1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <book xmlns:xi="http://www.w3.org/2001/XInclude">
22 <title>BIND 9 Administrator Reference Manual</title>
37 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
44 <holder>Internet Software Consortium.</holder>
46 <xi:include href="releaseinfo.xml"/>
49 <chapter id="Bv9ARM.ch01">
50 <title>Introduction</title>
52 The Internet Domain Name System (<acronym>DNS</acronym>)
53 consists of the syntax
54 to specify the names of entities in the Internet in a hierarchical
55 manner, the rules used for delegating authority over names, and the
56 system implementation that actually maps names to Internet
57 addresses. <acronym>DNS</acronym> data is maintained in a
59 hierarchical databases.
63 <title>Scope of Document</title>
66 The Berkeley Internet Name Domain
67 (<acronym>BIND</acronym>) implements a
68 domain name server for a number of operating systems. This
69 document provides basic information about the installation and
70 care of the Internet Systems Consortium (<acronym>ISC</acronym>)
71 <acronym>BIND</acronym> version 9 software package for
72 system administrators.
74 <xi:include href="pkgversion.xml"/>
78 <title>Organization of This Document</title>
80 In this document, <emphasis>Chapter 1</emphasis> introduces
81 the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Chapter 2</emphasis>
82 describes resource requirements for running <acronym>BIND</acronym> in various
83 environments. Information in <emphasis>Chapter 3</emphasis> is
84 <emphasis>task-oriented</emphasis> in its presentation and is
85 organized functionally, to aid in the process of installing the
86 <acronym>BIND</acronym> 9 software. The task-oriented
87 section is followed by
88 <emphasis>Chapter 4</emphasis>, which contains more advanced
89 concepts that the system administrator may need for implementing
90 certain options. <emphasis>Chapter 5</emphasis>
91 describes the <acronym>BIND</acronym> 9 lightweight
92 resolver. The contents of <emphasis>Chapter 6</emphasis> are
93 organized as in a reference manual to aid in the ongoing
94 maintenance of the software. <emphasis>Chapter 7</emphasis> addresses
95 security considerations, and
96 <emphasis>Chapter 8</emphasis> contains troubleshooting help. The
97 main body of the document is followed by several
98 <emphasis>appendices</emphasis> which contain useful reference
99 information, such as a <emphasis>bibliography</emphasis> and
100 historic information related to <acronym>BIND</acronym>
106 <title>Conventions Used in This Document</title>
109 In this document, we use the following general typographic
115 <colspec colname="1" colnum="1" colwidth="3.000in"/>
116 <colspec colname="2" colnum="2" colwidth="2.625in"/>
121 <emphasis>To describe:</emphasis>
126 <emphasis>We use the style:</emphasis>
133 a pathname, filename, URL, hostname,
134 mailing list name, or new term or concept
139 <filename>Fixed width</filename>
152 <userinput>Fixed Width Bold</userinput>
164 <computeroutput>Fixed Width</computeroutput>
173 The following conventions are used in descriptions of the
174 <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
175 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
176 <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
177 <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
180 <entry colname="1" colsep="1" rowsep="1">
182 <emphasis>To describe:</emphasis>
185 <entry colname="2" rowsep="1">
187 <emphasis>We use the style:</emphasis>
192 <entry colname="1" colsep="1" rowsep="1">
197 <entry colname="2" rowsep="1">
199 <literal>Fixed Width</literal>
204 <entry colname="1" colsep="1" rowsep="1">
209 <entry colname="2" rowsep="1">
211 <varname>Fixed Width</varname>
216 <entry colname="1" colsep="1">
223 <optional>Text is enclosed in square brackets</optional>
233 <title>The Domain Name System (<acronym>DNS</acronym>)</title>
235 The purpose of this document is to explain the installation
236 and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
237 Name Domain) software package, and we
238 begin by reviewing the fundamentals of the Domain Name System
239 (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
243 <title>DNS Fundamentals</title>
246 The Domain Name System (DNS) is a hierarchical, distributed
247 database. It stores information for mapping Internet host names to
249 addresses and vice versa, mail routing information, and other data
250 used by Internet applications.
254 Clients look up information in the DNS by calling a
255 <emphasis>resolver</emphasis> library, which sends queries to one or
256 more <emphasis>name servers</emphasis> and interprets the responses.
257 The <acronym>BIND</acronym> 9 software distribution
259 name server, <command>named</command>, and a resolver
260 library, <command>liblwres</command>. The older
261 <command>libbind</command> resolver library is also available
262 from ISC as a separate download.
266 <title>Domains and Domain Names</title>
269 The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
270 organizational or administrative boundaries. Each node of the tree,
271 called a <emphasis>domain</emphasis>, is given a label. The domain
273 node is the concatenation of all the labels on the path from the
274 node to the <emphasis>root</emphasis> node. This is represented
275 in written form as a string of labels listed from right to left and
276 separated by dots. A label need only be unique within its parent
281 For example, a domain name for a host at the
282 company <emphasis>Example, Inc.</emphasis> could be
283 <literal>ourhost.example.com</literal>,
284 where <literal>com</literal> is the
285 top level domain to which
286 <literal>ourhost.example.com</literal> belongs,
287 <literal>example</literal> is
288 a subdomain of <literal>com</literal>, and
289 <literal>ourhost</literal> is the
294 For administrative purposes, the name space is partitioned into
295 areas called <emphasis>zones</emphasis>, each starting at a node and
296 extending down to the leaf nodes or to nodes where other zones
298 The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
299 <emphasis>DNS protocol</emphasis>.
303 The data associated with each domain name is stored in the
304 form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
305 Some of the supported resource record types are described in
306 <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
310 For more detailed information about the design of the DNS and
311 the DNS protocol, please refer to the standards documents listed in
312 <xref linkend="rfcs"/>.
319 To properly operate a name server, it is important to understand
320 the difference between a <emphasis>zone</emphasis>
321 and a <emphasis>domain</emphasis>.
325 As stated previously, a zone is a point of delegation in
326 the <acronym>DNS</acronym> tree. A zone consists of
327 those contiguous parts of the domain
328 tree for which a name server has complete information and over which
329 it has authority. It contains all domain names from a certain point
330 downward in the domain tree except those which are delegated to
331 other zones. A delegation point is marked by one or more
332 <emphasis>NS records</emphasis> in the
333 parent zone, which should be matched by equivalent NS records at
334 the root of the delegated zone.
338 For instance, consider the <literal>example.com</literal>
339 domain which includes names
340 such as <literal>host.aaa.example.com</literal> and
341 <literal>host.bbb.example.com</literal> even though
342 the <literal>example.com</literal> zone includes
343 only delegations for the <literal>aaa.example.com</literal> and
344 <literal>bbb.example.com</literal> zones. A zone can
346 exactly to a single domain, but could also include only part of a
347 domain, the rest of which could be delegated to other
348 name servers. Every name in the <acronym>DNS</acronym>
350 <emphasis>domain</emphasis>, even if it is
351 <emphasis>terminal</emphasis>, that is, has no
352 <emphasis>subdomains</emphasis>. Every subdomain is a domain and
353 every domain except the root is also a subdomain. The terminology is
354 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
356 gain a complete understanding of this difficult and subtle
361 Though <acronym>BIND</acronym> is called a "domain name
363 it deals primarily in terms of zones. The master and slave
364 declarations in the <filename>named.conf</filename> file
366 zones, not domains. When you ask some other site if it is willing to
367 be a slave server for your <emphasis>domain</emphasis>, you are
368 actually asking for slave service for some collection of zones.
373 <title>Authoritative Name Servers</title>
376 Each zone is served by at least
377 one <emphasis>authoritative name server</emphasis>,
378 which contains the complete data for the zone.
379 To make the DNS tolerant of server and network failures,
380 most zones have two or more authoritative servers, on
385 Responses from authoritative servers have the "authoritative
386 answer" (AA) bit set in the response packets. This makes them
387 easy to identify when debugging DNS configurations using tools like
388 <command>dig</command> (<xref linkend="diagnostic_tools"/>).
392 <title>The Primary Master</title>
395 The authoritative server where the master copy of the zone
396 data is maintained is called the
397 <emphasis>primary master</emphasis> server, or simply the
398 <emphasis>primary</emphasis>. Typically it loads the zone
399 contents from some local file edited by humans or perhaps
400 generated mechanically from some other local file which is
401 edited by humans. This file is called the
402 <emphasis>zone file</emphasis> or
403 <emphasis>master file</emphasis>.
407 In some cases, however, the master file may not be edited
408 by humans at all, but may instead be the result of
409 <emphasis>dynamic update</emphasis> operations.
414 <title>Slave Servers</title>
416 The other authoritative servers, the <emphasis>slave</emphasis>
417 servers (also known as <emphasis>secondary</emphasis> servers)
419 the zone contents from another server using a replication process
420 known as a <emphasis>zone transfer</emphasis>. Typically the data
422 transferred directly from the primary master, but it is also
424 to transfer it from another slave. In other words, a slave server
425 may itself act as a master to a subordinate slave server.
430 <title>Stealth Servers</title>
433 Usually all of the zone's authoritative servers are listed in
434 NS records in the parent zone. These NS records constitute
435 a <emphasis>delegation</emphasis> of the zone from the parent.
436 The authoritative servers are also listed in the zone file itself,
437 at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
438 of the zone. You can list servers in the zone's top-level NS
439 records that are not in the parent's NS delegation, but you cannot
440 list servers in the parent's delegation that are not present at
441 the zone's top level.
445 A <emphasis>stealth server</emphasis> is a server that is
446 authoritative for a zone but is not listed in that zone's NS
447 records. Stealth servers can be used for keeping a local copy of
449 zone to speed up access to the zone's records or to make sure that
451 zone is available even if all the "official" servers for the zone
457 A configuration where the primary master server itself is a
458 stealth server is often referred to as a "hidden primary"
459 configuration. One use for this configuration is when the primary
461 is behind a firewall and therefore unable to communicate directly
462 with the outside world.
470 <title>Caching Name Servers</title>
473 - Terminology here is inconsistent. Probably ought to
474 - convert to using "recursive name server" everywhere
475 - with just a note about "caching" terminology.
479 The resolver libraries provided by most operating systems are
480 <emphasis>stub resolvers</emphasis>, meaning that they are not
482 performing the full DNS resolution process by themselves by talking
483 directly to the authoritative servers. Instead, they rely on a
485 name server to perform the resolution on their behalf. Such a
487 is called a <emphasis>recursive</emphasis> name server; it performs
488 <emphasis>recursive lookups</emphasis> for local clients.
492 To improve performance, recursive servers cache the results of
493 the lookups they perform. Since the processes of recursion and
494 caching are intimately connected, the terms
495 <emphasis>recursive server</emphasis> and
496 <emphasis>caching server</emphasis> are often used synonymously.
500 The length of time for which a record may be retained in
501 the cache of a caching name server is controlled by the
502 Time To Live (TTL) field associated with each resource record.
506 <title>Forwarding</title>
509 Even a caching name server does not necessarily perform
510 the complete recursive lookup itself. Instead, it can
511 <emphasis>forward</emphasis> some or all of the queries
512 that it cannot satisfy from its cache to another caching name
514 commonly referred to as a <emphasis>forwarder</emphasis>.
518 There may be one or more forwarders,
519 and they are queried in turn until the list is exhausted or an
521 is found. Forwarders are typically used when you do not
522 wish all the servers at a given site to interact directly with the
524 the Internet servers. A typical scenario would involve a number
525 of internal <acronym>DNS</acronym> servers and an
526 Internet firewall. Servers unable
527 to pass packets through the firewall would forward to the server
528 that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
529 on the internal server's behalf.
536 <title>Name Servers in Multiple Roles</title>
539 The <acronym>BIND</acronym> name server can
540 simultaneously act as
541 a master for some zones, a slave for other zones, and as a caching
542 (recursive) server for a set of local clients.
546 However, since the functions of authoritative name service
547 and caching/recursive name service are logically separate, it is
548 often advantageous to run them on separate server machines.
550 A server that only provides authoritative name service
551 (an <emphasis>authoritative-only</emphasis> server) can run with
552 recursion disabled, improving reliability and security.
554 A server that is not authoritative for any zones and only provides
555 recursive service to local
556 clients (a <emphasis>caching-only</emphasis> server)
557 does not need to be reachable from the Internet at large and can
558 be placed inside a firewall.
566 <chapter id="Bv9ARM.ch02">
567 <title><acronym>BIND</acronym> Resource Requirements</title>
570 <title>Hardware requirements</title>
573 <acronym>DNS</acronym> hardware requirements have
574 traditionally been quite modest.
575 For many installations, servers that have been pensioned off from
576 active duty have performed admirably as <acronym>DNS</acronym> servers.
579 The DNSSEC features of <acronym>BIND</acronym> 9
580 may prove to be quite
581 CPU intensive however, so organizations that make heavy use of these
582 features may wish to consider larger systems for these applications.
583 <acronym>BIND</acronym> 9 is fully multithreaded, allowing
585 multiprocessor systems for installations that need it.
589 <title>CPU Requirements</title>
591 CPU requirements for <acronym>BIND</acronym> 9 range from
593 for serving of static zones without caching, to enterprise-class
594 machines if you intend to process many dynamic updates and DNSSEC
595 signed zones, serving many thousands of queries per second.
600 <title>Memory Requirements</title>
602 The memory of the server has to be large enough to fit the
603 cache and zones loaded off disk. The <command>max-cache-size</command>
604 option can be used to limit the amount of memory used by the cache,
605 at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
607 Additionally, if additional section caching
608 (<xref linkend="acache"/>) is enabled,
609 the <command>max-acache-size</command> option can be used to
611 of memory used by the mechanism.
612 It is still good practice to have enough memory to load
613 all zone and cache data into memory — unfortunately, the best
615 to determine this for a given installation is to watch the name server
616 in operation. After a few weeks the server process should reach
617 a relatively stable size where entries are expiring from the cache as
618 fast as they are being inserted.
621 - Add something here about leaving overhead for attacks?
622 - How much overhead? Percentage?
627 <title>Name Server Intensive Environment Issues</title>
629 For name server intensive environments, there are two alternative
630 configurations that may be used. The first is where clients and
631 any second-level internal name servers query a main name server, which
632 has enough memory to build a large cache. This approach minimizes
633 the bandwidth used by external name lookups. The second alternative
634 is to set up second-level internal name servers to make queries
636 In this configuration, none of the individual machines needs to
637 have as much memory or CPU power as in the first alternative, but
638 this has the disadvantage of making many more external queries,
639 as none of the name servers share their cached data.
644 <title>Supported Operating Systems</title>
646 ISC <acronym>BIND</acronym> 9 compiles and runs on a large
648 of Unix-like operating systems and on
649 Microsoft Windows Server 2003 and 2008, and Windows XP and Vista.
651 list of supported systems, see the README file in the top level
653 of the BIND 9 source distribution.
658 <chapter id="Bv9ARM.ch03">
659 <title>Name Server Configuration</title>
661 In this chapter we provide some suggested configurations along
662 with guidelines for their use. We suggest reasonable values for
663 certain option settings.
666 <sect1 id="sample_configuration">
667 <title>Sample Configurations</title>
669 <title>A Caching-only Name Server</title>
671 The following sample configuration is appropriate for a caching-only
672 name server for use by clients internal to a corporation. All
674 from outside clients are refused using the <command>allow-query</command>
675 option. Alternatively, the same effect could be achieved using
681 // Two corporate subnets we wish to allow queries from.
682 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
685 directory "/etc/namedb";
687 allow-query { corpnets; };
689 // Provide a reverse mapping for the loopback
691 zone "0.0.127.in-addr.arpa" {
693 file "localhost.rev";
701 <title>An Authoritative-only Name Server</title>
703 This sample configuration is for an authoritative-only server
704 that is the master server for "<filename>example.com</filename>"
705 and a slave for the subdomain "<filename>eng.example.com</filename>".
711 directory "/etc/namedb";
712 // Do not allow access to cache
713 allow-query-cache { none; };
714 // This is the default
715 allow-query { any; };
716 // Do not provide recursive service
720 // Provide a reverse mapping for the loopback
722 zone "0.0.127.in-addr.arpa" {
724 file "localhost.rev";
727 // We are the master server for example.com
730 file "example.com.db";
731 // IP addresses of slave servers allowed to
732 // transfer example.com
738 // We are a slave server for eng.example.com
739 zone "eng.example.com" {
741 file "eng.example.com.bk";
742 // IP address of eng.example.com master server
743 masters { 192.168.4.12; };
751 <title>Load Balancing</title>
753 - Add explanation of why load balancing is fragile at best
754 - and completely pointless in the general case.
758 A primitive form of load balancing can be achieved in
759 the <acronym>DNS</acronym> by using multiple records
760 (such as multiple A records) for one name.
764 For example, if you have three WWW servers with network addresses
765 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
766 following means that clients will connect to each machine one third
770 <informaltable colsep="0" rowsep="0">
771 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
772 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
773 <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
774 <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
775 <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
776 <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
801 Resource Record (RR) Data
808 <literal>www</literal>
813 <literal>600</literal>
818 <literal>IN</literal>
828 <literal>10.0.0.1</literal>
838 <literal>600</literal>
843 <literal>IN</literal>
853 <literal>10.0.0.2</literal>
863 <literal>600</literal>
868 <literal>IN</literal>
878 <literal>10.0.0.3</literal>
886 When a resolver queries for these records, <acronym>BIND</acronym> will rotate
887 them and respond to the query with the records in a different
888 order. In the example above, clients will randomly receive
889 records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
890 will use the first record returned and discard the rest.
893 For more detail on ordering responses, check the
894 <command>rrset-order</command> sub-statement in the
895 <command>options</command> statement, see
896 <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
902 <title>Name Server Operations</title>
905 <title>Tools for Use With the Name Server Daemon</title>
907 This section describes several indispensable diagnostic,
908 administrative and monitoring tools available to the system
909 administrator for controlling and debugging the name server
912 <sect3 id="diagnostic_tools">
913 <title>Diagnostic Tools</title>
915 The <command>dig</command>, <command>host</command>, and
916 <command>nslookup</command> programs are all command
918 for manually querying name servers. They differ in style and
924 <term id="dig"><command>dig</command></term>
927 The domain information groper (<command>dig</command>)
928 is the most versatile and complete of these lookup tools.
929 It has two modes: simple interactive
930 mode for a single query, and batch mode which executes a
932 each in a list of several query lines. All query options are
934 from the command line.
936 <cmdsynopsis label="Usage">
937 <command>dig</command>
938 <arg>@<replaceable>server</replaceable></arg>
939 <arg choice="plain"><replaceable>domain</replaceable></arg>
940 <arg><replaceable>query-type</replaceable></arg>
941 <arg><replaceable>query-class</replaceable></arg>
942 <arg>+<replaceable>query-option</replaceable></arg>
943 <arg>-<replaceable>dig-option</replaceable></arg>
944 <arg>%<replaceable>comment</replaceable></arg>
947 The usual simple use of <command>dig</command> will take the form
950 <command>dig @server domain query-type query-class</command>
953 For more information and a list of available commands and
954 options, see the <command>dig</command> man
961 <term><command>host</command></term>
964 The <command>host</command> utility emphasizes
966 and ease of use. By default, it converts
967 between host names and Internet addresses, but its
969 can be extended with the use of options.
971 <cmdsynopsis label="Usage">
972 <command>host</command>
973 <arg>-aCdlnrsTwv</arg>
974 <arg>-c <replaceable>class</replaceable></arg>
975 <arg>-N <replaceable>ndots</replaceable></arg>
976 <arg>-t <replaceable>type</replaceable></arg>
977 <arg>-W <replaceable>timeout</replaceable></arg>
978 <arg>-R <replaceable>retries</replaceable></arg>
979 <arg>-m <replaceable>flag</replaceable></arg>
982 <arg choice="plain"><replaceable>hostname</replaceable></arg>
983 <arg><replaceable>server</replaceable></arg>
986 For more information and a list of available commands and
987 options, see the <command>host</command> man
994 <term><command>nslookup</command></term>
996 <para><command>nslookup</command>
997 has two modes: interactive and
998 non-interactive. Interactive mode allows the user to
999 query name servers for information about various
1000 hosts and domains or to print a list of hosts in a
1001 domain. Non-interactive mode is used to print just
1002 the name and requested information for a host or
1005 <cmdsynopsis label="Usage">
1006 <command>nslookup</command>
1007 <arg rep="repeat">-option</arg>
1009 <arg><replaceable>host-to-find</replaceable></arg>
1010 <arg>- <arg>server</arg></arg>
1014 Interactive mode is entered when no arguments are given (the
1015 default name server will be used) or when the first argument
1017 hyphen (`-') and the second argument is the host name or
1022 Non-interactive mode is used when the name or Internet
1024 of the host to be looked up is given as the first argument.
1026 optional second argument specifies the host name or address
1030 Due to its arcane user interface and frequently inconsistent
1031 behavior, we do not recommend the use of <command>nslookup</command>.
1032 Use <command>dig</command> instead.
1040 <sect3 id="admin_tools">
1041 <title>Administrative Tools</title>
1043 Administrative tools play an integral part in the management
1047 <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
1049 <term><command>named-checkconf</command></term>
1052 The <command>named-checkconf</command> program
1053 checks the syntax of a <filename>named.conf</filename> file.
1055 <cmdsynopsis label="Usage">
1056 <command>named-checkconf</command>
1058 <arg>-t <replaceable>directory</replaceable></arg>
1059 <arg><replaceable>filename</replaceable></arg>
1063 <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
1065 <term><command>named-checkzone</command></term>
1068 The <command>named-checkzone</command> program
1069 checks a master file for
1070 syntax and consistency.
1072 <cmdsynopsis label="Usage">
1073 <command>named-checkzone</command>
1075 <arg>-c <replaceable>class</replaceable></arg>
1076 <arg>-o <replaceable>output</replaceable></arg>
1077 <arg>-t <replaceable>directory</replaceable></arg>
1078 <arg>-w <replaceable>directory</replaceable></arg>
1079 <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
1080 <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
1081 <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
1082 <arg choice="plain"><replaceable>zone</replaceable></arg>
1083 <arg><replaceable>filename</replaceable></arg>
1087 <varlistentry id="named-compilezone" xreflabel="Zone Compilation application">
1088 <term><command>named-compilezone</command></term>
1091 Similar to <command>named-checkzone,</command> but
1092 it always dumps the zone content to a specified file
1093 (typically in a different format).
1097 <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
1099 <term><command>rndc</command></term>
1102 The remote name daemon control
1103 (<command>rndc</command>) program allows the
1105 administrator to control the operation of a name server.
1106 Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
1107 supports all the commands of the BIND 8 <command>ndc</command>
1108 utility except <command>ndc start</command> and
1109 <command>ndc restart</command>, which were also
1110 not supported in <command>ndc</command>'s
1112 If you run <command>rndc</command> without any
1114 it will display a usage message as follows:
1116 <cmdsynopsis label="Usage">
1117 <command>rndc</command>
1118 <arg>-c <replaceable>config</replaceable></arg>
1119 <arg>-s <replaceable>server</replaceable></arg>
1120 <arg>-p <replaceable>port</replaceable></arg>
1121 <arg>-y <replaceable>key</replaceable></arg>
1122 <arg choice="plain"><replaceable>command</replaceable></arg>
1123 <arg rep="repeat"><replaceable>command</replaceable></arg>
1126 <para>See <xref linkend="man.rndc"/> for details of
1127 the available <command>rndc</command> commands.
1131 <command>rndc</command> requires a configuration file,
1133 communication with the server is authenticated with
1134 digital signatures that rely on a shared secret, and
1135 there is no way to provide that secret other than with a
1136 configuration file. The default location for the
1137 <command>rndc</command> configuration file is
1138 <filename>/etc/rndc.conf</filename>, but an
1140 location can be specified with the <option>-c</option>
1141 option. If the configuration file is not found,
1142 <command>rndc</command> will also look in
1143 <filename>/etc/rndc.key</filename> (or whatever
1144 <varname>sysconfdir</varname> was defined when
1145 the <acronym>BIND</acronym> build was
1147 The <filename>rndc.key</filename> file is
1149 running <command>rndc-confgen -a</command> as
1151 <xref linkend="controls_statement_definition_and_usage"/>.
1155 The format of the configuration file is similar to
1156 that of <filename>named.conf</filename>, but
1158 only four statements, the <command>options</command>,
1159 <command>key</command>, <command>server</command> and
1160 <command>include</command>
1161 statements. These statements are what associate the
1162 secret keys to the servers with which they are meant to
1163 be shared. The order of statements is not
1168 The <command>options</command> statement has
1170 <command>default-server</command>, <command>default-key</command>,
1171 and <command>default-port</command>.
1172 <command>default-server</command> takes a
1173 host name or address argument and represents the server
1175 be contacted if no <option>-s</option>
1176 option is provided on the command line.
1177 <command>default-key</command> takes
1178 the name of a key as its argument, as defined by a <command>key</command> statement.
1179 <command>default-port</command> specifies the
1181 <command>rndc</command> should connect if no
1182 port is given on the command line or in a
1183 <command>server</command> statement.
1187 The <command>key</command> statement defines a
1189 by <command>rndc</command> when authenticating
1191 <command>named</command>. Its syntax is
1193 <command>key</command> statement in <filename>named.conf</filename>.
1194 The keyword <userinput>key</userinput> is
1195 followed by a key name, which must be a valid
1196 domain name, though it need not actually be hierarchical;
1198 a string like "<userinput>rndc_key</userinput>" is a valid
1200 The <command>key</command> statement has two
1202 <command>algorithm</command> and <command>secret</command>.
1203 While the configuration parser will accept any string as the
1205 to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
1206 has any meaning. The secret is a base-64 encoded string
1207 as specified in RFC 3548.
1211 The <command>server</command> statement
1213 defined using the <command>key</command>
1214 statement with a server.
1215 The keyword <userinput>server</userinput> is followed by a
1216 host name or address. The <command>server</command> statement
1217 has two clauses: <command>key</command> and <command>port</command>.
