.
4883 The <command>dialup</command> option
4884 may also be specified in the <command>view</command> and
4885 <command>zone</command> statements,
4886 in which case it overrides the global <command>dialup</command>
4890 If the zone is a master zone, then the server will send out a
4892 request to all the slaves (default). This should trigger the
4894 number check in the slave (providing it supports NOTIFY)
4896 to verify the zone while the connection is active.
4897 The set of servers to which NOTIFY is sent can be controlled
4899 <command>notify</command> and <command>also-notify</command>.
4903 zone is a slave or stub zone, then the server will suppress
4905 "zone up to date" (refresh) queries and only perform them
4907 <command>heartbeat-interval</command> expires in
4912 Finer control can be achieved by using
4913 <userinput>notify</userinput> which only sends NOTIFY
4915 <userinput>notify-passive</userinput> which sends NOTIFY
4917 suppresses the normal refresh queries, <userinput>refresh</userinput>
4918 which suppresses normal refresh processing and sends refresh
4920 when the <command>heartbeat-interval</command>
4922 <userinput>passive</userinput> which just disables normal
4927 <informaltable colsep="0" rowsep="0">
4928 <tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4929 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4930 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
4931 <colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
4932 <colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
4958 <para><command>no</command> (default)</para>
4978 <para><command>yes</command></para>
4998 <para><command>notify</command></para>
5018 <para><command>refresh</command></para>
5038 <para><command>passive</command></para>
5058 <para><command>notify-passive</command></para>
5081 Note that normal NOTIFY processing is not affected by
5082 <command>dialup</command>.
5089 <term><command>fake-iquery</command></term>
5092 In <acronym>BIND</acronym> 8, this option
5093 enabled simulating the obsolete DNS query type
5094 IQUERY. <acronym>BIND</acronym> 9 never does
5101 <term><command>fetch-glue</command></term>
5104 This option is obsolete.
5105 In BIND 8, <userinput>fetch-glue yes</userinput>
5106 caused the server to attempt to fetch glue resource records
5108 didn't have when constructing the additional
5109 data section of a response. This is now considered a bad
5111 and BIND 9 never does it.
5117 <term><command>flush-zones-on-shutdown</command></term>
5120 When the nameserver exits due receiving SIGTERM,
5121 flush or do not flush any pending zone writes. The default
5123 <command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
5129 <term><command>has-old-clients</command></term>
5132 This option was incorrectly implemented
5133 in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
5134 To achieve the intended effect
5136 <command>has-old-clients</command> <userinput>yes</userinput>, specify
5137 the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
5138 and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
5144 <term><command>host-statistics</command></term>
5147 In BIND 8, this enables keeping of
5148 statistics for every host that the name server interacts
5150 Not implemented in BIND 9.
5156 <term><command>maintain-ixfr-base</command></term>
5159 <emphasis>This option is obsolete</emphasis>.
5160 It was used in <acronym>BIND</acronym> 8 to
5161 determine whether a transaction log was
5162 kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
5163 log whenever possible. If you need to disable outgoing
5165 transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
5171 <term><command>minimal-responses</command></term>
5174 If <userinput>yes</userinput>, then when generating
5175 responses the server will only add records to the authority
5176 and additional data sections when they are required (e.g.
5177 delegations, negative responses). This may improve the
5178 performance of the server.
5179 The default is <userinput>no</userinput>.
5185 <term><command>multiple-cnames</command></term>
5188 This option was used in <acronym>BIND</acronym> 8 to allow
5189 a domain name to have multiple CNAME records in violation of
5190 the DNS standards. <acronym>BIND</acronym> 9.2 onwards
5191 always strictly enforces the CNAME rules both in master
5192 files and dynamic updates.
5198 <term><command>notify</command></term>
5201 If <userinput>yes</userinput> (the default),
5202 DNS NOTIFY messages are sent when a zone the server is
5204 changes, see <xref linkend="notify"/>. The messages are
5206 servers listed in the zone's NS records (except the master
5208 in the SOA MNAME field), and to any servers listed in the
5209 <command>also-notify</command> option.
5212 If <userinput>master-only</userinput>, notifies are only
5215 If <userinput>explicit</userinput>, notifies are sent only
5217 servers explicitly listed using <command>also-notify</command>.
5218 If <userinput>no</userinput>, no notifies are sent.
5221 The <command>notify</command> option may also be
5222 specified in the <command>zone</command>
5224 in which case it overrides the <command>options notify</command> statement.
5225 It would only be necessary to turn off this option if it
5233 <term><command>recursion</command></term>
5236 If <userinput>yes</userinput>, and a
5237 DNS query requests recursion, then the server will attempt
5239 all the work required to answer the query. If recursion is
5241 and the server does not already know the answer, it will
5243 referral response. The default is
5244 <userinput>yes</userinput>.
5245 Note that setting <command>recursion no</command> does not prevent
5246 clients from getting data from the server's cache; it only
5247 prevents new data from being cached as an effect of client
5249 Caching may still occur as an effect the server's internal
5250 operation, such as NOTIFY address lookups.
5251 See also <command>fetch-glue</command> above.
5257 <term><command>rfc2308-type1</command></term>
5260 Setting this to <userinput>yes</userinput> will
5261 cause the server to send NS records along with the SOA
5263 answers. The default is <userinput>no</userinput>.
5267 Not yet implemented in <acronym>BIND</acronym>
5275 <term><command>use-id-pool</command></term>
5278 <emphasis>This option is obsolete</emphasis>.
5279 <acronym>BIND</acronym> 9 always allocates query
5286 <term><command>zone-statistics</command></term>
5289 If <userinput>yes</userinput>, the server will collect
5290 statistical data on all zones (unless specifically turned
5292 on a per-zone basis by specifying <command>zone-statistics no</command>
5293 in the <command>zone</command> statement).
5294 These statistics may be accessed
5295 using <command>rndc stats</command>, which will
5296 dump them to the file listed
5297 in the <command>statistics-file</command>. See
5298 also <xref linkend="statsfile"/>.
5304 <term><command>use-ixfr</command></term>
5307 <emphasis>This option is obsolete</emphasis>.
5308 If you need to disable IXFR to a particular server or
5310 the information on the <command>provide-ixfr</command> option
5311 in <xref linkend="server_statement_definition_and_usage"/>.
5313 <xref linkend="incremental_zone_transfers"/>.
5319 <term><command>provide-ixfr</command></term>
5322 See the description of
5323 <command>provide-ixfr</command> in
5324 <xref linkend="server_statement_definition_and_usage"/>.
5330 <term><command>request-ixfr</command></term>
5333 See the description of
5334 <command>request-ixfr</command> in
5335 <xref linkend="server_statement_definition_and_usage"/>.
5341 <term><command>treat-cr-as-space</command></term>
5344 This option was used in <acronym>BIND</acronym>
5346 the server treat carriage return ("<command>\r</command>") characters the same way
5347 as a space or tab character,
5348 to facilitate loading of zone files on a UNIX system that
5350 on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
5351 and NT/DOS "<command>\r\n</command>" newlines
5352 are always accepted,
5353 and the option is ignored.
5359 <term><command>additional-from-auth</command></term>
5360 <term><command>additional-from-cache</command></term>
5364 These options control the behavior of an authoritative
5366 answering queries which have additional data, or when
5372 When both of these options are set to <userinput>yes</userinput>
5374 query is being answered from authoritative data (a zone
5375 configured into the server), the additional data section of
5377 reply will be filled in using data from other authoritative
5379 and from the cache. In some situations this is undesirable,
5381 as when there is concern over the correctness of the cache,
5383 in servers where slave zones may be added and modified by
5384 untrusted third parties. Also, avoiding
5385 the search for this additional data will speed up server
5387 at the possible expense of additional queries to resolve
5389 otherwise be provided in the additional section.
5393 For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
5394 and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
5395 records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
5396 if known, even though they are not in the example.com zone.
5397 Setting these options to <command>no</command>
5398 disables this behavior and makes
5399 the server only search for additional data in the zone it
5404 These options are intended for use in authoritative-only
5405 servers, or in authoritative-only views. Attempts to set
5406 them to <command>no</command> without also
5408 <command>recursion no</command> will cause the
5410 ignore the options and log a warning message.
5414 Specifying <command>additional-from-cache no</command> actually
5415 disables the use of the cache not only for additional data
5417 but also when looking up the answer. This is usually the
5419 behavior in an authoritative-only server where the
5421 the cached data is an issue.
5425 When a name server is non-recursively queried for a name
5427 below the apex of any served zone, it normally answers with
5429 "upwards referral" to the root servers or the servers of
5431 known parent of the query name. Since the data in an
5433 comes from the cache, the server will not be able to provide
5435 referrals when <command>additional-from-cache no</command>
5436 has been specified. Instead, it will respond to such
5438 with REFUSED. This should not cause any problems since
5439 upwards referrals are not required for the resolution
5447 <term><command>match-mapped-addresses</command></term>
5450 If <userinput>yes</userinput>, then an
5451 IPv4-mapped IPv6 address will match any address match
5452 list entries that match the corresponding IPv4 address.
5453 Enabling this option is sometimes useful on IPv6-enabled
5455 systems, to work around a kernel quirk that causes IPv4
5456 TCP connections such as zone transfers to be accepted
5457 on an IPv6 socket using mapped addresses, causing
5458 address match lists designed for IPv4 to fail to match.
5459 The use of this option for any other purpose is discouraged.
5465 <term><command>ixfr-from-differences</command></term>
5468 When <userinput>yes</userinput> and the server loads a new version of a master
5469 zone from its zone file or receives a new version of a slave
5470 file by a non-incremental zone transfer, it will compare
5471 the new version to the previous one and calculate a set
5472 of differences. The differences are then logged in the
5473 zone's journal file such that the changes can be transmitted
5474 to downstream slaves as an incremental zone transfer.
5477 By allowing incremental zone transfers to be used for
5478 non-dynamic zones, this option saves bandwidth at the
5479 expense of increased CPU and memory consumption at the
5481 In particular, if the new version of a zone is completely
5482 different from the previous one, the set of differences
5483 will be of a size comparable to the combined size of the
5484 old and new zone version, and the server will need to
5485 temporarily allocate memory to hold this complete
5488 <para><command>ixfr-from-differences</command>
5489 also accepts <command>master</command> and
5490 <command>slave</command> at the view and options
5492 <command>ixfr-from-differences</command> to apply to
5493 all <command>master</command> or
5494 <command>slave</command> zones respectively.
5500 <term><command>multi-master</command></term>
5503 This should be set when you have multiple masters for a zone
5505 addresses refer to different machines. If <userinput>yes</userinput>, named will
5507 when the serial number on the master is less than what named
5509 has. The default is <userinput>no</userinput>.
5515 <term><command>dnssec-enable</command></term>
5518 Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
5519 named behaves as if it does not support DNSSEC.
5520 The default is <userinput>yes</userinput>.
5526 <term><command>dnssec-validation</command></term>
5529 Enable DNSSEC validation in named.
5530 Note <command>dnssec-enable</command> also needs to be
5531 set to <userinput>yes</userinput> to be effective.
5532 The default is <userinput>no</userinput>.
5538 <term><command>dnssec-accept-expired</command></term>
5541 Accept expired signatures when verifying DNSSEC signatures.
5542 The default is <userinput>no</userinput>.
5543 Setting this option to "yes" leaves named vulnerable to replay attacks.
5549 <term><command>querylog</command></term>
5552 Specify whether query logging should be started when named
5554 If <command>querylog</command> is not specified,
5555 then the query logging
5556 is determined by the presence of the logging category <command>queries</command>.
5562 <term><command>check-names</command></term>
5565 This option is used to restrict the character set and syntax
5567 certain domain names in master files and/or DNS responses
5569 from the network. The default varies according to usage
5571 <command>master</command> zones the default is <command>fail</command>.
5572 For <command>slave</command> zones the default
5573 is <command>warn</command>.
5574 For answers received from the network (<command>response</command>)
5575 the default is <command>ignore</command>.
5578 The rules for legal hostnames and mail domains are derived
5579 from RFC 952 and RFC 821 as modified by RFC 1123.
5581 <para><command>check-names</command>
5582 applies to the owner names of A, AAA and MX records.
5583 It also applies to the domain names in the RDATA of NS, SOA
5585 It also applies to the RDATA of PTR records where the owner
5586 name indicated that it is a reverse lookup of a hostname
5587 (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
5593 <term><command>check-mx</command></term>
5596 Check whether the MX record appears to refer to a IP address.
5597 The default is to <command>warn</command>. Other possible
5598 values are <command>fail</command> and
5599 <command>ignore</command>.
5605 <term><command>check-wildcard</command></term>
5608 This option is used to check for non-terminal wildcards.
5609 The use of non-terminal wildcards is almost always as a
5611 to understand the wildcard matching algorithm (RFC 1034).
5613 affects master zones. The default (<command>yes</command>) is to check
5614 for non-terminal wildcards and issue a warning.
5620 <term><command>check-integrity</command></term>
5623 Perform post load zone integrity checks on master
5624 zones. This checks that MX and SRV records refer
5625 to address (A or AAAA) records and that glue
5626 address records exist for delegated zones. For
5627 MX and SRV records only in-zone hostnames are
5628 checked (for out-of-zone hostnames use named-checkzone).
5629 For NS records only names below top of zone are
5630 checked (for out-of-zone names and glue consistency
5631 checks use named-checkzone). The default is
5632 <command>yes</command>.
5638 <term><command>check-mx-cname</command></term>
5641 If <command>check-integrity</command> is set then
5642 fail, warn or ignore MX records that refer
5643 to CNAMES. The default is to <command>warn</command>.
5649 <term><command>check-srv-cname</command></term>
5652 If <command>check-integrity</command> is set then
5653 fail, warn or ignore SRV records that refer
5654 to CNAMES. The default is to <command>warn</command>.
5660 <term><command>check-sibling</command></term>
5663 When performing integrity checks, also check that
5664 sibling glue exists. The default is <command>yes</command>.
5670 <term><command>zero-no-soa-ttl</command></term>
5673 When returning authoritative negative responses to
5674 SOA queries set the TTL of the SOA recored returned in
5675 the authority section to zero.
5676 The default is <command>yes</command>.
5682 <term><command>zero-no-soa-ttl-cache</command></term>
5685 When caching a negative response to a SOA query
5686 set the TTL to zero.
5687 The default is <command>no</command>.
5693 <term><command>update-check-ksk</command></term>
5696 When regenerating the RRSIGs following a UPDATE
5697 request to a secure zone, check the KSK flag on
5698 the DNSKEY RR to determine if this key should be
5699 used to generate the RRSIG. This flag is ignored
5700 if there are not DNSKEY RRs both with and without
5702 The default is <command>yes</command>.
5712 <title>Forwarding</title>
5714 The forwarding facility can be used to create a large site-wide
5715 cache on a few servers, reducing traffic over links to external
5716 name servers. It can also be used to allow queries by servers that
5717 do not have direct access to the Internet, but wish to look up
5719 names anyway. Forwarding occurs only on those queries for which
5720 the server is not authoritative and does not have the answer in
5726 <term><command>forward</command></term>
5729 This option is only meaningful if the
5730 forwarders list is not empty. A value of <varname>first</varname>,
5731 the default, causes the server to query the forwarders
5733 if that doesn't answer the question, the server will then
5735 the answer itself. If <varname>only</varname> is
5737 server will only query the forwarders.
5743 <term><command>forwarders</command></term>
5746 Specifies the IP addresses to be used
5747 for forwarding. The default is the empty list (no
5756 Forwarding can also be configured on a per-domain basis, allowing
5757 for the global forwarding options to be overridden in a variety
5758 of ways. You can set particular domains to use different
5760 or have a different <command>forward only/first</command> behavior,
5761 or not forward at all, see <xref linkend="zone_statement_grammar"/>.
5766 <title>Dual-stack Servers</title>
5768 Dual-stack servers are used as servers of last resort to work
5770 problems in reachability due the lack of support for either IPv4
5772 on the host machine.
5777 <term><command>dual-stack-servers</command></term>
5780 Specifies host names or addresses of machines with access to
5781 both IPv4 and IPv6 transports. If a hostname is used, the
5783 to resolve the name using only the transport it has. If the
5785 stacked, then the <command>dual-stack-servers</command> have no effect unless
5786 access to a transport has been disabled on the command line
5787 (e.g. <command>named -4</command>).
5794 <sect3 id="access_control">
5795 <title>Access Control</title>
5798 Access to the server can be restricted based on the IP address
5799 of the requesting system. See <xref linkend="address_match_lists"/> for
5800 details on how to specify IP address lists.
5806 <term><command>allow-notify</command></term>
5809 Specifies which hosts are allowed to
5810 notify this server, a slave, of zone changes in addition
5811 to the zone masters.
5812 <command>allow-notify</command> may also be
5814 <command>zone</command> statement, in which case
5816 <command>options allow-notify</command>
5817 statement. It is only meaningful
5818 for a slave zone. If not specified, the default is to
5819 process notify messages
5820 only from a zone's master.
5826 <term><command>allow-query</command></term>
5829 Specifies which hosts are allowed to ask ordinary
5830 DNS questions. <command>allow-query</command> may
5831 also be specified in the <command>zone</command>
5832 statement, in which case it overrides the
5833 <command>options allow-query</command> statement.
5834 If not specified, the default is to allow queries
5839 <command>allow-query-cache</command> is now
5840 used to specify access to the cache.
5847 <term><command>allow-query-cache</command></term>
5850 Specifies which hosts are allowed to get answers
5851 from the cache. If <command>allow-query-cache</command>
5852 is not set then <command>allow-recursion</command>
5853 is used if set, otherwise <command>allow-query</command>
5854 is used if set, otherwise the default
5855 (<command>localnets;</command>
5856 <command>localhost;</command>) is used.
5862 <term><command>allow-recursion</command></term>
5865 Specifies which hosts are allowed to make recursive
5866 queries through this server. If
5867 <command>allow-recursion</command> is not set
5868 then <command>allow-query-cache</command> is
5869 used if set, otherwise <command>allow-query</command>
5870 is used if set, otherwise the default
5871 (<command>localnets;</command>
5872 <command>localhost;</command>) is used.
5878 <term><command>allow-update</command></term>
5881 Specifies which hosts are allowed to
5882 submit Dynamic DNS updates for master zones. The default is
5884 updates from all hosts. Note that allowing updates based
5885 on the requestor's IP address is insecure; see
5886 <xref linkend="dynamic_update_security"/> for details.
5892 <term><command>allow-update-forwarding</command></term>
5895 Specifies which hosts are allowed to
5896 submit Dynamic DNS updates to slave zones to be forwarded to
5898 master. The default is <userinput>{ none; }</userinput>,
5900 means that no update forwarding will be performed. To
5902 update forwarding, specify
5903 <userinput>allow-update-forwarding { any; };</userinput>.
5904 Specifying values other than <userinput>{ none; }</userinput> or
5905 <userinput>{ any; }</userinput> is usually
5906 counterproductive, since
5907 the responsibility for update access control should rest
5909 master server, not the slaves.
5912 Note that enabling the update forwarding feature on a slave
5914 may expose master servers relying on insecure IP address
5916 access control to attacks; see <xref linkend="dynamic_update_security"/>
5923 <term><command>allow-v6-synthesis</command></term>
5926 This option was introduced for the smooth transition from
5928 to A6 and from "nibble labels" to binary labels.
5929 However, since both A6 and binary labels were then
5931 this option was also deprecated.
5932 It is now ignored with some warning messages.
5938 <term><command>allow-transfer</command></term>
5941 Specifies which hosts are allowed to
5942 receive zone transfers from the server. <command>allow-transfer</command> may
5943 also be specified in the <command>zone</command>
5945 case it overrides the <command>options allow-transfer</command> statement.
5946 If not specified, the default is to allow transfers to all
5953 <term><command>blackhole</command></term>
5956 Specifies a list of addresses that the
5957 server will not accept queries from or use to resolve a
5959 from these addresses will not be responded to. The default
5960 is <userinput>none</userinput>.
5970 <title>Interfaces</title>
5972 The interfaces and ports that the server will answer queries
5973 from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
5974 an optional port, and an <varname>address_match_list</varname>.
5975 The server will listen on all interfaces allowed by the address
5976 match list. If a port is not specified, port 53 will be used.
5979 Multiple <command>listen-on</command> statements are
5984 <programlisting>listen-on { 5.6.7.8; };
5985 listen-on port 1234 { !1.2.3.4; 1.2/16; };
5989 will enable the name server on port 53 for the IP address
5990 5.6.7.8, and on port 1234 of an address on the machine in net
5991 1.2 that is not 1.2.3.4.
5995 If no <command>listen-on</command> is specified, the
5996 server will listen on port 53 on all interfaces.
6000 The <command>listen-on-v6</command> option is used to
6001 specify the interfaces and the ports on which the server will
6003 for incoming queries sent using IPv6.
6007 When <programlisting>{ any; }</programlisting> is
6009 as the <varname>address_match_list</varname> for the
6010 <command>listen-on-v6</command> option,
6011 the server does not bind a separate socket to each IPv6 interface
6012 address as it does for IPv4 if the operating system has enough API
6013 support for IPv6 (specifically if it conforms to RFC 3493 and RFC
6015 Instead, it listens on the IPv6 wildcard address.
6016 If the system only has incomplete API support for IPv6, however,
6017 the behavior is the same as that for IPv4.
6021 A list of particular IPv6 addresses can also be specified, in
6023 the server listens on a separate socket for each specified
6025 regardless of whether the desired API is supported by the system.
6029 Multiple <command>listen-on-v6</command> options can
6034 <programlisting>listen-on-v6 { any; };
6035 listen-on-v6 port 1234 { !2001:db8::/32; any; };
6039 will enable the name server on port 53 for any IPv6 addresses
6040 (with a single wildcard socket),
6041 and on port 1234 of IPv6 addresses that is not in the prefix
6042 2001:db8::/32 (with separate sockets for each matched address.)
6046 To make the server not listen on any IPv6 address, use
6049 <programlisting>listen-on-v6 { none; };
6053 If no <command>listen-on-v6</command> option is
6055 the server will not listen on any IPv6 address.
6060 <title>Query Address</title>
6062 If the server doesn't know the answer to a question, it will
6063 query other name servers. <command>query-source</command> specifies
6064 the address and port used for such queries. For queries sent over
6065 IPv6, there is a separate <command>query-source-v6</command> option.
6066 If <command>address</command> is <command>*</command> (asterisk) or is omitted,
6067 a wildcard IP address (<command>INADDR_ANY</command>)
6069 If <command>port</command> is <command>*</command> or is omitted,
6070 a random unprivileged port will be used. The <command>avoid-v4-udp-ports</command>
6071 and <command>avoid-v6-udp-ports</command> options can be used
6073 from selecting certain ports. The defaults are:
6076 <programlisting>query-source address * port *;
6077 query-source-v6 address * port *;
6082 The address specified in the <command>query-source</command> option
6083 is used for both UDP and TCP queries, but the port applies only
6085 UDP queries. TCP queries always use a random
6091 Solaris 2.5.1 and earlier does not support setting the source
6092 address for TCP sockets.
6097 See also <command>transfer-source</command> and
6098 <command>notify-source</command>.
6103 <sect3 id="zone_transfers">
6104 <title>Zone Transfers</title>
6106 <acronym>BIND</acronym> has mechanisms in place to
6107 facilitate zone transfers
6108 and set limits on the amount of load that transfers place on the
6109 system. The following options apply to zone transfers.
6115 <term><command>also-notify</command></term>
6118 Defines a global list of IP addresses of name servers
6119 that are also sent NOTIFY messages whenever a fresh copy of
6121 zone is loaded, in addition to the servers listed in the
6123 This helps to ensure that copies of the zones will
6124 quickly converge on stealth servers. If an <command>also-notify</command> list
6125 is given in a <command>zone</command> statement,
6127 the <command>options also-notify</command>
6128 statement. When a <command>zone notify</command>
6130 is set to <command>no</command>, the IP
6131 addresses in the global <command>also-notify</command> list will
6132 not be sent NOTIFY messages for that zone. The default is
6134 list (no global notification list).
6140 <term><command>max-transfer-time-in</command></term>
6143 Inbound zone transfers running longer than
6144 this many minutes will be terminated. The default is 120
6146 (2 hours). The maximum value is 28 days (40320 minutes).
6152 <term><command>max-transfer-idle-in</command></term>
6155 Inbound zone transfers making no progress
6156 in this many minutes will be terminated. The default is 60
6158 (1 hour). The maximum value is 28 days (40320 minutes).
6164 <term><command>max-transfer-time-out</command></term>
6167 Outbound zone transfers running longer than
6168 this many minutes will be terminated. The default is 120
6170 (2 hours). The maximum value is 28 days (40320 minutes).
6176 <term><command>max-transfer-idle-out</command></term>
6179 Outbound zone transfers making no progress
6180 in this many minutes will be terminated. The default is 60
6182 hour). The maximum value is 28 days (40320 minutes).
6188 <term><command>serial-query-rate</command></term>
6191 Slave servers will periodically query master servers
6192 to find out if zone serial numbers have changed. Each such
6194 a minute amount of the slave server's network bandwidth. To
6196 amount of bandwidth used, BIND 9 limits the rate at which
6198 sent. The value of the <command>serial-query-rate</command> option,
6199 an integer, is the maximum number of queries sent per
6207 <term><command>serial-queries</command></term>
6210 In BIND 8, the <command>serial-queries</command>
6212 set the maximum number of concurrent serial number queries
6213 allowed to be outstanding at any given time.
6214 BIND 9 does not limit the number of outstanding
6215 serial queries and ignores the <command>serial-queries</command> option.
6216 Instead, it limits the rate at which the queries are sent
6217 as defined using the <command>serial-query-rate</command> option.
6223 <term><command>transfer-format</command></term>
6227 Zone transfers can be sent using two different formats,
6228 <command>one-answer</command> and
6229 <command>many-answers</command>.
6230 The <command>transfer-format</command> option is used
6231 on the master server to determine which format it sends.
6232 <command>one-answer</command> uses one DNS message per
6233 resource record transferred.
6234 <command>many-answers</command> packs as many resource
6235 records as possible into a message.
6236 <command>many-answers</command> is more efficient, but is
6237 only supported by relatively new slave servers,
6238 such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
6239 8.x and <acronym>BIND</acronym> 4.9.5 onwards.
6240 The <command>many-answers</command> format is also supported by
6241 recent Microsoft Windows nameservers.
6242 The default is <command>many-answers</command>.
6243 <command>transfer-format</command> may be overridden on a
6244 per-server basis by using the <command>server</command>
6252 <term><command>transfers-in</command></term>
6255 The maximum number of inbound zone transfers
6256 that can be running concurrently. The default value is <literal>10</literal>.
6257 Increasing <command>transfers-in</command> may
6258 speed up the convergence
6259 of slave zones, but it also may increase the load on the
6266 <term><command>transfers-out</command></term>
6269 The maximum number of outbound zone transfers
6270 that can be running concurrently. Zone transfer requests in
6272 of the limit will be refused. The default value is <literal>10</literal>.
6278 <term><command>transfers-per-ns</command></term>
6281 The maximum number of inbound zone transfers
6282 that can be concurrently transferring from a given remote
6284 The default value is <literal>2</literal>.
6285 Increasing <command>transfers-per-ns</command>
6287 speed up the convergence of slave zones, but it also may
6289 the load on the remote name server. <command>transfers-per-ns</command> may
6290 be overridden on a per-server basis by using the <command>transfers</command> phrase
6291 of the <command>server</command> statement.
6297 <term><command>transfer-source</command></term>
6299 <para><command>transfer-source</command>
6300 determines which local address will be bound to IPv4
6301 TCP connections used to fetch zones transferred
6302 inbound by the server. It also determines the
6303 source IPv4 address, and optionally the UDP port,
6304 used for the refresh queries and forwarded dynamic
6305 updates. If not set, it defaults to a system
6306 controlled value which will usually be the address
6307 of the interface "closest to" the remote end. This
6308 address must appear in the remote end's
6309 <command>allow-transfer</command> option for the
6310 zone being transferred, if one is specified. This
6312 <command>transfer-source</command> for all zones,
6313 but can be overridden on a per-view or per-zone
6314 basis by including a
6315 <command>transfer-source</command> statement within
6316 the <command>view</command> or
6317 <command>zone</command> block in the configuration
6322 Solaris 2.5.1 and earlier does not support setting the
6323 source address for TCP sockets.
6330 <term><command>transfer-source-v6</command></term>
6333 The same as <command>transfer-source</command>,
6334 except zone transfers are performed using IPv6.
6340 <term><command>alt-transfer-source</command></term>
6343 An alternate transfer source if the one listed in
6344 <command>transfer-source</command> fails and
6345 <command>use-alt-transfer-source</command> is
6349 If you do not wish the alternate transfer source
6350 to be used, you should set
6351 <command>use-alt-transfer-source</command>
6352 appropriately and you should not depend upon
6353 getting a answer back to the first refresh
6360 <term><command>alt-transfer-source-v6</command></term>
6363 An alternate transfer source if the one listed in
6364 <command>transfer-source-v6</command> fails and
6365 <command>use-alt-transfer-source</command> is
6372 <term><command>use-alt-transfer-source</command></term>
6375 Use the alternate transfer sources or not. If views are
6376 specified this defaults to <command>no</command>
6377 otherwise it defaults to
6378 <command>yes</command> (for BIND 8
6385 <term><command>notify-source</command></term>
6387 <para><command>notify-source</command>
6388 determines which local source address, and
6389 optionally UDP port, will be used to send NOTIFY
6390 messages. This address must appear in the slave
6391 server's <command>masters</command> zone clause or
6392 in an <command>allow-notify</command> clause. This
6393 statement sets the <command>notify-source</command>
6394 for all zones, but can be overridden on a per-zone or
6395 per-view basis by including a
6396 <command>notify-source</command> statement within
6397 the <command>zone</command> or
6398 <command>view</command> block in the configuration
6403 Solaris 2.5.1 and earlier does not support setting the
6404 source address for TCP sockets.
6411 <term><command>notify-source-v6</command></term>
6414 Like <command>notify-source</command>,
6415 but applies to notify messages sent to IPv6 addresses.
6425 <title>Bad UDP Port Lists</title>
6426 <para><command>avoid-v4-udp-ports</command>
6427 and <command>avoid-v6-udp-ports</command> specify a list
6428 of IPv4 and IPv6 UDP ports that will not be used as system
6429 assigned source ports for UDP sockets. These lists
6430 prevent named from choosing as its random source port a
6431 port that is blocked by your firewall. If a query went
6432 out with such a source port, the answer would not get by
6433 the firewall and the name server would have to query
6439 <title>Operating System Resource Limits</title>
6442 The server's usage of many system resources can be limited.
6443 Scaled values are allowed when specifying resource limits. For
6444 example, <command>1G</command> can be used instead of
6445 <command>1073741824</command> to specify a limit of
6447 gigabyte. <command>unlimited</command> requests
6448 unlimited use, or the
6449 maximum available amount. <command>default</command>
6451 that was in force when the server was started. See the description
6452 of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
6456 The following options set operating system resource limits for
6457 the name server process. Some operating systems don't support
6459 any of the limits. On such systems, a warning will be issued if
6461 unsupported limit is used.
6467 <term><command>coresize</command></term>
6470 The maximum size of a core dump. The default
6471 is <literal>default</literal>.
6477 <term><command>datasize</command></term>
6480 The maximum amount of data memory the server
6481 may use. The default is <literal>default</literal>.
6482 This is a hard limit on server memory usage.
6483 If the server attempts to allocate memory in excess of this
6484 limit, the allocation will fail, which may in turn leave
6485 the server unable to perform DNS service. Therefore,
6486 this option is rarely useful as a way of limiting the
6487 amount of memory used by the server, but it can be used
6488 to raise an operating system data size limit that is
6489 too small by default. If you wish to limit the amount
6490 of memory used by the server, use the
6491 <command>max-cache-size</command> and
6492 <command>recursive-clients</command>
6499 <term><command>files</command></term>
6502 The maximum number of files the server
6503 may have open concurrently. The default is <literal>unlimited</literal>.
6509 <term><command>stacksize</command></term>
6512 The maximum amount of stack memory the server
6513 may use. The default is <literal>default</literal>.
6523 <title>Server Resource Limits</title>
6526 The following options set limits on the server's
6527 resource consumption that are enforced internally by the
6528 server rather than the operating system.
6534 <term><command>max-ixfr-log-size</command></term>
6537 This option is obsolete; it is accepted
6538 and ignored for BIND 8 compatibility. The option
6539 <command>max-journal-size</command> performs a
6540 similar function in BIND 9.
6546 <term><command>max-journal-size</command></term>
6549 Sets a maximum size for each journal file
6550 (see <xref linkend="journal"/>). When the journal file
6552 the specified size, some of the oldest transactions in the
6554 will be automatically removed. The default is
6555 <literal>unlimited</literal>.
6561 <term><command>host-statistics-max</command></term>
6564 In BIND 8, specifies the maximum number of host statistics
6566 Not implemented in BIND 9.
6572 <term><command>recursive-clients</command></term>
6575 The maximum number of simultaneous recursive lookups
6576 the server will perform on behalf of clients. The default
6578 <literal>1000</literal>. Because each recursing
6580 bit of memory, on the order of 20 kilobytes, the value of
6582 <command>recursive-clients</command> option may
6583 have to be decreased
6584 on hosts with limited memory.
6590 <term><command>tcp-clients</command></term>
6593 The maximum number of simultaneous client TCP
6594 connections that the server will accept.
6595 The default is <literal>100</literal>.
6601 <term><command>max-cache-size</command></term>
6604 The maximum amount of memory to use for the
6605 server's cache, in bytes. When the amount of data in the
6607 reaches this limit, the server will cause records to expire
6608 prematurely so that the limit is not exceeded. In a server
6610 multiple views, the limit applies separately to the cache of
6612 view. The default is <literal>unlimited</literal>, meaning that
6613 records are purged from the cache only when their TTLs
6620 <term><command>tcp-listen-queue</command></term>
6623 The listen queue depth. The default and minimum is 3.
6624 If the kernel supports the accept filter "dataready" this
6626 many TCP connections that will be queued in kernel space
6628 some data before being passed to accept. Values less than 3
6640 <title>Periodic Task Intervals</title>
6645 <term><command>cleaning-interval</command></term>
6648 The server will remove expired resource records
6649 from the cache every <command>cleaning-interval</command> minutes.
6650 The default is 60 minutes. The maximum value is 28 days
6652 If set to 0, no periodic cleaning will occur.
6658 <term><command>heartbeat-interval</command></term>
6661 The server will perform zone maintenance tasks
6662 for all zones marked as <command>dialup</command> whenever this
6663 interval expires. The default is 60 minutes. Reasonable
6665 to 1 day (1440 minutes). The maximum value is 28 days
6667 If set to 0, no zone maintenance for these zones will occur.
6673 <term><command>interface-interval</command></term>
6676 The server will scan the network interface list
6677 every <command>interface-interval</command>
6678 minutes. The default
6679 is 60 minutes. The maximum value is 28 days (40320 minutes).
6680 If set to 0, interface scanning will only occur when
6681 the configuration file is loaded. After the scan, the
6683 begin listening for queries on any newly discovered
6684 interfaces (provided they are allowed by the
6685 <command>listen-on</command> configuration), and
6687 stop listening on interfaces that have gone away.
6693 <term><command>statistics-interval</command></term>
6696 Name server statistics will be logged
6697 every <command>statistics-interval</command>
6698 minutes. The default is
6699 60. The maximum value is 28 days (40320 minutes).
6700 If set to 0, no statistics will be logged.
6703 Not yet implemented in
6704 <acronym>BIND</acronym> 9.
6714 <sect3 id="topology">
6715 <title>Topology</title>
6718 All other things being equal, when the server chooses a name
6720 to query from a list of name servers, it prefers the one that is
6721 topologically closest to itself. The <command>topology</command> statement
6722 takes an <command>address_match_list</command> and
6724 in a special way. Each top-level list element is assigned a
6726 Non-negated elements get a distance based on their position in the
6727 list, where the closer the match is to the start of the list, the
6728 shorter the distance is between it and the server. A negated match
6729 will be assigned the maximum distance from the server. If there
6730 is no match, the address will get a distance which is further than
6731 any non-negated list element, and closer than any negated element.
6735 <programlisting>topology {
6742 will prefer servers on network 10 the most, followed by hosts
6743 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
6744 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
6745 is preferred least of all.
6748 The default topology is
6751 <programlisting> topology { localhost; localnets; };
6756 The <command>topology</command> option
6757 is not implemented in <acronym>BIND</acronym> 9.
6762 <sect3 id="the_sortlist_statement">
6764 <title>The <command>sortlist</command> Statement</title>
6767 The response to a DNS query may consist of multiple resource
6768 records (RRs) forming a resource records set (RRset).