1218 The <command>key</command> clause specifies the
1220 to be used when communicating with this server, and the
1221 <command>port</command> clause can be used to
1222 specify the port <command>rndc</command> should
1228 A sample minimal configuration file is as follows:
1233 algorithm "hmac-md5";
1235 "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
1238 default-server 127.0.0.1;
1239 default-key rndc_key;
1244 This file, if installed as <filename>/etc/rndc.conf</filename>,
1245 would allow the command:
1249 <prompt>$ </prompt><userinput>rndc reload</userinput>
1253 to connect to 127.0.0.1 port 953 and cause the name server
1254 to reload, if a name server on the local machine were
1256 following controls statements:
1262 allow { localhost; } keys { rndc_key; };
1267 and it had an identical key statement for
1268 <literal>rndc_key</literal>.
1272 Running the <command>rndc-confgen</command>
1274 conveniently create a <filename>rndc.conf</filename>
1275 file for you, and also display the
1276 corresponding <command>controls</command>
1277 statement that you need to
1278 add to <filename>named.conf</filename>.
1280 you can run <command>rndc-confgen -a</command>
1282 a <filename>rndc.key</filename> file and not
1284 <filename>named.conf</filename> at all.
1295 <title>Signals</title>
1297 Certain UNIX signals cause the name server to take specific
1298 actions, as described in the following table. These signals can
1299 be sent using the <command>kill</command> command.
1301 <informaltable frame="all">
1303 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
1304 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
1308 <para><command>SIGHUP</command></para>
1312 Causes the server to read <filename>named.conf</filename> and
1313 reload the database.
1319 <para><command>SIGTERM</command></para>
1323 Causes the server to clean up and exit.
1329 <para><command>SIGINT</command></para>
1333 Causes the server to clean up and exit.
1344 <chapter id="Bv9ARM.ch04">
1345 <title>Advanced DNS Features</title>
1349 <title>Notify</title>
1351 <acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1352 servers to notify their slave servers of changes to a zone's data. In
1353 response to a <command>NOTIFY</command> from a master server, the
1354 slave will check to see that its version of the zone is the
1355 current version and, if not, initiate a zone transfer.
1359 For more information about <acronym>DNS</acronym>
1360 <command>NOTIFY</command>, see the description of the
1361 <command>notify</command> option in <xref linkend="boolean_options"/> and
1362 the description of the zone option <command>also-notify</command> in
1363 <xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1364 protocol is specified in RFC 1996.
1368 As a slave zone can also be a master to other slaves, <command>named</command>,
1369 by default, sends <command>NOTIFY</command> messages for every zone
1370 it loads. Specifying <command>notify master-only;</command> will
1371 cause <command>named</command> to only send <command>NOTIFY</command> for master
1372 zones that it loads.
1377 <sect1 id="dynamic_update">
1378 <title>Dynamic Update</title>
1381 Dynamic Update is a method for adding, replacing or deleting
1382 records in a master server by sending it a special form of DNS
1383 messages. The format and meaning of these messages is specified
1388 Dynamic update is enabled by including an
1389 <command>allow-update</command> or an <command>update-policy</command>
1390 clause in the <command>zone</command> statement.
1394 If the zone's <command>update-policy</command> is set to
1395 <userinput>local</userinput>, updates to the zone
1396 will be permitted for the key <varname>local-ddns</varname>,
1397 which will be generated by <command>named</command> at startup.
1398 See <xref linkend="dynamic_update_policies"/> for more details.
1402 Dynamic updates using Kerberos signed requests can be made
1403 using the TKEY/GSS protocol by setting either the
1404 <command>tkey-gssapi-keytab</command> option, or alternatively
1405 by setting both the <command>tkey-gssapi-credential</command>
1406 and <command>tkey-domain</command> options. Once enabled,
1407 Kerberos signed requests will be matched against the update
1408 policies for the zone, using the Kerberos principal as the
1409 signer for the request.
1413 Updating of secure zones (zones using DNSSEC) follows RFC
1414 3007: RRSIG, NSEC and NSEC3 records affected by updates are
1415 automatically regenerated by the server using an online
1416 zone key. Update authorization is based on transaction
1417 signatures and an explicit server policy.
1420 <sect2 id="journal">
1421 <title>The journal file</title>
1424 All changes made to a zone using dynamic update are stored
1425 in the zone's journal file. This file is automatically created
1426 by the server when the first dynamic update takes place.
1427 The name of the journal file is formed by appending the extension
1428 <filename>.jnl</filename> to the name of the
1430 file unless specifically overridden. The journal file is in a
1431 binary format and should not be edited manually.
1435 The server will also occasionally write ("dump")
1436 the complete contents of the updated zone to its zone file.
1437 This is not done immediately after
1438 each dynamic update, because that would be too slow when a large
1439 zone is updated frequently. Instead, the dump is delayed by
1440 up to 15 minutes, allowing additional updates to take place.
1441 During the dump process, transient files will be created
1442 with the extensions <filename>.jnw</filename> and
1443 <filename>.jbk</filename>; under ordinary circumstances, these
1444 will be removed when the dump is complete, and can be safely
1449 When a server is restarted after a shutdown or crash, it will replay
1450 the journal file to incorporate into the zone any updates that
1452 place after the last zone dump.
1456 Changes that result from incoming incremental zone transfers are
1458 journalled in a similar way.
1462 The zone files of dynamic zones cannot normally be edited by
1463 hand because they are not guaranteed to contain the most recent
1464 dynamic changes — those are only in the journal file.
1465 The only way to ensure that the zone file of a dynamic zone
1466 is up to date is to run <command>rndc stop</command>.
1470 If you have to make changes to a dynamic zone
1471 manually, the following procedure will work:
1472 Disable dynamic updates to the zone using
1473 <command>rndc freeze <replaceable>zone</replaceable></command>.
1474 This will update the zone's master file with the changes
1475 stored in its <filename>.jnl</filename> file.
1476 Edit the zone file. Run
1477 <command>rndc thaw <replaceable>zone</replaceable></command>
1478 to reload the changed zone and re-enable dynamic updates.
1482 <command>rndc sync <replaceable>zone</replaceable></command>
1483 will update the zone file with changes from the journal file
1484 without stopping dynamic updates; this may be useful for viewing
1485 the current zone state. To remove the <filename>.jnl</filename>
1486 file after updating the zone file, use
1487 <command>rndc sync -clean</command>.
1494 <sect1 id="incremental_zone_transfers">
1495 <title>Incremental Zone Transfers (IXFR)</title>
1498 The incremental zone transfer (IXFR) protocol is a way for
1499 slave servers to transfer only changed data, instead of having to
1500 transfer the entire zone. The IXFR protocol is specified in RFC
1501 1995. See <xref linkend="proposed_standards"/>.
1505 When acting as a master, <acronym>BIND</acronym> 9
1506 supports IXFR for those zones
1507 where the necessary change history information is available. These
1508 include master zones maintained by dynamic update and slave zones
1509 whose data was obtained by IXFR. For manually maintained master
1510 zones, and for slave zones obtained by performing a full zone
1511 transfer (AXFR), IXFR is supported only if the option
1512 <command>ixfr-from-differences</command> is set
1513 to <userinput>yes</userinput>.
1517 When acting as a slave, <acronym>BIND</acronym> 9 will
1518 attempt to use IXFR unless
1519 it is explicitly disabled. For more information about disabling
1520 IXFR, see the description of the <command>request-ixfr</command> clause
1521 of the <command>server</command> statement.
1526 <title>Split DNS</title>
1528 Setting up different views, or visibility, of the DNS space to
1529 internal and external resolvers is usually referred to as a
1530 <emphasis>Split DNS</emphasis> setup. There are several
1531 reasons an organization would want to set up its DNS this way.
1534 One common reason for setting up a DNS system this way is
1535 to hide "internal" DNS information from "external" clients on the
1536 Internet. There is some debate as to whether or not this is actually
1538 Internal DNS information leaks out in many ways (via email headers,
1539 for example) and most savvy "attackers" can find the information
1540 they need using other means.
1541 However, since listing addresses of internal servers that
1542 external clients cannot possibly reach can result in
1543 connection delays and other annoyances, an organization may
1544 choose to use a Split DNS to present a consistent view of itself
1545 to the outside world.
1548 Another common reason for setting up a Split DNS system is
1549 to allow internal networks that are behind filters or in RFC 1918
1550 space (reserved IP space, as documented in RFC 1918) to resolve DNS
1551 on the Internet. Split DNS can also be used to allow mail from outside
1552 back in to the internal network.
1555 <title>Example split DNS setup</title>
1557 Let's say a company named <emphasis>Example, Inc.</emphasis>
1558 (<literal>example.com</literal>)
1559 has several corporate sites that have an internal network with
1561 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1562 or "outside" section of a network, that is available to the public.
1565 <emphasis>Example, Inc.</emphasis> wants its internal clients
1566 to be able to resolve external hostnames and to exchange mail with
1567 people on the outside. The company also wants its internal resolvers
1568 to have access to certain internal-only zones that are not available
1569 at all outside of the internal network.
1572 In order to accomplish this, the company will set up two sets
1573 of name servers. One set will be on the inside network (in the
1575 IP space) and the other set will be on bastion hosts, which are
1577 hosts that can talk to both sides of its network, in the DMZ.
1580 The internal servers will be configured to forward all queries,
1581 except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1582 and <filename>site2.example.com</filename>, to the servers
1584 DMZ. These internal servers will have complete sets of information
1585 for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>, <filename>site1.internal</filename>,
1586 and <filename>site2.internal</filename>.
1589 To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1590 the internal name servers must be configured to disallow all queries
1591 to these domains from any external hosts, including the bastion
1595 The external servers, which are on the bastion hosts, will
1596 be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1597 This could include things such as the host records for public servers
1598 (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1599 and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
1602 In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1603 should have special MX records that contain wildcard (`*') records
1604 pointing to the bastion hosts. This is needed because external mail
1605 servers do not have any other way of looking up how to deliver mail
1606 to those internal hosts. With the wildcard records, the mail will
1607 be delivered to the bastion host, which can then forward it on to
1611 Here's an example of a wildcard MX record:
1613 <programlisting>* IN MX 10 external1.example.com.</programlisting>
1615 Now that they accept mail on behalf of anything in the internal
1616 network, the bastion hosts will need to know how to deliver mail
1617 to internal hosts. In order for this to work properly, the resolvers
1619 the bastion hosts will need to be configured to point to the internal
1620 name servers for DNS resolution.
1623 Queries for internal hostnames will be answered by the internal
1624 servers, and queries for external hostnames will be forwarded back
1625 out to the DNS servers on the bastion hosts.
1628 In order for all this to work properly, internal clients will
1629 need to be configured to query <emphasis>only</emphasis> the internal
1630 name servers for DNS queries. This could also be enforced via
1632 filtering on the network.
1635 If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1636 internal clients will now be able to:
1641 Look up any hostnames in the <literal>site1</literal>
1643 <literal>site2.example.com</literal> zones.
1648 Look up any hostnames in the <literal>site1.internal</literal> and
1649 <literal>site2.internal</literal> domains.
1653 <simpara>Look up any hostnames on the Internet.</simpara>
1656 <simpara>Exchange mail with both internal and external people.</simpara>
1660 Hosts on the Internet will be able to:
1665 Look up any hostnames in the <literal>site1</literal>
1667 <literal>site2.example.com</literal> zones.
1672 Exchange mail with anyone in the <literal>site1</literal> and
1673 <literal>site2.example.com</literal> zones.
1679 Here is an example configuration for the setup we just
1680 described above. Note that this is only configuration information;
1681 for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
1685 Internal DNS server config:
1690 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1692 acl externals { <varname>bastion-ips-go-here</varname>; };
1698 // forward to external servers
1700 <varname>bastion-ips-go-here</varname>;
1702 // sample allow-transfer (no one)
1703 allow-transfer { none; };
1704 // restrict query access
1705 allow-query { internals; externals; };
1706 // restrict recursion
1707 allow-recursion { internals; };
1712 // sample master zone
1713 zone "site1.example.com" {
1715 file "m/site1.example.com";
1716 // do normal iterative resolution (do not forward)
1718 allow-query { internals; externals; };
1719 allow-transfer { internals; };
1722 // sample slave zone
1723 zone "site2.example.com" {
1725 file "s/site2.example.com";
1726 masters { 172.16.72.3; };
1728 allow-query { internals; externals; };
1729 allow-transfer { internals; };
1732 zone "site1.internal" {
1734 file "m/site1.internal";
1736 allow-query { internals; };
1737 allow-transfer { internals; }
1740 zone "site2.internal" {
1742 file "s/site2.internal";
1743 masters { 172.16.72.3; };
1745 allow-query { internals };
1746 allow-transfer { internals; }
1751 External (bastion host) DNS server config:
1755 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1757 acl externals { bastion-ips-go-here; };
1762 // sample allow-transfer (no one)
1763 allow-transfer { none; };
1764 // default query access
1765 allow-query { any; };
1766 // restrict cache access
1767 allow-query-cache { internals; externals; };
1768 // restrict recursion
1769 allow-recursion { internals; externals; };
1774 // sample slave zone
1775 zone "site1.example.com" {
1777 file "m/site1.foo.com";
1778 allow-transfer { internals; externals; };
1781 zone "site2.example.com" {
1783 file "s/site2.foo.com";
1784 masters { another_bastion_host_maybe; };
1785 allow-transfer { internals; externals; }
1790 In the <filename>resolv.conf</filename> (or equivalent) on
1791 the bastion host(s):
1796 nameserver 172.16.72.2
1797 nameserver 172.16.72.3
1798 nameserver 172.16.72.4
1806 This is a short guide to setting up Transaction SIGnatures
1807 (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
1808 to the configuration file as well as what changes are required for
1809 different features, including the process of creating transaction
1810 keys and using transaction signatures with <acronym>BIND</acronym>.
1813 <acronym>BIND</acronym> primarily supports TSIG for server
1814 to server communication.
1815 This includes zone transfer, notify, and recursive query messages.
1816 Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
1821 TSIG can also be useful for dynamic update. A primary
1822 server for a dynamic zone should control access to the dynamic
1823 update service, but IP-based access control is insufficient.
1824 The cryptographic access control provided by TSIG
1825 is far superior. The <command>nsupdate</command>
1826 program supports TSIG via the <option>-k</option> and
1827 <option>-y</option> command line options or inline by use
1828 of the <command>key</command>.
1832 <title>Generate Shared Keys for Each Pair of Hosts</title>
1834 A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
1835 An arbitrary key name is chosen: "host1-host2.". The key name must
1836 be the same on both hosts.
1839 <title>Automatic Generation</title>
1841 The following command will generate a 128-bit (16 byte) HMAC-SHA256
1842 key as described above. Longer keys are better, but shorter keys
1843 are easier to read. Note that the maximum key length is the digest
1844 length, here 256 bits.
1847 <userinput>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</userinput>
1850 The key is in the file <filename>Khost1-host2.+163+00000.private</filename>.
1851 Nothing directly uses this file, but the base-64 encoded string
1852 following "<literal>Key:</literal>"
1853 can be extracted from the file and used as a shared secret:
1855 <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
1857 The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
1858 be used as the shared secret.
1862 <title>Manual Generation</title>
1864 The shared secret is simply a random sequence of bits, encoded
1865 in base-64. Most ASCII strings are valid base-64 strings (assuming
1866 the length is a multiple of 4 and only valid characters are used),
1867 so the shared secret can be manually generated.
1870 Also, a known string can be run through <command>mmencode</command> or
1871 a similar program to generate base-64 encoded data.
1876 <title>Copying the Shared Secret to Both Machines</title>
1878 This is beyond the scope of DNS. A secure transport mechanism
1879 should be used. This could be secure FTP, ssh, telephone, etc.
1883 <title>Informing the Servers of the Key's Existence</title>
1885 Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
1887 both servers. The following is added to each server's <filename>named.conf</filename> file:
1892 algorithm hmac-sha256;
1893 secret "La/E5CjG9O+os1jq0a2jdA==";
1898 The secret is the one generated above. Since this is a secret, it
1899 is recommended that either <filename>named.conf</filename> be
1900 non-world readable, or the key directive be added to a non-world
1901 readable file that is included by <filename>named.conf</filename>.
1904 At this point, the key is recognized. This means that if the
1905 server receives a message signed by this key, it can verify the
1906 signature. If the signature is successfully verified, the
1907 response is signed by the same key.
1912 <title>Instructing the Server to Use the Key</title>
1914 Since keys are shared between two hosts only, the server must
1915 be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
1916 for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
1922 keys { host1-host2. ;};
1927 Multiple keys may be present, but only the first is used.
1928 This directive does not contain any secrets, so it may be in a
1933 If <emphasis>host1</emphasis> sends a message that is a request
1934 to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
1935 expect any responses to signed messages to be signed with the same
1939 A similar statement must be present in <emphasis>host2</emphasis>'s
1940 configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
1941 sign request messages to <emphasis>host1</emphasis>.
1945 <title>TSIG Key Based Access Control</title>
1947 <acronym>BIND</acronym> allows IP addresses and ranges
1948 to be specified in ACL
1950 <command>allow-{ query | transfer | update }</command>
1952 This has been extended to allow TSIG keys also. The above key would
1953 be denoted <command>key host1-host2.</command>
1956 An example of an <command>allow-update</command> directive would be:
1960 allow-update { key host1-host2. ;};
1964 This allows dynamic updates to succeed only if the request
1965 was signed by a key named "<command>host1-host2.</command>".
1969 See <xref linkend="dynamic_update_policies"/> for a discussion of
1970 the more flexible <command>update-policy</command> statement.
1975 <title>Errors</title>
1978 The processing of TSIG signed messages can result in
1979 several errors. If a signed message is sent to a non-TSIG aware
1980 server, a FORMERR (format error) will be returned, since the server will not
1981 understand the record. This is a result of misconfiguration,
1982 since the server must be explicitly configured to send a TSIG
1983 signed message to a specific server.
1987 If a TSIG aware server receives a message signed by an
1988 unknown key, the response will be unsigned with the TSIG
1989 extended error code set to BADKEY. If a TSIG aware server
1990 receives a message with a signature that does not validate, the
1991 response will be unsigned with the TSIG extended error code set
1992 to BADSIG. If a TSIG aware server receives a message with a time
1993 outside of the allowed range, the response will be signed with
1994 the TSIG extended error code set to BADTIME, and the time values
1995 will be adjusted so that the response can be successfully
1996 verified. In any of these cases, the message's rcode (response code) is set to
1997 NOTAUTH (not authenticated).
2005 <para><command>TKEY</command>
2006 is a mechanism for automatically generating a shared secret
2007 between two hosts. There are several "modes" of
2008 <command>TKEY</command> that specify how the key is generated
2009 or assigned. <acronym>BIND</acronym> 9 implements only one of
2010 these modes, the Diffie-Hellman key exchange. Both hosts are
2011 required to have a Diffie-Hellman KEY record (although this
2012 record is not required to be present in a zone). The
2013 <command>TKEY</command> process must use signed messages,
2014 signed either by TSIG or SIG(0). The result of
2015 <command>TKEY</command> is a shared secret that can be used to
2016 sign messages with TSIG. <command>TKEY</command> can also be
2017 used to delete shared secrets that it had previously
2022 The <command>TKEY</command> process is initiated by a
2024 or server by sending a signed <command>TKEY</command>
2026 (including any appropriate KEYs) to a TKEY-aware server. The
2027 server response, if it indicates success, will contain a
2028 <command>TKEY</command> record and any appropriate keys.
2030 this exchange, both participants have enough information to
2031 determine the shared secret; the exact process depends on the
2032 <command>TKEY</command> mode. When using the
2034 <command>TKEY</command> mode, Diffie-Hellman keys are
2036 and the shared secret is derived by both participants.
2041 <title>SIG(0)</title>
2044 <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
2045 transaction signatures as specified in RFC 2535 and RFC 2931.
2047 uses public/private keys to authenticate messages. Access control
2048 is performed in the same manner as TSIG keys; privileges can be
2049 granted or denied based on the key name.
2053 When a SIG(0) signed message is received, it will only be
2054 verified if the key is known and trusted by the server; the server
2055 will not attempt to locate and/or validate the key.
2059 SIG(0) signing of multiple-message TCP streams is not
2064 The only tool shipped with <acronym>BIND</acronym> 9 that
2065 generates SIG(0) signed messages is <command>nsupdate</command>.
2070 <title>DNSSEC</title>
2073 Cryptographic authentication of DNS information is possible
2074 through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
2075 defined in RFC 4033, RFC 4034, and RFC 4035.
2076 This section describes the creation and use of DNSSEC signed zones.
2080 In order to set up a DNSSEC secure zone, there are a series
2081 of steps which must be followed. <acronym>BIND</acronym>
2084 that are used in this process, which are explained in more detail
2085 below. In all cases, the <option>-h</option> option prints a
2086 full list of parameters. Note that the DNSSEC tools require the
2087 keyset files to be in the working directory or the
2088 directory specified by the <option>-d</option> option, and
2089 that the tools shipped with BIND 9.2.x and earlier are not compatible
2090 with the current ones.
2094 There must also be communication with the administrators of
2095 the parent and/or child zone to transmit keys. A zone's security
2096 status must be indicated by the parent zone for a DNSSEC capable
2097 resolver to trust its data. This is done through the presence
2098 or absence of a <literal>DS</literal> record at the
2104 For other servers to trust data in this zone, they must
2105 either be statically configured with this zone's zone key or the
2106 zone key of another zone above this one in the DNS tree.
2110 <title>Generating Keys</title>
2113 The <command>dnssec-keygen</command> program is used to
2118 A secure zone must contain one or more zone keys. The
2119 zone keys will sign all other records in the zone, as well as
2120 the zone keys of any secure delegated zones. Zone keys must
2121 have the same name as the zone, a name type of
2122 <command>ZONE</command>, and must be usable for
2124 It is recommended that zone keys use a cryptographic algorithm
2125 designated as "mandatory to implement" by the IETF; currently
2126 the only one is RSASHA1.
2130 The following command will generate a 768-bit RSASHA1 key for
2131 the <filename>child.example</filename> zone:
2135 <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
2139 Two output files will be produced:
2140 <filename>Kchild.example.+005+12345.key</filename> and
2141 <filename>Kchild.example.+005+12345.private</filename>
2143 12345 is an example of a key tag). The key filenames contain
2144 the key name (<filename>child.example.</filename>),
2146 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
2148 The private key (in the <filename>.private</filename>
2150 used to generate signatures, and the public key (in the
2151 <filename>.key</filename> file) is used for signature
2156 To generate another key with the same properties (but with
2157 a different key tag), repeat the above command.
2161 The <command>dnssec-keyfromlabel</command> program is used
2162 to get a key pair from a crypto hardware and build the key
2163 files. Its usage is similar to <command>dnssec-keygen</command>.
2167 The public keys should be inserted into the zone file by
2168 including the <filename>.key</filename> files using
2169 <command>$INCLUDE</command> statements.
2174 <title>Signing the Zone</title>
2177 The <command>dnssec-signzone</command> program is used
2182 Any <filename>keyset</filename> files corresponding to
2183 secure subzones should be present. The zone signer will
2184 generate <literal>NSEC</literal>, <literal>NSEC3</literal>
2185 and <literal>RRSIG</literal> records for the zone, as
2186 well as <literal>DS</literal> for the child zones if
2187 <literal>'-g'</literal> is specified. If <literal>'-g'</literal>
2188 is not specified, then DS RRsets for the secure child
2189 zones need to be added manually.
2193 The following command signs the zone, assuming it is in a
2194 file called <filename>zone.child.example</filename>. By
2195 default, all zone keys which have an available private key are
2196 used to generate signatures.
2200 <userinput>dnssec-signzone -o child.example zone.child.example</userinput>
2204 One output file is produced:
2205 <filename>zone.child.example.signed</filename>. This
2207 should be referenced by <filename>named.conf</filename>
2209 input file for the zone.
2212 <para><command>dnssec-signzone</command>
2213 will also produce a keyset and dsset files and optionally a
2214 dlvset file. These are used to provide the parent zone
2215 administrators with the <literal>DNSKEYs</literal> (or their
2216 corresponding <literal>DS</literal> records) that are the
2217 secure entry point to the zone.
2223 <title>Configuring Servers</title>
2226 To enable <command>named</command> to respond appropriately
2227 to DNS requests from DNSSEC aware clients,
2228 <command>dnssec-enable</command> must be set to yes.
2229 (This is the default setting.)
2233 To enable <command>named</command> to validate answers from
2234 other servers, the <command>dnssec-enable</command> option
2235 must be set to <userinput>yes</userinput>, and the
2236 <command>dnssec-validation</command> options must be set to
2237 <userinput>yes</userinput> or <userinput>auto</userinput>.
2241 If <command>dnssec-validation</command> is set to
2242 <userinput>auto</userinput>, then a default
2243 trust anchor for the DNS root zone will be used.
2244 If it is set to <userinput>yes</userinput>, however,
2245 then at least one trust anchor must be configured
2246 with a <command>trusted-keys</command> or
2247 <command>managed-keys</command> statement in
2248 <filename>named.conf</filename>, or DNSSEC validation
2249 will not occur. The default setting is
2250 <userinput>yes</userinput>.
2254 <command>trusted-keys</command> are copies of DNSKEY RRs
2255 for zones that are used to form the first link in the
2256 cryptographic chain of trust. All keys listed in
2257 <command>trusted-keys</command> (and corresponding zones)
2258 are deemed to exist and only the listed keys will be used
2259 to validated the DNSKEY RRset that they are from.
2263 <command>managed-keys</command> are trusted keys which are
2264 automatically kept up to date via RFC 5011 trust anchor
2269 <command>trusted-keys</command> and
2270 <command>managed-keys</command> are described in more detail
2271 later in this document.