6769 The name server will normally return the
6770 RRs within the RRset in an indeterminate order
6771 (but see the <command>rrset-order</command>
6772 statement in <xref linkend="rrset_ordering"/>).
6773 The client resolver code should rearrange the RRs as appropriate,
6774 that is, using any addresses on the local net in preference to
6776 However, not all resolvers can do this or are correctly
6778 When a client is using a local server, the sorting can be performed
6779 in the server, based on the client's address. This only requires
6780 configuring the name servers, not all the clients.
6784 The <command>sortlist</command> statement (see below)
6786 an <command>address_match_list</command> and
6788 more specifically than the <command>topology</command>
6790 does (<xref linkend="topology"/>).
6791 Each top level statement in the <command>sortlist</command> must
6792 itself be an explicit <command>address_match_list</command> with
6793 one or two elements. The first element (which may be an IP
6795 an IP prefix, an ACL name or a nested <command>address_match_list</command>)
6796 of each top level list is checked against the source address of
6797 the query until a match is found.
6800 Once the source address of the query has been matched, if
6801 the top level statement contains only one element, the actual
6803 element that matched the source address is used to select the
6805 in the response to move to the beginning of the response. If the
6806 statement is a list of two elements, then the second element is
6807 treated the same as the <command>address_match_list</command> in
6808 a <command>topology</command> statement. Each top
6810 is assigned a distance and the address in the response with the
6812 distance is moved to the beginning of the response.
6815 In the following example, any queries received from any of
6816 the addresses of the host itself will get responses preferring
6818 on any of the locally connected networks. Next most preferred are
6820 on the 192.168.1/24 network, and after that either the
6823 192.168.3/24 network with no preference shown between these two
6824 networks. Queries received from a host on the 192.168.1/24 network
6825 will prefer other addresses on that network to the 192.168.2/24
6827 192.168.3/24 networks. Queries received from a host on the
6829 or the 192.168.5/24 network will only prefer other addresses on
6830 their directly connected networks.
6833 <programlisting>sortlist {
6834 { localhost; // IF the local host
6835 { localnets; // THEN first fit on the
6836 192.168.1/24; // following nets
6837 { 192.168.2/24; 192.168.3/24; }; }; };
6838 { 192.168.1/24; // IF on class C 192.168.1
6839 { 192.168.1/24; // THEN use .1, or .2 or .3
6840 { 192.168.2/24; 192.168.3/24; }; }; };
6841 { 192.168.2/24; // IF on class C 192.168.2
6842 { 192.168.2/24; // THEN use .2, or .1 or .3
6843 { 192.168.1/24; 192.168.3/24; }; }; };
6844 { 192.168.3/24; // IF on class C 192.168.3
6845 { 192.168.3/24; // THEN use .3, or .1 or .2
6846 { 192.168.1/24; 192.168.2/24; }; }; };
6847 { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
6852 The following example will give reasonable behavior for the
6853 local host and hosts on directly connected networks. It is similar
6854 to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
6855 to queries from the local host will favor any of the directly
6857 networks. Responses sent to queries from any other hosts on a
6859 connected network will prefer addresses on that same network.
6861 to other queries will not be sorted.
6864 <programlisting>sortlist {
6865 { localhost; localnets; };
6871 <sect3 id="rrset_ordering">
6872 <title id="rrset_ordering_title">RRset Ordering</title>
6874 When multiple records are returned in an answer it may be
6875 useful to configure the order of the records placed into the
6877 The <command>rrset-order</command> statement permits
6879 of the ordering of the records in a multiple record response.
6880 See also the <command>sortlist</command> statement,
6881 <xref linkend="the_sortlist_statement"/>.
6885 An <command>order_spec</command> is defined as
6889 <optional>class <replaceable>class_name</replaceable></optional>
6890 <optional>type <replaceable>type_name</replaceable></optional>
6891 <optional>name <replaceable>"domain_name"</replaceable></optional>
6892 order <replaceable>ordering</replaceable>
6895 If no class is specified, the default is <command>ANY</command>.
6896 If no type is specified, the default is <command>ANY</command>.
6897 If no name is specified, the default is "<command>*</command>" (asterisk).
6900 The legal values for <command>ordering</command> are:
6902 <informaltable colsep="0" rowsep="0">
6903 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
6904 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
6905 <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
6909 <para><command>fixed</command></para>
6913 Records are returned in the order they
6914 are defined in the zone file.
6920 <para><command>random</command></para>
6924 Records are returned in some random order.
6930 <para><command>cyclic</command></para>
6934 Records are returned in a round-robin
6946 <programlisting>rrset-order {
6947 class IN type A name "host.example.com" order random;
6953 will cause any responses for type A records in class IN that
6954 have "<literal>host.example.com</literal>" as a
6955 suffix, to always be returned
6956 in random order. All other records are returned in cyclic order.
6959 If multiple <command>rrset-order</command> statements
6961 they are not combined — the last one applies.
6966 The <command>rrset-order</command> statement
6967 is not yet fully implemented in <acronym>BIND</acronym> 9.
6968 BIND 9 currently does not fully support "fixed" ordering.
6974 <title>Tuning</title>
6979 <term><command>lame-ttl</command></term>
6982 Sets the number of seconds to cache a
6983 lame server indication. 0 disables caching. (This is
6984 <emphasis role="bold">NOT</emphasis> recommended.)
6985 The default is <literal>600</literal> (10 minutes) and the
6987 <literal>1800</literal> (30 minutes).
6994 <term><command>max-ncache-ttl</command></term>
6997 To reduce network traffic and increase performance,
6998 the server stores negative answers. <command>max-ncache-ttl</command> is
6999 used to set a maximum retention time for these answers in
7001 in seconds. The default
7002 <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
7003 <command>max-ncache-ttl</command> cannot exceed
7005 be silently truncated to 7 days if set to a greater value.
7011 <term><command>max-cache-ttl</command></term>
7014 Sets the maximum time for which the server will
7015 cache ordinary (positive) answers. The default is
7022 <term><command>min-roots</command></term>
7025 The minimum number of root servers that
7026 is required for a request for the root servers to be
7027 accepted. The default
7028 is <userinput>2</userinput>.
7032 Not implemented in <acronym>BIND</acronym> 9.
7039 <term><command>sig-validity-interval</command></term>
7042 Specifies the number of days into the
7043 future when DNSSEC signatures automatically generated as a
7045 of dynamic updates (<xref linkend="dynamic_update"/>)
7046 will expire. The default is <literal>30</literal> days.
7047 The maximum value is 10 years (3660 days). The signature
7048 inception time is unconditionally set to one hour before the
7050 to allow for a limited amount of clock skew.
7056 <term><command>min-refresh-time</command></term>
7057 <term><command>max-refresh-time</command></term>
7058 <term><command>min-retry-time</command></term>
7059 <term><command>max-retry-time</command></term>
7062 These options control the server's behavior on refreshing a
7064 (querying for SOA changes) or retrying failed transfers.
7065 Usually the SOA values for the zone are used, but these
7067 are set by the master, giving slave server administrators
7069 control over their contents.
7072 These options allow the administrator to set a minimum and
7074 refresh and retry time either per-zone, per-view, or
7076 These options are valid for slave and stub zones,
7077 and clamp the SOA refresh and retry times to the specified
7084 <term><command>edns-udp-size</command></term>
7087 Sets the advertised EDNS UDP buffer size in bytes. Valid
7088 values are 512 to 4096 (values outside this range
7089 will be silently adjusted). The default value is
7090 4096. The usual reason for setting edns-udp-size to
7091 a non-default value is to get UDP answers to pass
7092 through broken firewalls that block fragmented
7093 packets and/or block UDP packets that are greater
7100 <term><command>max-udp-size</command></term>
7103 Sets the maximum EDNS UDP message size named will
7104 send in bytes. Valid values are 512 to 4096 (values outside
7105 this range will be silently adjusted). The default
7106 value is 4096. The usual reason for setting
7107 max-udp-size to a non-default value is to get UDP
7108 answers to pass through broken firewalls that
7109 block fragmented packets and/or block UDP packets
7110 that are greater than 512 bytes.
7111 This is independent of the advertised receive
7112 buffer (<command>edns-udp-size</command>).
7118 <term><command>masterfile-format</command></term>
7121 the file format of zone files (see
7122 <xref linkend="zonefile_format"/>).
7123 The default value is <constant>text</constant>, which is the
7124 standard textual representation. Files in other formats
7125 than <constant>text</constant> are typically expected
7126 to be generated by the <command>named-compilezone</command> tool.
7127 Note that when a zone file in a different format than
7128 <constant>text</constant> is loaded, <command>named</command>
7129 may omit some of the checks which would be performed for a
7130 file in the <constant>text</constant> format. In particular,
7131 <command>check-names</command> checks do not apply
7132 for the <constant>raw</constant> format. This means
7133 a zone file in the <constant>raw</constant> format
7134 must be generated with the same check level as that
7135 specified in the <command>named</command> configuration
7136 file. This statement sets the
7137 <command>masterfile-format</command> for all zones,
7138 but can be overridden on a per-zone or per-view basis
7139 by including a <command>masterfile-format</command>
7140 statement within the <command>zone</command> or
7141 <command>view</command> block in the configuration
7148 <term><command>clients-per-query</command></term>
7149 <term><command>max-clients-per-query</command></term>
7152 initial value (minimum) and maximum number of recursive
7153 simultanious clients for any given query
7154 (<qname,qtype,qclass>) that the server will accept
7155 before dropping additional clients. named will attempt to
7156 self tune this value and changes will be logged. The
7157 default values are 10 and 100.
7160 This value should reflect how many queries come in for
7161 a given name in the time it takes to resolve that name.
7162 If the number of queries exceed this value, named will
7163 assume that it is dealing with a non-responsive zone
7164 and will drop additional queries. If it gets a response
7165 after dropping queries, it will raise the estimate. The
7166 estimate will then be lowered in 20 minutes if it has
7170 If <command>clients-per-query</command> is set to zero,
7171 then there is no limit on the number of clients per query
7172 and no queries will be dropped.
7175 If <command>max-clients-per-query</command> is set to zero,
7176 then there is no upper bound other than imposed by
7177 <command>recursive-clients</command>.
7183 <term><command>notify-delay</command></term>
7186 The delay, in seconds, between sending sets of notify
7187 messages for a zone. The default is zero.
7195 <sect3 id="builtin">
7196 <title>Built-in server information zones</title>
7199 The server provides some helpful diagnostic information
7200 through a number of built-in zones under the
7201 pseudo-top-level-domain <literal>bind</literal> in the
7202 <command>CHAOS</command> class. These zones are part
7204 built-in view (see <xref linkend="view_statement_grammar"/>) of
7206 <command>CHAOS</command> which is separate from the
7208 class <command>IN</command>; therefore, any global
7210 such as <command>allow-query</command> do not apply
7212 If you feel the need to disable these zones, use the options
7213 below, or hide the built-in <command>CHAOS</command>
7215 defining an explicit view of class <command>CHAOS</command>
7216 that matches all clients.
7222 <term><command>version</command></term>
7225 The version the server should report
7226 via a query of the name <literal>version.bind</literal>
7227 with type <command>TXT</command>, class <command>CHAOS</command>.
7228 The default is the real version number of this server.
7229 Specifying <command>version none</command>
7230 disables processing of the queries.
7236 <term><command>hostname</command></term>
7239 The hostname the server should report via a query of
7240 the name <filename>hostname.bind</filename>
7241 with type <command>TXT</command>, class <command>CHAOS</command>.
7242 This defaults to the hostname of the machine hosting the
7244 found by the gethostname() function. The primary purpose of such queries
7246 identify which of a group of anycast servers is actually
7247 answering your queries. Specifying <command>hostname none;</command>
7248 disables processing of the queries.
7254 <term><command>server-id</command></term>
7257 The ID of the server should report via a query of
7258 the name <filename>ID.SERVER</filename>
7259 with type <command>TXT</command>, class <command>CHAOS</command>.
7260 The primary purpose of such queries is to
7261 identify which of a group of anycast servers is actually
7262 answering your queries. Specifying <command>server-id none;</command>
7263 disables processing of the queries.
7264 Specifying <command>server-id hostname;</command> will cause named to
7265 use the hostname as found by the gethostname() function.
7266 The default <command>server-id</command> is <command>none</command>.
7276 <title>Built-in Empty Zones</title>
7278 Named has some built-in empty zones (SOA and NS records only).
7279 These are for zones that should normally be answered locally
7280 and which queries should not be sent to the Internet's root
7281 servers. The official servers which cover these namespaces
7282 return NXDOMAIN responses to these queries. In particular,
7283 these cover the reverse namespace for addresses from RFC 1918 and
7284 RFC 3330. They also include the reverse namespace for IPv6 local
7285 address (locally assigned), IPv6 link local addresses, the IPv6
7286 loopback address and the IPv6 unknown addresss.
7289 Named will attempt to determine if a built in zone already exists
7290 or is active (covered by a forward-only forwarding declaration)
7291 and will not not create a empty zone in that case.
7294 The current list of empty zones is:
7296 <listitem>10.IN-ADDR.ARPA</listitem>
7297 <listitem>127.IN-ADDR.ARPA</listitem>
7298 <listitem>254.169.IN-ADDR.ARPA</listitem>
7299 <listitem>16.172.IN-ADDR.ARPA</listitem>
7300 <listitem>17.172.IN-ADDR.ARPA</listitem>
7301 <listitem>18.172.IN-ADDR.ARPA</listitem>
7302 <listitem>19.172.IN-ADDR.ARPA</listitem>
7303 <listitem>20.172.IN-ADDR.ARPA</listitem>
7304 <listitem>21.172.IN-ADDR.ARPA</listitem>
7305 <listitem>22.172.IN-ADDR.ARPA</listitem>
7306 <listitem>23.172.IN-ADDR.ARPA</listitem>
7307 <listitem>24.172.IN-ADDR.ARPA</listitem>
7308 <listitem>25.172.IN-ADDR.ARPA</listitem>
7309 <listitem>26.172.IN-ADDR.ARPA</listitem>
7310 <listitem>27.172.IN-ADDR.ARPA</listitem>
7311 <listitem>28.172.IN-ADDR.ARPA</listitem>
7312 <listitem>29.172.IN-ADDR.ARPA</listitem>
7313 <listitem>30.172.IN-ADDR.ARPA</listitem>
7314 <listitem>31.172.IN-ADDR.ARPA</listitem>
7315 <listitem>168.192.IN-ADDR.ARPA</listitem>
7316 <listitem>2.0.192.IN-ADDR.ARPA</listitem>
7317 <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7318 <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7319 <listitem>D.F.IP6.ARPA</listitem>
7320 <listitem>8.E.F.IP6.ARPA</listitem>
7321 <listitem>9.E.F.IP6.ARPA</listitem>
7322 <listitem>A.E.F.IP6.ARPA</listitem>
7323 <listitem>B.E.F.IP6.ARPA</listitem>
7327 Empty zones are settable at the view level and only apply to
7328 views of class IN. Disabled empty zones are only inherited
7329 from options if there are no disabled empty zones specified
7330 at the view level. To override the options list of disabled
7331 zones, you can disable the root zone at the view level, for example:
7333 disable-empty-zone ".";
7337 If you are using the address ranges covered here, you should
7338 already have reverse zones covering the addresses you use.
7339 In practice this appears to not be the case with many queries
7340 being made to the infrastructure servers for names in these
7341 spaces. So many in fact that sacrificial servers were needed
7342 to be deployed to channel the query load away from the
7343 infrastructure servers.
7346 The real parent servers for these zones should disable all
7347 empty zone under the parent zone they serve. For the real
7348 root servers, this is all built in empty zones. This will
7349 enable them to return referrals to deeper in the tree.
7353 <term><command>empty-server</command></term>
7356 Specify what server name will appear in the returned
7357 SOA record for empty zones. If none is specified, then
7358 the zone's name will be used.
7364 <term><command>empty-contact</command></term>
7367 Specify what contact name will appear in the returned
7368 SOA record for empty zones. If none is specified, then
7375 <term><command>empty-zones-enable</command></term>
7378 Enable or disable all empty zones. By default they
7385 <term><command>disable-empty-zone</command></term>
7388 Disable individual empty zones. By default none are
7389 disabled. This option can be specified multiple times.
7396 <sect3 id="statsfile">
7397 <title>The Statistics File</title>
7400 The statistics file generated by <acronym>BIND</acronym> 9
7401 is similar, but not identical, to that
7402 generated by <acronym>BIND</acronym> 8.
7405 The statistics dump begins with a line, like:
7408 <command>+++ Statistics Dump +++ (973798949)</command>
7411 The number in parentheses is a standard
7412 Unix-style timestamp, measured as seconds since January 1, 1970.
7414 that line are a series of lines containing a counter type, the
7416 counter, optionally a zone name, and optionally a view name.
7417 The lines without view and zone listed are global statistics for
7419 Lines with a zone and view name for the given view and zone (the
7421 omitted for the default view).
7424 The statistics dump ends with the line where the
7425 number is identical to the number in the beginning line; for example:
7428 <command>--- Statistics Dump --- (973798949)</command>
7431 The following statistics counters are maintained:
7433 <informaltable colsep="0" rowsep="0">
7434 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
7435 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
7436 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
7440 <para><command>success</command></para>
7445 successful queries made to the server or zone. A
7447 is defined as query which returns a NOERROR response
7455 <para><command>referral</command></para>
7459 The number of queries which resulted
7460 in referral responses.
7466 <para><command>nxrrset</command></para>
7470 The number of queries which resulted in
7471 NOERROR responses with no data.
7477 <para><command>nxdomain</command></para>
7482 of queries which resulted in NXDOMAIN responses.
7488 <para><command>failure</command></para>
7492 The number of queries which resulted in a
7493 failure response other than those above.
7499 <para><command>recursion</command></para>
7503 The number of queries which caused the server
7504 to perform recursion in order to find the final answer.
7510 <para><command>duplicate</command></para>
7514 The number of queries which the server attempted to
7515 recurse but discover a existing query with the same
7516 IP address, port, query id, name, type and class
7517 already being processed.
7523 <para><command>dropped</command></para>
7527 The number of queries for which the server
7528 discovered a excessive number of existing
7529 recursive queries for the same name, type and
7530 class and were subsequently dropped.
7539 Each query received by the server will cause exactly one of
7540 <command>success</command>,
7541 <command>referral</command>,
7542 <command>nxrrset</command>,
7543 <command>nxdomain</command>, or
7544 <command>failure</command>
7545 to be incremented, and may additionally cause the
7546 <command>recursion</command> counter to be
7553 <title>Additional Section Caching</title>
7556 The additional section cache, also called <command>acache</command>,
7557 is an internal cache to improve the response performance of BIND 9.
7558 When additional section caching is enabled, BIND 9 will
7559 cache an internal short-cut to the additional section content for
7561 Note that <command>acache</command> is an internal caching
7562 mechanism of BIND 9, and is not related to the DNS caching
7567 Additional section caching does not change the
7568 response content (except the RRsets ordering of the additional
7569 section, see below), but can improve the response performance
7571 It is particularly effective when BIND 9 acts as an authoritative
7572 server for a zone that has many delegations with many glue RRs.
7576 In order to obtain the maximum performance improvement
7577 from additional section caching, setting
7578 <command>additional-from-cache</command>
7579 to <command>no</command> is recommended, since the current
7580 implementation of <command>acache</command>
7581 does not short-cut of additional section information from the
7586 One obvious disadvantage of <command>acache</command> is
7587 that it requires much more
7588 memory for the internal cached data.
7589 Thus, if the response performance does not matter and memory
7590 consumption is much more critical, the
7591 <command>acache</command> mechanism can be
7592 disabled by setting <command>acache-enable</command> to
7593 <command>no</command>.
7594 It is also possible to specify the upper limit of memory
7596 for acache by using <command>max-acache-size</command>.
7600 Additional section caching also has a minor effect on the
7601 RRset ordering in the additional section.
7602 Without <command>acache</command>,
7603 <command>cyclic</command> order is effective for the additional
7604 section as well as the answer and authority sections.
7605 However, additional section caching fixes the ordering when it
7606 first caches an RRset for the additional section, and the same
7607 ordering will be kept in succeeding responses, regardless of the
7608 setting of <command>rrset-order</command>.
7609 The effect of this should be minor, however, since an
7610 RRset in the additional section
7611 typically only contains a small number of RRs (and in many cases
7612 it only contains a single RR), in which case the
7613 ordering does not matter much.
7617 The following is a summary of options related to
7618 <command>acache</command>.
7624 <term><command>acache-enable</command></term>
7627 If <command>yes</command>, additional section caching is
7628 enabled. The default value is <command>no</command>.
7634 <term><command>acache-cleaning-interval</command></term>
7637 The server will remove stale cache entries, based on an LRU
7639 algorithm, every <command>acache-cleaning-interval</command> minutes.
7640 The default is 60 minutes.
7641 If set to 0, no periodic cleaning will occur.
7647 <term><command>max-acache-size</command></term>
7650 The maximum amount of memory in bytes to use for the server's acache.
7651 When the amount of data in the acache reaches this limit,
7653 will clean more aggressively so that the limit is not
7655 In a server with multiple views, the limit applies
7657 acache of each view.
7658 The default is <literal>unlimited</literal>,
7660 entries are purged from the acache only at the
7661 periodic cleaning time.
7672 <sect2 id="server_statement_grammar">
7673 <title><command>server</command> Statement Grammar</title>
7675 <programlisting>server <replaceable>ip_addr[/prefixlen]</replaceable> {
7676 <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
7677 <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
7678 <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
7679 <optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
7680 <optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
7681 <optional> max-udp-size <replaceable>number</replaceable> ; </optional>
7682 <optional> transfers <replaceable>number</replaceable> ; </optional>
7683 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
7684 <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
7685 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7686 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7687 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7688 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7689 <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7690 <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7696 <sect2 id="server_statement_definition_and_usage">
7697 <title><command>server</command> Statement Definition and
7701 The <command>server</command> statement defines
7703 to be associated with a remote name server. If a prefix length is
7704 specified, then a range of servers is covered. Only the most
7706 server clause applies regardless of the order in
7707 <filename>named.conf</filename>.
7711 The <command>server</command> statement can occur at
7712 the top level of the
7713 configuration file or inside a <command>view</command>
7715 If a <command>view</command> statement contains
7716 one or more <command>server</command> statements, only
7718 apply to the view and any top-level ones are ignored.
7719 If a view contains no <command>server</command>
7721 any top-level <command>server</command> statements are
7727 If you discover that a remote server is giving out bad data,
7728 marking it as bogus will prevent further queries to it. The
7730 value of <command>bogus</command> is <command>no</command>.
7733 The <command>provide-ixfr</command> clause determines
7735 the local server, acting as master, will respond with an
7737 zone transfer when the given remote server, a slave, requests it.
7738 If set to <command>yes</command>, incremental transfer
7740 whenever possible. If set to <command>no</command>,
7742 to the remote server will be non-incremental. If not set, the
7744 of the <command>provide-ixfr</command> option in the
7746 global options block is used as a default.
7750 The <command>request-ixfr</command> clause determines
7752 the local server, acting as a slave, will request incremental zone
7753 transfers from the given remote server, a master. If not set, the
7754 value of the <command>request-ixfr</command> option in
7756 global options block is used as a default.
7760 IXFR requests to servers that do not support IXFR will
7762 fall back to AXFR. Therefore, there is no need to manually list
7763 which servers support IXFR and which ones do not; the global
7765 of <command>yes</command> should always work.
7766 The purpose of the <command>provide-ixfr</command> and
7767 <command>request-ixfr</command> clauses is
7768 to make it possible to disable the use of IXFR even when both
7770 and slave claim to support it, for example if one of the servers
7771 is buggy and crashes or corrupts data when IXFR is used.
7775 The <command>edns</command> clause determines whether
7776 the local server will attempt to use EDNS when communicating
7777 with the remote server. The default is <command>yes</command>.
7781 The <command>edns-udp-size</command> option sets the EDNS UDP size
7782 that is advertised by named when querying the remote server.
7783 Valid values are 512 to 4096 bytes (values outside this range will be
7784 silently adjusted). This option is useful when you wish to
7785 advertises a different value to this server than the value you
7786 advertise globally, for example, when there is a firewall at the
7787 remote site that is blocking large replies.
7791 The <command>max-udp-size</command> option sets the
7792 maximum EDNS UDP message size named will send. Valid
7793 values are 512 to 4096 bytes (values outside this range will
7794 be silently adjusted). This option is useful when you
7795 know that there is a firewall that is blocking large
7800 The server supports two zone transfer methods. The first, <command>one-answer</command>,
7801 uses one DNS message per resource record transferred. <command>many-answers</command> packs
7802 as many resource records as possible into a message. <command>many-answers</command> is
7803 more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
7804 8.x, and patched versions of <acronym>BIND</acronym>
7805 4.9.5. You can specify which method
7806 to use for a server with the <command>transfer-format</command> option.
7807 If <command>transfer-format</command> is not
7808 specified, the <command>transfer-format</command>
7810 by the <command>options</command> statement will be
7814 <para><command>transfers</command>
7815 is used to limit the number of concurrent inbound zone
7816 transfers from the specified server. If no
7817 <command>transfers</command> clause is specified, the
7818 limit is set according to the
7819 <command>transfers-per-ns</command> option.
7823 The <command>keys</command> clause identifies a
7824 <command>key_id</command> defined by the <command>key</command> statement,
7825 to be used for transaction security (TSIG, <xref linkend="tsig"/>)
7826 when talking to the remote server.
7827 When a request is sent to the remote server, a request signature
7828 will be generated using the key specified here and appended to the
7829 message. A request originating from the remote server is not
7831 to be signed by this key.
7835 Although the grammar of the <command>keys</command>
7837 allows for multiple keys, only a single key per server is
7843 The <command>transfer-source</command> and
7844 <command>transfer-source-v6</command> clauses specify
7845 the IPv4 and IPv6 source
7846 address to be used for zone transfer with the remote server,
7848 For an IPv4 remote server, only <command>transfer-source</command> can
7850 Similarly, for an IPv6 remote server, only
7851 <command>transfer-source-v6</command> can be
7853 For more details, see the description of
7854 <command>transfer-source</command> and
7855 <command>transfer-source-v6</command> in
7856 <xref linkend="zone_transfers"/>.
7860 The <command>notify-source</command> and
7861 <command>notify-source-v6</command> clauses specify the
7862 IPv4 and IPv6 source address to be used for notify
7863 messages sent to remote servers, respectively. For an
7864 IPv4 remote server, only <command>notify-source</command>
7865 can be specified. Similarly, for an IPv6 remote server,
7866 only <command>notify-source-v6</command> can be specified.
7870 The <command>query-source</command> and
7871 <command>query-source-v6</command> clauses specify the
7872 IPv4 and IPv6 source address to be used for queries
7873 sent to remote servers, respectively. For an IPv4
7874 remote server, only <command>query-source</command> can
7875 be specified. Similarly, for an IPv6 remote server,
7876 only <command>query-source-v6</command> can be specified.
7882 <title><command>trusted-keys</command> Statement Grammar</title>
7884 <programlisting>trusted-keys {
7885 <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
7886 <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
7892 <title><command>trusted-keys</command> Statement Definition
7895 The <command>trusted-keys</command> statement defines
7896 DNSSEC security roots. DNSSEC is described in <xref
7897 linkend="DNSSEC"/>. A security root is defined when the
7898 public key for a non-authoritative zone is known, but
7899 cannot be securely obtained through DNS, either because
7900 it is the DNS root zone or because its parent zone is
7901 unsigned. Once a key has been configured as a trusted
7902 key, it is treated as if it had been validated and
7903 proven secure. The resolver attempts DNSSEC validation
7904 on all DNS data in subdomains of a security root.
7907 All keys (and corresponding zones) listed in
7908 <command>trusted-keys</command> are deemed to exist regardless
7909 of what parent zones say. Similarly for all keys listed in
7910 <command>trusted-keys</command> only those keys are
7911 used to validate the DNSKEY RRset. The parent's DS RRset
7915 The <command>trusted-keys</command> statement can contain
7916 multiple key entries, each consisting of the key's
7917 domain name, flags, protocol, algorithm, and the Base-64
7918 representation of the key data.
7922 <sect2 id="view_statement_grammar">
7923 <title><command>view</command> Statement Grammar</title>
7925 <programlisting>view <replaceable>view_name</replaceable>
7926 <optional><replaceable>class</replaceable></optional> {
7927 match-clients { <replaceable>address_match_list</replaceable> };
7928 match-destinations { <replaceable>address_match_list</replaceable> };
7929 match-recursive-only <replaceable>yes_or_no</replaceable> ;
7930 <optional> <replaceable>view_option</replaceable>; ...</optional>
7931 <optional> <replaceable>zone_statement</replaceable>; ...</optional>
7937 <title><command>view</command> Statement Definition and Usage</title>
7940 The <command>view</command> statement is a powerful
7942 of <acronym>BIND</acronym> 9 that lets a name server
7943 answer a DNS query differently
7944 depending on who is asking. It is particularly useful for
7946 split DNS setups without having to run multiple servers.
7950 Each <command>view</command> statement defines a view
7952 DNS namespace that will be seen by a subset of clients. A client
7954 a view if its source IP address matches the
7955 <varname>address_match_list</varname> of the view's
7956 <command>match-clients</command> clause and its
7957 destination IP address matches
7958 the <varname>address_match_list</varname> of the
7960 <command>match-destinations</command> clause. If not
7962 <command>match-clients</command> and <command>match-destinations</command>
7963 default to matching all addresses. In addition to checking IP
7965 <command>match-clients</command> and <command>match-destinations</command>
7966 can also take <command>keys</command> which provide an
7968 client to select the view. A view can also be specified
7969 as <command>match-recursive-only</command>, which
7970 means that only recursive
7971 requests from matching clients will match that view.
7972 The order of the <command>view</command> statements is
7974 a client request will be resolved in the context of the first
7975 <command>view</command> that it matches.
7979 Zones defined within a <command>view</command>
7981 be only be accessible to clients that match the <command>view</command>.
7982 By defining a zone of the same name in multiple views, different
7983 zone data can be given to different clients, for example,
7985 and "external" clients in a split DNS setup.
7989 Many of the options given in the <command>options</command> statement
7990 can also be used within a <command>view</command>
7992 apply only when resolving queries with that view. When no
7994 value is given, the value in the <command>options</command> statement
7995 is used as a default. Also, zone options can have default values
7997 in the <command>view</command> statement; these
7998 view-specific defaults
7999 take precedence over those in the <command>options</command> statement.
8003 Views are class specific. If no class is given, class IN
8004 is assumed. Note that all non-IN views must contain a hint zone,
8005 since only the IN class has compiled-in default hints.
8009 If there are no <command>view</command> statements in
8011 file, a default view that matches any client is automatically
8013 in class IN. Any <command>zone</command> statements
8015 the top level of the configuration file are considered to be part
8017 this default view, and the <command>options</command>
8019 apply to the default view. If any explicit <command>view</command>
8020 statements are present, all <command>zone</command>
8022 occur inside <command>view</command> statements.
8026 Here is an example of a typical split DNS setup implemented
8027 using <command>view</command> statements:
8030 <programlisting>view "internal" {
8031 // This should match our internal networks.
8032 match-clients { 10.0.0.0/8; };
8034 // Provide recursive service to internal clients only.
8037 // Provide a complete view of the example.com zone
8038 // including addresses of internal hosts.
8039 zone "example.com" {
8041 file "example-internal.db";
8046 // Match all clients not matched by the previous view.
8047 match-clients { any; };
8049 // Refuse recursive service to external clients.
8052 // Provide a restricted view of the example.com zone
8053 // containing only publicly accessible hosts.
8054 zone "example.com" {
8056 file "example-external.db";
8062 <sect2 id="zone_statement_grammar">
8063 <title><command>zone</command>
8064 Statement Grammar</title>
8066 <programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8068 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8069 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8070 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
8071 <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
8072 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8073 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8074 <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8075 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
8076 <optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
8077 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8078 <optional> file <replaceable>string</replaceable> ; </optional>
8079 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8080 <optional> journal <replaceable>string</replaceable> ; </optional>
8081 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8082 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8083 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8084 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8085 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8086 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8087 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8088 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8089 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8090 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
8091 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8092 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8093 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8094 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8095 <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
8096 <optional> database <replaceable>string</replaceable> ; </optional>
8097 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8098 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8099 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8100 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8101 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
8102 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8105 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8107 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
8108 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8109 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8110 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
8111 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
8112 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8113 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8114 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8115 <optional> file <replaceable>string</replaceable> ; </optional>
8116 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8117 <optional> journal <replaceable>string</replaceable> ; </optional>
8118 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8119 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8120 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8121 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8122 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8123 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8124 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8125 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8126 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8127 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8128 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8129 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8130 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8131 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8132 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8133 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8134 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8135 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8136 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8137 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8138 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8139 <optional> database <replaceable>string</replaceable> ; </optional>
8140 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8141 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8142 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8143 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8144 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8145 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8148 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8150 file <replaceable>string</replaceable> ;
8151 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8152 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
8155 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8157 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8158 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8159 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8160 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8161 <optional> file <replaceable>string</replaceable> ; </optional>
8162 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8163 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8164 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8165 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8166 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8167 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8168 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8169 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8170 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8171 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8172 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8173 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8174 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8175 <optional> database <replaceable>string</replaceable> ; </optional>
8176 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8177 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8178 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8179 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8180 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8183 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8185 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8186 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8187 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8190 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8191 type delegation-only;
8198 <title><command>zone</command> Statement Definition and Usage</title>
8200 <title>Zone Types</title>
8201 <informaltable colsep="0" rowsep="0">
8202 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
8203 <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
8204 <!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
8205 <colspec colname="1" colnum="1" colsep="0"/>
8206 <colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
8211 <varname>master</varname>
8216 The server has a master copy of the data
8217 for the zone and will be able to provide authoritative
8226 <varname>slave</varname>
8231 A slave zone is a replica of a master
8232 zone. The <command>masters</command> list
8233 specifies one or more IP addresses
8234 of master servers that the slave contacts to update
8235 its copy of the zone.
8236 Masters list elements can also be names of other
8238 By default, transfers are made from port 53 on the
8240 be changed for all servers by specifying a port number
8242 list of IP addresses, or on a per-server basis after
8244 Authentication to the master can also be done with
8245 per-server TSIG keys.
8246 If a file is specified, then the
8247 replica will be written to this file whenever the zone
8249 and reloaded from this file on a server restart. Use
8251 recommended, since it often speeds server startup and
8253 a needless waste of bandwidth. Note that for large
8255 tens or hundreds of thousands) of zones per server, it
8257 use a two-level naming scheme for zone filenames. For
8259 a slave server for the zone <literal>example.com</literal> might place
8260 the zone contents into a file called
8261 <filename>ex/example.com</filename> where <filename>ex/</filename> is
8262 just the first two letters of the zone name. (Most
8264 behave very slowly if you put 100 000 files into
8265 a single directory.)
8272 <varname>stub</varname>
8277 A stub zone is similar to a slave zone,
8278 except that it replicates only the NS records of a
8280 of the entire zone. Stub zones are not a standard part
8282 they are a feature specific to the <acronym>BIND</acronym> implementation.
8286 Stub zones can be used to eliminate the need for glue
8288 in a parent zone at the expense of maintaining a stub
8290 a set of name server addresses in <filename>named.conf</filename>.
8291 This usage is not recommended for new configurations,
8293 supports it only in a limited way.
8294 In <acronym>BIND</acronym> 4/8, zone
8295 transfers of a parent zone
8296 included the NS records from stub children of that
8298 that, in some cases, users could get away with
8299 configuring child stubs
8300 only in the master server for the parent zone. <acronym>BIND</acronym>
8301 9 never mixes together zone data from different zones
8303 way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
8304 zone has child stub zones configured, all the slave
8306 parent zone also need to have the same child stub
8312 Stub zones can also be used as a way of forcing the
8314 of a given domain to use a particular set of
8315 authoritative servers.
8316 For example, the caching name servers on a private
8318 RFC1918 addressing may be configured with stub zones
8320 <literal>10.in-addr.arpa</literal>
8321 to use a set of internal name servers as the
8323 servers for that domain.
8330 <varname>forward</varname>
8335 A "forward zone" is a way to configure
8336 forwarding on a per-domain basis. A <command>zone</command> statement
8337 of type <command>forward</command> can
8338 contain a <command>forward</command>
8339 and/or <command>forwarders</command>
8341 which will apply to queries within the domain given by
8343 name. If no <command>forwarders</command>
8344 statement is present or
8345 an empty list for <command>forwarders</command> is given, then no
8346 forwarding will be done for the domain, canceling the
8348 any forwarders in the <command>options</command> statement. Thus
8349 if you want to use this type of zone to change the
8351 global <command>forward</command> option
8352 (that is, "forward first"
8353 to, then "forward only", or vice versa, but want to
8355 servers as set globally) you need to re-specify the
8363 <varname>hint</varname>
8368 The initial set of root name servers is
8369 specified using a "hint zone". When the server starts
8371 the root hints to find a root name server and get the
8373 list of root name servers. If no hint zone is
8375 IN, the server uses a compiled-in default set of root
8377 Classes other than IN have no built-in defaults hints.
8384 <varname>delegation-only</varname>
8389 This is used to enforce the delegation-only
8390 status of infrastructure zones (e.g. COM, NET, ORG).