2275 Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
2276 9 does not verify signatures on load, so zone keys for
2277 authoritative zones do not need to be specified in the
2282 After DNSSEC gets established, a typical DNSSEC configuration
2283 will look something like the following. It has one or
2284 more public keys for the root. This allows answers from
2285 outside the organization to be validated. It will also
2286 have several keys for parts of the namespace the organization
2287 controls. These are here to ensure that <command>named</command>
2288 is immune to compromises in the DNSSEC components of the security
2295 "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
2296 JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
2297 aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
2298 4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
2299 hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
2300 5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
2301 g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
2302 66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
2303 97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
2304 dgxbcDTClU0CRBdiieyLMNzXG3";
2308 /* Key for our organization's forward zone */
2309 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM6
2310 5KbhTjrW1ZaARmPhEZZe3Y9ifgEuq7vZ/z
2311 GZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb
2312 4JKUbbOTcM8pwXlj0EiX3oDFVmjHO444gL
2313 kBOUKUf/mC7HvfwYH/Be22GnClrinKJp1O
2314 g4ywzO9WglMk7jbfW33gUKvirTHr25GL7S
2315 TQUzBb5Usxt8lgnyTUHs1t3JwCY5hKZ6Cq
2316 FxmAVZP20igTixin/1LcrgX/KMEGd/biuv
2317 F4qJCyduieHukuY3H4XMAcR+xia2nIUPvm
2318 /oyWR8BW/hWdzOvnSCThlHf3xiYleDbt/o
2321 /* Key for our reverse zone. */
2322 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
2323 xOdNax071L18QqZnQQQAVVr+i
2324 LhGTnNGp3HoWQLUIzKrJVZ3zg
2325 gy3WwNT6kZo6c0tszYqbtvchm
2326 gQC8CzKojM/W16i6MG/eafGU3
2327 siaOdS0yOI6BgPsw+YZdzlYMa
2328 IJGf4M4dyoKIhzdZyQ2bYQrjy
2329 Q4LB0lC7aOnsMyYKHHYeRvPxj
2330 IQXmdqgOJGq+vsevG06zW+1xg
2331 YJh9rCIfnm1GX/KMgxLPG2vXT
2332 D/RnLX+D3T3UL7HJYHJhAZD5L
2333 59VvjSPsZJHeDCUyWYrvPZesZ
2334 DIRvhDD52SKvbheeTJUm6Ehkz
2335 ytNN2SN96QRk8j/iI8ib";
2341 dnssec-validation yes;
2346 None of the keys listed in this example are valid. In particular,
2347 the root key is not valid.
2351 When DNSSEC validation is enabled and properly configured,
2352 the resolver will reject any answers from signed, secure zones
2353 which fail to validate, and will return SERVFAIL to the client.
2357 Responses may fail to validate for any of several reasons,
2358 including missing, expired, or invalid signatures, a key which
2359 does not match the DS RRset in the parent zone, or an insecure
2360 response from a zone which, according to its parent, should have
2366 When the validator receives a response from an unsigned zone
2367 that has a signed parent, it must confirm with the parent
2368 that the zone was intentionally left unsigned. It does
2369 this by verifying, via signed and validated NSEC/NSEC3 records,
2370 that the parent zone contains no DS records for the child.
2373 If the validator <emphasis>can</emphasis> prove that the zone
2374 is insecure, then the response is accepted. However, if it
2375 cannot, then it must assume an insecure response to be a
2376 forgery; it rejects the response and logs an error.
2379 The logged error reads "insecurity proof failed" and
2380 "got insecure response; parent indicates it should be secure".
2381 (Prior to BIND 9.7, the logged error was "not insecure".
2382 This referred to the zone, not the response.)
2389 <xi:include href="dnssec.xml"/>
2391 <xi:include href="managed-keys.xml"/>
2393 <xi:include href="pkcs11.xml"/>
2396 <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
2399 <acronym>BIND</acronym> 9 fully supports all currently
2400 defined forms of IPv6 name to address and address to name
2401 lookups. It will also use IPv6 addresses to make queries when
2402 running on an IPv6 capable system.
2406 For forward lookups, <acronym>BIND</acronym> 9 supports
2407 only AAAA records. RFC 3363 deprecated the use of A6 records,
2408 and client-side support for A6 records was accordingly removed
2409 from <acronym>BIND</acronym> 9.
2410 However, authoritative <acronym>BIND</acronym> 9 name servers still
2411 load zone files containing A6 records correctly, answer queries
2412 for A6 records, and accept zone transfer for a zone containing A6
2417 For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
2418 the traditional "nibble" format used in the
2419 <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
2420 <emphasis>ip6.int</emphasis> domain.
2421 Older versions of <acronym>BIND</acronym> 9
2422 supported the "binary label" (also known as "bitstring") format,
2423 but support of binary labels has been completely removed per
2425 Many applications in <acronym>BIND</acronym> 9 do not understand
2426 the binary label format at all any more, and will return an
2428 In particular, an authoritative <acronym>BIND</acronym> 9
2429 name server will not load a zone file containing binary labels.
2433 For an overview of the format and structure of IPv6 addresses,
2434 see <xref linkend="ipv6addresses"/>.
2438 <title>Address Lookups Using AAAA Records</title>
2441 The IPv6 AAAA record is a parallel to the IPv4 A record,
2442 and, unlike the deprecated A6 record, specifies the entire
2443 IPv6 address in a single record. For example,
2447 $ORIGIN example.com.
2448 host 3600 IN AAAA 2001:db8::1
2452 Use of IPv4-in-IPv6 mapped addresses is not recommended.
2453 If a host has an IPv4 address, use an A record, not
2454 a AAAA, with <literal>::ffff:192.168.42.1</literal> as
2459 <title>Address to Name Lookups Using Nibble Format</title>
2462 When looking up an address in nibble format, the address
2463 components are simply reversed, just as in IPv4, and
2464 <literal>ip6.arpa.</literal> is appended to the
2466 For example, the following would provide reverse name lookup for
2468 <literal>2001:db8::1</literal>.
2472 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
2473 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR (
2481 <chapter id="Bv9ARM.ch05">
2482 <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
2484 <title>The Lightweight Resolver Library</title>
2486 Traditionally applications have been linked with a stub resolver
2487 library that sends recursive DNS queries to a local caching name
2491 IPv6 once introduced new complexity into the resolution process,
2492 such as following A6 chains and DNAME records, and simultaneous
2493 lookup of IPv4 and IPv6 addresses. Though most of the complexity was
2494 then removed, these are hard or impossible
2495 to implement in a traditional stub resolver.
2498 <acronym>BIND</acronym> 9 therefore can also provide resolution
2499 services to local clients
2500 using a combination of a lightweight resolver library and a resolver
2501 daemon process running on the local host. These communicate using
2502 a simple UDP-based protocol, the "lightweight resolver protocol"
2503 that is distinct from and simpler than the full DNS protocol.
2507 <title>Running a Resolver Daemon</title>
2510 To use the lightweight resolver interface, the system must
2511 run the resolver daemon <command>lwresd</command> or a
2513 name server configured with a <command>lwres</command>
2518 By default, applications using the lightweight resolver library will
2520 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
2522 address can be overridden by <command>lwserver</command>
2524 <filename>/etc/resolv.conf</filename>.
2528 The daemon currently only looks in the DNS, but in the future
2529 it may use other sources such as <filename>/etc/hosts</filename>,
2534 The <command>lwresd</command> daemon is essentially a
2535 caching-only name server that responds to requests using the
2537 resolver protocol rather than the DNS protocol. Because it needs
2538 to run on each host, it is designed to require no or minimal
2540 Unless configured otherwise, it uses the name servers listed on
2541 <command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
2542 as forwarders, but is also capable of doing the resolution
2547 The <command>lwresd</command> daemon may also be
2549 <filename>named.conf</filename> style configuration file,
2551 <filename>/etc/lwresd.conf</filename> by default. A name
2553 be configured to act as a lightweight resolver daemon using the
2554 <command>lwres</command> statement in <filename>named.conf</filename>.
2560 <chapter id="Bv9ARM.ch06">
2561 <title><acronym>BIND</acronym> 9 Configuration Reference</title>
2564 <acronym>BIND</acronym> 9 configuration is broadly similar
2565 to <acronym>BIND</acronym> 8; however, there are a few new
2567 of configuration, such as views. <acronym>BIND</acronym>
2568 8 configuration files should work with few alterations in <acronym>BIND</acronym>
2569 9, although more complex configurations should be reviewed to check
2570 if they can be more efficiently implemented using the new features
2571 found in <acronym>BIND</acronym> 9.
2575 <acronym>BIND</acronym> 4 configuration files can be
2576 converted to the new format
2577 using the shell script
2578 <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
2580 <sect1 id="configuration_file_elements">
2581 <title>Configuration File Elements</title>
2583 Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
2586 <informaltable colsep="0" rowsep="0">
2587 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
2588 <colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
2589 <colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
2594 <varname>acl_name</varname>
2599 The name of an <varname>address_match_list</varname> as
2600 defined by the <command>acl</command> statement.
2607 <varname>address_match_list</varname>
2612 A list of one or more
2613 <varname>ip_addr</varname>,
2614 <varname>ip_prefix</varname>, <varname>key_id</varname>,
2615 or <varname>acl_name</varname> elements, see
2616 <xref linkend="address_match_lists"/>.
2623 <varname>masters_list</varname>
2628 A named list of one or more <varname>ip_addr</varname>
2629 with optional <varname>key_id</varname> and/or
2630 <varname>ip_port</varname>.
2631 A <varname>masters_list</varname> may include other
2632 <varname>masters_lists</varname>.
2639 <varname>domain_name</varname>
2644 A quoted string which will be used as
2645 a DNS name, for example "<literal>my.test.domain</literal>".
2652 <varname>namelist</varname>
2657 A list of one or more <varname>domain_name</varname>
2665 <varname>dotted_decimal</varname>
2670 One to four integers valued 0 through
2671 255 separated by dots (`.'), such as <command>123</command>,
2672 <command>45.67</command> or <command>89.123.45.67</command>.
2679 <varname>ip4_addr</varname>
2684 An IPv4 address with exactly four elements
2685 in <varname>dotted_decimal</varname> notation.
2692 <varname>ip6_addr</varname>
2697 An IPv6 address, such as <command>2001:db8::1234</command>.
2698 IPv6 scoped addresses that have ambiguity on their
2699 scope zones must be disambiguated by an appropriate
2700 zone ID with the percent character (`%') as
2701 delimiter. It is strongly recommended to use
2702 string zone names rather than numeric identifiers,
2703 in order to be robust against system configuration
2704 changes. However, since there is no standard
2705 mapping for such names and identifier values,
2706 currently only interface names as link identifiers
2707 are supported, assuming one-to-one mapping between
2708 interfaces and links. For example, a link-local
2709 address <command>fe80::1</command> on the link
2710 attached to the interface <command>ne0</command>
2711 can be specified as <command>fe80::1%ne0</command>.
2712 Note that on most systems link-local addresses
2713 always have the ambiguity, and need to be
2721 <varname>ip_addr</varname>
2726 An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
2733 <varname>ip_port</varname>
2738 An IP port <varname>number</varname>.
2739 The <varname>number</varname> is limited to 0
2740 through 65535, with values
2741 below 1024 typically restricted to use by processes running
2743 In some cases, an asterisk (`*') character can be used as a
2745 select a random high-numbered port.
2752 <varname>ip_prefix</varname>
2757 An IP network specified as an <varname>ip_addr</varname>,
2758 followed by a slash (`/') and then the number of bits in the
2760 Trailing zeros in a <varname>ip_addr</varname>
2762 For example, <command>127/8</command> is the
2763 network <command>127.0.0.0</command> with
2764 netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
2765 network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
2768 When specifying a prefix involving a IPv6 scoped address
2769 the scope may be omitted. In that case the prefix will
2770 match packets from any scope.
2777 <varname>key_id</varname>
2782 A <varname>domain_name</varname> representing
2783 the name of a shared key, to be used for transaction
2791 <varname>key_list</varname>
2796 A list of one or more
2797 <varname>key_id</varname>s,
2798 separated by semicolons and ending with a semicolon.
2805 <varname>number</varname>
2810 A non-negative 32-bit integer
2811 (i.e., a number between 0 and 4294967295, inclusive).
2812 Its acceptable value might further
2813 be limited by the context in which it is used.
2820 <varname>path_name</varname>
2825 A quoted string which will be used as
2826 a pathname, such as <filename>zones/master/my.test.domain</filename>.
2833 <varname>port_list</varname>
2838 A list of an <varname>ip_port</varname> or a port
2840 A port range is specified in the form of
2841 <userinput>range</userinput> followed by
2842 two <varname>ip_port</varname>s,
2843 <varname>port_low</varname> and
2844 <varname>port_high</varname>, which represents
2845 port numbers from <varname>port_low</varname> through
2846 <varname>port_high</varname>, inclusive.
2847 <varname>port_low</varname> must not be larger than
2848 <varname>port_high</varname>.
2850 <userinput>range 1024 65535</userinput> represents
2851 ports from 1024 through 65535.
2852 In either case an asterisk (`*') character is not
2853 allowed as a valid <varname>ip_port</varname>.
2860 <varname>size_spec</varname>
2865 A 64-bit unsigned integer, or the keywords
2866 <userinput>unlimited</userinput> or
2867 <userinput>default</userinput>.
2870 Integers may take values
2871 0 <= value <= 18446744073709551615, though
2873 (such as <command>max-journal-size</command>) may
2874 use a more limited range within these extremes.
2875 In most cases, setting a value to 0 does not
2876 literally mean zero; it means "undefined" or
2877 "as big as possible", depending on the context.
2878 See the explanations of particular parameters
2879 that use <varname>size_spec</varname>
2880 for details on how they interpret its use.
2883 Numeric values can optionally be followed by a
2885 <userinput>K</userinput> or <userinput>k</userinput>
2887 <userinput>M</userinput> or <userinput>m</userinput>
2889 <userinput>G</userinput> or <userinput>g</userinput>
2890 for gigabytes, which scale by 1024, 1024*1024, and
2891 1024*1024*1024 respectively.
2894 <varname>unlimited</varname> generally means
2895 "as big as possible", though in certain contexts,
2896 (including <option>max-cache-size</option>), it may
2897 mean the largest possible 32-bit unsigned integer
2898 (0xffffffff); this distinction can be important when
2899 dealing with larger quantities.
2900 <varname>unlimited</varname> is usually the best way
2901 to safely set a very large number.
2904 <varname>default</varname>
2905 uses the limit that was in force when the server was started.
2912 <varname>yes_or_no</varname>
2917 Either <userinput>yes</userinput> or <userinput>no</userinput>.
2918 The words <userinput>true</userinput> and <userinput>false</userinput> are
2919 also accepted, as are the numbers <userinput>1</userinput>
2920 and <userinput>0</userinput>.
2927 <varname>dialup_option</varname>
2932 One of <userinput>yes</userinput>,
2933 <userinput>no</userinput>, <userinput>notify</userinput>,
2934 <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
2935 <userinput>passive</userinput>.
2936 When used in a zone, <userinput>notify-passive</userinput>,
2937 <userinput>refresh</userinput>, and <userinput>passive</userinput>
2938 are restricted to slave and stub zones.
2945 <sect2 id="address_match_lists">
2946 <title>Address Match Lists</title>
2948 <title>Syntax</title>
2950 <programlisting><varname>address_match_list</varname> = address_match_list_element ;
2951 <optional> address_match_list_element; ... </optional>
2952 <varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
2953 key key_id | acl_name | { address_match_list } )
2958 <title>Definition and Usage</title>
2960 Address match lists are primarily used to determine access
2961 control for various server operations. They are also used in
2962 the <command>listen-on</command> and <command>sortlist</command>
2963 statements. The elements which constitute an address match
2964 list can be any of the following:
2968 <simpara>an IP address (IPv4 or IPv6)</simpara>
2971 <simpara>an IP prefix (in `/' notation)</simpara>
2975 a key ID, as defined by the <command>key</command>
2980 <simpara>the name of an address match list defined with
2981 the <command>acl</command> statement
2985 <simpara>a nested address match list enclosed in braces</simpara>
2990 Elements can be negated with a leading exclamation mark (`!'),
2991 and the match list names "any", "none", "localhost", and
2992 "localnets" are predefined. More information on those names
2993 can be found in the description of the acl statement.
2997 The addition of the key clause made the name of this syntactic
2998 element something of a misnomer, since security keys can be used
2999 to validate access without regard to a host or network address.
3000 Nonetheless, the term "address match list" is still used
3001 throughout the documentation.
3005 When a given IP address or prefix is compared to an address
3006 match list, the comparison takes place in approximately O(1)
3007 time. However, key comparisons require that the list of keys
3008 be traversed until a matching key is found, and therefore may
3013 The interpretation of a match depends on whether the list is being
3014 used for access control, defining <command>listen-on</command> ports, or in a
3015 <command>sortlist</command>, and whether the element was negated.
3019 When used as an access control list, a non-negated match
3020 allows access and a negated match denies access. If
3021 there is no match, access is denied. The clauses
3022 <command>allow-notify</command>,
3023 <command>allow-recursion</command>,
3024 <command>allow-recursion-on</command>,
3025 <command>allow-query</command>,
3026 <command>allow-query-on</command>,
3027 <command>allow-query-cache</command>,
3028 <command>allow-query-cache-on</command>,
3029 <command>allow-transfer</command>,
3030 <command>allow-update</command>,
3031 <command>allow-update-forwarding</command>, and
3032 <command>blackhole</command> all use address match
3033 lists. Similarly, the <command>listen-on</command> option will cause the
3034 server to refuse queries on any of the machine's
3035 addresses which do not match the list.
3039 Order of insertion is significant. If more than one element
3040 in an ACL is found to match a given IP address or prefix,
3041 preference will be given to the one that came
3042 <emphasis>first</emphasis> in the ACL definition.
3043 Because of this first-match behavior, an element that
3044 defines a subset of another element in the list should
3045 come before the broader element, regardless of whether
3046 either is negated. For example, in
3047 <command>1.2.3/24; ! 1.2.3.13;</command>
3048 the 1.2.3.13 element is completely useless because the
3049 algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
3050 element. Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
3051 that problem by having 1.2.3.13 blocked by the negation, but
3052 all other 1.2.3.* hosts fall through.
3058 <title>Comment Syntax</title>
3061 The <acronym>BIND</acronym> 9 comment syntax allows for
3063 anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
3064 file. To appeal to programmers of all kinds, they can be written
3065 in the C, C++, or shell/perl style.
3069 <title>Syntax</title>
3072 <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
3073 <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
3074 <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells
3075 # and perl</programlisting>
3079 <title>Definition and Usage</title>
3081 Comments may appear anywhere that whitespace may appear in
3082 a <acronym>BIND</acronym> configuration file.
3085 C-style comments start with the two characters /* (slash,
3086 star) and end with */ (star, slash). Because they are completely
3087 delimited with these characters, they can be used to comment only
3088 a portion of a line or to span multiple lines.
3091 C-style comments cannot be nested. For example, the following
3092 is not valid because the entire comment ends with the first */:
3096 <programlisting>/* This is the start of a comment.
3097 This is still part of the comment.
3098 /* This is an incorrect attempt at nesting a comment. */
3099 This is no longer in any comment. */
3105 C++-style comments start with the two characters // (slash,
3106 slash) and continue to the end of the physical line. They cannot
3107 be continued across multiple physical lines; to have one logical
3108 comment span multiple lines, each line must use the // pair.
3113 <programlisting>// This is the start of a comment. The next line
3114 // is a new comment, even though it is logically
3115 // part of the previous comment.
3120 Shell-style (or perl-style, if you prefer) comments start
3121 with the character <literal>#</literal> (number sign)
3122 and continue to the end of the
3123 physical line, as in C++ comments.
3129 <programlisting># This is the start of a comment. The next line
3130 # is a new comment, even though it is logically
3131 # part of the previous comment.
3138 You cannot use the semicolon (`;') character
3139 to start a comment such as you would in a zone file. The
3140 semicolon indicates the end of a configuration
3148 <sect1 id="Configuration_File_Grammar">
3149 <title>Configuration File Grammar</title>
3152 A <acronym>BIND</acronym> 9 configuration consists of
3153 statements and comments.
3154 Statements end with a semicolon. Statements and comments are the
3155 only elements that can appear without enclosing braces. Many
3156 statements contain a block of sub-statements, which are also
3157 terminated with a semicolon.
3161 The following statements are supported:
3164 <informaltable colsep="0" rowsep="0">
3165 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
3166 <colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
3167 <colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
3171 <para><command>acl</command></para>
3175 defines a named IP address
3176 matching list, for access control and other uses.
3182 <para><command>controls</command></para>
3186 declares control channels to be used
3187 by the <command>rndc</command> utility.
3193 <para><command>include</command></para>
3203 <para><command>key</command></para>
3207 specifies key information for use in
3208 authentication and authorization using TSIG.
3214 <para><command>logging</command></para>
3218 specifies what the server logs, and where
3219 the log messages are sent.
3225 <para><command>lwres</command></para>
3229 configures <command>named</command> to
3230 also act as a light-weight resolver daemon (<command>lwresd</command>).
3236 <para><command>masters</command></para>
3240 defines a named masters list for
3241 inclusion in stub and slave zones'
3242 <command>masters</command> or
3243 <command>also-notify</command> lists.
3249 <para><command>options</command></para>
3253 controls global server configuration
3254 options and sets defaults for other statements.
3260 <para><command>server</command></para>
3264 sets certain configuration options on
3271 <para><command>statistics-channels</command></para>
3275 declares communication channels to get access to
3276 <command>named</command> statistics.
3282 <para><command>trusted-keys</command></para>
3286 defines trusted DNSSEC keys.
3292 <para><command>managed-keys</command></para>
3296 lists DNSSEC keys to be kept up to date
3297 using RFC 5011 trust anchor maintenance.
3303 <para><command>view</command></para>
3313 <para><command>zone</command></para>
3326 The <command>logging</command> and
3327 <command>options</command> statements may only occur once
3333 <title><command>acl</command> Statement Grammar</title>
3335 <programlisting><command>acl</command> acl-name {
3342 <title><command>acl</command> Statement Definition and
3346 The <command>acl</command> statement assigns a symbolic
3347 name to an address match list. It gets its name from a primary
3348 use of address match lists: Access Control Lists (ACLs).
3352 Note that an address match list's name must be defined
3353 with <command>acl</command> before it can be used
3354 elsewhere; no forward references are allowed.
3358 The following ACLs are built-in:
3361 <informaltable colsep="0" rowsep="0">
3362 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
3363 <colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
3364 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
3368 <para><command>any</command></para>
3378 <para><command>none</command></para>
3388 <para><command>localhost</command></para>
3392 Matches the IPv4 and IPv6 addresses of all network
3393 interfaces on the system. When addresses are
3394 added or removed, the <command>localhost</command>
3395 ACL element is updated to reflect the changes.
3401 <para><command>localnets</command></para>
3405 Matches any host on an IPv4 or IPv6 network
3406 for which the system has an interface.
3407 When addresses are added or removed,
3408 the <command>localnets</command>
3409 ACL element is updated to reflect the changes.
3410 Some systems do not provide a way to determine the prefix
3412 local IPv6 addresses.
3413 In such a case, <command>localnets</command>
3414 only matches the local
3415 IPv6 addresses, just like <command>localhost</command>.
3425 <title><command>controls</command> Statement Grammar</title>
3427 <programlisting><command>controls</command> {
3428 [ inet ( ip_addr | * ) [ port ip_port ]
3429 allow { <replaceable> address_match_list </replaceable> }
3430 keys { <replaceable>key_list</replaceable> }; ]
3432 [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable>
3433 keys { <replaceable>key_list</replaceable> }; ]
3440 <sect2 id="controls_statement_definition_and_usage">
3441 <title><command>controls</command> Statement Definition and
3445 The <command>controls</command> statement declares control
3446 channels to be used by system administrators to control the
3447 operation of the name server. These control channels are
3448 used by the <command>rndc</command> utility to send
3449 commands to and retrieve non-DNS results from a name server.
3453 An <command>inet</command> control channel is a TCP socket
3454 listening at the specified <command>ip_port</command> on the
3455 specified <command>ip_addr</command>, which can be an IPv4 or IPv6
3456 address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
3457 interpreted as the IPv4 wildcard address; connections will be
3458 accepted on any of the system's IPv4 addresses.
3459 To listen on the IPv6 wildcard address,
3460 use an <command>ip_addr</command> of <literal>::</literal>.
3461 If you will only use <command>rndc</command> on the local host,
3462 using the loopback address (<literal>127.0.0.1</literal>
3463 or <literal>::1</literal>) is recommended for maximum security.
3467 If no port is specified, port 953 is used. The asterisk
3468 "<literal>*</literal>" cannot be used for <command>ip_port</command>.
3472 The ability to issue commands over the control channel is
3473 restricted by the <command>allow</command> and
3474 <command>keys</command> clauses.
3475 Connections to the control channel are permitted based on the
3476 <command>address_match_list</command>. This is for simple
3477 IP address based filtering only; any <command>key_id</command>
3478 elements of the <command>address_match_list</command>
3483 A <command>unix</command> control channel is a UNIX domain
3484 socket listening at the specified path in the file system.
3485 Access to the socket is specified by the <command>perm</command>,
3486 <command>owner</command> and <command>group</command> clauses.
3487 Note on some platforms (SunOS and Solaris) the permissions
3488 (<command>perm</command>) are applied to the parent directory
3489 as the permissions on the socket itself are ignored.
3493 The primary authorization mechanism of the command
3494 channel is the <command>key_list</command>, which
3495 contains a list of <command>key_id</command>s.
3496 Each <command>key_id</command> in the <command>key_list</command>
3497 is authorized to execute commands over the control channel.
3498 See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
3499 for information about configuring keys in <command>rndc</command>.
3503 If no <command>controls</command> statement is present,
3504 <command>named</command> will set up a default
3505 control channel listening on the loopback address 127.0.0.1
3506 and its IPv6 counterpart ::1.
3507 In this case, and also when the <command>controls</command> statement
3508 is present but does not have a <command>keys</command> clause,
3509 <command>named</command> will attempt to load the command channel key
3510 from the file <filename>rndc.key</filename> in
3511 <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
3512 was specified as when <acronym>BIND</acronym> was built).