8392 is received without an explicit or implicit delegation
8394 section will be treated as NXDOMAIN. This does not
8396 apex. This should not be applied to leaf zones.
8399 <varname>delegation-only</varname> has no
8400 effect on answers received
8411 <title>Class</title>
8413 The zone's name may optionally be followed by a class. If
8414 a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
8415 is assumed. This is correct for the vast majority of cases.
8418 The <literal>hesiod</literal> class is
8419 named for an information service from MIT's Project Athena. It
8421 used to share information about various systems databases, such
8422 as users, groups, printers and so on. The keyword
8423 <literal>HS</literal> is
8424 a synonym for hesiod.
8427 Another MIT development is Chaosnet, a LAN protocol created
8428 in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
8433 <title>Zone Options</title>
8438 <term><command>allow-notify</command></term>
8441 See the description of
8442 <command>allow-notify</command> in <xref linkend="access_control"/>.
8448 <term><command>allow-query</command></term>
8451 See the description of
8452 <command>allow-query</command> in <xref linkend="access_control"/>.
8458 <term><command>allow-transfer</command></term>
8461 See the description of <command>allow-transfer</command>
8462 in <xref linkend="access_control"/>.
8468 <term><command>allow-update</command></term>
8471 See the description of <command>allow-update</command>
8472 in <xref linkend="access_control"/>.
8478 <term><command>update-policy</command></term>
8481 Specifies a "Simple Secure Update" policy. See
8482 <xref linkend="dynamic_update_policies"/>.
8488 <term><command>allow-update-forwarding</command></term>
8491 See the description of <command>allow-update-forwarding</command>
8492 in <xref linkend="access_control"/>.
8498 <term><command>also-notify</command></term>
8501 Only meaningful if <command>notify</command>
8503 active for this zone. The set of machines that will
8505 <literal>DNS NOTIFY</literal> message
8506 for this zone is made up of all the listed name servers
8508 the primary master) for the zone plus any IP addresses
8510 with <command>also-notify</command>. A port
8512 with each <command>also-notify</command>
8513 address to send the notify
8514 messages to a port other than the default of 53.
8515 <command>also-notify</command> is not
8516 meaningful for stub zones.
8517 The default is the empty list.
8523 <term><command>check-names</command></term>
8526 This option is used to restrict the character set and
8528 certain domain names in master files and/or DNS responses
8530 network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
8531 zones the default is <command>warn</command>.
8537 <term><command>check-mx</command></term>
8540 See the description of
8541 <command>check-mx</command> in <xref linkend="boolean_options"/>.
8547 <term><command>check-wildcard</command></term>
8550 See the description of
8551 <command>check-wildcard</command> in <xref linkend="boolean_options"/>.
8557 <term><command>check-integrity</command></term>
8560 See the description of
8561 <command>check-integrity</command> in <xref linkend="boolean_options"/>.
8567 <term><command>check-sibling</command></term>
8570 See the description of
8571 <command>check-sibling</command> in <xref linkend="boolean_options"/>.
8577 <term><command>zero-no-soa-ttl</command></term>
8580 See the description of
8581 <command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
8587 <term><command>update-check-ksk</command></term>
8590 See the description of
8591 <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
8597 <term><command>database</command></term>
8600 Specify the type of database to be used for storing the
8601 zone data. The string following the <command>database</command> keyword
8602 is interpreted as a list of whitespace-delimited words.
8604 identifies the database type, and any subsequent words are
8606 as arguments to the database to be interpreted in a way
8608 to the database type.
8611 The default is <userinput>"rbt"</userinput>, BIND 9's
8613 red-black-tree database. This database does not take
8617 Other values are possible if additional database drivers
8618 have been linked into the server. Some sample drivers are
8620 with the distribution but none are linked in by default.
8626 <term><command>dialup</command></term>
8629 See the description of
8630 <command>dialup</command> in <xref linkend="boolean_options"/>.
8636 <term><command>delegation-only</command></term>
8639 The flag only applies to hint and stub zones. If set
8640 to <userinput>yes</userinput>, then the zone will also be
8642 is also a delegation-only type zone.
8648 <term><command>forward</command></term>
8651 Only meaningful if the zone has a forwarders
8652 list. The <command>only</command> value causes
8654 after trying the forwarders and getting no answer, while <command>first</command> would
8655 allow a normal lookup to be tried.
8661 <term><command>forwarders</command></term>
8664 Used to override the list of global forwarders.
8665 If it is not specified in a zone of type <command>forward</command>,
8666 no forwarding is done for the zone and the global options are
8673 <term><command>ixfr-base</command></term>
8676 Was used in <acronym>BIND</acronym> 8 to
8678 of the transaction log (journal) file for dynamic update
8680 <acronym>BIND</acronym> 9 ignores the option
8681 and constructs the name of the journal
8682 file by appending "<filename>.jnl</filename>"
8690 <term><command>ixfr-tmp-file</command></term>
8693 Was an undocumented option in <acronym>BIND</acronym> 8.
8694 Ignored in <acronym>BIND</acronym> 9.
8700 <term><command>journal</command></term>
8703 Allow the default journal's filename to be overridden.
8704 The default is the zone's filename with "<filename>.jnl</filename>" appended.
8705 This is applicable to <command>master</command> and <command>slave</command> zones.
8711 <term><command>max-transfer-time-in</command></term>
8714 See the description of
8715 <command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
8721 <term><command>max-transfer-idle-in</command></term>
8724 See the description of
8725 <command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
8731 <term><command>max-transfer-time-out</command></term>
8734 See the description of
8735 <command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
8741 <term><command>max-transfer-idle-out</command></term>
8744 See the description of
8745 <command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
8751 <term><command>notify</command></term>
8754 See the description of
8755 <command>notify</command> in <xref linkend="boolean_options"/>.
8761 <term><command>notify-delay</command></term>
8764 See the description of
8765 <command>notify-delay</command> in <xref linkend="tuning"/>.
8771 <term><command>pubkey</command></term>
8774 In <acronym>BIND</acronym> 8, this option was
8775 intended for specifying
8776 a public zone key for verification of signatures in DNSSEC
8778 zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
8779 on load and ignores the option.
8785 <term><command>zone-statistics</command></term>
8788 If <userinput>yes</userinput>, the server will keep
8790 information for this zone, which can be dumped to the
8791 <command>statistics-file</command> defined in
8798 <term><command>sig-validity-interval</command></term>
8801 See the description of
8802 <command>sig-validity-interval</command> in <xref linkend="tuning"/>.
8808 <term><command>transfer-source</command></term>
8811 See the description of
8812 <command>transfer-source</command> in <xref linkend="zone_transfers"/>.
8818 <term><command>transfer-source-v6</command></term>
8821 See the description of
8822 <command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
8828 <term><command>alt-transfer-source</command></term>
8831 See the description of
8832 <command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
8838 <term><command>alt-transfer-source-v6</command></term>
8841 See the description of
8842 <command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
8848 <term><command>use-alt-transfer-source</command></term>
8851 See the description of
8852 <command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
8859 <term><command>notify-source</command></term>
8862 See the description of
8863 <command>notify-source</command> in <xref linkend="zone_transfers"/>.
8869 <term><command>notify-source-v6</command></term>
8872 See the description of
8873 <command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
8879 <term><command>min-refresh-time</command></term>
8880 <term><command>max-refresh-time</command></term>
8881 <term><command>min-retry-time</command></term>
8882 <term><command>max-retry-time</command></term>
8885 See the description in <xref linkend="tuning"/>.
8891 <term><command>ixfr-from-differences</command></term>
8894 See the description of
8895 <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
8901 <term><command>key-directory</command></term>
8904 See the description of
8905 <command>key-directory</command> in <xref linkend="options"/>.
8911 <term><command>multi-master</command></term>
8914 See the description of <command>multi-master</command> in
8915 <xref linkend="boolean_options"/>.
8921 <term><command>masterfile-format</command></term>
8924 See the description of <command>masterfile-format</command>
8925 in <xref linkend="tuning"/>.
8933 <sect3 id="dynamic_update_policies">
8934 <title>Dynamic Update Policies</title>
8936 <acronym>BIND</acronym> 9 supports two alternative
8937 methods of granting clients
8938 the right to perform dynamic updates to a zone,
8939 configured by the <command>allow-update</command>
8941 <command>update-policy</command> option,
8945 The <command>allow-update</command> clause works the
8947 way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
8948 permission to update any record of any name in the zone.
8951 The <command>update-policy</command> clause is new
8952 in <acronym>BIND</acronym>
8953 9 and allows more fine-grained control over what updates are
8955 A set of rules is specified, where each rule either grants or
8957 permissions for one or more names to be updated by one or more
8959 If the dynamic update request message is signed (that is, it
8961 either a TSIG or SIG(0) record), the identity of the signer can
8965 Rules are specified in the <command>update-policy</command> zone
8966 option, and are only meaningful for master zones. When the <command>update-policy</command> statement
8967 is present, it is a configuration error for the <command>allow-update</command> statement
8968 to be present. The <command>update-policy</command>
8970 examines the signer of a message; the source address is not
8974 This is how a rule definition looks:
8978 ( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
8982 Each rule grants or denies privileges. Once a message has
8983 successfully matched a rule, the operation is immediately
8985 or denied and no further rules are examined. A rule is matched
8986 when the signer matches the identity field, the name matches the
8987 name field in accordance with the nametype field, and the type
8989 the types specified in the type field.
8993 The identity field specifies a name or a wildcard name.
8995 is the name of the TSIG or SIG(0) key used to sign the update
8997 TKEY exchange has been used to create a shared secret, the
8999 shared secret is the same as the identity of the key used to
9001 TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
9002 wildcard name, it is subject to DNS wildcard expansion, so the
9004 to multiple identities. The <replaceable>identity</replaceable> field must
9005 contain a fully-qualified domain name.
9009 The <replaceable>nametype</replaceable> field has 6
9011 <varname>name</varname>, <varname>subdomain</varname>,
9012 <varname>wildcard</varname>, <varname>self</varname>,
9013 <varname>selfsub</varname>, and <varname>selfwild</varname>.
9016 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9017 <colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
9018 <colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
9023 <varname>name</varname>
9025 </entry> <entry colname="2">
9027 Exact-match semantics. This rule matches
9028 when the name being updated is identical
9029 to the contents of the
9030 <replaceable>name</replaceable> field.
9037 <varname>subdomain</varname>
9039 </entry> <entry colname="2">
9041 This rule matches when the name being updated
9042 is a subdomain of, or identical to, the
9043 contents of the <replaceable>name</replaceable>
9051 <varname>wildcard</varname>
9053 </entry> <entry colname="2">
9055 The <replaceable>name</replaceable> field
9056 is subject to DNS wildcard expansion, and
9057 this rule matches when the name being updated
9058 name is a valid expansion of the wildcard.
9065 <varname>self</varname>
9070 This rule matches when the name being updated
9071 matches the contents of the
9072 <replaceable>identity</replaceable> field.
9073 The <replaceable>name</replaceable> field
9074 is ignored, but should be the same as the
9075 <replaceable>identity</replaceable> field.
9076 The <varname>self</varname> nametype is
9077 most useful when allowing using one key per
9078 name to update, where the key has the same
9079 name as the name to be updated. The
9080 <replaceable>identity</replaceable> would
9081 be specified as <constant>*</constant> (an asterisk) in
9089 <varname>selfsub</varname>
9091 </entry> <entry colname="2">
9093 This rule is similar to <varname>self</varname>
9094 except that subdomains of <varname>self</varname>
9095 can also be updated.
9102 <varname>selfwild</varname>
9104 </entry> <entry colname="2">
9106 This rule is similar to <varname>self</varname>
9107 except that only subdomains of
9108 <varname>self</varname> can be updated.
9117 In all cases, the <replaceable>name</replaceable>
9119 specify a fully-qualified domain name.
9123 If no types are explicitly specified, this rule matches all
9125 RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
9126 "ANY" (ANY matches all types except NSEC, which can never be
9128 Note that when an attempt is made to delete all records
9130 name, the rules are checked for each existing record type.
9136 <title>Zone File</title>
9137 <sect2 id="types_of_resource_records_and_when_to_use_them">
9138 <title>Types of Resource Records and When to Use Them</title>
9140 This section, largely borrowed from RFC 1034, describes the
9141 concept of a Resource Record (RR) and explains when each is used.
9142 Since the publication of RFC 1034, several new RRs have been
9144 and implemented in the DNS. These are also included.
9147 <title>Resource Records</title>
9150 A domain name identifies a node. Each node has a set of
9151 resource information, which may be empty. The set of resource
9152 information associated with a particular name is composed of
9153 separate RRs. The order of RRs in a set is not significant and
9154 need not be preserved by name servers, resolvers, or other
9155 parts of the DNS. However, sorting of multiple RRs is
9156 permitted for optimization purposes, for example, to specify
9157 that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
9161 The components of a Resource Record are:
9163 <informaltable colsep="0" rowsep="0">
9164 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9165 <colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
9166 <colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
9176 The domain name where the RR is found.
9188 An encoded 16-bit value that specifies
9189 the type of the resource record.
9201 The time-to-live of the RR. This field
9202 is a 32-bit integer in units of seconds, and is
9204 resolvers when they cache RRs. The TTL describes how
9206 be cached before it should be discarded.
9218 An encoded 16-bit value that identifies
9219 a protocol family or instance of a protocol.
9231 The resource data. The format of the
9232 data is type (and sometimes class) specific.
9240 The following are <emphasis>types</emphasis> of valid RRs:
9242 <informaltable colsep="0" rowsep="0">
9243 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9244 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9245 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9255 A host address. In the IN class, this is a
9256 32-bit IP address. Described in RFC 1035.
9268 IPv6 address. Described in RFC 1886.
9280 IPv6 address. This can be a partial
9281 address (a suffix) and an indirection to the name
9282 where the rest of the
9283 address (the prefix) can be found. Experimental.
9284 Described in RFC 2874.
9296 Location of AFS database servers.
9297 Experimental. Described in RFC 1183.
9309 Address prefix list. Experimental.
9310 Described in RFC 3123.
9322 Holds a digital certificate.
9323 Described in RFC 2538.
9335 Identifies the canonical name of an alias.
9336 Described in RFC 1035.
9348 Replaces the domain name specified with
9349 another name to be looked up, effectively aliasing an
9351 subtree of the domain name space rather than a single
9353 as in the case of the CNAME RR.
9354 Described in RFC 2672.
9366 Stores a public key associated with a signed
9367 DNS zone. Described in RFC 4034.
9379 Stores the hash of a public key associated with a
9380 signed DNS zone. Described in RFC 4034.
9392 Specifies the global position. Superseded by LOC.
9404 Identifies the CPU and OS used by a host.
9405 Described in RFC 1035.
9417 Representation of ISDN addresses.
9418 Experimental. Described in RFC 1183.
9430 Stores a public key associated with a
9431 DNS name. Used in original DNSSEC; replaced
9432 by DNSKEY in DNSSECbis, but still used with
9433 SIG(0). Described in RFCs 2535 and 2931.
9445 Identifies a key exchanger for this
9446 DNS name. Described in RFC 2230.
9458 For storing GPS info. Described in RFC 1876.
9471 Identifies a mail exchange for the domain with
9472 a 16-bit preference value (lower is better)
9473 followed by the host name of the mail exchange.
9474 Described in RFC 974, RFC 1035.
9486 Name authority pointer. Described in RFC 2915.
9498 A network service access point.
9499 Described in RFC 1706.
9511 The authoritative name server for the
9512 domain. Described in RFC 1035.
9524 Used in DNSSECbis to securely indicate that
9525 RRs with an owner name in a certain name interval do
9527 a zone and indicate what RR types are present for an
9529 Described in RFC 4034.
9541 Used in DNSSEC to securely indicate that
9542 RRs with an owner name in a certain name interval do
9544 a zone and indicate what RR types are present for an
9546 Used in original DNSSEC; replaced by NSEC in
9548 Described in RFC 2535.
9560 A pointer to another part of the domain
9561 name space. Described in RFC 1035.
9573 Provides mappings between RFC 822 and X.400
9574 addresses. Described in RFC 2163.
9586 Information on persons responsible
9587 for the domain. Experimental. Described in RFC 1183.
9599 Contains DNSSECbis signature data. Described
9612 Route-through binding for hosts that
9613 do not have their own direct wide area network
9615 Experimental. Described in RFC 1183.
9627 Contains DNSSEC signature data. Used in
9628 original DNSSEC; replaced by RRSIG in
9629 DNSSECbis, but still used for SIG(0).
9630 Described in RFCs 2535 and 2931.
9642 Identifies the start of a zone of authority.
9643 Described in RFC 1035.
9655 Information about well known network
9656 services (replaces WKS). Described in RFC 2782.
9668 Text records. Described in RFC 1035.
9680 Information about which well known
9681 network services, such as SMTP, that a domain
9682 supports. Historical.
9694 Representation of X.25 network addresses.
9695 Experimental. Described in RFC 1183.
9703 The following <emphasis>classes</emphasis> of resource records
9704 are currently valid in the DNS:
9706 <informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9707 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9708 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9732 Chaosnet, a LAN protocol created at MIT in the
9734 Rarely used for its historical purpose, but reused for
9736 built-in server information zones, e.g.,
9737 <literal>version.bind</literal>.
9750 Hesiod, an information service
9751 developed by MIT's Project Athena. It is used to share
9753 about various systems databases, such as users,
9765 The owner name is often implicit, rather than forming an
9767 part of the RR. For example, many name servers internally form
9769 or hash structures for the name space, and chain RRs off nodes.
9770 The remaining RR parts are the fixed header (type, class, TTL)
9771 which is consistent for all RRs, and a variable part (RDATA)
9773 fits the needs of the resource being described.
9776 The meaning of the TTL field is a time limit on how long an
9777 RR can be kept in a cache. This limit does not apply to
9779 data in zones; it is also timed out, but by the refreshing
9781 for the zone. The TTL is assigned by the administrator for the
9782 zone where the data originates. While short TTLs can be used to
9783 minimize caching, and a zero TTL prohibits caching, the
9785 of Internet performance suggest that these times should be on
9787 order of days for the typical host. If a change can be
9789 the TTL can be reduced prior to the change to minimize
9791 during the change, and then increased back to its former value
9796 The data in the RDATA section of RRs is carried as a combination
9797 of binary strings and domain names. The domain names are
9799 used as "pointers" to other data in the DNS.