3513 To create a <filename>rndc.key</filename> file, run
3514 <userinput>rndc-confgen -a</userinput>.
3518 The <filename>rndc.key</filename> feature was created to
3519 ease the transition of systems from <acronym>BIND</acronym> 8,
3520 which did not have digital signatures on its command channel
3521 messages and thus did not have a <command>keys</command> clause.
3523 It makes it possible to use an existing <acronym>BIND</acronym> 8
3524 configuration file in <acronym>BIND</acronym> 9 unchanged,
3525 and still have <command>rndc</command> work the same way
3526 <command>ndc</command> worked in BIND 8, simply by executing the
3527 command <userinput>rndc-confgen -a</userinput> after BIND 9 is
3532 Since the <filename>rndc.key</filename> feature
3533 is only intended to allow the backward-compatible usage of
3534 <acronym>BIND</acronym> 8 configuration files, this
3536 have a high degree of configurability. You cannot easily change
3537 the key name or the size of the secret, so you should make a
3538 <filename>rndc.conf</filename> with your own key if you
3540 those things. The <filename>rndc.key</filename> file
3542 permissions set such that only the owner of the file (the user that
3543 <command>named</command> is running as) can access it.
3545 desire greater flexibility in allowing other users to access
3546 <command>rndc</command> commands, then you need to create
3548 <filename>rndc.conf</filename> file and make it group
3550 that contains the users who should have access.
3554 To disable the command channel, use an empty
3555 <command>controls</command> statement:
3556 <command>controls { };</command>.
3561 <title><command>include</command> Statement Grammar</title>
3562 <programlisting><command>include</command> <replaceable>filename</replaceable>;</programlisting>
3565 <title><command>include</command> Statement Definition and
3569 The <command>include</command> statement inserts the
3570 specified file at the point where the <command>include</command>
3571 statement is encountered. The <command>include</command>
3572 statement facilitates the administration of configuration
3574 by permitting the reading or writing of some things but not
3575 others. For example, the statement could include private keys
3576 that are readable only by the name server.
3581 <title><command>key</command> Statement Grammar</title>
3583 <programlisting><command>key</command> <replaceable>key_id</replaceable> {
3584 algorithm <replaceable>string</replaceable>;
3585 secret <replaceable>string</replaceable>;
3592 <title><command>key</command> Statement Definition and Usage</title>
3595 The <command>key</command> statement defines a shared
3596 secret key for use with TSIG (see <xref linkend="tsig"/>)
3597 or the command channel
3598 (see <xref linkend="controls_statement_definition_and_usage"/>).
3602 The <command>key</command> statement can occur at the
3604 of the configuration file or inside a <command>view</command>
3605 statement. Keys defined in top-level <command>key</command>
3606 statements can be used in all views. Keys intended for use in
3607 a <command>controls</command> statement
3608 (see <xref linkend="controls_statement_definition_and_usage"/>)
3609 must be defined at the top level.
3613 The <replaceable>key_id</replaceable>, also known as the
3614 key name, is a domain name uniquely identifying the key. It can
3615 be used in a <command>server</command>
3616 statement to cause requests sent to that
3617 server to be signed with this key, or in address match lists to
3618 verify that incoming requests have been signed with a key
3619 matching this name, algorithm, and secret.
3623 The <replaceable>algorithm_id</replaceable> is a string
3624 that specifies a security/authentication algorithm. Named
3625 supports <literal>hmac-md5</literal>,
3626 <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
3627 <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
3628 and <literal>hmac-sha512</literal> TSIG authentication.
3629 Truncated hashes are supported by appending the minimum
3630 number of required bits preceded by a dash, e.g.
3631 <literal>hmac-sha1-80</literal>. The
3632 <replaceable>secret_string</replaceable> is the secret
3633 to be used by the algorithm, and is treated as a base-64
3639 <title><command>logging</command> Statement Grammar</title>
3641 <programlisting><command>logging</command> {
3642 [ <command>channel</command> <replaceable>channel_name</replaceable> {
3643 ( <command>file</command> <replaceable>path_name</replaceable>
3644 [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
3645 [ <command>size</command> <replaceable>size_spec</replaceable> ]
3646 | <command>syslog</command> <replaceable>syslog_facility</replaceable>
3647 | <command>stderr</command>
3648 | <command>null</command> );
3649 [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
3650 <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
3651 [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
3652 [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
3653 [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
3655 [ <command>category</command> <replaceable>category_name</replaceable> {
3656 <replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
3665 <title><command>logging</command> Statement Definition and
3669 The <command>logging</command> statement configures a
3671 variety of logging options for the name server. Its <command>channel</command> phrase
3672 associates output methods, format options and severity levels with
3673 a name that can then be used with the <command>category</command> phrase
3674 to select how various classes of messages are logged.
3677 Only one <command>logging</command> statement is used to
3679 as many channels and categories as are wanted. If there is no <command>logging</command> statement,
3680 the logging configuration will be:
3683 <programlisting>logging {
3684 category default { default_syslog; default_debug; };
3685 category unmatched { null; };
3690 In <acronym>BIND</acronym> 9, the logging configuration
3691 is only established when
3692 the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
3693 established as soon as the <command>logging</command>
3695 was parsed. When the server is starting up, all logging messages
3696 regarding syntax errors in the configuration file go to the default
3697 channels, or to standard error if the "<option>-g</option>" option
3702 <title>The <command>channel</command> Phrase</title>
3705 All log output goes to one or more <emphasis>channels</emphasis>;
3706 you can make as many of them as you want.
3710 Every channel definition must include a destination clause that
3711 says whether messages selected for the channel go to a file, to a
3712 particular syslog facility, to the standard error stream, or are
3713 discarded. It can optionally also limit the message severity level
3714 that will be accepted by the channel (the default is
3715 <command>info</command>), and whether to include a
3716 <command>named</command>-generated time stamp, the
3718 and/or severity level (the default is not to include any).
3722 The <command>null</command> destination clause
3723 causes all messages sent to the channel to be discarded;
3724 in that case, other options for the channel are meaningless.
3728 The <command>file</command> destination clause directs
3730 to a disk file. It can include limitations
3731 both on how large the file is allowed to become, and how many
3733 of the file will be saved each time the file is opened.
3737 If you use the <command>versions</command> log file
3739 <command>named</command> will retain that many backup
3740 versions of the file by
3741 renaming them when opening. For example, if you choose to keep
3743 of the file <filename>lamers.log</filename>, then just
3745 <filename>lamers.log.1</filename> is renamed to
3746 <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
3747 to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
3748 renamed to <filename>lamers.log.0</filename>.
3749 You can say <command>versions unlimited</command> to
3751 the number of versions.
3752 If a <command>size</command> option is associated with
3754 then renaming is only done when the file being opened exceeds the
3755 indicated size. No backup versions are kept by default; any
3757 log file is simply appended.
3761 The <command>size</command> option for files is used
3763 growth. If the file ever exceeds the size, then <command>named</command> will
3764 stop writing to the file unless it has a <command>versions</command> option
3765 associated with it. If backup versions are kept, the files are
3767 described above and a new one begun. If there is no
3768 <command>versions</command> option, no more data will
3769 be written to the log
3770 until some out-of-band mechanism removes or truncates the log to
3772 maximum size. The default behavior is not to limit the size of
3778 Example usage of the <command>size</command> and
3779 <command>versions</command> options:
3782 <programlisting>channel an_example_channel {
3783 file "example.log" versions 3 size 20m;
3790 The <command>syslog</command> destination clause
3792 channel to the system log. Its argument is a
3793 syslog facility as described in the <command>syslog</command> man
3794 page. Known facilities are <command>kern</command>, <command>user</command>,
3795 <command>mail</command>, <command>daemon</command>, <command>auth</command>,
3796 <command>syslog</command>, <command>lpr</command>, <command>news</command>,
3797 <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
3798 <command>ftp</command>, <command>local0</command>, <command>local1</command>,
3799 <command>local2</command>, <command>local3</command>, <command>local4</command>,
3800 <command>local5</command>, <command>local6</command> and
3801 <command>local7</command>, however not all facilities
3803 all operating systems.
3804 How <command>syslog</command> will handle messages
3806 this facility is described in the <command>syslog.conf</command> man
3807 page. If you have a system which uses a very old version of <command>syslog</command> that
3808 only uses two arguments to the <command>openlog()</command> function,
3809 then this clause is silently ignored.
3812 On Windows machines syslog messages are directed to the EventViewer.
3815 The <command>severity</command> clause works like <command>syslog</command>'s
3816 "priorities", except that they can also be used if you are writing
3817 straight to a file rather than using <command>syslog</command>.
3818 Messages which are not at least of the severity level given will
3819 not be selected for the channel; messages of higher severity
3824 If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
3825 will also determine what eventually passes through. For example,
3826 defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
3827 only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
3828 cause messages of severity <command>info</command> and
3829 <command>notice</command> to
3830 be dropped. If the situation were reversed, with <command>named</command> writing
3831 messages of only <command>warning</command> or higher,
3832 then <command>syslogd</command> would
3833 print all messages it received from the channel.
3837 The <command>stderr</command> destination clause
3839 channel to the server's standard error stream. This is intended
3841 use when the server is running as a foreground process, for
3843 when debugging a configuration.
3847 The server can supply extensive debugging information when
3848 it is in debugging mode. If the server's global debug level is
3850 than zero, then debugging mode will be active. The global debug
3851 level is set either by starting the <command>named</command> server
3852 with the <option>-d</option> flag followed by a positive integer,
3853 or by running <command>rndc trace</command>.
3854 The global debug level
3855 can be set to zero, and debugging mode turned off, by running <command>rndc
3856 notrace</command>. All debugging messages in the server have a debug
3857 level, and higher debug levels give more detailed output. Channels
3858 that specify a specific debug severity, for example:
3861 <programlisting>channel specific_debug_level {
3868 will get debugging output of level 3 or less any time the
3869 server is in debugging mode, regardless of the global debugging
3870 level. Channels with <command>dynamic</command>
3872 server's global debug level to determine what messages to print.
3875 If <command>print-time</command> has been turned on,
3877 the date and time will be logged. <command>print-time</command> may
3878 be specified for a <command>syslog</command> channel,
3880 pointless since <command>syslog</command> also logs
3882 time. If <command>print-category</command> is
3884 category of the message will be logged as well. Finally, if <command>print-severity</command> is
3885 on, then the severity level of the message will be logged. The <command>print-</command> options may
3886 be used in any combination, and will always be printed in the
3888 order: time, category, severity. Here is an example where all
3889 three <command>print-</command> options
3894 <computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
3898 There are four predefined channels that are used for
3899 <command>named</command>'s default logging as follows.
3901 used is described in <xref linkend="the_category_phrase"/>.
3904 <programlisting>channel default_syslog {
3905 // send to syslog's daemon facility
3907 // only send priority info and higher
3910 channel default_debug {
3911 // write to named.run in the working directory
3912 // Note: stderr is used instead of "named.run" if
3913 // the server is started with the '-f' option.
3915 // log at the server's current debug level
3919 channel default_stderr {
3922 // only send priority info and higher
3927 // toss anything sent to this channel
3933 The <command>default_debug</command> channel has the
3935 property that it only produces output when the server's debug
3937 nonzero. It normally writes to a file called <filename>named.run</filename>
3938 in the server's working directory.
3942 For security reasons, when the "<option>-u</option>"
3943 command line option is used, the <filename>named.run</filename> file
3944 is created only after <command>named</command> has
3946 new UID, and any debug output generated while <command>named</command> is
3947 starting up and still running as root is discarded. If you need
3948 to capture this output, you must run the server with the "<option>-g</option>"
3949 option and redirect standard error to a file.
3953 Once a channel is defined, it cannot be redefined. Thus you
3954 cannot alter the built-in channels directly, but you can modify
3955 the default logging by pointing categories at channels you have
3960 <sect3 id="the_category_phrase">
3961 <title>The <command>category</command> Phrase</title>
3964 There are many categories, so you can send the logs you want
3965 to see wherever you want, without seeing logs you don't want. If
3966 you don't specify a list of channels for a category, then log
3968 in that category will be sent to the <command>default</command> category
3969 instead. If you don't specify a default category, the following
3970 "default default" is used:
3973 <programlisting>category default { default_syslog; default_debug; };
3977 As an example, let's say you want to log security events to
3978 a file, but you also want keep the default logging behavior. You'd
3979 specify the following:
3982 <programlisting>channel my_security_channel {
3983 file "my_security_file";
3987 my_security_channel;
3993 To discard all messages in a category, specify the <command>null</command> channel:
3996 <programlisting>category xfer-out { null; };
3997 category notify { null; };
4001 Following are the available categories and brief descriptions
4002 of the types of log information they contain. More
4003 categories may be added in future <acronym>BIND</acronym> releases.
4005 <informaltable colsep="0" rowsep="0">
4006 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4007 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4008 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
4012 <para><command>default</command></para>
4016 The default category defines the logging
4017 options for those categories where no specific
4018 configuration has been
4025 <para><command>general</command></para>
4029 The catch-all. Many things still aren't
4030 classified into categories, and they all end up here.
4036 <para><command>database</command></para>
4040 Messages relating to the databases used
4041 internally by the name server to store zone and cache
4048 <para><command>security</command></para>
4052 Approval and denial of requests.
4058 <para><command>config</command></para>
4062 Configuration file parsing and processing.
4068 <para><command>resolver</command></para>
4072 DNS resolution, such as the recursive
4073 lookups performed on behalf of clients by a caching name
4080 <para><command>xfer-in</command></para>
4084 Zone transfers the server is receiving.
4090 <para><command>xfer-out</command></para>
4094 Zone transfers the server is sending.
4100 <para><command>notify</command></para>
4104 The NOTIFY protocol.
4110 <para><command>client</command></para>
4114 Processing of client requests.
4120 <para><command>unmatched</command></para>
4124 Messages that <command>named</command> was unable to determine the
4125 class of or for which there was no matching <command>view</command>.
4126 A one line summary is also logged to the <command>client</command> category.
4127 This category is best sent to a file or stderr, by
4128 default it is sent to
4129 the <command>null</command> channel.
4135 <para><command>network</command></para>
4145 <para><command>update</command></para>
4155 <para><command>update-security</command></para>
4159 Approval and denial of update requests.
4165 <para><command>queries</command></para>
4169 Specify where queries should be logged to.
4172 At startup, specifying the category <command>queries</command> will also
4173 enable query logging unless <command>querylog</command> option has been
4178 The query log entry reports the client's IP
4179 address and port number, and the query name,
4180 class and type. Next it reports whether the
4181 Recursion Desired flag was set (+ if set, -
4182 if not set), if the query was signed (S),
4183 EDNS was in use (E), if TCP was used (T), if
4184 DO (DNSSEC Ok) was set (D), or if CD (Checking
4185 Disabled) was set (C). After this the
4186 destination address the query was sent to is
4191 <computeroutput>client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</computeroutput>
4194 <computeroutput>client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</computeroutput>
4197 (The first part of this log message, showing the
4198 client address/port number and query name, is
4199 repeated in all subsequent log messages related
4206 <para><command>query-errors</command></para>
4210 Information about queries that resulted in some
4217 <para><command>dispatch</command></para>
4221 Dispatching of incoming packets to the
4222 server modules where they are to be processed.
4228 <para><command>dnssec</command></para>
4232 DNSSEC and TSIG protocol processing.
4238 <para><command>lame-servers</command></para>
4242 Lame servers. These are misconfigurations
4243 in remote servers, discovered by BIND 9 when trying to
4244 query those servers during resolution.
4250 <para><command>delegation-only</command></para>
4254 Delegation only. Logs queries that have been
4255 forced to NXDOMAIN as the result of a
4256 delegation-only zone or a
4257 <command>delegation-only</command> in a
4258 forward, hint or stub zone declaration.
4264 <para><command>edns-disabled</command></para>
4268 Log queries that have been forced to use plain
4269 DNS due to timeouts. This is often due to
4270 the remote servers not being RFC 1034 compliant
4271 (not always returning FORMERR or similar to
4272 EDNS queries and other extensions to the DNS
4273 when they are not understood). In other words, this is
4274 targeted at servers that fail to respond to
4275 DNS queries that they don't understand.
4278 Note: the log message can also be due to
4279 packet loss. Before reporting servers for
4280 non-RFC 1034 compliance they should be re-tested
4281 to determine the nature of the non-compliance.
4282 This testing should prevent or reduce the
4283 number of false-positive reports.
4286 Note: eventually <command>named</command> will have to stop
4287 treating such timeouts as due to RFC 1034 non
4288 compliance and start treating it as plain
4289 packet loss. Falsely classifying packet
4290 loss as due to RFC 1034 non compliance impacts
4291 on DNSSEC validation which requires EDNS for
4292 the DNSSEC records to be returned.
4298 <para><command>RPZ</command></para>
4302 Information about errors in response policy zone files,
4303 rewritten responses, and at the highest
4304 <command>debug</command> levels, mere rewriting
4311 <para><command>rate-limit</command></para>
4315 (Only available when <acronym>BIND</acronym> 9 is
4316 configured with the <userinput>--enable-rrl</userinput>
4317 option at compile time.)
4320 The start, periodic, and final notices of the
4321 rate limiting of a stream of responses are logged at
4322 <command>info</command> severity in this category.
4323 These messages include a hash value of the domain name
4324 of the response and the name itself,
4325 except when there is insufficient memory to record
4326 the name for the final notice
4327 The final notice is normally delayed until about one
4328 minute after rate limit stops.
4329 A lack of memory can hurry the final notice,
4330 in which case it starts with an asterisk (*).
4331 Various internal events are logged at debug 1 level
4335 Rate limiting of individual requests
4336 is logged in the <command>query-errors</command> category.
4345 <title>The <command>query-errors</command> Category</title>
4347 The <command>query-errors</command> category is
4348 specifically intended for debugging purposes: To identify
4349 why and how specific queries result in responses which
4351 Messages of this category are therefore only logged
4352 with <command>debug</command> levels.
4356 At the debug levels of 1 or higher, each response with the
4357 rcode of SERVFAIL is logged as follows:
4360 <computeroutput>client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</computeroutput>
4363 This means an error resulting in SERVFAIL was
4364 detected at line 3880 of source file
4365 <filename>query.c</filename>.
4366 Log messages of this level will particularly
4367 help identify the cause of SERVFAIL for an
4368 authoritative server.
4371 At the debug levels of 2 or higher, detailed context
4372 information of recursive resolutions that resulted in
4374 The log message will look like as follows:
4377 <!-- NOTE: newlines and some spaces added so this would fit on page -->
4379 fetch completed at resolver.c:2970 for www.example.com/A
4380 in 30.000183: timed out/success [domain:example.com,
4381 referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
4382 badresp:1,adberr:0,findfail:0,valfail:0]
4386 The first part before the colon shows that a recursive
4387 resolution for AAAA records of www.example.com completed
4388 in 30.000183 seconds and the final result that led to the
4389 SERVFAIL was determined at line 2970 of source file
4390 <filename>resolver.c</filename>.
4393 The following part shows the detected final result and the
4394 latest result of DNSSEC validation.
4395 The latter is always success when no validation attempt
4397 In this example, this query resulted in SERVFAIL probably
4398 because all name servers are down or unreachable, leading
4399 to a timeout in 30 seconds.
4400 DNSSEC validation was probably not attempted.
4403 The last part enclosed in square brackets shows statistics
4404 information collected for this particular resolution
4406 The <varname>domain</varname> field shows the deepest zone
4407 that the resolver reached;
4408 it is the zone where the error was finally detected.
4409 The meaning of the other fields is summarized in the
4413 <informaltable colsep="0" rowsep="0">
4414 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4415 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4416 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
4420 <para><varname>referral</varname></para>
4424 The number of referrals the resolver received
4425 throughout the resolution process.
4426 In the above example this is 2, which are most
4427 likely com and example.com.
4433 <para><varname>restart</varname></para>
4437 The number of cycles that the resolver tried
4438 remote servers at the <varname>domain</varname>
4440 In each cycle the resolver sends one query
4441 (possibly resending it, depending on the response)
4442 to each known name server of
4443 the <varname>domain</varname> zone.
4449 <para><varname>qrysent</varname></para>
4453 The number of queries the resolver sent at the
4454 <varname>domain</varname> zone.
4460 <para><varname>timeout</varname></para>
4464 The number of timeouts since the resolver
4465 received the last response.
4471 <para><varname>lame</varname></para>
4475 The number of lame servers the resolver detected
4476 at the <varname>domain</varname> zone.
4477 A server is detected to be lame either by an
4478 invalid response or as a result of lookup in
4479 BIND9's address database (ADB), where lame
4486 <para><varname>neterr</varname></para>
4490 The number of erroneous results that the
4491 resolver encountered in sending queries
4492 at the <varname>domain</varname> zone.
4493 One common case is the remote server is
4494 unreachable and the resolver receives an ICMP
4495 unreachable error message.
4501 <para><varname>badresp</varname></para>
4505 The number of unexpected responses (other than
4506 <varname>lame</varname>) to queries sent by the
4507 resolver at the <varname>domain</varname> zone.
4513 <para><varname>adberr</varname></para>
4517 Failures in finding remote server addresses
4518 of the <varname>domain</varname> zone in the ADB.
4519 One common case of this is that the remote
4520 server's name does not have any address records.
4526 <para><varname>findfail</varname></para>
4530 Failures of resolving remote server addresses.
4531 This is a total number of failures throughout
4532 the resolution process.
4538 <para><varname>valfail</varname></para>
4542 Failures of DNSSEC validation.
4543 Validation failures are counted throughout
4544 the resolution process (not limited to
4545 the <varname>domain</varname> zone), but should
4546 only happen in <varname>domain</varname>.
4554 At the debug levels of 3 or higher, the same messages
4555 as those at the debug 1 level are logged for other errors
4557 Note that negative responses such as NXDOMAIN are not
4558 regarded as errors here.
4561 At the debug levels of 4 or higher, the same messages
4562 as those at the debug 2 level are logged for other errors
4564 Unlike the above case of level 3, messages are logged for
4566 This is because any unexpected results can be difficult to
4567 debug in the recursion case.
4573 <title><command>lwres</command> Statement Grammar</title>
4576 This is the grammar of the <command>lwres</command>
4577 statement in the <filename>named.conf</filename> file:
4580 <programlisting><command>lwres</command> {
4581 <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
4582 <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4583 <optional> view <replaceable>view_name</replaceable>; </optional>
4584 <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
4585 <optional> ndots <replaceable>number</replaceable>; </optional>
4591 <title><command>lwres</command> Statement Definition and Usage</title>
4594 The <command>lwres</command> statement configures the
4596 server to also act as a lightweight resolver server. (See
4597 <xref linkend="lwresd"/>.) There may be multiple
4598 <command>lwres</command> statements configuring
4599 lightweight resolver servers with different properties.
4603 The <command>listen-on</command> statement specifies a
4605 IPv4 addresses (and ports) that this instance of a lightweight
4607 should accept requests on. If no port is specified, port 921 is
4609 If this statement is omitted, requests will be accepted on
4615 The <command>view</command> statement binds this
4617 lightweight resolver daemon to a view in the DNS namespace, so that
4619 response will be constructed in the same manner as a normal DNS
4621 matching this view. If this statement is omitted, the default view
4623 used, and if there is no default view, an error is triggered.
4627 The <command>search</command> statement is equivalent to
4629 <command>search</command> statement in
4630 <filename>/etc/resolv.conf</filename>. It provides a
4632 which are appended to relative names in queries.
4636 The <command>ndots</command> statement is equivalent to
4638 <command>ndots</command> statement in
4639 <filename>/etc/resolv.conf</filename>. It indicates the
4641 number of dots in a relative domain name that should result in an
4642 exact match lookup before search path elements are appended.
4646 <title><command>masters</command> Statement Grammar</title>
4649 <command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> |
4650 <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
4656 <title><command>masters</command> Statement Definition and
4658 <para><command>masters</command>
4659 lists allow for a common set of masters to be easily used by
4660 multiple stub and slave zones in their <command>masters</command>
4661 or <command>also-notify</command> lists.
4666 <title><command>options</command> Statement Grammar</title>
4669 This is the grammar of the <command>options</command>
4670 statement in the <filename>named.conf</filename> file:
4673 <programlisting><command>options</command> {
4674 <optional> attach-cache <replaceable>cache_name</replaceable>; </optional>
4675 <optional> version <replaceable>version_string</replaceable>; </optional>
4676 <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
4677 <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
4678 <optional> directory <replaceable>path_name</replaceable>; </optional>
4679 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
4680 <optional> managed-keys-directory <replaceable>path_name</replaceable>; </optional>
4681 <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
4682 <optional> tkey-gssapi-keytab <replaceable>path_name</replaceable>; </optional>
4683 <optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
4684 <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
4685 <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
4686 <optional> cache-file <replaceable>path_name</replaceable>; </optional>
4687 <optional> dump-file <replaceable>path_name</replaceable>; </optional>
4688 <optional> bindkeys-file <replaceable>path_name</replaceable>; </optional>
4689 <optional> secroots-file <replaceable>path_name</replaceable>; </optional>
4690 <optional> session-keyfile <replaceable>path_name</replaceable>; </optional>
4691 <optional> session-keyname <replaceable>key_name</replaceable>; </optional>
4692 <optional> session-keyalg <replaceable>algorithm_id</replaceable>; </optional>
4693 <optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
4694 <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
4695 <optional> pid-file <replaceable>path_name</replaceable>; </optional>
4696 <optional> recursing-file <replaceable>path_name</replaceable>; </optional>
4697 <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
4698 <optional> zone-statistics <replaceable>full</replaceable> | <replaceable>terse</replaceable> | <replaceable>none</replaceable>; </optional>
4699 <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
4700 <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
4701 <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
4702 <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
4703 <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
4704 <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
4705 <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
4706 <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
4707 <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
4708 <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
4709 <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
4710 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
4711 <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
4712 <optional> request-nsid <replaceable>yes_or_no</replaceable>; </optional>
4713 <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
4714 <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
4715 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
4716 <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
4717 <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
4718 <optional> dnssec-validation (<replaceable>yes_or_no</replaceable> | <constant>auto</constant>); </optional>
4719 <optional> dnssec-lookaside ( <replaceable>auto</replaceable> |
4720 <replaceable>no</replaceable> |
4721 <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable> ); </optional>
4722 <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
4723 <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
4724 <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
4725 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4726 <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
4727 ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
4728 <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
4730 <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
4731 ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4732 <optional> check-dup-records ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4733 <optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4734 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
4735 <optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
4736 <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4737 <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4738 <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
4739 <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4740 <optional> allow-new-zones { <replaceable>yes_or_no</replaceable> }; </optional>
4741 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
4742 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
4743 <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
4744 <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
4745 <optional> allow-query-cache-on { <replaceable>address_match_list</replaceable> }; </optional>
4746 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
4747 <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
4748 <optional> allow-recursion-on { <replaceable>address_match_list</replaceable> }; </optional>
4749 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
4750 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
4751 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
4752 <optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
4753 <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
4754 <optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
4755 <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ;</optional>
4756 <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
4757 <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
4758 <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
4759 <optional> no-case-compress { <replaceable>address_match_list</replaceable> }; </optional>
4760 <optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4761 <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4762 <optional> use-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4763 <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4764 <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4765 <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4766 <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
4767 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4768 <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4769 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4770 <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
4771 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4772 <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4773 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4774 <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
4775 <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
4776 <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
4777 <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
4778 <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
4779 <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
4780 <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
4781 <optional> tcp-clients <replaceable>number</replaceable>; </optional>
4782 <optional> reserved-sockets <replaceable>number</replaceable>; </optional>
4783 <optional> recursive-clients <replaceable>number</replaceable>; </optional>
4784 <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
4785 <optional> serial-queries <replaceable>number</replaceable>; </optional>
4786 <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
4787 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
4788 <optional> transfers-in <replaceable>number</replaceable>; </optional>
4789 <optional> transfers-out <replaceable>number</replaceable>; </optional>
4790 <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
4791 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4792 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4793 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4794 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
4795 <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4796 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
4797 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
4798 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4799 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4800 <optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional>
4801 <optional> also-notify { <replaceable>ip_addr</replaceable>
4802 <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>keyname</replaceable></optional> ;
4803 <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>keyname</replaceable></optional> ; ... </optional> }; </optional>
4804 <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
4805 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
4806 <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
4807 <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
4808 <optional> files <replaceable>size_spec</replaceable> ; </optional>
4809 <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
4810 <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
4811 <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
4812 <optional> interface-interval <replaceable>number</replaceable>; </optional>
4813 <optional> statistics-interval <replaceable>number</replaceable>; </optional>
4814 <optional> topology { <replaceable>address_match_list</replaceable> }</optional>;
4815 <optional> sortlist { <replaceable>address_match_list</replaceable> }</optional>;
4816 <optional> rrset-order { <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> };
4817 <optional> lame-ttl <replaceable>number</replaceable>; </optional>
4818 <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
4819 <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
4820 <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
4821 <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
4822 <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
4823 <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
4824 <optional> min-roots <replaceable>number</replaceable>; </optional>
4825 <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4826 <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4827 <optional> request-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4828 <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
4829 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
4830 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
4831 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
4832 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
4833 <optional> port <replaceable>ip_port</replaceable>; </optional>
4834 <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
4835 <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
4836 <optional> random-device <replaceable>path_name</replaceable> ; </optional>
4837 <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
4838 <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
4839 <optional> filter-aaaa-on-v4 ( <replaceable>yes_or_no</replaceable> | <replaceable>break-dnssec</replaceable> ); </optional>
4840 <optional> filter-aaaa { <replaceable>address_match_list</replaceable> }; </optional>
4841 <optional> dns64 <replaceable>ipv6-prefix</replaceable> {
4842 <optional> clients { <replaceable>address_match_list</replaceable> }; </optional>
4843 <optional> mapped { <replaceable>address_match_list</replaceable> }; </optional>
4844 <optional> exclude { <replaceable>address_match_list</replaceable> }; </optional>
4845 <optional> suffix IPv6-address; </optional>
4846 <optional> recursive-only <replaceable>yes_or_no</replaceable>; </optional>
4847 <optional> break-dnssec <replaceable>yes_or_no</replaceable>; </optional>
4849 <optional> dns64-server <replaceable>name</replaceable> </optional>
4850 <optional> dns64-contact <replaceable>name</replaceable> </optional>
4851 <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
4852 <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
4853 <optional> max-udp-size <replaceable>number</replaceable>; </optional>
4854 <optional> max-rsa-exponent-size <replaceable>number</replaceable>; </optional>
4855 <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
4856 <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
4857 <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>;
4858 <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
4859 <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
4860 <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
4861 <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
4862 <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
4863 <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
4864 <optional> max-recursion-depth <replaceable>number</replaceable> ; </optional>
4865 <optional> max-recursion-queries <replaceable>number</replaceable> ; </optional>
4866 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
4867 <optional> empty-server <replaceable>name</replaceable> ; </optional>
4868 <optional> empty-contact <replaceable>name</replaceable> ; </optional>
4869 <optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
4870 <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
4871 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
4872 <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
4873 <optional> resolver-query-timeout <replaceable>number</replaceable> ; </optional>
4874 <optional> deny-answer-addresses { <replaceable>address_match_list</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
4875 <optional> deny-answer-aliases { <replaceable>namelist</replaceable> } <optional> except-from { <replaceable>namelist</replaceable> } </optional>;</optional>
4876 <optional> rate-limit {
4877 <optional> responses-per-second <replaceable>number</replaceable> ; </optional>
4878 <optional> referrals-per-second <replaceable>number</replaceable> ; </optional>
4879 <optional> nodata-per-second <replaceable>number</replaceable> ; </optional>
4880 <optional> nxdomains-per-second <replaceable>number</replaceable> ; </optional>
4881 <optional> errors-per-second <replaceable>number</replaceable> ; </optional>
4882 <optional> all-per-second <replaceable>number</replaceable> ; </optional>
4883 <optional> window <replaceable>number</replaceable> ; </optional>
4884 <optional> log-only <replaceable>yes_or_no</replaceable> ; </optional>
4885 <optional> qps-scale <replaceable>number</replaceable> ; </optional>
4886 <optional> ipv4-prefix-length <replaceable>number</replaceable> ; </optional>
4887 <optional> ipv6-prefix-length <replaceable>number</replaceable> ; </optional>
4888 <optional> slip <replaceable>number</replaceable> ; </optional>
4889 <optional> exempt-clients { <replaceable>address_match_list</replaceable> } ; </optional>
4890 <optional> max-table-size <replaceable>number</replaceable> ; </optional>
4891 <optional> min-table-size <replaceable>number</replaceable> ; </optional>
4893 <optional> response-policy { <replaceable>zone_name</replaceable>
4894 <optional> policy given | disabled | passthru | nxdomain | nodata | cname <replaceable>domain</replaceable> </optional>
4895 <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional> ;
4896 } <optional> recursive-only <replaceable>yes_or_no</replaceable> </optional> <optional> max-policy-ttl <replaceable>number</replaceable> </optional>
4897 <optional> break-dnssec <replaceable>yes_or_no</replaceable> </optional> <optional> min-ns-dots <replaceable>number</replaceable> </optional> ; </optional>
4903 <sect2 id="options">
4904 <title><command>options</command> Statement Definition and
4908 The <command>options</command> statement sets up global
4910 to be used by <acronym>BIND</acronym>. This statement
4912 once in a configuration file. If there is no <command>options</command>
4913 statement, an options block with each option set to its default will
4920 <term><command>attach-cache</command></term>
4923 Allows multiple views to share a single cache
4925 Each view has its own cache database by default, but
4926 if multiple views have the same operational policy
4927 for name resolution and caching, those views can
4928 share a single cache to save memory and possibly
4929 improve resolution efficiency by using this option.
4933 The <command>attach-cache</command> option
4934 may also be specified in <command>view</command>
4935 statements, in which case it overrides the
4936 global <command>attach-cache</command> option.
4940 The <replaceable>cache_name</replaceable> specifies
4941 the cache to be shared.
4942 When the <command>named</command> server configures
4943 views which are supposed to share a cache, it
4944 creates a cache with the specified name for the
4945 first view of these sharing views.
4946 The rest of the views will simply refer to the
4947 already created cache.
4951 One common configuration to share a cache would be to
4952 allow all views to share a single cache.
4953 This can be done by specifying
4954 the <command>attach-cache</command> as a global
4955 option with an arbitrary name.
4959 Another possible operation is to allow a subset of
4960 all views to share a cache while the others to
4961 retain their own caches.
4962 For example, if there are three views A, B, and C,
4963 and only A and B should share a cache, specify the
4964 <command>attach-cache</command> option as a view A (or
4965 B)'s option, referring to the other view name:
4970 // this view has its own cache
4974 // this view refers to A's cache
4978 // this view has its own cache
4984 Views that share a cache must have the same policy
4985 on configurable parameters that may affect caching.
4986 The current implementation requires the following
4987 configurable options be consistent among these
4989 <command>check-names</command>,
4990 <command>cleaning-interval</command>,
4991 <command>dnssec-accept-expired</command>,
4992 <command>dnssec-validation</command>,
4993 <command>max-cache-ttl</command>,
4994 <command>max-ncache-ttl</command>,
4995 <command>max-cache-size</command>, and
4996 <command>zero-no-soa-ttl</command>.
5000 Note that there may be other parameters that may
5001 cause confusion if they are inconsistent for
5002 different views that share a single cache.
5003 For example, if these views define different sets of
5004 forwarders that can return different answers for the
5005 same question, sharing the answer does not make
5006 sense or could even be harmful.
5007 It is administrator's responsibility to ensure
5008 configuration differences in different views do
5009 not cause disruption with a shared cache.
5016 <term><command>directory</command></term>
5019 The working directory of the server.
5020 Any non-absolute pathnames in the configuration file will be
5022 as relative to this directory. The default location for most
5024 output files (e.g. <filename>named.run</filename>)
5026 If a directory is not specified, the working directory
5027 defaults to `<filename>.</filename>', the directory from
5029 was started. The directory specified should be an absolute
5036 <term><command>key-directory</command></term>
5039 When performing dynamic update of secure zones, the
5040 directory where the public and private DNSSEC key files
5041 should be found, if different than the current working
5042 directory. (Note that this option has no effect on the
5043 paths for files containing non-DNSSEC keys such as
5044 <filename>bind.keys</filename>,
5045 <filename>rndc.key</filename> or
5046 <filename>session.key</filename>.)
5052 <term><command>managed-keys-directory</command></term>
5055 Specifies the directory in which to store the files that
5056 track managed DNSSEC keys. By default, this is the working
5060 If <command>named</command> is not configured to use views,
5061 then managed keys for the server will be tracked in a single
5062 file called <filename>managed-keys.bind</filename>.
5063 Otherwise, managed keys will be tracked in separate files,
5064 one file per view; each file name will be the SHA256 hash
5065 of the view name, followed by the extension
5066 <filename>.mkeys</filename>.
5072 <term><command>named-xfer</command></term>
5075 <emphasis>This option is obsolete.</emphasis> It
5076 was used in <acronym>BIND</acronym> 8 to specify
5077 the pathname to the <command>named-xfer</command>
5078 program. In <acronym>BIND</acronym> 9, no separate
5079 <command>named-xfer</command> program is needed;
5080 its functionality is built into the name server.
5086 <term><command>tkey-gssapi-keytab</command></term>
5089 The KRB5 keytab file to use for GSS-TSIG updates. If
5090 this option is set and tkey-gssapi-credential is not
5091 set, then updates will be allowed with any key
5092 matching a principal in the specified keytab.
5098 <term><command>tkey-gssapi-credential</command></term>
5101 The security credential with which the server should
5102 authenticate keys requested by the GSS-TSIG protocol.
5103 Currently only Kerberos 5 authentication is available
5104 and the credential is a Kerberos principal which the
5105 server can acquire through the default system key
5106 file, normally <filename>/etc/krb5.keytab</filename>.
5107 The location keytab file can be overridden using the
5108 tkey-gssapi-keytab option. Normally this principal is
5109 of the form "<userinput>DNS/</userinput><varname>server.domain</varname>".
5110 To use GSS-TSIG, <command>tkey-domain</command> must
5111 also be set if a specific keytab is not set with
5118 <term><command>tkey-domain</command></term>
5121 The domain appended to the names of all shared keys
5122 generated with <command>TKEY</command>. When a
5123 client requests a <command>TKEY</command> exchange,
5124 it may or may not specify the desired name for the
5125 key. If present, the name of the shared key will
5126 be <varname>client specified part</varname> +
5127 <varname>tkey-domain</varname>. Otherwise, the
5128 name of the shared key will be <varname>random hex
5129 digits</varname> + <varname>tkey-domain</varname>.
5130 In most cases, the <command>domainname</command>
5131 should be the server's domain name, or an otherwise
5132 non-existent subdomain like
5133 "_tkey.<varname>domainname</varname>". If you are
5134 using GSS-TSIG, this variable must be defined, unless
5135 you specify a specific keytab using tkey-gssapi-keytab.
5141 <term><command>tkey-dhkey</command></term>
5144 The Diffie-Hellman key used by the server
5145 to generate shared keys with clients using the Diffie-Hellman
5147 of <command>TKEY</command>. The server must be
5149 public and private keys from files in the working directory.
5151 most cases, the keyname should be the server's host name.
5157 <term><command>cache-file</command></term>
5160 This is for testing only. Do not use.
5166 <term><command>dump-file</command></term>
5169 The pathname of the file the server dumps
5170 the database to when instructed to do so with
5171 <command>rndc dumpdb</command>.
5172 If not specified, the default is <filename>named_dump.db</filename>.
5178 <term><command>memstatistics-file</command></term>
5181 The pathname of the file the server writes memory
5182 usage statistics to on exit. If not specified,
5183 the default is <filename>named.memstats</filename>.
5189 <term><command>pid-file</command></term>
5192 The pathname of the file the server writes its process ID
5193 in. If not specified, the default is
5194 <filename>/var/run/named/named.pid</filename>.
5195 The PID file is used by programs that want to send signals to
5197 name server. Specifying <command>pid-file none</command> disables the
5198 use of a PID file — no file will be written and any
5199 existing one will be removed. Note that <command>none</command>
5200 is a keyword, not a filename, and therefore is not enclosed
5208 <term><command>recursing-file</command></term>
5211 The pathname of the file the server dumps
5212 the queries that are currently recursing when instructed
5213 to do so with <command>rndc recursing</command>.
5214 If not specified, the default is <filename>named.recursing</filename>.
5220 <term><command>statistics-file</command></term>
5223 The pathname of the file the server appends statistics
5224 to when instructed to do so using <command>rndc stats</command>.
5225 If not specified, the default is <filename>named.stats</filename> in the
5226 server's current directory. The format of the file is
5228 in <xref linkend="statsfile"/>.
5234 <term><command>bindkeys-file</command></term>
5237 The pathname of a file to override the built-in trusted
5238 keys provided by <command>named</command>.
5239 See the discussion of <command>dnssec-lookaside</command>
5240 and <command>dnssec-validation</command> for details.
5241 If not specified, the default is
5242 <filename>/etc/bind.keys</filename>.
5248 <term><command>secroots-file</command></term>
5251 The pathname of the file the server dumps
5252 security roots to when instructed to do so with
5253 <command>rndc secroots</command>.
5254 If not specified, the default is
5255 <filename>named.secroots</filename>.
5261 <term><command>session-keyfile</command></term>
5264 The pathname of the file into which to write a TSIG
5265 session key generated by <command>named</command> for use by
5266 <command>nsupdate -l</command>. If not specified, the
5267 default is <filename>/var/run/named/session.key</filename>.
5268 (See <xref linkend="dynamic_update_policies"/>, and in
5269 particular the discussion of the
5270 <command>update-policy</command> statement's
5271 <userinput>local</userinput> option for more
5272 information about this feature.)
5278 <term><command>session-keyname</command></term>
5281 The key name to use for the TSIG session key.
5282 If not specified, the default is "local-ddns".
5288 <term><command>session-keyalg</command></term>
5291 The algorithm to use for the TSIG session key.
5292 Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
5293 hmac-sha384, hmac-sha512 and hmac-md5. If not
5294 specified, the default is hmac-sha256.
5300 <term><command>port</command></term>
5303 The UDP/TCP port number the server uses for
5304 receiving and sending DNS protocol traffic.
5305 The default is 53. This option is mainly intended for server
5307 a server using a port other than 53 will not be able to
5315 <term><command>random-device</command></term>
5318 The source of entropy to be used by the server. Entropy is
5320 for DNSSEC operations, such as TKEY transactions and dynamic
5322 zones. This options specifies the device (or file) from which
5324 entropy. If this is a file, operations requiring entropy will
5326 file has been exhausted. If not specified, the default value
5328 <filename>/dev/random</filename>
5329 (or equivalent) when present, and none otherwise. The
5330 <command>random-device</command> option takes
5332 the initial configuration load at server startup time and
5333 is ignored on subsequent reloads.
5339 <term><command>preferred-glue</command></term>
5342 If specified, the listed type (A or AAAA) will be emitted
5344 in the additional section of a query response.
5345 The default is not to prefer any type (NONE).
5350 <varlistentry id="root_delegation_only">
5351 <term><command>root-delegation-only</command></term>
5354 Turn on enforcement of delegation-only in TLDs
5355 (top level domains) and root zones with an optional
5359 DS queries are expected to be made to and be answered by
5360 delegation only zones. Such queries and responses are
5361 treated as an exception to delegation-only processing
5362 and are not converted to NXDOMAIN responses provided
5363 a CNAME is not discovered at the query name.
5366 If a delegation only zone server also serves a child
5367 zone it is not always possible to determine whether
5368 an answer comes from the delegation only zone or the
5369 child zone. SOA NS and DNSKEY records are apex
5370 only records and a matching response that contains
5371 these records or DS is treated as coming from a
5372 child zone. RRSIG records are also examined to see
5373 if they are signed by a child zone or not. The
5374 authority section is also examined to see if there
5375 is evidence that the answer is from the child zone.
5376 Answers that are determined to be from a child zone
5377 are not converted to NXDOMAIN responses. Despite
5378 all these checks there is still a possibility of
5379 false negatives when a child zone is being served.
5382 Similarly false positives can arise from empty nodes
5383 (no records at the name) in the delegation only zone
5384 when the query type is not ANY.
5387 Note some TLDs are not delegation only (e.g. "DE", "LV",
5388 "US" and "MUSEUM"). This list is not exhaustive.
5393 root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
5401 <term><command>disable-algorithms</command></term>
5404 Disable the specified DNSSEC algorithms at and below the
5406 Multiple <command>disable-algorithms</command>
5407 statements are allowed.
5408 Only the most specific will be applied.
5414 <term><command>dnssec-lookaside</command></term>
5417 When set, <command>dnssec-lookaside</command> provides the
5418 validator with an alternate method to validate DNSKEY
5419 records at the top of a zone. When a DNSKEY is at or
5420 below a domain specified by the deepest
5421 <command>dnssec-lookaside</command>, and the normal DNSSEC
5422 validation has left the key untrusted, the trust-anchor
5423 will be appended to the key name and a DLV record will be
5424 looked up to see if it can validate the key. If the DLV
5425 record validates a DNSKEY (similarly to the way a DS
5426 record does) the DNSKEY RRset is deemed to be trusted.
5429 If <command>dnssec-lookaside</command> is set to
5430 <userinput>auto</userinput>, then built-in default
5431 values for the DLV domain and trust anchor will be
5432 used, along with a built-in key for validation.
5435 If <command>dnssec-lookaside</command> is set to
5436 <userinput>no</userinput>, then dnssec-lookaside
5440 The default DLV key is stored in the file
5441 <filename>bind.keys</filename>;
5442 <command>named</command> will load that key at
5443 startup if <command>dnssec-lookaside</command> is set to
5444 <constant>auto</constant>. A copy of the file is
5445 installed along with <acronym>BIND</acronym> 9, and is
5446 current as of the release date. If the DLV key expires, a
5447 new copy of <filename>bind.keys</filename> can be downloaded
5448 from <ulink url="https://www.isc.org/solutions/dlv/"
5449 >https://www.isc.org/solutions/dlv/</ulink>.
5452 (To prevent problems if <filename>bind.keys</filename> is
5453 not found, the current key is also compiled in to
5454 <command>named</command>. Relying on this is not
5455 recommended, however, as it requires <command>named</command>
5456 to be recompiled with a new key when the DLV key expires.)
5459 NOTE: <command>named</command> only loads certain specific
5460 keys from <filename>bind.keys</filename>: those for the
5461 DLV zone and for the DNS root zone. The file cannot be
5462 used to store keys for other zones.
5468 <term><command>dnssec-must-be-secure</command></term>
5471 Specify hierarchies which must be or may not be secure
5472 (signed and validated). If <userinput>yes</userinput>,
5473 then <command>named</command> will only accept answers if
5474 they are secure. If <userinput>no</userinput>, then normal
5475 DNSSEC validation applies allowing for insecure answers to
5476 be accepted. The specified domain must be under a
5477 <command>trusted-keys</command> or
5478 <command>managed-keys</command> statement, or
5479 <command>dnssec-lookaside</command> must be active.
5485 <term><command>dns64</command></term>
5488 This directive instructs <command>named</command> to
5489 return mapped IPv4 addresses to AAAA queries when
5490 there are no AAAA records. It is intended to be
5491 used in conjunction with a NAT64. Each
5492 <command>dns64</command> defines one DNS64 prefix.
5493 Multiple DNS64 prefixes can be defined.
5496 Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
5497 64 and 96 as per RFC 6052.
5500 Additionally a reverse IP6.ARPA zone will be created for
5501 the prefix to provide a mapping from the IP6.ARPA names
5502 to the corresponding IN-ADDR.ARPA names using synthesized
5503 CNAMEs. <command>dns64-server</command> and
5504 <command>dns64-contact</command> can be used to specify
5505 the name of the server and contact for the zones. These
5506 are settable at the view / options level. These are
5507 not settable on a per-prefix basis.
5510 Each <command>dns64</command> supports an optional
5511 <command>clients</command> ACL that determines which
5512 clients are affected by this directive. If not defined,
5513 it defaults to <userinput>any;</userinput>.
5516 Each <command>dns64</command> supports an optional
5517 <command>mapped</command> ACL that selects which
5518 IPv4 addresses are to be mapped in the corresponding
5519 A RRset. If not defined it defaults to
5520 <userinput>any;</userinput>.
5523 Normally, DNS64 won't apply to a domain name that
5524 owns one or more AAAA records; these records will
5525 simply be returned. The optional
5526 <command>exclude</command> ACL allows specification
5527 of a list of IPv6 addresses that will be ignored
5528 if they appear in a domain name's AAAA records, and
5529 DNS64 will be applied to any A records the domain
5530 name owns. If not defined, <command>exclude</command>
5534 A optional <command>suffix</command> can also
5535 be defined to set the bits trailing the mapped
5536 IPv4 address bits. By default these bits are
5537 set to <userinput>::</userinput>. The bits
5538 matching the prefix and mapped IPv4 address
5542 If <command>recursive-only</command> is set to
5543 <command>yes</command> the DNS64 synthesis will
5544 only happen for recursive queries. The default
5545 is <command>no</command>.
5548 If <command>break-dnssec</command> is set to
5549 <command>yes</command> the DNS64 synthesis will
5550 happen even if the result, if validated, would
5551 cause a DNSSEC validation failure. If this option
5552 is set to <command>no</command> (the default), the DO
5553 is set on the incoming query, and there are RRSIGs on
5554 the applicable records, then synthesis will not happen.
5557 acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
5559 dns64 64:FF9B::/96 {
5561 mapped { !rfc1918; any; };
5562 exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
5570 <term><command>dnssec-update-mode</command></term>
5573 If this option is set to its default value of
5574 <literal>maintain</literal> in a zone of type
5575 <literal>master</literal> which is DNSSEC-signed
5576 and configured to allow dynamic updates (see
5577 <xref linkend="dynamic_update_policies"/>), and
5578 if <command>named</command> has access to the
5579 private signing key(s) for the zone, then
5580 <command>named</command> will automatically sign all new
5581 or changed records and maintain signatures for the zone
5582 by regenerating RRSIG records whenever they approach
5583 their expiration date.
5586 If the option is changed to <literal>no-resign</literal>,
5587 then <command>named</command> will sign all new or
5588 changed records, but scheduled maintenance of
5589 signatures is disabled.
5592 With either of these settings, <command>named</command>
5593 will reject updates to a DNSSEC-signed zone when the
5594 signing keys are inactive or unavailable to
5595 <command>named</command>. (A planned third option,
5596 <literal>external</literal>, will disable all automatic
5597 signing and allow DNSSEC data to be submitted into a zone
5598 via dynamic update; this is not yet implemented.)
5604 <term><command>zone-statistics</command></term>
5607 If <userinput>full</userinput>, the server will collect
5608 statistical data on all zones (unless specifically
5609 turned off on a per-zone basis by specifying
5610 <command>zone-statistics terse</command> or
5611 <command>zone-statistics none</command>
5612 in the <command>zone</command> statement).
5613 The default is <userinput>terse</userinput>, providing
5614 minimal statistics on zones (including name and
5615 current serial number, but not query type
5619 These statistics may be accessed via the
5620 <command>statistics-channel</command> or
5621 using <command>rndc stats</command>, which
5622 will dump them to the file listed
5623 in the <command>statistics-file</command>. See
5624 also <xref linkend="statsfile"/>.
5627 For backward compatibility with earlier versions
5628 of BIND 9, the <command>zone-statistics</command>
5629 option can also accept <userinput>yes</userinput>
5630 or <userinput>no</userinput>, which have the same
5631 effect as <userinput>full</userinput> and
5632 <userinput>terse</userinput>, respectively.