9803 <title>Textual expression of RRs</title>
9805 RRs are represented in binary form in the packets of the DNS
9806 protocol, and are usually represented in highly encoded form
9808 stored in a name server or resolver. In the examples provided
9810 RFC 1034, a style similar to that used in master files was
9812 in order to show the contents of RRs. In this format, most RRs
9813 are shown on a single line, although continuation lines are
9818 The start of the line gives the owner of the RR. If a line
9819 begins with a blank, then the owner is assumed to be the same as
9820 that of the previous RR. Blank lines are often included for
9824 Following the owner, we list the TTL, type, and class of the
9825 RR. Class and type use the mnemonics defined above, and TTL is
9826 an integer before the type field. In order to avoid ambiguity
9828 parsing, type and class mnemonics are disjoint, TTLs are
9830 and the type mnemonic is always last. The IN class and TTL
9832 are often omitted from examples in the interests of clarity.
9835 The resource data or RDATA section of the RR are given using
9836 knowledge of the typical representation for the data.
9839 For example, we might show the RRs carried in a message as:
9841 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9842 <colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
9843 <colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
9844 <colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
9849 <literal>ISI.EDU.</literal>
9854 <literal>MX</literal>
9859 <literal>10 VENERA.ISI.EDU.</literal>
9869 <literal>MX</literal>
9874 <literal>10 VAXA.ISI.EDU</literal>
9881 <literal>VENERA.ISI.EDU</literal>
9886 <literal>A</literal>
9891 <literal>128.9.0.32</literal>
9901 <literal>A</literal>
9906 <literal>10.1.0.52</literal>
9913 <literal>VAXA.ISI.EDU</literal>
9918 <literal>A</literal>
9923 <literal>10.2.0.27</literal>
9933 <literal>A</literal>
9938 <literal>128.9.0.33</literal>
9946 The MX RRs have an RDATA section which consists of a 16-bit
9947 number followed by a domain name. The address RRs use a
9949 IP address format to contain a 32-bit internet address.
9952 The above example shows six RRs, with two RRs at each of three
9956 Similarly we might see:
9958 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9959 <colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
9960 <colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
9961 <colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
9966 <literal>XX.LCS.MIT.EDU.</literal>
9971 <literal>IN A</literal>
9976 <literal>10.0.0.44</literal>
9981 <entry colname="1"/>
9984 <literal>CH A</literal>
9989 <literal>MIT.EDU. 2420</literal>
9997 This example shows two addresses for
9998 <literal>XX.LCS.MIT.EDU</literal>, each of a different class.
10004 <title>Discussion of MX Records</title>
10007 As described above, domain servers store information as a
10008 series of resource records, each of which contains a particular
10009 piece of information about a given domain name (which is usually,
10010 but not always, a host). The simplest way to think of a RR is as
10011 a typed pair of data, a domain name matched with a relevant datum,
10012 and stored with some additional type information to help systems
10013 determine when the RR is relevant.
10017 MX records are used to control delivery of email. The data
10018 specified in the record is a priority and a domain name. The
10020 controls the order in which email delivery is attempted, with the
10021 lowest number first. If two priorities are the same, a server is
10022 chosen randomly. If no servers at a given priority are responding,
10023 the mail transport agent will fall back to the next largest
10025 Priority numbers do not have any absolute meaning — they are
10027 only respective to other MX records for that domain name. The
10029 name given is the machine to which the mail will be delivered.
10030 It <emphasis>must</emphasis> have an associated address record
10031 (A or AAAA) — CNAME is not sufficient.
10034 For a given domain, if there is both a CNAME record and an
10035 MX record, the MX record is in error, and will be ignored.
10037 the mail will be delivered to the server specified in the MX
10039 pointed to by the CNAME.
10044 <informaltable colsep="0" rowsep="0">
10045 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10046 <colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
10047 <colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
10048 <colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
10049 <colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
10050 <colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
10053 <entry colname="1">
10055 <literal>example.com.</literal>
10058 <entry colname="2">
10060 <literal>IN</literal>
10063 <entry colname="3">
10065 <literal>MX</literal>
10068 <entry colname="4">
10070 <literal>10</literal>
10073 <entry colname="5">
10075 <literal>mail.example.com.</literal>
10080 <entry colname="1">
10083 <entry colname="2">
10085 <literal>IN</literal>
10088 <entry colname="3">
10090 <literal>MX</literal>
10093 <entry colname="4">
10095 <literal>10</literal>
10098 <entry colname="5">
10100 <literal>mail2.example.com.</literal>
10105 <entry colname="1">
10108 <entry colname="2">
10110 <literal>IN</literal>
10113 <entry colname="3">
10115 <literal>MX</literal>
10118 <entry colname="4">
10120 <literal>20</literal>
10123 <entry colname="5">
10125 <literal>mail.backup.org.</literal>
10130 <entry colname="1">
10132 <literal>mail.example.com.</literal>
10135 <entry colname="2">
10137 <literal>IN</literal>
10140 <entry colname="3">
10142 <literal>A</literal>
10145 <entry colname="4">
10147 <literal>10.0.0.1</literal>
10150 <entry colname="5">
10155 <entry colname="1">
10157 <literal>mail2.example.com.</literal>
10160 <entry colname="2">
10162 <literal>IN</literal>
10165 <entry colname="3">
10167 <literal>A</literal>
10170 <entry colname="4">
10172 <literal>10.0.0.2</literal>
10175 <entry colname="5">
10181 </informaltable><para>
10182 Mail delivery will be attempted to <literal>mail.example.com</literal> and
10183 <literal>mail2.example.com</literal> (in
10184 any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
10188 <sect2 id="Setting_TTLs">
10189 <title>Setting TTLs</title>
10191 The time-to-live of the RR field is a 32-bit integer represented
10192 in units of seconds, and is primarily used by resolvers when they
10193 cache RRs. The TTL describes how long a RR can be cached before it
10194 should be discarded. The following three types of TTL are
10196 used in a zone file.
10198 <informaltable colsep="0" rowsep="0">
10199 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10200 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
10201 <colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
10204 <entry colname="1">
10209 <entry colname="2">
10211 The last field in the SOA is the negative
10212 caching TTL. This controls how long other servers will
10213 cache no-such-domain
10214 (NXDOMAIN) responses from you.
10217 The maximum time for
10218 negative caching is 3 hours (3h).
10223 <entry colname="1">
10228 <entry colname="2">
10230 The $TTL directive at the top of the
10231 zone file (before the SOA) gives a default TTL for every
10233 a specific TTL set.
10238 <entry colname="1">
10243 <entry colname="2">
10245 Each RR can have a TTL as the second
10246 field in the RR, which will control how long other
10256 All of these TTLs default to units of seconds, though units
10257 can be explicitly specified, for example, <literal>1h30m</literal>.
10261 <title>Inverse Mapping in IPv4</title>
10263 Reverse name resolution (that is, translation from IP address
10264 to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
10265 and PTR records. Entries in the in-addr.arpa domain are made in
10266 least-to-most significant order, read left to right. This is the
10267 opposite order to the way IP addresses are usually written. Thus,
10268 a machine with an IP address of 10.1.2.3 would have a
10270 in-addr.arpa name of
10271 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
10272 whose data field is the name of the machine or, optionally,
10274 PTR records if the machine has more than one name. For example,
10275 in the <optional>example.com</optional> domain:
10277 <informaltable colsep="0" rowsep="0">
10278 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10279 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
10280 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
10283 <entry colname="1">
10285 <literal>$ORIGIN</literal>
10288 <entry colname="2">
10290 <literal>2.1.10.in-addr.arpa</literal>
10295 <entry colname="1">
10297 <literal>3</literal>
10300 <entry colname="2">
10302 <literal>IN PTR foo.example.com.</literal>
10311 The <command>$ORIGIN</command> lines in the examples
10312 are for providing context to the examples only — they do not
10314 appear in the actual usage. They are only used here to indicate
10315 that the example is relative to the listed origin.
10320 <title>Other Zone File Directives</title>
10322 The Master File Format was initially defined in RFC 1035 and
10323 has subsequently been extended. While the Master File Format
10325 is class independent all records in a Master File must be of the
10330 Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
10331 and <command>$TTL.</command>
10334 <title>The <command>$ORIGIN</command> Directive</title>
10336 Syntax: <command>$ORIGIN</command>
10337 <replaceable>domain-name</replaceable>
10338 <optional><replaceable>comment</replaceable></optional>
10340 <para><command>$ORIGIN</command>
10341 sets the domain name that will be appended to any
10342 unqualified records. When a zone is first read in there
10343 is an implicit <command>$ORIGIN</command>
10344 <<varname>zone-name</varname>><command>.</command>
10345 The current <command>$ORIGIN</command> is appended to
10346 the domain specified in the <command>$ORIGIN</command>
10347 argument if it is not absolute.
10351 $ORIGIN example.com.
10352 WWW CNAME MAIN-SERVER
10360 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
10365 <title>The <command>$INCLUDE</command> Directive</title>
10367 Syntax: <command>$INCLUDE</command>
10368 <replaceable>filename</replaceable>
10370 <replaceable>origin</replaceable> </optional>
10371 <optional> <replaceable>comment</replaceable> </optional>
10374 Read and process the file <filename>filename</filename> as
10375 if it were included into the file at this point. If <command>origin</command> is
10376 specified the file is processed with <command>$ORIGIN</command> set
10377 to that value, otherwise the current <command>$ORIGIN</command> is
10381 The origin and the current domain name
10382 revert to the values they had prior to the <command>$INCLUDE</command> once
10383 the file has been read.
10387 RFC 1035 specifies that the current origin should be restored
10389 an <command>$INCLUDE</command>, but it is silent
10390 on whether the current
10391 domain name should also be restored. BIND 9 restores both of
10393 This could be construed as a deviation from RFC 1035, a
10399 <title>The <command>$TTL</command> Directive</title>
10401 Syntax: <command>$TTL</command>
10402 <replaceable>default-ttl</replaceable>
10404 <replaceable>comment</replaceable> </optional>
10407 Set the default Time To Live (TTL) for subsequent records
10408 with undefined TTLs. Valid TTLs are of the range 0-2147483647
10411 <para><command>$TTL</command>
10412 is defined in RFC 2308.
10417 <title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
10419 Syntax: <command>$GENERATE</command>
10420 <replaceable>range</replaceable>
10421 <replaceable>lhs</replaceable>
10422 <optional><replaceable>ttl</replaceable></optional>
10423 <optional><replaceable>class</replaceable></optional>
10424 <replaceable>type</replaceable>
10425 <replaceable>rhs</replaceable>
10426 <optional><replaceable>comment</replaceable></optional>
10428 <para><command>$GENERATE</command>
10429 is used to create a series of resource records that only
10430 differ from each other by an
10431 iterator. <command>$GENERATE</command> can be used to
10432 easily generate the sets of records required to support
10433 sub /24 reverse delegations described in RFC 2317:
10434 Classless IN-ADDR.ARPA delegation.
10437 <programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
10438 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
10439 $GENERATE 1-127 $ CNAME $.0</programlisting>
10445 <programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
10446 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
10447 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
10448 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
10450 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
10453 <informaltable colsep="0" rowsep="0">
10454 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10455 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
10456 <colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
10459 <entry colname="1">
10460 <para><command>range</command></para>
10462 <entry colname="2">
10464 This can be one of two forms: start-stop
10465 or start-stop/step. If the first form is used, then step
10467 1. All of start, stop and step must be positive.
10472 <entry colname="1">
10473 <para><command>lhs</command></para>
10475 <entry colname="2">
10477 describes the owner name of the resource records
10478 to be created. Any single <command>$</command>
10480 symbols within the <command>lhs</command> side
10481 are replaced by the iterator value.
10483 To get a $ in the output, you need to escape the
10484 <command>$</command> using a backslash
10485 <command>\</command>,
10486 e.g. <command>\$</command>. The
10487 <command>$</command> may optionally be followed
10488 by modifiers which change the offset from the
10489 iterator, field width and base.
10491 Modifiers are introduced by a
10492 <command>{</command> (left brace) immediately following the
10493 <command>$</command> as
10494 <command>${offset[,width[,base]]}</command>.
10495 For example, <command>${-20,3,d}</command>
10496 subtracts 20 from the current value, prints the
10497 result as a decimal in a zero-padded field of
10500 Available output forms are decimal
10501 (<command>d</command>), octal
10502 (<command>o</command>) and hexadecimal
10503 (<command>x</command> or <command>X</command>
10504 for uppercase). The default modifier is
10505 <command>${0,0,d}</command>. If the
10506 <command>lhs</command> is not absolute, the
10507 current <command>$ORIGIN</command> is appended
10511 For compatibility with earlier versions, <command>$$</command> is still
10512 recognized as indicating a literal $ in the output.
10517 <entry colname="1">
10518 <para><command>ttl</command></para>
10520 <entry colname="2">
10522 Specifies the time-to-live of the generated records. If
10523 not specified this will be inherited using the
10524 normal ttl inheritance rules.
10526 <para><command>class</command>
10527 and <command>ttl</command> can be
10528 entered in either order.
10533 <entry colname="1">
10534 <para><command>class</command></para>
10536 <entry colname="2">
10538 Specifies the class of the generated records.
10539 This must match the zone class if it is
10542 <para><command>class</command>
10543 and <command>ttl</command> can be
10544 entered in either order.
10549 <entry colname="1">
10550 <para><command>type</command></para>
10552 <entry colname="2">
10554 At present the only supported types are
10555 PTR, CNAME, DNAME, A, AAAA and NS.
10560 <entry colname="1">
10561 <para><command>rhs</command></para>
10563 <entry colname="2">
10565 <command>rhs</command> is a domain name. It is processed
10574 The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
10575 and not part of the standard zone file format.
10578 BIND 8 does not support the optional TTL and CLASS fields.
10582 <sect2 id="zonefile_format">
10583 <title>Additional File Formats</title>
10585 In addition to the standard textual format, BIND 9
10586 supports the ability to read or dump to zone files in
10587 other formats. The <constant>raw</constant> format is
10588 currently available as an additional format. It is a
10589 binary format representing BIND 9's internal data
10590 structure directly, thereby remarkably improving the
10594 For a primary server, a zone file in the
10595 <constant>raw</constant> format is expected to be
10596 generated from a textual zone file by the
10597 <command>named-compilezone</command> command. For a
10598 secondary server or for a dynamic zone, it is automatically
10599 generated (if this format is specified by the
10600 <command>masterfile-format</command> option) when
10601 <command>named</command> dumps the zone contents after
10602 zone transfer or when applying prior updates.
10605 If a zone file in a binary format needs manual modification,
10606 it first must be converted to a textual form by the
10607 <command>named-compilezone</command> command. All
10608 necessary modification should go to the text file, which
10609 should then be converted to the binary form by the
10610 <command>named-compilezone</command> command again.
10613 Although the <constant>raw</constant> format uses the
10614 network byte order and avoids architecture-dependent
10615 data alignment so that it is as much portable as
10616 possible, it is primarily expected to be used inside
10617 the same single system. In order to export a zone
10618 file in the <constant>raw</constant> format or make a
10619 portable backup of the file, it is recommended to
10620 convert the file to the standard textual representation.
10625 <chapter id="Bv9ARM.ch07">
10626 <title><acronym>BIND</acronym> 9 Security Considerations</title>
10627 <sect1 id="Access_Control_Lists">
10628 <title>Access Control Lists</title>
10630 Access Control Lists (ACLs), are address match lists that
10631 you can set up and nickname for future use in <command>allow-notify</command>,
10632 <command>allow-query</command>, <command>allow-recursion</command>,
10633 <command>blackhole</command>, <command>allow-transfer</command>,
10637 Using ACLs allows you to have finer control over who can access
10638 your name server, without cluttering up your config files with huge
10639 lists of IP addresses.
10642 It is a <emphasis>good idea</emphasis> to use ACLs, and to
10643 control access to your server. Limiting access to your server by
10644 outside parties can help prevent spoofing and denial of service (DoS) attacks against
10648 Here is an example of how to properly apply ACLs:
10652 // Set up an ACL named "bogusnets" that will block RFC1918 space
10653 // and some reserved space, which is commonly used in spoofing attacks.
10655 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
10656 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
10659 // Set up an ACL called our-nets. Replace this with the real IP numbers.
10660 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
10664 allow-query { our-nets; };
10665 allow-recursion { our-nets; };
10667 blackhole { bogusnets; };
10671 zone "example.com" {
10673 file "m/example.com";
10674 allow-query { any; };
10679 This allows recursive queries of the server from the outside
10680 unless recursion has been previously disabled.
10683 For more information on how to use ACLs to protect your server,
10684 see the <emphasis>AUSCERT</emphasis> advisory at:
10687 <ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
10688 >ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
10692 <title><command>Chroot</command> and <command>Setuid</command></title>
10694 On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
10695 (using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
10696 option. This can help improve system security by placing <acronym>BIND</acronym> in
10697 a "sandbox", which will limit the damage done if a server is
10701 Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
10702 ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
10703 We suggest running as an unprivileged user when using the <command>chroot</command> feature.
10706 Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
10707 <command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
10711 <userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
10715 <title>The <command>chroot</command> Environment</title>
10718 In order for a <command>chroot</command> environment
10720 work properly in a particular directory
10721 (for example, <filename>/var/named</filename>),
10722 you will need to set up an environment that includes everything
10723 <acronym>BIND</acronym> needs to run.
10724 From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
10725 the root of the filesystem. You will need to adjust the values of
10727 like <command>directory</command> and <command>pid-file</command> to account
10731 Unlike with earlier versions of BIND, you typically will
10732 <emphasis>not</emphasis> need to compile <command>named</command>
10733 statically nor install shared libraries under the new root.
10734 However, depending on your operating system, you may need
10735 to set up things like
10736 <filename>/dev/zero</filename>,
10737 <filename>/dev/random</filename>,
10738 <filename>/dev/log</filename>, and
10739 <filename>/etc/localtime</filename>.
10744 <title>Using the <command>setuid</command> Function</title>
10747 Prior to running the <command>named</command> daemon,
10749 the <command>touch</command> utility (to change file
10751 modification times) or the <command>chown</command>
10753 set the user id and/or group id) on files
10754 to which you want <acronym>BIND</acronym>
10758 Note that if the <command>named</command> daemon is running as an
10759 unprivileged user, it will not be able to bind to new restricted
10760 ports if the server is reloaded.
10765 <sect1 id="dynamic_update_security">
10766 <title>Dynamic Update Security</title>
10769 Access to the dynamic
10770 update facility should be strictly limited. In earlier versions of
10771 <acronym>BIND</acronym>, the only way to do this was
10773 address of the host requesting the update, by listing an IP address
10775 network prefix in the <command>allow-update</command>
10777 This method is insecure since the source address of the update UDP
10779 is easily forged. Also note that if the IP addresses allowed by the
10780 <command>allow-update</command> option include the
10782 server which performs forwarding of dynamic updates, the master can
10784 trivially attacked by sending the update to the slave, which will
10785 forward it to the master with its own source IP address causing the
10786 master to approve it without question.
10790 For these reasons, we strongly recommend that updates be
10791 cryptographically authenticated by means of transaction signatures
10792 (TSIG). That is, the <command>allow-update</command>
10794 list only TSIG key names, not IP addresses or network
10795 prefixes. Alternatively, the new <command>update-policy</command>
10796 option can be used.
10800 Some sites choose to keep all dynamically-updated DNS data
10801 in a subdomain and delegate that subdomain to a separate zone. This
10802 way, the top-level zone containing critical data such as the IP
10804 of public web and mail servers need not allow dynamic update at
10811 <chapter id="Bv9ARM.ch08">
10812 <title>Troubleshooting</title>
10814 <title>Common Problems</title>
10816 <title>It's not working; how can I figure out what's wrong?</title>
10819 The best solution to solving installation and
10820 configuration issues is to take preventative measures by setting
10821 up logging files beforehand. The log files provide a
10822 source of hints and information that can be used to figure out
10823 what went wrong and how to fix the problem.
10829 <title>Incrementing and Changing the Serial Number</title>
10832 Zone serial numbers are just numbers — they aren't
10833 date related. A lot of people set them to a number that
10834 represents a date, usually of the form YYYYMMDDRR.
10835 Occasionally they will make a mistake and set them to a
10836 "date in the future" then try to correct them by setting
10837 them to the "current date". This causes problems because
10838 serial numbers are used to indicate that a zone has been
10839 updated. If the serial number on the slave server is
10840 lower than the serial number on the master, the slave
10841 server will attempt to update its copy of the zone.
10845 Setting the serial number to a lower number on the master
10846 server than the slave server means that the slave will not perform
10847 updates to its copy of the zone.
10851 The solution to this is to add 2147483647 (2^31-1) to the
10852 number, reload the zone and make sure all slaves have updated to
10853 the new zone serial number, then reset the number to what you want
10854 it to be, and reload the zone again.
10859 <title>Where Can I Get Help?</title>
10862 The Internet Systems Consortium
10863 (<acronym>ISC</acronym>) offers a wide range
10864 of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
10865 levels of premium support are available and each level includes
10866 support for all <acronym>ISC</acronym> programs,
10867 significant discounts on products
10868 and training, and a recognized priority on bug fixes and
10869 non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
10870 support agreement package which includes services ranging from bug
10871 fix announcements to remote support. It also includes training in
10872 <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
10876 To discuss arrangements for support, contact
10877 <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
10878 <acronym>ISC</acronym> web page at
10879 <ulink url="http://www.isc.org/services/support/"
10880 >http://www.isc.org/services/support/</ulink>
10885 <appendix id="Bv9ARM.ch09">
10886 <title>Appendices</title>
10888 <title>Acknowledgments</title>
10889 <sect2 id="historical_dns_information">
10890 <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
10893 Although the "official" beginning of the Domain Name
10894 System occurred in 1984 with the publication of RFC 920, the
10895 core of the new system was described in 1983 in RFCs 882 and
10896 883. From 1984 to 1987, the ARPAnet (the precursor to today's
10897 Internet) became a testbed of experimentation for developing the
10898 new naming/addressing scheme in a rapidly expanding,
10899 operational network environment. New RFCs were written and
10900 published in 1987 that modified the original documents to
10901 incorporate improvements based on the working model. RFC 1034,
10902 "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
10903 Names-Implementation and Specification" were published and
10904 became the standards upon which all <acronym>DNS</acronym> implementations are
10909 The first working domain name server, called "Jeeves", was
10910 written in 1983-84 by Paul Mockapetris for operation on DEC
10912 machines located at the University of Southern California's
10914 Sciences Institute (USC-ISI) and SRI International's Network
10916 Center (SRI-NIC). A <acronym>DNS</acronym> server for
10917 Unix machines, the Berkeley Internet
10918 Name Domain (<acronym>BIND</acronym>) package, was
10919 written soon after by a group of
10920 graduate students at the University of California at Berkeley
10922 a grant from the US Defense Advanced Research Projects
10927 Versions of <acronym>BIND</acronym> through
10928 4.8.3 were maintained by the Computer
10929 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
10930 Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
10931 project team. After that, additional work on the software package
10932 was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
10934 employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
10935 to 1987. Many other people also contributed to <acronym>BIND</acronym> development
10936 during that time: Doug Kingston, Craig Partridge, Smoot
10938 Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
10939 handled by Mike Karels and Øivind Kure.
10942 <acronym>BIND</acronym> versions 4.9 and 4.9.1 were
10943 released by Digital Equipment
10944 Corporation (now Compaq Computer Corporation). Paul Vixie, then
10945 a DEC employee, became <acronym>BIND</acronym>'s
10946 primary caretaker. He was assisted
10947 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
10949 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
10950 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
10951 Wolfhugel, and others.
10954 In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
10955 Vixie Enterprises. Paul
10956 Vixie became <acronym>BIND</acronym>'s principal
10957 architect/programmer.
10960 <acronym>BIND</acronym> versions from 4.9.3 onward
10961 have been developed and maintained
10962 by the Internet Systems Consortium and its predecessor,
10963 the Internet Software Consortium, with support being provided
10967 As co-architects/programmers, Bob Halley and
10968 Paul Vixie released the first production-ready version of
10969 <acronym>BIND</acronym> version 8 in May 1997.
10972 BIND version 9 was released in September 2000 and is a
10973 major rewrite of nearly all aspects of the underlying
10977 BIND version 4 is officially deprecated and BIND version
10978 8 development is considered maintenance-only in favor
10979 of BIND version 9. No additional development is done
10980 on BIND version 4 or BIND version 8 other than for
10981 security-related patches.
10984 <acronym>BIND</acronym> development work is made
10985 possible today by the sponsorship
10986 of several corporations, and by the tireless work efforts of
10987 numerous individuals.
10992 <title>General <acronym>DNS</acronym> Reference Information</title>
10993 <sect2 id="ipv6addresses">
10994 <title>IPv6 addresses (AAAA)</title>
10996 IPv6 addresses are 128-bit identifiers for interfaces and
10997 sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
10998 scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
10999 an identifier for a single interface;
11000 <emphasis>Anycast</emphasis>,
11001 an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
11002 an identifier for a set of interfaces. Here we describe the global
11003 Unicast address scheme. For more information, see RFC 3587,
11004 "Global Unicast Address Format."
11007 IPv6 unicast addresses consist of a
11008 <emphasis>global routing prefix</emphasis>, a
11009 <emphasis>subnet identifier</emphasis>, and an
11010 <emphasis>interface identifier</emphasis>.
11013 The global routing prefix is provided by the
11014 upstream provider or ISP, and (roughly) corresponds to the
11015 IPv4 <emphasis>network</emphasis> section
11016 of the address range.
11018 The subnet identifier is for local subnetting, much the
11019 same as subnetting an
11020 IPv4 /16 network into /24 subnets.
11022 The interface identifier is the address of an individual
11023 interface on a given network; in IPv6, addresses belong to
11024 interfaces rather than to machines.
11027 The subnetting capability of IPv6 is much more flexible than
11028 that of IPv4: subnetting can be carried out on bit boundaries,
11029 in much the same way as Classless InterDomain Routing
11030 (CIDR), and the DNS PTR representation ("nibble" format)
11031 makes setting up reverse zones easier.
11034 The Interface Identifier must be unique on the local link,
11035 and is usually generated automatically by the IPv6
11036 implementation, although it is usually possible to
11037 override the default setting if necessary. A typical IPv6
11038 address might look like:
11039 <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
11042 IPv6 address specifications often contain long strings
11043 of zeros, so the architects have included a shorthand for
11045 them. The double colon (`::') indicates the longest possible
11047 of zeros that can fit, and can be used only once in an address.
11051 <sect1 id="bibliography">
11052 <title>Bibliography (and Suggested Reading)</title>
11054 <title>Request for Comments (RFCs)</title>
11056 Specification documents for the Internet protocol suite, including
11057 the <acronym>DNS</acronym>, are published as part of
11058 the Request for Comments (RFCs)
11059 series of technical notes. The standards themselves are defined
11060 by the Internet Engineering Task Force (IETF) and the Internet
11061 Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
11064 <ulink url="ftp://www.isi.edu/in-notes/">
11065 ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
11069 (where <replaceable>xxxx</replaceable> is
11070 the number of the RFC). RFCs are also available via the Web at:
11073 <ulink url="http://www.ietf.org/rfc/"
11074 >http://www.ietf.org/rfc/</ulink>.
11078 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
11079 <title>Standards</title>
11081 <abbrev>RFC974</abbrev>
11083 <surname>Partridge</surname>
11084 <firstname>C.</firstname>
11086 <title>Mail Routing and the Domain System</title>
11087 <pubdate>January 1986</pubdate>
11090 <abbrev>RFC1034</abbrev>
11092 <surname>Mockapetris</surname>
11093 <firstname>P.V.</firstname>
11095 <title>Domain Names — Concepts and Facilities</title>
11096 <pubdate>November 1987</pubdate>
11099 <abbrev>RFC1035</abbrev>
11101 <surname>Mockapetris</surname>
11102 <firstname>P. V.</firstname>
11103 </author> <title>Domain Names — Implementation and
11104 Specification</title>
11105 <pubdate>November 1987</pubdate>
11108 <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
11110 <title>Proposed Standards</title>
11111 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
11113 <abbrev>RFC2181</abbrev>
11115 <surname>Elz</surname>
11116 <firstname>R., R. Bush</firstname>
11118 <title>Clarifications to the <acronym>DNS</acronym>
11119 Specification</title>
11120 <pubdate>July 1997</pubdate>
11123 <abbrev>RFC2308</abbrev>
11125 <surname>Andrews</surname>
11126 <firstname>M.</firstname>
11128 <title>Negative Caching of <acronym>DNS</acronym>
11130 <pubdate>March 1998</pubdate>
11133 <abbrev>RFC1995</abbrev>
11135 <surname>Ohta</surname>
11136 <firstname>M.</firstname>
11138 <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
11139 <pubdate>August 1996</pubdate>
11142 <abbrev>RFC1996</abbrev>
11144 <surname>Vixie</surname>
11145 <firstname>P.</firstname>
11147 <title>A Mechanism for Prompt Notification of Zone Changes</title>
11148 <pubdate>August 1996</pubdate>
11151 <abbrev>RFC2136</abbrev>
11154 <surname>Vixie</surname>
11155 <firstname>P.</firstname>
11158 <firstname>S.</firstname>
11159 <surname>Thomson</surname>
11162 <firstname>Y.</firstname>
11163 <surname>Rekhter</surname>
11166 <firstname>J.</firstname>
11167 <surname>Bound</surname>
11170 <title>Dynamic Updates in the Domain Name System</title>
11171 <pubdate>April 1997</pubdate>
11174 <abbrev>RFC2671</abbrev>
11177 <firstname>P.</firstname>
11178 <surname>Vixie</surname>
11181 <title>Extension Mechanisms for DNS (EDNS0)</title>
11182 <pubdate>August 1997</pubdate>
11185 <abbrev>RFC2672</abbrev>
11188 <firstname>M.</firstname>
11189 <surname>Crawford</surname>
11192 <title>Non-Terminal DNS Name Redirection</title>
11193 <pubdate>August 1999</pubdate>
11196 <abbrev>RFC2845</abbrev>
11199 <surname>Vixie</surname>
11200 <firstname>P.</firstname>
11203 <firstname>O.</firstname>
11204 <surname>Gudmundsson</surname>
11207 <firstname>D.</firstname>
11208 <surname>Eastlake</surname>
11209 <lineage>3rd</lineage>
11212 <firstname>B.</firstname>
11213 <surname>Wellington</surname>
11216 <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
11217 <pubdate>May 2000</pubdate>
11220 <abbrev>RFC2930</abbrev>
11223 <firstname>D.</firstname>
11224 <surname>Eastlake</surname>
11225 <lineage>3rd</lineage>
11228 <title>Secret Key Establishment for DNS (TKEY RR)</title>
11229 <pubdate>September 2000</pubdate>
11232 <abbrev>RFC2931</abbrev>
11235 <firstname>D.</firstname>
11236 <surname>Eastlake</surname>
11237 <lineage>3rd</lineage>
11240 <title>DNS Request and Transaction Signatures (SIG(0)s)</title>
11241 <pubdate>September 2000</pubdate>
11244 <abbrev>RFC3007</abbrev>
11247 <firstname>B.</firstname>
11248 <surname>Wellington</surname>
11251 <title>Secure Domain Name System (DNS) Dynamic Update</title>
11252 <pubdate>November 2000</pubdate>
11255 <abbrev>RFC3645</abbrev>
11258 <firstname>S.</firstname>
11259 <surname>Kwan</surname>
11262 <firstname>P.</firstname>
11263 <surname>Garg</surname>
11266 <firstname>J.</firstname>
11267 <surname>Gilroy</surname>
11270 <firstname>L.</firstname>
11271 <surname>Esibov</surname>
11274 <firstname>J.</firstname>
11275 <surname>Westhead</surname>
11278 <firstname>R.</firstname>
11279 <surname>Hall</surname>
11282 <title>Generic Security Service Algorithm for Secret
11283 Key Transaction Authentication for DNS
11285 <pubdate>October 2003</pubdate>
11289 <title><acronym>DNS</acronym> Security Proposed Standards</title>
11291 <abbrev>RFC3225</abbrev>
11294 <firstname>D.</firstname>
11295 <surname>Conrad</surname>
11298 <title>Indicating Resolver Support of DNSSEC</title>
11299 <pubdate>December 2001</pubdate>
11302 <abbrev>RFC3833</abbrev>
11305 <firstname>D.</firstname>
11306 <surname>Atkins</surname>
11309 <firstname>R.</firstname>
11310 <surname>Austein</surname>
11313 <title>Threat Analysis of the Domain Name System (DNS)</title>
11314 <pubdate>August 2004</pubdate>
11317 <abbrev>RFC4033</abbrev>
11320 <firstname>R.</firstname>
11321 <surname>Arends</surname>
11324 <firstname>R.</firstname>
11325 <surname>Austein</surname>
11328 <firstname>M.</firstname>
11329 <surname>Larson</surname>
11332 <firstname>D.</firstname>
11333 <surname>Massey</surname>
11336 <firstname>S.</firstname>
11337 <surname>Rose</surname>
11340 <title>DNS Security Introduction and Requirements</title>
11341 <pubdate>March 2005</pubdate>
11344 <abbrev>RFC4044</abbrev>
11347 <firstname>R.</firstname>
11348 <surname>Arends</surname>
11351 <firstname>R.</firstname>
11352 <surname>Austein</surname>
11355 <firstname>M.</firstname>
11356 <surname>Larson</surname>
11359 <firstname>D.</firstname>
11360 <surname>Massey</surname>
11363 <firstname>S.</firstname>
11364 <surname>Rose</surname>
11367 <title>Resource Records for the DNS Security Extensions</title>
11368 <pubdate>March 2005</pubdate>
11371 <abbrev>RFC4035</abbrev>
11374 <firstname>R.</firstname>
11375 <surname>Arends</surname>
11378 <firstname>R.</firstname>
11379 <surname>Austein</surname>
11382 <firstname>M.</firstname>
11383 <surname>Larson</surname>
11386 <firstname>D.</firstname>
11387 <surname>Massey</surname>
11390 <firstname>S.</firstname>
11391 <surname>Rose</surname>
11394 <title>Protocol Modifications for the DNS
11395 Security Extensions</title>
11396 <pubdate>March 2005</pubdate>
11400 <title>Other Important RFCs About <acronym>DNS</acronym>
11401 Implementation</title>
11403 <abbrev>RFC1535</abbrev>
11405 <surname>Gavron</surname>
11406 <firstname>E.</firstname>
11408 <title>A Security Problem and Proposed Correction With Widely
11409 Deployed <acronym>DNS</acronym> Software.</title>
11410 <pubdate>October 1993</pubdate>
11413 <abbrev>RFC1536</abbrev>
11416 <surname>Kumar</surname>
11417 <firstname>A.</firstname>
11420 <firstname>J.</firstname>