5638 <sect3 id="boolean_options">
5639 <title>Boolean Options</title>
5644 <term><command>allow-new-zones</command></term>
5647 If <userinput>yes</userinput>, then zones can be
5648 added at runtime via <command>rndc addzone</command>
5649 or deleted via <command>rndc delzone</command>.
5650 The default is <userinput>no</userinput>.
5656 <term><command>auth-nxdomain</command></term>
5659 If <userinput>yes</userinput>, then the <command>AA</command> bit
5660 is always set on NXDOMAIN responses, even if the server is
5662 authoritative. The default is <userinput>no</userinput>;
5664 a change from <acronym>BIND</acronym> 8. If you
5665 are using very old DNS software, you
5666 may need to set it to <userinput>yes</userinput>.
5672 <term><command>deallocate-on-exit</command></term>
5675 This option was used in <acronym>BIND</acronym>
5676 8 to enable checking
5677 for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
5684 <term><command>memstatistics</command></term>
5687 Write memory statistics to the file specified by
5688 <command>memstatistics-file</command> at exit.
5689 The default is <userinput>no</userinput> unless
5690 '-m record' is specified on the command line in
5691 which case it is <userinput>yes</userinput>.
5697 <term><command>dialup</command></term>
5700 If <userinput>yes</userinput>, then the
5701 server treats all zones as if they are doing zone transfers
5703 a dial-on-demand dialup link, which can be brought up by
5705 originating from this server. This has different effects
5707 to zone type and concentrates the zone maintenance so that
5709 happens in a short interval, once every <command>heartbeat-interval</command> and
5710 hopefully during the one call. It also suppresses some of
5712 zone maintenance traffic. The default is <userinput>no</userinput>.
5715 The <command>dialup</command> option
5716 may also be specified in the <command>view</command> and
5717 <command>zone</command> statements,
5718 in which case it overrides the global <command>dialup</command>
5722 If the zone is a master zone, then the server will send out a
5724 request to all the slaves (default). This should trigger the
5726 number check in the slave (providing it supports NOTIFY)
5728 to verify the zone while the connection is active.
5729 The set of servers to which NOTIFY is sent can be controlled
5731 <command>notify</command> and <command>also-notify</command>.
5735 zone is a slave or stub zone, then the server will suppress
5737 "zone up to date" (refresh) queries and only perform them
5739 <command>heartbeat-interval</command> expires in
5744 Finer control can be achieved by using
5745 <userinput>notify</userinput> which only sends NOTIFY
5747 <userinput>notify-passive</userinput> which sends NOTIFY
5749 suppresses the normal refresh queries, <userinput>refresh</userinput>
5750 which suppresses normal refresh processing and sends refresh
5752 when the <command>heartbeat-interval</command>
5754 <userinput>passive</userinput> which just disables normal
5759 <informaltable colsep="0" rowsep="0">
5760 <tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
5761 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
5762 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
5763 <colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
5764 <colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
5790 <para><command>no</command> (default)</para>
5810 <para><command>yes</command></para>
5830 <para><command>notify</command></para>
5850 <para><command>refresh</command></para>
5870 <para><command>passive</command></para>
5890 <para><command>notify-passive</command></para>
5913 Note that normal NOTIFY processing is not affected by
5914 <command>dialup</command>.
5921 <term><command>fake-iquery</command></term>
5924 In <acronym>BIND</acronym> 8, this option
5925 enabled simulating the obsolete DNS query type
5926 IQUERY. <acronym>BIND</acronym> 9 never does
5933 <term><command>fetch-glue</command></term>
5936 This option is obsolete.
5937 In BIND 8, <userinput>fetch-glue yes</userinput>
5938 caused the server to attempt to fetch glue resource records
5940 didn't have when constructing the additional
5941 data section of a response. This is now considered a bad
5943 and BIND 9 never does it.
5949 <term><command>flush-zones-on-shutdown</command></term>
5952 When the nameserver exits due receiving SIGTERM,
5953 flush or do not flush any pending zone writes. The default
5955 <command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
5961 <term><command>has-old-clients</command></term>
5964 This option was incorrectly implemented
5965 in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
5966 To achieve the intended effect
5968 <command>has-old-clients</command> <userinput>yes</userinput>, specify
5969 the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
5970 and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
5976 <term><command>host-statistics</command></term>
5979 In BIND 8, this enables keeping of
5980 statistics for every host that the name server interacts
5982 Not implemented in BIND 9.
5988 <term><command>maintain-ixfr-base</command></term>
5991 <emphasis>This option is obsolete</emphasis>.
5992 It was used in <acronym>BIND</acronym> 8 to
5993 determine whether a transaction log was
5994 kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
5995 log whenever possible. If you need to disable outgoing
5997 transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
6003 <term><command>minimal-responses</command></term>
6006 If <userinput>yes</userinput>, then when generating
6007 responses the server will only add records to the authority
6008 and additional data sections when they are required (e.g.
6009 delegations, negative responses). This may improve the
6010 performance of the server.
6011 The default is <userinput>no</userinput>.
6017 <term><command>multiple-cnames</command></term>
6020 This option was used in <acronym>BIND</acronym> 8 to allow
6021 a domain name to have multiple CNAME records in violation of
6022 the DNS standards. <acronym>BIND</acronym> 9.2 onwards
6023 always strictly enforces the CNAME rules both in master
6024 files and dynamic updates.
6030 <term><command>notify</command></term>
6033 If <userinput>yes</userinput> (the default),
6034 DNS NOTIFY messages are sent when a zone the server is
6036 changes, see <xref linkend="notify"/>. The messages are
6038 servers listed in the zone's NS records (except the master
6040 in the SOA MNAME field), and to any servers listed in the
6041 <command>also-notify</command> option.
6044 If <userinput>master-only</userinput>, notifies are only
6047 If <userinput>explicit</userinput>, notifies are sent only
6049 servers explicitly listed using <command>also-notify</command>.
6050 If <userinput>no</userinput>, no notifies are sent.
6053 The <command>notify</command> option may also be
6054 specified in the <command>zone</command>
6056 in which case it overrides the <command>options notify</command> statement.
6057 It would only be necessary to turn off this option if it
6065 <term><command>notify-to-soa</command></term>
6068 If <userinput>yes</userinput> do not check the nameservers
6069 in the NS RRset against the SOA MNAME. Normally a NOTIFY
6070 message is not sent to the SOA MNAME (SOA ORIGIN) as it is
6071 supposed to contain the name of the ultimate master.
6072 Sometimes, however, a slave is listed as the SOA MNAME in
6073 hidden master configurations and in that case you would
6074 want the ultimate master to still send NOTIFY messages to
6075 all the nameservers listed in the NS RRset.
6081 <term><command>recursion</command></term>
6084 If <userinput>yes</userinput>, and a
6085 DNS query requests recursion, then the server will attempt
6087 all the work required to answer the query. If recursion is
6089 and the server does not already know the answer, it will
6091 referral response. The default is
6092 <userinput>yes</userinput>.
6093 Note that setting <command>recursion no</command> does not prevent
6094 clients from getting data from the server's cache; it only
6095 prevents new data from being cached as an effect of client
6097 Caching may still occur as an effect the server's internal
6098 operation, such as NOTIFY address lookups.
6099 See also <command>fetch-glue</command> above.
6105 <term><command>request-nsid</command></term>
6108 If <userinput>yes</userinput>, then an empty EDNS(0)
6109 NSID (Name Server Identifier) option is sent with all
6110 queries to authoritative name servers during iterative
6111 resolution. If the authoritative server returns an NSID
6112 option in its response, then its contents are logged in
6113 the <command>resolver</command> category at level
6114 <command>info</command>.
6115 The default is <userinput>no</userinput>.
6121 <term><command>rfc2308-type1</command></term>
6124 Setting this to <userinput>yes</userinput> will
6125 cause the server to send NS records along with the SOA
6127 answers. The default is <userinput>no</userinput>.
6131 Not yet implemented in <acronym>BIND</acronym>
6139 <term><command>use-id-pool</command></term>
6142 <emphasis>This option is obsolete</emphasis>.
6143 <acronym>BIND</acronym> 9 always allocates query
6150 <term><command>use-ixfr</command></term>
6153 <emphasis>This option is obsolete</emphasis>.
6154 If you need to disable IXFR to a particular server or
6156 the information on the <command>provide-ixfr</command> option
6157 in <xref linkend="server_statement_definition_and_usage"/>.
6159 <xref linkend="incremental_zone_transfers"/>.
6165 <term><command>provide-ixfr</command></term>
6168 See the description of
6169 <command>provide-ixfr</command> in
6170 <xref linkend="server_statement_definition_and_usage"/>.
6176 <term><command>request-ixfr</command></term>
6179 See the description of
6180 <command>request-ixfr</command> in
6181 <xref linkend="server_statement_definition_and_usage"/>.
6187 <term><command>treat-cr-as-space</command></term>
6190 This option was used in <acronym>BIND</acronym>
6192 the server treat carriage return ("<command>\r</command>") characters the same way
6193 as a space or tab character,
6194 to facilitate loading of zone files on a UNIX system that
6196 on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
6197 and NT/DOS "<command>\r\n</command>" newlines
6198 are always accepted,
6199 and the option is ignored.
6205 <term><command>additional-from-auth</command></term>
6206 <term><command>additional-from-cache</command></term>
6210 These options control the behavior of an authoritative
6212 answering queries which have additional data, or when
6218 When both of these options are set to <userinput>yes</userinput>
6220 query is being answered from authoritative data (a zone
6221 configured into the server), the additional data section of
6223 reply will be filled in using data from other authoritative
6225 and from the cache. In some situations this is undesirable,
6227 as when there is concern over the correctness of the cache,
6229 in servers where slave zones may be added and modified by
6230 untrusted third parties. Also, avoiding
6231 the search for this additional data will speed up server
6233 at the possible expense of additional queries to resolve
6235 otherwise be provided in the additional section.
6239 For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
6240 and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
6241 records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
6242 if known, even though they are not in the example.com zone.
6243 Setting these options to <command>no</command>
6244 disables this behavior and makes
6245 the server only search for additional data in the zone it
6250 These options are intended for use in authoritative-only
6251 servers, or in authoritative-only views. Attempts to set
6252 them to <command>no</command> without also
6254 <command>recursion no</command> will cause the
6256 ignore the options and log a warning message.
6260 Specifying <command>additional-from-cache no</command> actually
6261 disables the use of the cache not only for additional data
6263 but also when looking up the answer. This is usually the
6265 behavior in an authoritative-only server where the
6267 the cached data is an issue.
6271 When a name server is non-recursively queried for a name
6273 below the apex of any served zone, it normally answers with
6275 "upwards referral" to the root servers or the servers of
6277 known parent of the query name. Since the data in an
6279 comes from the cache, the server will not be able to provide
6281 referrals when <command>additional-from-cache no</command>
6282 has been specified. Instead, it will respond to such
6284 with REFUSED. This should not cause any problems since
6285 upwards referrals are not required for the resolution
6293 <term><command>match-mapped-addresses</command></term>
6296 If <userinput>yes</userinput>, then an
6297 IPv4-mapped IPv6 address will match any address match
6298 list entries that match the corresponding IPv4 address.
6301 This option was introduced to work around a kernel quirk
6302 in some operating systems that causes IPv4 TCP
6303 connections, such as zone transfers, to be accepted on an
6304 IPv6 socket using mapped addresses. This caused address
6305 match lists designed for IPv4 to fail to match. However,
6306 <command>named</command> now solves this problem
6307 internally. The use of this option is discouraged.
6313 <term><command>filter-aaaa-on-v4</command></term>
6316 This option is only available when
6317 <acronym>BIND</acronym> 9 is compiled with the
6318 <userinput>--enable-filter-aaaa</userinput> option on the
6319 "configure" command line. It is intended to help the
6320 transition from IPv4 to IPv6 by not giving IPv6 addresses
6321 to DNS clients unless they have connections to the IPv6
6322 Internet. This is not recommended unless absolutely
6323 necessary. The default is <userinput>no</userinput>.
6324 The <command>filter-aaaa-on-v4</command> option
6325 may also be specified in <command>view</command> statements
6326 to override the global <command>filter-aaaa-on-v4</command>
6330 If <userinput>yes</userinput>,
6331 the DNS client is at an IPv4 address, in <command>filter-aaaa</command>,
6332 and if the response does not include DNSSEC signatures,
6333 then all AAAA records are deleted from the response.
6334 This filtering applies to all responses and not only
6335 authoritative responses.
6338 If <userinput>break-dnssec</userinput>,
6339 then AAAA records are deleted even when dnssec is enabled.
6340 As suggested by the name, this makes the response not verify,
6341 because the DNSSEC protocol is designed detect deletions.
6344 This mechanism can erroneously cause other servers to
6345 not give AAAA records to their clients.
6346 A recursing server with both IPv6 and IPv4 network connections
6347 that queries an authoritative server using this mechanism
6348 via IPv4 will be denied AAAA records even if its client is
6352 This mechanism is applied to authoritative as well as
6353 non-authoritative records.
6354 A client using IPv4 that is not allowed recursion can
6355 erroneously be given AAAA records because the server is not
6356 allowed to check for A records.
6359 Some AAAA records are given to IPv4 clients in glue records.
6360 IPv4 clients that are servers can then erroneously
6361 answer requests for AAAA records received via IPv4.
6367 <term><command>ixfr-from-differences</command></term>
6370 When <userinput>yes</userinput> and the server loads a new
6371 version of a master zone from its zone file or receives a
6372 new version of a slave file via zone transfer, it will
6373 compare the new version to the previous one and calculate
6374 a set of differences. The differences are then logged in
6375 the zone's journal file such that the changes can be
6376 transmitted to downstream slaves as an incremental zone
6380 By allowing incremental zone transfers to be used for
6381 non-dynamic zones, this option saves bandwidth at the
6382 expense of increased CPU and memory consumption at the
6384 In particular, if the new version of a zone is completely
6385 different from the previous one, the set of differences
6386 will be of a size comparable to the combined size of the
6387 old and new zone version, and the server will need to
6388 temporarily allocate memory to hold this complete
6391 <para><command>ixfr-from-differences</command>
6392 also accepts <command>master</command> and
6393 <command>slave</command> at the view and options
6395 <command>ixfr-from-differences</command> to be enabled for
6396 all <command>master</command> or
6397 <command>slave</command> zones respectively.
6398 It is off by default.
6404 <term><command>multi-master</command></term>
6407 This should be set when you have multiple masters for a zone
6409 addresses refer to different machines. If <userinput>yes</userinput>, <command>named</command> will
6411 when the serial number on the master is less than what <command>named</command>
6413 has. The default is <userinput>no</userinput>.
6419 <term><command>dnssec-enable</command></term>
6422 Enable DNSSEC support in <command>named</command>. Unless set to <userinput>yes</userinput>,
6423 <command>named</command> behaves as if it does not support DNSSEC.
6424 The default is <userinput>yes</userinput>.
6430 <term><command>dnssec-validation</command></term>
6433 Enable DNSSEC validation in <command>named</command>.
6434 Note <command>dnssec-enable</command> also needs to be
6435 set to <userinput>yes</userinput> to be effective.
6436 If set to <userinput>no</userinput>, DNSSEC validation
6437 is disabled. If set to <userinput>auto</userinput>,
6438 DNSSEC validation is enabled, and a default
6439 trust-anchor for the DNS root zone is used. If set to
6440 <userinput>yes</userinput>, DNSSEC validation is enabled,
6441 but a trust anchor must be manually configured using
6442 a <command>trusted-keys</command> or
6443 <command>managed-keys</command> statement. The default
6444 is <userinput>yes</userinput>.
6450 <term><command>dnssec-accept-expired</command></term>
6453 Accept expired signatures when verifying DNSSEC signatures.
6454 The default is <userinput>no</userinput>.
6455 Setting this option to <userinput>yes</userinput>
6456 leaves <command>named</command> vulnerable to
6463 <term><command>querylog</command></term>
6466 Specify whether query logging should be started when <command>named</command>
6468 If <command>querylog</command> is not specified,
6469 then the query logging
6470 is determined by the presence of the logging category <command>queries</command>.
6476 <term><command>check-names</command></term>
6479 This option is used to restrict the character set and syntax
6481 certain domain names in master files and/or DNS responses
6483 from the network. The default varies according to usage
6485 <command>master</command> zones the default is <command>fail</command>.
6486 For <command>slave</command> zones the default
6487 is <command>warn</command>.
6488 For answers received from the network (<command>response</command>)
6489 the default is <command>ignore</command>.
6492 The rules for legal hostnames and mail domains are derived
6493 from RFC 952 and RFC 821 as modified by RFC 1123.
6495 <para><command>check-names</command>
6496 applies to the owner names of A, AAAA and MX records.
6497 It also applies to the domain names in the RDATA of NS, SOA,
6498 MX, and SRV records.
6499 It also applies to the RDATA of PTR records where the owner
6500 name indicated that it is a reverse lookup of a hostname
6501 (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
6507 <term><command>check-dup-records</command></term>
6510 Check master zones for records that are treated as different
6511 by DNSSEC but are semantically equal in plain DNS. The
6512 default is to <command>warn</command>. Other possible
6513 values are <command>fail</command> and
6514 <command>ignore</command>.
6520 <term><command>check-mx</command></term>
6523 Check whether the MX record appears to refer to a IP address.
6524 The default is to <command>warn</command>. Other possible
6525 values are <command>fail</command> and
6526 <command>ignore</command>.
6532 <term><command>check-wildcard</command></term>
6535 This option is used to check for non-terminal wildcards.
6536 The use of non-terminal wildcards is almost always as a
6538 to understand the wildcard matching algorithm (RFC 1034).
6540 affects master zones. The default (<command>yes</command>) is to check
6541 for non-terminal wildcards and issue a warning.
6547 <term><command>check-integrity</command></term>
6550 Perform post load zone integrity checks on master
6551 zones. This checks that MX and SRV records refer
6552 to address (A or AAAA) records and that glue
6553 address records exist for delegated zones. For
6554 MX and SRV records only in-zone hostnames are
6555 checked (for out-of-zone hostnames use
6556 <command>named-checkzone</command>).
6557 For NS records only names below top of zone are
6558 checked (for out-of-zone names and glue consistency
6559 checks use <command>named-checkzone</command>).
6560 The default is <command>yes</command>.
6563 The use of the SPF record for publishing Sender
6564 Policy Framework is deprecated as the migration
6565 from using TXT records to SPF records was abandoned.
6566 Enabling this option also checks that a TXT Sender
6567 Policy Framework record exists (starts with "v=spf1")
6568 if there is an SPF record. Warnings are emitted if the
6569 TXT record does not exist and can be suppressed with
6570 <command>check-spf</command>.
6576 <term><command>check-mx-cname</command></term>
6579 If <command>check-integrity</command> is set then
6580 fail, warn or ignore MX records that refer
6581 to CNAMES. The default is to <command>warn</command>.
6587 <term><command>check-srv-cname</command></term>
6590 If <command>check-integrity</command> is set then
6591 fail, warn or ignore SRV records that refer
6592 to CNAMES. The default is to <command>warn</command>.
6598 <term><command>check-sibling</command></term>
6601 When performing integrity checks, also check that
6602 sibling glue exists. The default is <command>yes</command>.
6608 <term><command>check-spf</command></term>
6611 If <command>check-integrity</command> is set then
6612 check that there is a TXT Sender Policy Framework
6613 record present (starts with "v=spf1") if there is an
6614 SPF record present. The default is
6615 <command>warn</command>.
6621 <term><command>zero-no-soa-ttl</command></term>
6624 When returning authoritative negative responses to
6625 SOA queries set the TTL of the SOA record returned in
6626 the authority section to zero.
6627 The default is <command>yes</command>.
6633 <term><command>zero-no-soa-ttl-cache</command></term>
6636 When caching a negative response to a SOA query
6637 set the TTL to zero.
6638 The default is <command>no</command>.
6644 <term><command>update-check-ksk</command></term>
6647 When set to the default value of <literal>yes</literal>,
6648 check the KSK bit in each key to determine how the key
6649 should be used when generating RRSIGs for a secure zone.
6652 Ordinarily, zone-signing keys (that is, keys without the
6653 KSK bit set) are used to sign the entire zone, while
6654 key-signing keys (keys with the KSK bit set) are only
6655 used to sign the DNSKEY RRset at the zone apex.
6656 However, if this option is set to <literal>no</literal>,
6657 then the KSK bit is ignored; KSKs are treated as if they
6658 were ZSKs and are used to sign the entire zone. This is
6659 similar to the <command>dnssec-signzone -z</command>
6660 command line option.
6663 When this option is set to <literal>yes</literal>, there
6664 must be at least two active keys for every algorithm
6665 represented in the DNSKEY RRset: at least one KSK and one
6666 ZSK per algorithm. If there is any algorithm for which
6667 this requirement is not met, this option will be ignored
6674 <term><command>dnssec-dnskey-kskonly</command></term>
6677 When this option and <command>update-check-ksk</command>
6678 are both set to <literal>yes</literal>, only key-signing
6679 keys (that is, keys with the KSK bit set) will be used
6680 to sign the DNSKEY RRset at the zone apex. Zone-signing
6681 keys (keys without the KSK bit set) will be used to sign
6682 the remainder of the zone, but not the DNSKEY RRset.
6683 This is similar to the
6684 <command>dnssec-signzone -x</command> command line option.
6687 The default is <command>no</command>. If
6688 <command>update-check-ksk</command> is set to
6689 <literal>no</literal>, this option is ignored.
6695 <term><command>dnssec-loadkeys-interval</command></term>
6698 When a zone is configured with <command>auto-dnssec
6699 maintain;</command> its key repository must be checked
6700 periodically to see if any new keys have been added
6701 or any existing keys' timing metadata has been updated
6702 (see <xref linkend="man.dnssec-keygen"/> and
6703 <xref linkend="man.dnssec-settime"/>). The
6704 <command>dnssec-loadkeys-interval</command> option
6705 sets the frequency of automatic repository checks, in
6706 minutes. The default is <literal>60</literal> (1 hour),
6707 the minimum is <literal>1</literal> (1 minute), and the
6708 maximum is <literal>1440</literal> (24 hours); any higher
6709 value is silently reduced.
6715 <term><command>try-tcp-refresh</command></term>
6718 Try to refresh the zone using TCP if UDP queries fail.
6719 For BIND 8 compatibility, the default is
6720 <command>yes</command>.
6726 <term><command>dnssec-secure-to-insecure</command></term>
6729 Allow a dynamic zone to transition from secure to
6730 insecure (i.e., signed to unsigned) by deleting all
6731 of the DNSKEY records. The default is <command>no</command>.
6732 If set to <command>yes</command>, and if the DNSKEY RRset
6733 at the zone apex is deleted, all RRSIG and NSEC records
6734 will be removed from the zone as well.
6737 If the zone uses NSEC3, then it is also necessary to
6738 delete the NSEC3PARAM RRset from the zone apex; this will
6739 cause the removal of all corresponding NSEC3 records.
6740 (It is expected that this requirement will be eliminated
6741 in a future release.)
6744 Note that if a zone has been configured with
6745 <command>auto-dnssec maintain</command> and the
6746 private keys remain accessible in the key repository,
6747 then the zone will be automatically signed again the
6748 next time <command>named</command> is started.
6758 <title>Forwarding</title>
6760 The forwarding facility can be used to create a large site-wide
6761 cache on a few servers, reducing traffic over links to external
6762 name servers. It can also be used to allow queries by servers that
6763 do not have direct access to the Internet, but wish to look up
6765 names anyway. Forwarding occurs only on those queries for which
6766 the server is not authoritative and does not have the answer in
6772 <term><command>forward</command></term>
6775 This option is only meaningful if the
6776 forwarders list is not empty. A value of <varname>first</varname>,
6777 the default, causes the server to query the forwarders
6779 if that doesn't answer the question, the server will then
6781 the answer itself. If <varname>only</varname> is
6783 server will only query the forwarders.
6789 <term><command>forwarders</command></term>
6792 Specifies the IP addresses to be used
6793 for forwarding. The default is the empty list (no
6802 Forwarding can also be configured on a per-domain basis, allowing
6803 for the global forwarding options to be overridden in a variety
6804 of ways. You can set particular domains to use different
6806 or have a different <command>forward only/first</command> behavior,
6807 or not forward at all, see <xref linkend="zone_statement_grammar"/>.
6812 <title>Dual-stack Servers</title>
6814 Dual-stack servers are used as servers of last resort to work
6816 problems in reachability due the lack of support for either IPv4
6818 on the host machine.
6823 <term><command>dual-stack-servers</command></term>
6826 Specifies host names or addresses of machines with access to
6827 both IPv4 and IPv6 transports. If a hostname is used, the
6829 to resolve the name using only the transport it has. If the
6831 stacked, then the <command>dual-stack-servers</command> have no effect unless
6832 access to a transport has been disabled on the command line
6833 (e.g. <command>named -4</command>).
6840 <sect3 id="access_control">
6841 <title>Access Control</title>
6844 Access to the server can be restricted based on the IP address
6845 of the requesting system. See <xref linkend="address_match_lists"/> for
6846 details on how to specify IP address lists.
6852 <term><command>allow-notify</command></term>
6855 Specifies which hosts are allowed to
6856 notify this server, a slave, of zone changes in addition
6857 to the zone masters.
6858 <command>allow-notify</command> may also be
6860 <command>zone</command> statement, in which case
6862 <command>options allow-notify</command>
6863 statement. It is only meaningful
6864 for a slave zone. If not specified, the default is to
6865 process notify messages
6866 only from a zone's master.
6872 <term><command>allow-query</command></term>
6875 Specifies which hosts are allowed to ask ordinary
6876 DNS questions. <command>allow-query</command> may
6877 also be specified in the <command>zone</command>
6878 statement, in which case it overrides the
6879 <command>options allow-query</command> statement.
6880 If not specified, the default is to allow queries
6885 <command>allow-query-cache</command> is now
6886 used to specify access to the cache.
6893 <term><command>allow-query-on</command></term>
6896 Specifies which local addresses can accept ordinary
6897 DNS questions. This makes it possible, for instance,
6898 to allow queries on internal-facing interfaces but
6899 disallow them on external-facing ones, without
6900 necessarily knowing the internal network's addresses.
6903 Note that <command>allow-query-on</command> is only
6904 checked for queries that are permitted by
6905 <command>allow-query</command>. A query must be
6906 allowed by both ACLs, or it will be refused.
6909 <command>allow-query-on</command> may
6910 also be specified in the <command>zone</command>
6911 statement, in which case it overrides the
6912 <command>options allow-query-on</command> statement.
6915 If not specified, the default is to allow queries
6920 <command>allow-query-cache</command> is
6921 used to specify access to the cache.
6928 <term><command>allow-query-cache</command></term>
6931 Specifies which hosts are allowed to get answers
6932 from the cache. If <command>allow-query-cache</command>
6933 is not set then <command>allow-recursion</command>
6934 is used if set, otherwise <command>allow-query</command>
6935 is used if set unless <command>recursion no;</command> is
6936 set in which case <command>none;</command> is used,
6937 otherwise the default (<command>localnets;</command>
6938 <command>localhost;</command>) is used.
6944 <term><command>allow-query-cache-on</command></term>
6947 Specifies which local addresses can give answers
6948 from the cache. If not specified, the default is
6949 to allow cache queries on any address,
6950 <command>localnets</command> and
6951 <command>localhost</command>.
6957 <term><command>allow-recursion</command></term>
6960 Specifies which hosts are allowed to make recursive
6961 queries through this server. If
6962 <command>allow-recursion</command> is not set
6963 then <command>allow-query-cache</command> is
6964 used if set, otherwise <command>allow-query</command>
6965 is used if set, otherwise the default
6966 (<command>localnets;</command>
6967 <command>localhost;</command>) is used.
6973 <term><command>allow-recursion-on</command></term>
6976 Specifies which local addresses can accept recursive
6977 queries. If not specified, the default is to allow
6978 recursive queries on all addresses.
6984 <term><command>allow-update</command></term>
6987 Specifies which hosts are allowed to
6988 submit Dynamic DNS updates for master zones. The default is
6990 updates from all hosts. Note that allowing updates based
6991 on the requestor's IP address is insecure; see
6992 <xref linkend="dynamic_update_security"/> for details.
6998 <term><command>allow-update-forwarding</command></term>
7001 Specifies which hosts are allowed to
7002 submit Dynamic DNS updates to slave zones to be forwarded to
7004 master. The default is <userinput>{ none; }</userinput>,
7006 means that no update forwarding will be performed. To
7008 update forwarding, specify
7009 <userinput>allow-update-forwarding { any; };</userinput>.
7010 Specifying values other than <userinput>{ none; }</userinput> or
7011 <userinput>{ any; }</userinput> is usually
7012 counterproductive, since
7013 the responsibility for update access control should rest
7015 master server, not the slaves.
7018 Note that enabling the update forwarding feature on a slave
7020 may expose master servers relying on insecure IP address
7022 access control to attacks; see <xref linkend="dynamic_update_security"/>
7029 <term><command>allow-v6-synthesis</command></term>
7032 This option was introduced for the smooth transition from
7034 to A6 and from "nibble labels" to binary labels.
7035 However, since both A6 and binary labels were then
7037 this option was also deprecated.
7038 It is now ignored with some warning messages.
7044 <term><command>allow-transfer</command></term>
7047 Specifies which hosts are allowed to
7048 receive zone transfers from the server. <command>allow-transfer</command> may
7049 also be specified in the <command>zone</command>
7051 case it overrides the <command>options allow-transfer</command> statement.
7052 If not specified, the default is to allow transfers to all
7059 <term><command>blackhole</command></term>
7062 Specifies a list of addresses that the
7063 server will not accept queries from or use to resolve a
7065 from these addresses will not be responded to. The default
7066 is <userinput>none</userinput>.
7072 <term><command>filter-aaaa</command></term>
7075 Specifies a list of addresses to which
7076 <command>filter-aaaa-on-v4</command>
7077 is applies. The default is <userinput>any</userinput>.
7083 <term><command>no-case-compress</command></term> <listitem>
7085 Specifies a list of addresses which require responses
7086 to use case-insensitive compression. This ACL can be
7087 used when <command>named</command> needs to work with
7088 clients that do not comply with the requirement in RFC
7089 1034 to use case-insensitive name comparisons when
7090 checking for matching domain names.
7093 If left undefined, the ACL defaults to
7094 <command>none</command>: case-insensitive compression
7095 will be used for all clients. If the ACL is defined and
7096 matches a client, then case will be ignored when
7097 compressing domain names in DNS responses sent to that
7101 This can result in slightly smaller responses: if
7102 a response contains the names "example.com" and
7103 "example.COM", case-insensitive compression would treat
7104 the second one as a duplicate. It also ensures
7105 that the case of the query name exactly matches the
7106 case of the owner names of returned records, rather
7107 than matching the case of the records entered in
7108 the zone file. This allows responses to exactly
7109 match the query, which is required by some clients
7110 due to incorrect use of case-sensitive comparisons.
7113 Case-insensitive compression is <emphasis>always</emphasis>
7114 used in AXFR and IXFR responses, regardless of whether
7115 the client matches this ACL.
7118 There are circumstances in which <command>named</command>
7119 will not preserve the case of owner names of records:
7120 if a zone file defines records of different types with
7121 the same name, but the capitalization of the name is
7122 different (e.g., "www.example.com/A" and
7123 "WWW.EXAMPLE.COM/AAAA"), then all responses for that
7124 name will use the <emphasis>first</emphasis> version
7125 of the name that was used in the zone file. This
7126 limitation may be addressed in a future release. However,
7127 domain names specified in the rdata of resource records
7128 (i.e., records of type NS, MX, CNAME, etc) will always
7129 have their case preserved unless the client matches this
7136 <term><command>resolver-query-timeout</command></term>
7139 The amount of time the resolver will spend attempting
7140 to resolve a recursive query before failing. The default
7141 and minimum is <literal>10</literal> and the maximum is
7142 <literal>30</literal>. Setting it to <literal>0</literal>
7143 will result in the default being used.
7152 <title>Interfaces</title>
7154 The interfaces and ports that the server will answer queries
7155 from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
7156 an optional port and an <varname>address_match_list</varname>
7157 of IPv4 addresses. (IPv6 addresses are ignored, with a
7159 The server will listen on all interfaces allowed by the address
7160 match list. If a port is not specified, port 53 will be used.
7163 Multiple <command>listen-on</command> statements are
7168 <programlisting>listen-on { 5.6.7.8; };
7169 listen-on port 1234 { !1.2.3.4; 1.2/16; };
7173 will enable the name server on port 53 for the IP address
7174 5.6.7.8, and on port 1234 of an address on the machine in net
7175 1.2 that is not 1.2.3.4.
7179 If no <command>listen-on</command> is specified, the
7180 server will listen on port 53 on all IPv4 interfaces.
7184 The <command>listen-on-v6</command> option is used to
7185 specify the interfaces and the ports on which the server will
7187 for incoming queries sent using IPv6.
7191 When <programlisting>{ any; }</programlisting> is
7193 as the <varname>address_match_list</varname> for the
7194 <command>listen-on-v6</command> option,
7195 the server does not bind a separate socket to each IPv6 interface
7196 address as it does for IPv4 if the operating system has enough API
7197 support for IPv6 (specifically if it conforms to RFC 3493 and RFC
7199 Instead, it listens on the IPv6 wildcard address.
7200 If the system only has incomplete API support for IPv6, however,
7201 the behavior is the same as that for IPv4.
7205 A list of particular IPv6 addresses can also be specified, in
7207 the server listens on a separate socket for each specified
7209 regardless of whether the desired API is supported by the system.
7210 IPv4 addresses specified in <command>listen-on-v6</command>
7211 will be ignored, with a logged warning.
7215 Multiple <command>listen-on-v6</command> options can
7220 <programlisting>listen-on-v6 { any; };
7221 listen-on-v6 port 1234 { !2001:db8::/32; any; };
7225 will enable the name server on port 53 for any IPv6 addresses
7226 (with a single wildcard socket),
7227 and on port 1234 of IPv6 addresses that is not in the prefix
7228 2001:db8::/32 (with separate sockets for each matched address.)
7232 To make the server not listen on any IPv6 address, use
7235 <programlisting>listen-on-v6 { none; };
7239 If no <command>listen-on-v6</command> option is
7240 specified, the server will not listen on any IPv6 address
7241 unless <command>-6</command> is specified when <command>named</command> is
7242 invoked. If <command>-6</command> is specified then
7243 <command>named</command> will listen on port 53 on all IPv6 interfaces by default.
7247 <sect3 id="query_address">
7248 <title>Query Address</title>
7250 If the server doesn't know the answer to a question, it will
7251 query other name servers. <command>query-source</command> specifies
7252 the address and port used for such queries. For queries sent over
7253 IPv6, there is a separate <command>query-source-v6</command> option.
7254 If <command>address</command> is <command>*</command> (asterisk) or is omitted,
7255 a wildcard IP address (<command>INADDR_ANY</command>)
7260 If <command>port</command> is <command>*</command> or is omitted,
7261 a random port number from a pre-configured
7262 range is picked up and will be used for each query.
7263 The port range(s) is that specified in
7264 the <command>use-v4-udp-ports</command> (for IPv4)
7265 and <command>use-v6-udp-ports</command> (for IPv6)
7266 options, excluding the ranges specified in
7267 the <command>avoid-v4-udp-ports</command>
7268 and <command>avoid-v6-udp-ports</command> options, respectively.
7272 The defaults of the <command>query-source</command> and
7273 <command>query-source-v6</command> options
7277 <programlisting>query-source address * port *;
7278 query-source-v6 address * port *;
7282 If <command>use-v4-udp-ports</command> or
7283 <command>use-v6-udp-ports</command> is unspecified,
7284 <command>named</command> will check if the operating
7285 system provides a programming interface to retrieve the
7286 system's default range for ephemeral ports.
7287 If such an interface is available,
7288 <command>named</command> will use the corresponding system
7289 default range; otherwise, it will use its own defaults:
7292 <programlisting>use-v4-udp-ports { range 1024 65535; };
7293 use-v6-udp-ports { range 1024 65535; };
7297 Note: make sure the ranges be sufficiently large for
7298 security. A desirable size depends on various parameters,
7299 but we generally recommend it contain at least 16384 ports
7300 (14 bits of entropy).
7301 Note also that the system's default range when used may be
7302 too small for this purpose, and that the range may even be
7303 changed while <command>named</command> is running; the new
7304 range will automatically be applied when <command>named</command>
7307 configure <command>use-v4-udp-ports</command> and
7308 <command>use-v6-udp-ports</command> explicitly so that the
7309 ranges are sufficiently large and are reasonably
7310 independent from the ranges used by other applications.
7314 Note: the operational configuration
7315 where <command>named</command> runs may prohibit the use
7316 of some ports. For example, UNIX systems will not allow
7317 <command>named</command> running without a root privilege
7318 to use ports less than 1024.
7319 If such ports are included in the specified (or detected)
7320 set of query ports, the corresponding query attempts will
7321 fail, resulting in resolution failures or delay.
7322 It is therefore important to configure the set of ports
7323 that can be safely used in the expected operational environment.
7327 The defaults of the <command>avoid-v4-udp-ports</command> and
7328 <command>avoid-v6-udp-ports</command> options
7332 <programlisting>avoid-v4-udp-ports {};
7333 avoid-v6-udp-ports {};
7337 Note: BIND 9.5.0 introduced
7338 the <command>use-queryport-pool</command>
7339 option to support a pool of such random ports, but this
7340 option is now obsolete because reusing the same ports in
7341 the pool may not be sufficiently secure.
7342 For the same reason, it is generally strongly discouraged to
7343 specify a particular port for the
7344 <command>query-source</command> or
7345 <command>query-source-v6</command> options;
7346 it implicitly disables the use of randomized port numbers.
7351 <term><command>use-queryport-pool</command></term>
7354 This option is obsolete.
7360 <term><command>queryport-pool-ports</command></term>
7363 This option is obsolete.
7369 <term><command>queryport-pool-updateinterval</command></term>
7372 This option is obsolete.
7380 The address specified in the <command>query-source</command> option
7381 is used for both UDP and TCP queries, but the port applies only
7382 to UDP queries. TCP queries always use a random
7388 Solaris 2.5.1 and earlier does not support setting the source
7389 address for TCP sockets.
7394 See also <command>transfer-source</command> and
7395 <command>notify-source</command>.
7400 <sect3 id="zone_transfers">
7401 <title>Zone Transfers</title>
7403 <acronym>BIND</acronym> has mechanisms in place to
7404 facilitate zone transfers
7405 and set limits on the amount of load that transfers place on the
7406 system. The following options apply to zone transfers.
7412 <term><command>also-notify</command></term>
7415 Defines a global list of IP addresses of name servers
7416 that are also sent NOTIFY messages whenever a fresh copy of
7418 zone is loaded, in addition to the servers listed in the
7420 This helps to ensure that copies of the zones will
7421 quickly converge on stealth servers.
7422 Optionally, a port may be specified with each
7423 <command>also-notify</command> address to send
7424 the notify messages to a port other than the
7426 An optional TSIG key can also be specified with each
7427 address to cause the notify messages to be signed; this
7428 can be useful when sending notifies to multiple views.
7429 In place of explicit addresses, one or more named
7430 <command>masters</command> lists can be used.
7433 If an <command>also-notify</command> list
7434 is given in a <command>zone</command> statement,
7436 the <command>options also-notify</command>
7437 statement. When a <command>zone notify</command>
7439 is set to <command>no</command>, the IP
7440 addresses in the global <command>also-notify</command> list will
7441 not be sent NOTIFY messages for that zone. The default is
7443 list (no global notification list).
7449 <term><command>max-transfer-time-in</command></term>
7452 Inbound zone transfers running longer than
7453 this many minutes will be terminated. The default is 120
7455 (2 hours). The maximum value is 28 days (40320 minutes).
7461 <term><command>max-transfer-idle-in</command></term>
7464 Inbound zone transfers making no progress
7465 in this many minutes will be terminated. The default is 60
7467 (1 hour). The maximum value is 28 days (40320 minutes).
7473 <term><command>max-transfer-time-out</command></term>
7476 Outbound zone transfers running longer than
7477 this many minutes will be terminated. The default is 120
7479 (2 hours). The maximum value is 28 days (40320 minutes).
7485 <term><command>max-transfer-idle-out</command></term>
7488 Outbound zone transfers making no progress
7489 in this many minutes will be terminated. The default is 60
7491 hour). The maximum value is 28 days (40320 minutes).
7497 <term><command>serial-query-rate</command></term>
7500 Slave servers will periodically query master
7501 servers to find out if zone serial numbers have
7502 changed. Each such query uses a minute amount of
7503 the slave server's network bandwidth. To limit
7504 the amount of bandwidth used, BIND 9 limits the
7505 rate at which queries are sent. The value of the
7506 <command>serial-query-rate</command> option, an
7507 integer, is the maximum number of queries sent
7508 per second. The default is 20.
7511 In addition to controlling the rate SOA refresh
7512 queries are issued at
7513 <command>serial-query-rate</command> also controls
7514 the rate at which NOTIFY messages are sent from
7515 both master and slave zones.
7521 <term><command>serial-queries</command></term>
7524 In BIND 8, the <command>serial-queries</command>
7526 set the maximum number of concurrent serial number queries
7527 allowed to be outstanding at any given time.
7528 BIND 9 does not limit the number of outstanding
7529 serial queries and ignores the <command>serial-queries</command> option.
7530 Instead, it limits the rate at which the queries are sent
7531 as defined using the <command>serial-query-rate</command> option.
7537 <term><command>transfer-format</command></term>
7541 Zone transfers can be sent using two different formats,
7542 <command>one-answer</command> and
7543 <command>many-answers</command>.
7544 The <command>transfer-format</command> option is used
7545 on the master server to determine which format it sends.
7546 <command>one-answer</command> uses one DNS message per
7547 resource record transferred.
7548 <command>many-answers</command> packs as many resource
7549 records as possible into a message.
7550 <command>many-answers</command> is more efficient, but is
7551 only supported by relatively new slave servers,
7552 such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
7553 8.x and <acronym>BIND</acronym> 4.9.5 onwards.
7554 The <command>many-answers</command> format is also supported by
7555 recent Microsoft Windows nameservers.
7556 The default is <command>many-answers</command>.
7557 <command>transfer-format</command> may be overridden on a
7558 per-server basis by using the <command>server</command>
7566 <term><command>transfers-in</command></term>
7569 The maximum number of inbound zone transfers
7570 that can be running concurrently. The default value is <literal>10</literal>.
7571 Increasing <command>transfers-in</command> may
7572 speed up the convergence
7573 of slave zones, but it also may increase the load on the
7580 <term><command>transfers-out</command></term>
7583 The maximum number of outbound zone transfers
7584 that can be running concurrently. Zone transfer requests in
7586 of the limit will be refused. The default value is <literal>10</literal>.
7592 <term><command>transfers-per-ns</command></term>
7595 The maximum number of inbound zone transfers
7596 that can be concurrently transferring from a given remote
7598 The default value is <literal>2</literal>.
7599 Increasing <command>transfers-per-ns</command>
7601 speed up the convergence of slave zones, but it also may
7603 the load on the remote name server. <command>transfers-per-ns</command> may
7604 be overridden on a per-server basis by using the <command>transfers</command> phrase
7605 of the <command>server</command> statement.
7611 <term><command>transfer-source</command></term>
7613 <para><command>transfer-source</command>
7614 determines which local address will be bound to IPv4
7615 TCP connections used to fetch zones transferred
7616 inbound by the server. It also determines the
7617 source IPv4 address, and optionally the UDP port,
7618 used for the refresh queries and forwarded dynamic
7619 updates. If not set, it defaults to a system
7620 controlled value which will usually be the address
7621 of the interface "closest to" the remote end. This
7622 address must appear in the remote end's
7623 <command>allow-transfer</command> option for the
7624 zone being transferred, if one is specified. This
7626 <command>transfer-source</command> for all zones,
7627 but can be overridden on a per-view or per-zone
7628 basis by including a
7629 <command>transfer-source</command> statement within
7630 the <command>view</command> or
7631 <command>zone</command> block in the configuration
7636 Solaris 2.5.1 and earlier does not support setting the
7637 source address for TCP sockets.
7644 <term><command>transfer-source-v6</command></term>
7647 The same as <command>transfer-source</command>,
7648 except zone transfers are performed using IPv6.
7654 <term><command>alt-transfer-source</command></term>
7657 An alternate transfer source if the one listed in
7658 <command>transfer-source</command> fails and
7659 <command>use-alt-transfer-source</command> is
7663 If you do not wish the alternate transfer source
7664 to be used, you should set
7665 <command>use-alt-transfer-source</command>
7666 appropriately and you should not depend upon
7667 getting an answer back to the first refresh
7674 <term><command>alt-transfer-source-v6</command></term>
7677 An alternate transfer source if the one listed in
7678 <command>transfer-source-v6</command> fails and
7679 <command>use-alt-transfer-source</command> is
7686 <term><command>use-alt-transfer-source</command></term>
7689 Use the alternate transfer sources or not. If views are
7690 specified this defaults to <command>no</command>
7691 otherwise it defaults to
7692 <command>yes</command> (for BIND 8
7699 <term><command>notify-source</command></term>
7701 <para><command>notify-source</command>
7702 determines which local source address, and
7703 optionally UDP port, will be used to send NOTIFY
7704 messages. This address must appear in the slave
7705 server's <command>masters</command> zone clause or
7706 in an <command>allow-notify</command> clause. This
7707 statement sets the <command>notify-source</command>
7708 for all zones, but can be overridden on a per-zone or
7709 per-view basis by including a
7710 <command>notify-source</command> statement within
7711 the <command>zone</command> or
7712 <command>view</command> block in the configuration
7717 Solaris 2.5.1 and earlier does not support setting the
7718 source address for TCP sockets.
7725 <term><command>notify-source-v6</command></term>
7728 Like <command>notify-source</command>,
7729 but applies to notify messages sent to IPv6 addresses.
7739 <title>UDP Port Lists</title>
7741 <command>use-v4-udp-ports</command>,
7742 <command>avoid-v4-udp-ports</command>,
7743 <command>use-v6-udp-ports</command>, and
7744 <command>avoid-v6-udp-ports</command>
7745 specify a list of IPv4 and IPv6 UDP ports that will be
7746 used or not used as source ports for UDP messages.
7747 See <xref linkend="query_address"/> about how the
7748 available ports are determined.
7749 For example, with the following configuration
7753 use-v6-udp-ports { range 32768 65535; };
7754 avoid-v6-udp-ports { 40000; range 50000 60000; };
7758 UDP ports of IPv6 messages sent
7759 from <command>named</command> will be in one
7760 of the following ranges: 32768 to 39999, 40001 to 49999,
7765 <command>avoid-v4-udp-ports</command> and
7766 <command>avoid-v6-udp-ports</command> can be used
7767 to prevent <command>named</command> from choosing as its random source port a
7768 port that is blocked by your firewall or a port that is
7769 used by other applications;
7770 if a query went out with a source port blocked by a
7772 answer would not get by the firewall and the name server would
7773 have to query again.
7774 Note: the desired range can also be represented only with
7775 <command>use-v4-udp-ports</command> and
7776 <command>use-v6-udp-ports</command>, and the
7777 <command>avoid-</command> options are redundant in that
7778 sense; they are provided for backward compatibility and
7779 to possibly simplify the port specification.
7784 <title>Operating System Resource Limits</title>
7787 The server's usage of many system resources can be limited.
7788 Scaled values are allowed when specifying resource limits. For
7789 example, <command>1G</command> can be used instead of
7790 <command>1073741824</command> to specify a limit of
7792 gigabyte. <command>unlimited</command> requests
7793 unlimited use, or the
7794 maximum available amount. <command>default</command>
7796 that was in force when the server was started. See the description
7797 of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
7801 The following options set operating system resource limits for
7802 the name server process. Some operating systems don't support
7804 any of the limits. On such systems, a warning will be issued if
7806 unsupported limit is used.
7812 <term><command>coresize</command></term>
7815 The maximum size of a core dump. The default
7816 is <literal>default</literal>.
7822 <term><command>datasize</command></term>
7825 The maximum amount of data memory the server
7826 may use. The default is <literal>default</literal>.
7827 This is a hard limit on server memory usage.
7828 If the server attempts to allocate memory in excess of this
7829 limit, the allocation will fail, which may in turn leave
7830 the server unable to perform DNS service. Therefore,
7831 this option is rarely useful as a way of limiting the
7832 amount of memory used by the server, but it can be used
7833 to raise an operating system data size limit that is
7834 too small by default. If you wish to limit the amount
7835 of memory used by the server, use the
7836 <command>max-cache-size</command> and
7837 <command>recursive-clients</command>
7844 <term><command>files</command></term>
7847 The maximum number of files the server
7848 may have open concurrently. The default is <literal>unlimited</literal>.
7854 <term><command>stacksize</command></term>
7857 The maximum amount of stack memory the server
7858 may use. The default is <literal>default</literal>.
7867 <sect3 id="server_resource_limits">
7868 <title>Server Resource Limits</title>
7871 The following options set limits on the server's
7872 resource consumption that are enforced internally by the
7873 server rather than the operating system.
7879 <term><command>max-ixfr-log-size</command></term>
7882 This option is obsolete; it is accepted
7883 and ignored for BIND 8 compatibility. The option
7884 <command>max-journal-size</command> performs a
7885 similar function in BIND 9.
7891 <term><command>max-journal-size</command></term>
7894 Sets a maximum size for each journal file
7895 (see <xref linkend="journal"/>). When the journal file
7897 the specified size, some of the oldest transactions in the
7899 will be automatically removed. The largest permitted
7900 value is 2 gigabytes. The default is
7901 <literal>unlimited</literal>, which also
7903 This may also be set on a per-zone basis.
7909 <term><command>host-statistics-max</command></term>
7912 In BIND 8, specifies the maximum number of host statistics
7914 Not implemented in BIND 9.
7920 <term><command>recursive-clients</command></term>
7923 The maximum number of simultaneous recursive lookups
7924 the server will perform on behalf of clients. The default
7926 <literal>1000</literal>. Because each recursing
7928 bit of memory, on the order of 20 kilobytes, the value of
7930 <command>recursive-clients</command> option may
7931 have to be decreased
7932 on hosts with limited memory.
7938 <term><command>tcp-clients</command></term>
7941 The maximum number of simultaneous client TCP
7942 connections that the server will accept.
7943 The default is <literal>100</literal>.
7949 <term><command>reserved-sockets</command></term>
7952 The number of file descriptors reserved for TCP, stdio,
7953 etc. This needs to be big enough to cover the number of
7954 interfaces <command>named</command> listens on, <command>tcp-clients</command> as well as
7955 to provide room for outgoing TCP queries and incoming zone
7956 transfers. The default is <literal>512</literal>.
7957 The minimum value is <literal>128</literal> and the
7958 maximum value is <literal>128</literal> less than
7959 maxsockets (-S). This option may be removed in the future.
7962 This option has little effect on Windows.
7968 <term><command>max-cache-size</command></term>
7971 The maximum amount of memory to use for the
7972 server's cache, in bytes.
7973 When the amount of data in the cache
7974 reaches this limit, the server will cause records to expire
7975 prematurely based on an LRU based strategy so that
7976 the limit is not exceeded.
7977 A value of 0 is special, meaning that
7978 records are purged from the cache only when their
7980 Another special keyword <userinput>unlimited</userinput>
7981 means the maximum value of 32-bit unsigned integers
7982 (0xffffffff), which may not have the same effect as
7983 0 on machines that support more than 32 bits of
7985 Any positive values less than 2MB will be ignored reset
7987 In a server with multiple views, the limit applies
7988 separately to the cache of each view.