11421 <surname>Postel</surname>
11424 <firstname>C.</firstname>
11425 <surname>Neuman</surname>
11428 <firstname>P.</firstname>
11429 <surname>Danzig</surname>
11432 <firstname>S.</firstname>
11433 <surname>Miller</surname>
11436 <title>Common <acronym>DNS</acronym> Implementation
11437 Errors and Suggested Fixes</title>
11438 <pubdate>October 1993</pubdate>
11441 <abbrev>RFC1982</abbrev>
11444 <surname>Elz</surname>
11445 <firstname>R.</firstname>
11448 <firstname>R.</firstname>
11449 <surname>Bush</surname>
11452 <title>Serial Number Arithmetic</title>
11453 <pubdate>August 1996</pubdate>
11456 <abbrev>RFC4074</abbrev>
11459 <surname>Morishita</surname>
11460 <firstname>Y.</firstname>
11463 <firstname>T.</firstname>
11464 <surname>Jinmei</surname>
11467 <title>Common Misbehaviour Against <acronym>DNS</acronym>
11468 Queries for IPv6 Addresses</title>
11469 <pubdate>May 2005</pubdate>
11473 <title>Resource Record Types</title>
11475 <abbrev>RFC1183</abbrev>
11478 <surname>Everhart</surname>
11479 <firstname>C.F.</firstname>
11482 <firstname>L. A.</firstname>
11483 <surname>Mamakos</surname>
11486 <firstname>R.</firstname>
11487 <surname>Ullmann</surname>
11490 <firstname>P.</firstname>
11491 <surname>Mockapetris</surname>
11494 <title>New <acronym>DNS</acronym> RR Definitions</title>
11495 <pubdate>October 1990</pubdate>
11498 <abbrev>RFC1706</abbrev>
11501 <surname>Manning</surname>
11502 <firstname>B.</firstname>
11505 <firstname>R.</firstname>
11506 <surname>Colella</surname>
11509 <title><acronym>DNS</acronym> NSAP Resource Records</title>
11510 <pubdate>October 1994</pubdate>
11513 <abbrev>RFC2168</abbrev>
11516 <surname>Daniel</surname>
11517 <firstname>R.</firstname>
11520 <firstname>M.</firstname>
11521 <surname>Mealling</surname>
11524 <title>Resolution of Uniform Resource Identifiers using
11525 the Domain Name System</title>
11526 <pubdate>June 1997</pubdate>
11529 <abbrev>RFC1876</abbrev>
11532 <surname>Davis</surname>
11533 <firstname>C.</firstname>
11536 <firstname>P.</firstname>
11537 <surname>Vixie</surname>
11540 <firstname>T.</firstname>
11541 <firstname>Goodwin</firstname>
11544 <firstname>I.</firstname>
11545 <surname>Dickinson</surname>
11548 <title>A Means for Expressing Location Information in the
11550 Name System</title>
11551 <pubdate>January 1996</pubdate>
11554 <abbrev>RFC2052</abbrev>
11557 <surname>Gulbrandsen</surname>
11558 <firstname>A.</firstname>
11561 <firstname>P.</firstname>
11562 <surname>Vixie</surname>
11565 <title>A <acronym>DNS</acronym> RR for Specifying the
11568 <pubdate>October 1996</pubdate>
11571 <abbrev>RFC2163</abbrev>
11573 <surname>Allocchio</surname>
11574 <firstname>A.</firstname>
11576 <title>Using the Internet <acronym>DNS</acronym> to
11578 Conformant Global Address Mapping</title>
11579 <pubdate>January 1998</pubdate>
11582 <abbrev>RFC2230</abbrev>
11584 <surname>Atkinson</surname>
11585 <firstname>R.</firstname>
11587 <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
11588 <pubdate>October 1997</pubdate>
11591 <abbrev>RFC2536</abbrev>
11593 <surname>Eastlake</surname>
11594 <firstname>D.</firstname>
11595 <lineage>3rd</lineage>
11597 <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
11598 <pubdate>March 1999</pubdate>
11601 <abbrev>RFC2537</abbrev>
11603 <surname>Eastlake</surname>
11604 <firstname>D.</firstname>
11605 <lineage>3rd</lineage>
11607 <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
11608 <pubdate>March 1999</pubdate>
11611 <abbrev>RFC2538</abbrev>
11614 <surname>Eastlake</surname>
11615 <firstname>D.</firstname>
11616 <lineage>3rd</lineage>
11619 <surname>Gudmundsson</surname>
11620 <firstname>O.</firstname>
11623 <title>Storing Certificates in the Domain Name System (DNS)</title>
11624 <pubdate>March 1999</pubdate>
11627 <abbrev>RFC2539</abbrev>
11630 <surname>Eastlake</surname>
11631 <firstname>D.</firstname>
11632 <lineage>3rd</lineage>
11635 <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
11636 <pubdate>March 1999</pubdate>
11639 <abbrev>RFC2540</abbrev>
11642 <surname>Eastlake</surname>
11643 <firstname>D.</firstname>
11644 <lineage>3rd</lineage>
11647 <title>Detached Domain Name System (DNS) Information</title>
11648 <pubdate>March 1999</pubdate>
11651 <abbrev>RFC2782</abbrev>
11653 <surname>Gulbrandsen</surname>
11654 <firstname>A.</firstname>
11657 <surname>Vixie</surname>
11658 <firstname>P.</firstname>
11661 <surname>Esibov</surname>
11662 <firstname>L.</firstname>
11664 <title>A DNS RR for specifying the location of services (DNS SRV)</title>
11665 <pubdate>February 2000</pubdate>
11668 <abbrev>RFC2915</abbrev>
11670 <surname>Mealling</surname>
11671 <firstname>M.</firstname>
11674 <surname>Daniel</surname>
11675 <firstname>R.</firstname>
11677 <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
11678 <pubdate>September 2000</pubdate>
11681 <abbrev>RFC3110</abbrev>
11683 <surname>Eastlake</surname>
11684 <firstname>D.</firstname>
11685 <lineage>3rd</lineage>
11687 <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
11688 <pubdate>May 2001</pubdate>
11691 <abbrev>RFC3123</abbrev>
11693 <surname>Koch</surname>
11694 <firstname>P.</firstname>
11696 <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
11697 <pubdate>June 2001</pubdate>
11700 <abbrev>RFC3596</abbrev>
11703 <surname>Thomson</surname>
11704 <firstname>S.</firstname>
11707 <firstname>C.</firstname>
11708 <surname>Huitema</surname>
11711 <firstname>V.</firstname>
11712 <surname>Ksinant</surname>
11715 <firstname>M.</firstname>
11716 <surname>Souissi</surname>
11719 <title><acronym>DNS</acronym> Extensions to support IP
11721 <pubdate>October 2003</pubdate>
11724 <abbrev>RFC3597</abbrev>
11726 <surname>Gustafsson</surname>
11727 <firstname>A.</firstname>
11729 <title>Handling of Unknown DNS Resource Record (RR) Types</title>
11730 <pubdate>September 2003</pubdate>
11734 <title><acronym>DNS</acronym> and the Internet</title>
11736 <abbrev>RFC1101</abbrev>
11738 <surname>Mockapetris</surname>
11739 <firstname>P. V.</firstname>
11741 <title><acronym>DNS</acronym> Encoding of Network Names
11742 and Other Types</title>
11743 <pubdate>April 1989</pubdate>
11746 <abbrev>RFC1123</abbrev>
11748 <surname>Braden</surname>
11749 <surname>R.</surname>
11751 <title>Requirements for Internet Hosts - Application and
11753 <pubdate>October 1989</pubdate>
11756 <abbrev>RFC1591</abbrev>
11758 <surname>Postel</surname>
11759 <firstname>J.</firstname>
11761 <title>Domain Name System Structure and Delegation</title>
11762 <pubdate>March 1994</pubdate>
11765 <abbrev>RFC2317</abbrev>
11768 <surname>Eidnes</surname>
11769 <firstname>H.</firstname>
11772 <firstname>G.</firstname>
11773 <surname>de Groot</surname>
11776 <firstname>P.</firstname>
11777 <surname>Vixie</surname>
11780 <title>Classless IN-ADDR.ARPA Delegation</title>
11781 <pubdate>March 1998</pubdate>
11784 <abbrev>RFC2826</abbrev>
11787 <surname>Internet Architecture Board</surname>
11790 <title>IAB Technical Comment on the Unique DNS Root</title>
11791 <pubdate>May 2000</pubdate>
11794 <abbrev>RFC2929</abbrev>
11797 <surname>Eastlake</surname>
11798 <firstname>D.</firstname>
11799 <lineage>3rd</lineage>
11802 <surname>Brunner-Williams</surname>
11803 <firstname>E.</firstname>
11806 <surname>Manning</surname>
11807 <firstname>B.</firstname>
11810 <title>Domain Name System (DNS) IANA Considerations</title>
11811 <pubdate>September 2000</pubdate>
11815 <title><acronym>DNS</acronym> Operations</title>
11817 <abbrev>RFC1033</abbrev>
11819 <surname>Lottor</surname>
11820 <firstname>M.</firstname>
11822 <title>Domain administrators operations guide.</title>
11823 <pubdate>November 1987</pubdate>
11826 <abbrev>RFC1537</abbrev>
11828 <surname>Beertema</surname>
11829 <firstname>P.</firstname>
11831 <title>Common <acronym>DNS</acronym> Data File
11832 Configuration Errors</title>
11833 <pubdate>October 1993</pubdate>
11836 <abbrev>RFC1912</abbrev>
11838 <surname>Barr</surname>
11839 <firstname>D.</firstname>
11841 <title>Common <acronym>DNS</acronym> Operational and
11842 Configuration Errors</title>
11843 <pubdate>February 1996</pubdate>
11846 <abbrev>RFC2010</abbrev>
11849 <surname>Manning</surname>
11850 <firstname>B.</firstname>
11853 <firstname>P.</firstname>
11854 <surname>Vixie</surname>
11857 <title>Operational Criteria for Root Name Servers.</title>
11858 <pubdate>October 1996</pubdate>
11861 <abbrev>RFC2219</abbrev>
11864 <surname>Hamilton</surname>
11865 <firstname>M.</firstname>
11868 <firstname>R.</firstname>
11869 <surname>Wright</surname>
11872 <title>Use of <acronym>DNS</acronym> Aliases for
11873 Network Services.</title>
11874 <pubdate>October 1997</pubdate>
11878 <title>Internationalized Domain Names</title>
11880 <abbrev>RFC2825</abbrev>
11883 <surname>IAB</surname>
11886 <surname>Daigle</surname>
11887 <firstname>R.</firstname>
11890 <title>A Tangled Web: Issues of I18N, Domain Names,
11891 and the Other Internet protocols</title>
11892 <pubdate>May 2000</pubdate>
11895 <abbrev>RFC3490</abbrev>
11898 <surname>Faltstrom</surname>
11899 <firstname>P.</firstname>
11902 <surname>Hoffman</surname>
11903 <firstname>P.</firstname>
11906 <surname>Costello</surname>
11907 <firstname>A.</firstname>
11910 <title>Internationalizing Domain Names in Applications (IDNA)</title>
11911 <pubdate>March 2003</pubdate>
11914 <abbrev>RFC3491</abbrev>
11917 <surname>Hoffman</surname>
11918 <firstname>P.</firstname>
11921 <surname>Blanchet</surname>
11922 <firstname>M.</firstname>
11925 <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
11926 <pubdate>March 2003</pubdate>
11929 <abbrev>RFC3492</abbrev>
11932 <surname>Costello</surname>
11933 <firstname>A.</firstname>
11936 <title>Punycode: A Bootstring encoding of Unicode
11937 for Internationalized Domain Names in
11938 Applications (IDNA)</title>
11939 <pubdate>March 2003</pubdate>
11943 <title>Other <acronym>DNS</acronym>-related RFCs</title>
11946 Note: the following list of RFCs, although
11947 <acronym>DNS</acronym>-related, are not
11948 concerned with implementing software.
11952 <abbrev>RFC1464</abbrev>
11954 <surname>Rosenbaum</surname>
11955 <firstname>R.</firstname>
11957 <title>Using the Domain Name System To Store Arbitrary String
11959 <pubdate>May 1993</pubdate>
11962 <abbrev>RFC1713</abbrev>
11964 <surname>Romao</surname>
11965 <firstname>A.</firstname>
11967 <title>Tools for <acronym>DNS</acronym> Debugging</title>
11968 <pubdate>November 1994</pubdate>
11971 <abbrev>RFC1794</abbrev>
11973 <surname>Brisco</surname>
11974 <firstname>T.</firstname>
11976 <title><acronym>DNS</acronym> Support for Load
11978 <pubdate>April 1995</pubdate>
11981 <abbrev>RFC2240</abbrev>
11983 <surname>Vaughan</surname>
11984 <firstname>O.</firstname>
11986 <title>A Legal Basis for Domain Name Allocation</title>
11987 <pubdate>November 1997</pubdate>
11990 <abbrev>RFC2345</abbrev>
11993 <surname>Klensin</surname>
11994 <firstname>J.</firstname>
11997 <firstname>T.</firstname>
11998 <surname>Wolf</surname>
12001 <firstname>G.</firstname>
12002 <surname>Oglesby</surname>
12005 <title>Domain Names and Company Name Retrieval</title>
12006 <pubdate>May 1998</pubdate>
12009 <abbrev>RFC2352</abbrev>
12011 <surname>Vaughan</surname>
12012 <firstname>O.</firstname>
12014 <title>A Convention For Using Legal Names as Domain Names</title>
12015 <pubdate>May 1998</pubdate>
12018 <abbrev>RFC3071</abbrev>
12021 <surname>Klensin</surname>
12022 <firstname>J.</firstname>
12025 <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
12026 <pubdate>February 2001</pubdate>
12029 <abbrev>RFC3258</abbrev>
12032 <surname>Hardie</surname>
12033 <firstname>T.</firstname>
12036 <title>Distributing Authoritative Name Servers via
12037 Shared Unicast Addresses</title>
12038 <pubdate>April 2002</pubdate>
12041 <abbrev>RFC3901</abbrev>
12044 <surname>Durand</surname>
12045 <firstname>A.</firstname>
12048 <firstname>J.</firstname>
12049 <surname>Ihren</surname>
12052 <title>DNS IPv6 Transport Operational Guidelines</title>
12053 <pubdate>September 2004</pubdate>
12057 <title>Obsolete and Unimplemented Experimental RFC</title>
12059 <abbrev>RFC1712</abbrev>
12062 <surname>Farrell</surname>
12063 <firstname>C.</firstname>
12066 <firstname>M.</firstname>
12067 <surname>Schulze</surname>
12070 <firstname>S.</firstname>
12071 <surname>Pleitner</surname>
12074 <firstname>D.</firstname>
12075 <surname>Baldoni</surname>
12078 <title><acronym>DNS</acronym> Encoding of Geographical
12080 <pubdate>November 1994</pubdate>
12083 <abbrev>RFC2673</abbrev>
12086 <surname>Crawford</surname>
12087 <firstname>M.</firstname>
12090 <title>Binary Labels in the Domain Name System</title>
12091 <pubdate>August 1999</pubdate>
12094 <abbrev>RFC2874</abbrev>
12097 <surname>Crawford</surname>
12098 <firstname>M.</firstname>
12101 <surname>Huitema</surname>
12102 <firstname>C.</firstname>
12105 <title>DNS Extensions to Support IPv6 Address Aggregation
12106 and Renumbering</title>
12107 <pubdate>July 2000</pubdate>
12111 <title>Obsoleted DNS Security RFCs</title>
12114 Most of these have been consolidated into RFC4033,
12115 RFC4034 and RFC4035 which collectively describe DNSSECbis.
12119 <abbrev>RFC2065</abbrev>
12122 <surname>Eastlake</surname>
12123 <lineage>3rd</lineage>
12124 <firstname>D.</firstname>
12127 <firstname>C.</firstname>
12128 <surname>Kaufman</surname>
12131 <title>Domain Name System Security Extensions</title>
12132 <pubdate>January 1997</pubdate>
12135 <abbrev>RFC2137</abbrev>
12137 <surname>Eastlake</surname>
12138 <lineage>3rd</lineage>
12139 <firstname>D.</firstname>
12141 <title>Secure Domain Name System Dynamic Update</title>
12142 <pubdate>April 1997</pubdate>
12145 <abbrev>RFC2535</abbrev>
12148 <surname>Eastlake</surname>
12149 <lineage>3rd</lineage>
12150 <firstname>D.</firstname>
12153 <title>Domain Name System Security Extensions</title>
12154 <pubdate>March 1999</pubdate>
12157 <abbrev>RFC3008</abbrev>
12160 <surname>Wellington</surname>
12161 <firstname>B.</firstname>
12164 <title>Domain Name System Security (DNSSEC)
12165 Signing Authority</title>
12166 <pubdate>November 2000</pubdate>
12169 <abbrev>RFC3090</abbrev>
12172 <surname>Lewis</surname>
12173 <firstname>E.</firstname>
12176 <title>DNS Security Extension Clarification on Zone Status</title>
12177 <pubdate>March 2001</pubdate>
12180 <abbrev>RFC3445</abbrev>
12183 <surname>Massey</surname>
12184 <firstname>D.</firstname>
12187 <surname>Rose</surname>
12188 <firstname>S.</firstname>
12191 <title>Limiting the Scope of the KEY Resource Record (RR)</title>
12192 <pubdate>December 2002</pubdate>
12195 <abbrev>RFC3655</abbrev>
12198 <surname>Wellington</surname>
12199 <firstname>B.</firstname>
12202 <surname>Gudmundsson</surname>
12203 <firstname>O.</firstname>
12206 <title>Redefinition of DNS Authenticated Data (AD) bit</title>
12207 <pubdate>November 2003</pubdate>
12210 <abbrev>RFC3658</abbrev>
12213 <surname>Gudmundsson</surname>
12214 <firstname>O.</firstname>
12217 <title>Delegation Signer (DS) Resource Record (RR)</title>
12218 <pubdate>December 2003</pubdate>
12221 <abbrev>RFC3755</abbrev>
12224 <surname>Weiler</surname>
12225 <firstname>S.</firstname>
12228 <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
12229 <pubdate>May 2004</pubdate>
12232 <abbrev>RFC3757</abbrev>
12235 <surname>Kolkman</surname>
12236 <firstname>O.</firstname>
12239 <surname>Schlyter</surname>
12240 <firstname>J.</firstname>
12243 <surname>Lewis</surname>
12244 <firstname>E.</firstname>
12247 <title>Domain Name System KEY (DNSKEY) Resource Record
12248 (RR) Secure Entry Point (SEP) Flag</title>
12249 <pubdate>April 2004</pubdate>
12252 <abbrev>RFC3845</abbrev>
12255 <surname>Schlyter</surname>
12256 <firstname>J.</firstname>
12259 <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
12260 <pubdate>August 2004</pubdate>
12265 <sect2 id="internet_drafts">
12266 <title>Internet Drafts</title>
12268 Internet Drafts (IDs) are rough-draft working documents of
12269 the Internet Engineering Task Force. They are, in essence, RFCs
12270 in the preliminary stages of development. Implementors are
12272 to regard IDs as archival, and they should not be quoted or cited
12273 in any formal documents unless accompanied by the disclaimer that
12274 they are "works in progress." IDs have a lifespan of six months
12275 after which they are deleted unless updated by their authors.
12279 <title>Other Documents About <acronym>BIND</acronym></title>
12285 <surname>Albitz</surname>
12286 <firstname>Paul</firstname>
12289 <firstname>Cricket</firstname>
12290 <surname>Liu</surname>
12293 <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
12296 <holder>Sebastopol, CA: O'Reilly and Associates</holder>
12304 <reference id="Bv9ARM.ch10">
12305 <title>Manual pages</title>
12306 <xi:include href="../../bin/dig/dig.docbook"/>
12307 <xi:include href="../../bin/dig/host.docbook"/>
12308 <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
12309 <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
12310 <xi:include href="../../bin/check/named-checkconf.docbook"/>
12311 <xi:include href="../../bin/check/named-checkzone.docbook"/>
12312 <xi:include href="../../bin/named/named.docbook"/>
12313 <!-- named.conf.docbook and others? -->
12314 <!-- nsupdate gives db2latex indigestion, markup problems? -->
12315 <xi:include href="../../bin/rndc/rndc.docbook"/>
12316 <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
12317 <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>