7995 <term><command>tcp-listen-queue</command></term>
7998 The listen queue depth. The default and minimum is 10.
7999 If the kernel supports the accept filter "dataready" this
8001 many TCP connections that will be queued in kernel space
8003 some data before being passed to accept. Nonzero values
8004 less than 10 will be silently raised. A value of 0 may also
8005 be used; on most platforms this sets the listen queue
8006 length to a system-defined default value.
8016 <title>Periodic Task Intervals</title>
8021 <term><command>cleaning-interval</command></term>
8024 This interval is effectively obsolete. Previously,
8025 the server would remove expired resource records
8026 from the cache every <command>cleaning-interval</command> minutes.
8027 <acronym>BIND</acronym> 9 now manages cache
8028 memory in a more sophisticated manner and does not
8029 rely on the periodic cleaning any more.
8030 Specifying this option therefore has no effect on
8031 the server's behavior.
8037 <term><command>heartbeat-interval</command></term>
8040 The server will perform zone maintenance tasks
8041 for all zones marked as <command>dialup</command> whenever this
8042 interval expires. The default is 60 minutes. Reasonable
8044 to 1 day (1440 minutes). The maximum value is 28 days
8046 If set to 0, no zone maintenance for these zones will occur.
8052 <term><command>interface-interval</command></term>
8055 The server will scan the network interface list
8056 every <command>interface-interval</command>
8057 minutes. The default
8058 is 60 minutes. The maximum value is 28 days (40320 minutes).
8059 If set to 0, interface scanning will only occur when
8060 the configuration file is loaded. After the scan, the
8062 begin listening for queries on any newly discovered
8063 interfaces (provided they are allowed by the
8064 <command>listen-on</command> configuration), and
8066 stop listening on interfaces that have gone away.
8072 <term><command>statistics-interval</command></term>
8075 Name server statistics will be logged
8076 every <command>statistics-interval</command>
8077 minutes. The default is
8078 60. The maximum value is 28 days (40320 minutes).
8079 If set to 0, no statistics will be logged.
8082 Not yet implemented in
8083 <acronym>BIND</acronym> 9.
8093 <sect3 id="topology">
8094 <title>Topology</title>
8097 All other things being equal, when the server chooses a name
8099 to query from a list of name servers, it prefers the one that is
8100 topologically closest to itself. The <command>topology</command> statement
8101 takes an <command>address_match_list</command> and
8103 in a special way. Each top-level list element is assigned a
8105 Non-negated elements get a distance based on their position in the
8106 list, where the closer the match is to the start of the list, the
8107 shorter the distance is between it and the server. A negated match
8108 will be assigned the maximum distance from the server. If there
8109 is no match, the address will get a distance which is further than
8110 any non-negated list element, and closer than any negated element.
8114 <programlisting>topology {
8121 will prefer servers on network 10 the most, followed by hosts
8122 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
8123 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
8124 is preferred least of all.
8127 The default topology is
8130 <programlisting> topology { localhost; localnets; };
8135 The <command>topology</command> option
8136 is not implemented in <acronym>BIND</acronym> 9.
8141 <sect3 id="the_sortlist_statement">
8143 <title>The <command>sortlist</command> Statement</title>
8146 The response to a DNS query may consist of multiple resource
8147 records (RRs) forming a resource records set (RRset).
8148 The name server will normally return the
8149 RRs within the RRset in an indeterminate order
8150 (but see the <command>rrset-order</command>
8151 statement in <xref linkend="rrset_ordering"/>).
8152 The client resolver code should rearrange the RRs as appropriate,
8153 that is, using any addresses on the local net in preference to
8155 However, not all resolvers can do this or are correctly
8157 When a client is using a local server, the sorting can be performed
8158 in the server, based on the client's address. This only requires
8159 configuring the name servers, not all the clients.
8163 The <command>sortlist</command> statement (see below)
8165 an <command>address_match_list</command> and
8167 more specifically than the <command>topology</command>
8169 does (<xref linkend="topology"/>).
8170 Each top level statement in the <command>sortlist</command> must
8171 itself be an explicit <command>address_match_list</command> with
8172 one or two elements. The first element (which may be an IP
8174 an IP prefix, an ACL name or a nested <command>address_match_list</command>)
8175 of each top level list is checked against the source address of
8176 the query until a match is found.
8179 Once the source address of the query has been matched, if
8180 the top level statement contains only one element, the actual
8182 element that matched the source address is used to select the
8184 in the response to move to the beginning of the response. If the
8185 statement is a list of two elements, then the second element is
8186 treated the same as the <command>address_match_list</command> in
8187 a <command>topology</command> statement. Each top
8189 is assigned a distance and the address in the response with the
8191 distance is moved to the beginning of the response.
8194 In the following example, any queries received from any of
8195 the addresses of the host itself will get responses preferring
8197 on any of the locally connected networks. Next most preferred are
8199 on the 192.168.1/24 network, and after that either the
8202 192.168.3/24 network with no preference shown between these two
8203 networks. Queries received from a host on the 192.168.1/24 network
8204 will prefer other addresses on that network to the 192.168.2/24
8206 192.168.3/24 networks. Queries received from a host on the
8208 or the 192.168.5/24 network will only prefer other addresses on
8209 their directly connected networks.
8212 <programlisting>sortlist {
8213 // IF the local host
8214 // THEN first fit on the following nets
8218 { 192.168.2/24; 192.168.3/24; }; }; };
8219 // IF on class C 192.168.1 THEN use .1, or .2 or .3
8222 { 192.168.2/24; 192.168.3/24; }; }; };
8223 // IF on class C 192.168.2 THEN use .2, or .1 or .3
8226 { 192.168.1/24; 192.168.3/24; }; }; };
8227 // IF on class C 192.168.3 THEN use .3, or .1 or .2
8230 { 192.168.1/24; 192.168.2/24; }; }; };
8231 // IF .4 or .5 THEN prefer that net
8232 { { 192.168.4/24; 192.168.5/24; };
8237 The following example will give reasonable behavior for the
8238 local host and hosts on directly connected networks. It is similar
8239 to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
8240 to queries from the local host will favor any of the directly
8242 networks. Responses sent to queries from any other hosts on a
8244 connected network will prefer addresses on that same network.
8246 to other queries will not be sorted.
8249 <programlisting>sortlist {
8250 { localhost; localnets; };
8256 <sect3 id="rrset_ordering">
8257 <title id="rrset_ordering_title">RRset Ordering</title>
8259 When multiple records are returned in an answer it may be
8260 useful to configure the order of the records placed into the
8262 The <command>rrset-order</command> statement permits
8264 of the ordering of the records in a multiple record response.
8265 See also the <command>sortlist</command> statement,
8266 <xref linkend="the_sortlist_statement"/>.
8270 An <command>order_spec</command> is defined as
8274 <optional>class <replaceable>class_name</replaceable></optional>
8275 <optional>type <replaceable>type_name</replaceable></optional>
8276 <optional>name <replaceable>"domain_name"</replaceable></optional>
8277 order <replaceable>ordering</replaceable>
8280 If no class is specified, the default is <command>ANY</command>.
8281 If no type is specified, the default is <command>ANY</command>.
8282 If no name is specified, the default is "<command>*</command>" (asterisk).
8285 The legal values for <command>ordering</command> are:
8287 <informaltable colsep="0" rowsep="0">
8288 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
8289 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
8290 <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
8294 <para><command>fixed</command></para>
8298 Records are returned in the order they
8299 are defined in the zone file.
8305 <para><command>random</command></para>
8309 Records are returned in some random order.
8315 <para><command>cyclic</command></para>
8319 Records are returned in a cyclic round-robin order.
8322 If <acronym>BIND</acronym> is configured with the
8323 "--enable-fixed-rrset" option at compile time, then
8324 the initial ordering of the RRset will match the
8325 one specified in the zone file.
8336 <programlisting>rrset-order {
8337 class IN type A name "host.example.com" order random;
8343 will cause any responses for type A records in class IN that
8344 have "<literal>host.example.com</literal>" as a
8345 suffix, to always be returned
8346 in random order. All other records are returned in cyclic order.
8349 If multiple <command>rrset-order</command> statements
8350 appear, they are not combined — the last one applies.
8353 By default, all records are returned in random order.
8358 In this release of <acronym>BIND</acronym> 9, the
8359 <command>rrset-order</command> statement does not support
8360 "fixed" ordering by default. Fixed ordering can be enabled
8361 at compile time by specifying "--enable-fixed-rrset" on
8362 the "configure" command line.
8368 <title>Tuning</title>
8373 <term><command>lame-ttl</command></term>
8376 Sets the number of seconds to cache a
8377 lame server indication. 0 disables caching. (This is
8378 <emphasis role="bold">NOT</emphasis> recommended.)
8379 The default is <literal>600</literal> (10 minutes) and the
8381 <literal>1800</literal> (30 minutes).
8385 Lame-ttl also controls the amount of time DNSSEC
8386 validation failures are cached. There is a minimum
8387 of 30 seconds applied to bad cache entries if the
8388 lame-ttl is set to less than 30 seconds.
8395 <term><command>max-ncache-ttl</command></term>
8398 To reduce network traffic and increase performance,
8399 the server stores negative answers. <command>max-ncache-ttl</command> is
8400 used to set a maximum retention time for these answers in
8402 in seconds. The default
8403 <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
8404 <command>max-ncache-ttl</command> cannot exceed
8406 be silently truncated to 7 days if set to a greater value.
8412 <term><command>max-cache-ttl</command></term>
8415 Sets the maximum time for which the server will
8416 cache ordinary (positive) answers. The default is
8418 A value of zero may cause all queries to return
8419 SERVFAIL, because of lost caches of intermediate
8420 RRsets (such as NS and glue AAAA/A records) in the
8427 <term><command>min-roots</command></term>
8430 The minimum number of root servers that
8431 is required for a request for the root servers to be
8432 accepted. The default
8433 is <userinput>2</userinput>.
8437 Not implemented in <acronym>BIND</acronym> 9.
8444 <term><command>sig-validity-interval</command></term>
8447 Specifies the number of days into the future when
8448 DNSSEC signatures automatically generated as a
8449 result of dynamic updates (<xref
8450 linkend="dynamic_update"/>) will expire. There
8451 is an optional second field which specifies how
8452 long before expiry that the signatures will be
8453 regenerated. If not specified, the signatures will
8454 be regenerated at 1/4 of base interval. The second
8455 field is specified in days if the base interval is
8456 greater than 7 days otherwise it is specified in hours.
8457 The default base interval is <literal>30</literal> days
8458 giving a re-signing interval of 7 1/2 days. The maximum
8459 values are 10 years (3660 days).
8462 The signature inception time is unconditionally
8463 set to one hour before the current time to allow
8464 for a limited amount of clock skew.
8467 The <command>sig-validity-interval</command>
8468 should be, at least, several multiples of the SOA
8469 expire interval to allow for reasonable interaction
8470 between the various timer and expiry dates.
8476 <term><command>sig-signing-nodes</command></term>
8479 Specify the maximum number of nodes to be
8480 examined in each quantum when signing a zone with
8481 a new DNSKEY. The default is
8482 <literal>100</literal>.
8488 <term><command>sig-signing-signatures</command></term>
8491 Specify a threshold number of signatures that
8492 will terminate processing a quantum when signing
8493 a zone with a new DNSKEY. The default is
8494 <literal>10</literal>.
8500 <term><command>sig-signing-type</command></term>
8503 Specify a private RDATA type to be used when generating
8504 signing state records. The default is
8505 <literal>65534</literal>.
8508 It is expected that this parameter may be removed
8509 in a future version once there is a standard type.
8512 Signing state records are used to internally by
8513 <command>named</command> to track the current state of
8514 a zone-signing process, i.e., whether it is still active
8515 or has been completed. The records can be inspected
8517 <command>rndc signing -list <replaceable>zone</replaceable></command>.
8518 Once <command>named</command> has finished signing
8519 a zone with a particular key, the signing state
8520 record associated with that key can be removed from
8522 <command>rndc signing -clear <replaceable>keyid/algorithm</replaceable> <replaceable>zone</replaceable></command>.
8523 To clear all of the completed signing state
8524 records for a zone, use
8525 <command>rndc signing -clear all <replaceable>zone</replaceable></command>.
8531 <term><command>min-refresh-time</command></term>
8532 <term><command>max-refresh-time</command></term>
8533 <term><command>min-retry-time</command></term>
8534 <term><command>max-retry-time</command></term>
8537 These options control the server's behavior on refreshing a
8539 (querying for SOA changes) or retrying failed transfers.
8540 Usually the SOA values for the zone are used, but these
8542 are set by the master, giving slave server administrators
8544 control over their contents.
8547 These options allow the administrator to set a minimum and
8549 refresh and retry time either per-zone, per-view, or
8551 These options are valid for slave and stub zones,
8552 and clamp the SOA refresh and retry times to the specified
8556 The following defaults apply.
8557 <command>min-refresh-time</command> 300 seconds,
8558 <command>max-refresh-time</command> 2419200 seconds
8559 (4 weeks), <command>min-retry-time</command> 500 seconds,
8560 and <command>max-retry-time</command> 1209600 seconds
8567 <term><command>edns-udp-size</command></term>
8570 Sets the advertised EDNS UDP buffer size in bytes
8571 to control the size of packets received.
8572 Valid values are 512 to 4096 (values outside this range
8573 will be silently adjusted). The default value
8574 is 4096. The usual reason for setting
8575 <command>edns-udp-size</command> to a non-default
8576 value is to get UDP answers to pass through broken
8577 firewalls that block fragmented packets and/or
8578 block UDP packets that are greater than 512 bytes.
8581 <command>named</command> will fallback to using 512 bytes
8582 if it get a series of timeout at the initial value. 512
8583 bytes is not being offered to encourage sites to fix their
8584 firewalls. Small EDNS UDP sizes will result in the
8585 excessive use of TCP.
8591 <term><command>max-udp-size</command></term>
8594 Sets the maximum EDNS UDP message size
8595 <command>named</command> will send in bytes.
8596 Valid values are 512 to 4096 (values outside this
8597 range will be silently adjusted). The default
8598 value is 4096. The usual reason for setting
8599 <command>max-udp-size</command> to a non-default
8600 value is to get UDP answers to pass through broken
8601 firewalls that block fragmented packets and/or
8602 block UDP packets that are greater than 512 bytes.
8603 This is independent of the advertised receive
8604 buffer (<command>edns-udp-size</command>).
8607 Setting this to a low value will encourage additional
8608 TCP traffic to the nameserver.
8614 <term><command>masterfile-format</command></term>
8617 the file format of zone files (see
8618 <xref linkend="zonefile_format"/>).
8619 The default value is <constant>text</constant>, which is the
8620 standard textual representation, except for slave zones,
8621 in which the default value is <constant>raw</constant>.
8622 Files in other formats than <constant>text</constant> are
8623 typically expected to be generated by the
8624 <command>named-compilezone</command> tool, or dumped by
8625 <command>named</command>.
8628 Note that when a zone file in a different format than
8629 <constant>text</constant> is loaded, <command>named</command>
8630 may omit some of the checks which would be performed for a
8631 file in the <constant>text</constant> format. In particular,
8632 <command>check-names</command> checks do not apply
8633 for the <constant>raw</constant> format. This means
8634 a zone file in the <constant>raw</constant> format
8635 must be generated with the same check level as that
8636 specified in the <command>named</command> configuration
8637 file. This statement sets the
8638 <command>masterfile-format</command> for all zones,
8639 but can be overridden on a per-zone or per-view basis
8640 by including a <command>masterfile-format</command>
8641 statement within the <command>zone</command> or
8642 <command>view</command> block in the configuration
8648 <varlistentry id="clients-per-query">
8649 <term><command>clients-per-query</command></term>
8650 <term><command>max-clients-per-query</command></term>
8653 initial value (minimum) and maximum number of recursive
8654 simultaneous clients for any given query
8655 (<qname,qtype,qclass>) that the server will accept
8656 before dropping additional clients. <command>named</command> will attempt to
8657 self tune this value and changes will be logged. The
8658 default values are 10 and 100.
8661 This value should reflect how many queries come in for
8662 a given name in the time it takes to resolve that name.
8663 If the number of queries exceed this value, <command>named</command> will
8664 assume that it is dealing with a non-responsive zone
8665 and will drop additional queries. If it gets a response
8666 after dropping queries, it will raise the estimate. The
8667 estimate will then be lowered in 20 minutes if it has
8671 If <command>clients-per-query</command> is set to zero,
8672 then there is no limit on the number of clients per query
8673 and no queries will be dropped.
8676 If <command>max-clients-per-query</command> is set to zero,
8677 then there is no upper bound other than imposed by
8678 <command>recursive-clients</command>.
8683 <varlistentry id="max-recursion-depth">
8684 <term><command>max-recursion-depth</command></term>
8687 Sets the maximum number of levels of recursion
8688 that are permitted at any one time while servicing
8689 a recursive query. Resolving a name may require
8690 looking up a name server address, which in turn
8691 requires resolving another name, etc; if the number
8692 of indirections exceeds this value, the recursive
8693 query is terminated and returns SERVFAIL. The
8699 <varlistentry id="max-recursion-queries">
8700 <term><command>max-recursion-queries</command></term>
8703 Sets the maximum number of iterative queries that
8704 may be sent while servicing a recursive query.
8705 If more queries are sent, the recursive query
8706 is terminated and returns SERVFAIL. The default
8713 <term><command>notify-delay</command></term>
8716 The delay, in seconds, between sending sets of notify
8717 messages for a zone. The default is five (5) seconds.
8720 The overall rate that NOTIFY messages are sent for all
8721 zones is controlled by <command>serial-query-rate</command>.
8727 <term><command>max-rsa-exponent-size</command></term>
8730 The maximum RSA exponent size, in bits, that will
8731 be accepted when validating. Valid values are 35
8732 to 4096 bits. The default zero (0) is also accepted
8733 and is equivalent to 4096.
8741 <sect3 id="builtin">
8742 <title>Built-in server information zones</title>
8745 The server provides some helpful diagnostic information
8746 through a number of built-in zones under the
8747 pseudo-top-level-domain <literal>bind</literal> in the
8748 <command>CHAOS</command> class. These zones are part
8750 built-in view (see <xref linkend="view_statement_grammar"/>) of
8752 <command>CHAOS</command> which is separate from the
8753 default view of class <command>IN</command>. Most global
8754 configuration options (<command>allow-query</command>,
8755 etc) will apply to this view, but some are locally
8756 overridden: <command>notify</command>,
8757 <command>recursion</command> and
8758 <command>allow-new-zones</command> are
8759 always set to <userinput>no</userinput>.
8762 If you need to disable these zones, use the options
8763 below, or hide the built-in <command>CHAOS</command>
8765 defining an explicit view of class <command>CHAOS</command>
8766 that matches all clients.
8772 <term><command>version</command></term>
8775 The version the server should report
8776 via a query of the name <literal>version.bind</literal>
8777 with type <command>TXT</command>, class <command>CHAOS</command>.
8778 The default is the real version number of this server.
8779 Specifying <command>version none</command>
8780 disables processing of the queries.
8786 <term><command>hostname</command></term>
8789 The hostname the server should report via a query of
8790 the name <filename>hostname.bind</filename>
8791 with type <command>TXT</command>, class <command>CHAOS</command>.
8792 This defaults to the hostname of the machine hosting the
8794 found by the gethostname() function. The primary purpose of such queries
8796 identify which of a group of anycast servers is actually
8797 answering your queries. Specifying <command>hostname none;</command>
8798 disables processing of the queries.
8804 <term><command>server-id</command></term>
8807 The ID the server should report when receiving a Name
8808 Server Identifier (NSID) query, or a query of the name
8809 <filename>ID.SERVER</filename> with type
8810 <command>TXT</command>, class <command>CHAOS</command>.
8811 The primary purpose of such queries is to
8812 identify which of a group of anycast servers is actually
8813 answering your queries. Specifying <command>server-id none;</command>
8814 disables processing of the queries.
8815 Specifying <command>server-id hostname;</command> will cause <command>named</command> to
8816 use the hostname as found by the gethostname() function.
8817 The default <command>server-id</command> is <command>none</command>.
8827 <title>Built-in Empty Zones</title>
8829 Named has some built-in empty zones (SOA and NS records only).
8830 These are for zones that should normally be answered locally
8831 and which queries should not be sent to the Internet's root
8832 servers. The official servers which cover these namespaces
8833 return NXDOMAIN responses to these queries. In particular,
8834 these cover the reverse namespaces for addresses from
8835 RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the
8836 reverse namespace for IPv6 local address (locally assigned),
8837 IPv6 link local addresses, the IPv6 loopback address and the
8838 IPv6 unknown address.
8841 Named will attempt to determine if a built-in zone already exists
8842 or is active (covered by a forward-only forwarding declaration)
8843 and will not create an empty zone in that case.
8846 The current list of empty zones is:
8848 <listitem>10.IN-ADDR.ARPA</listitem>
8849 <listitem>16.172.IN-ADDR.ARPA</listitem>
8850 <listitem>17.172.IN-ADDR.ARPA</listitem>
8851 <listitem>18.172.IN-ADDR.ARPA</listitem>
8852 <listitem>19.172.IN-ADDR.ARPA</listitem>
8853 <listitem>20.172.IN-ADDR.ARPA</listitem>
8854 <listitem>21.172.IN-ADDR.ARPA</listitem>
8855 <listitem>22.172.IN-ADDR.ARPA</listitem>
8856 <listitem>23.172.IN-ADDR.ARPA</listitem>
8857 <listitem>24.172.IN-ADDR.ARPA</listitem>
8858 <listitem>25.172.IN-ADDR.ARPA</listitem>
8859 <listitem>26.172.IN-ADDR.ARPA</listitem>
8860 <listitem>27.172.IN-ADDR.ARPA</listitem>
8861 <listitem>28.172.IN-ADDR.ARPA</listitem>
8862 <listitem>29.172.IN-ADDR.ARPA</listitem>
8863 <listitem>30.172.IN-ADDR.ARPA</listitem>
8864 <listitem>31.172.IN-ADDR.ARPA</listitem>
8865 <listitem>168.192.IN-ADDR.ARPA</listitem>
8866 <listitem>64.100.IN-ADDR.ARPA</listitem>
8867 <listitem>65.100.IN-ADDR.ARPA</listitem>
8868 <listitem>66.100.IN-ADDR.ARPA</listitem>
8869 <listitem>67.100.IN-ADDR.ARPA</listitem>
8870 <listitem>68.100.IN-ADDR.ARPA</listitem>
8871 <listitem>69.100.IN-ADDR.ARPA</listitem>
8872 <listitem>70.100.IN-ADDR.ARPA</listitem>
8873 <listitem>71.100.IN-ADDR.ARPA</listitem>
8874 <listitem>72.100.IN-ADDR.ARPA</listitem>
8875 <listitem>73.100.IN-ADDR.ARPA</listitem>
8876 <listitem>74.100.IN-ADDR.ARPA</listitem>
8877 <listitem>75.100.IN-ADDR.ARPA</listitem>
8878 <listitem>76.100.IN-ADDR.ARPA</listitem>
8879 <listitem>77.100.IN-ADDR.ARPA</listitem>
8880 <listitem>78.100.IN-ADDR.ARPA</listitem>
8881 <listitem>79.100.IN-ADDR.ARPA</listitem>
8882 <listitem>80.100.IN-ADDR.ARPA</listitem>
8883 <listitem>81.100.IN-ADDR.ARPA</listitem>
8884 <listitem>82.100.IN-ADDR.ARPA</listitem>
8885 <listitem>83.100.IN-ADDR.ARPA</listitem>
8886 <listitem>84.100.IN-ADDR.ARPA</listitem>
8887 <listitem>85.100.IN-ADDR.ARPA</listitem>
8888 <listitem>86.100.IN-ADDR.ARPA</listitem>
8889 <listitem>87.100.IN-ADDR.ARPA</listitem>
8890 <listitem>88.100.IN-ADDR.ARPA</listitem>
8891 <listitem>89.100.IN-ADDR.ARPA</listitem>
8892 <listitem>90.100.IN-ADDR.ARPA</listitem>
8893 <listitem>91.100.IN-ADDR.ARPA</listitem>
8894 <listitem>92.100.IN-ADDR.ARPA</listitem>
8895 <listitem>93.100.IN-ADDR.ARPA</listitem>
8896 <listitem>94.100.IN-ADDR.ARPA</listitem>
8897 <listitem>95.100.IN-ADDR.ARPA</listitem>
8898 <listitem>96.100.IN-ADDR.ARPA</listitem>
8899 <listitem>97.100.IN-ADDR.ARPA</listitem>
8900 <listitem>98.100.IN-ADDR.ARPA</listitem>
8901 <listitem>99.100.IN-ADDR.ARPA</listitem>
8902 <listitem>100.100.IN-ADDR.ARPA</listitem>
8903 <listitem>101.100.IN-ADDR.ARPA</listitem>
8904 <listitem>102.100.IN-ADDR.ARPA</listitem>
8905 <listitem>103.100.IN-ADDR.ARPA</listitem>
8906 <listitem>104.100.IN-ADDR.ARPA</listitem>
8907 <listitem>105.100.IN-ADDR.ARPA</listitem>
8908 <listitem>106.100.IN-ADDR.ARPA</listitem>
8909 <listitem>107.100.IN-ADDR.ARPA</listitem>
8910 <listitem>108.100.IN-ADDR.ARPA</listitem>
8911 <listitem>109.100.IN-ADDR.ARPA</listitem>
8912 <listitem>110.100.IN-ADDR.ARPA</listitem>
8913 <listitem>111.100.IN-ADDR.ARPA</listitem>
8914 <listitem>112.100.IN-ADDR.ARPA</listitem>
8915 <listitem>113.100.IN-ADDR.ARPA</listitem>
8916 <listitem>114.100.IN-ADDR.ARPA</listitem>
8917 <listitem>115.100.IN-ADDR.ARPA</listitem>
8918 <listitem>116.100.IN-ADDR.ARPA</listitem>
8919 <listitem>117.100.IN-ADDR.ARPA</listitem>
8920 <listitem>118.100.IN-ADDR.ARPA</listitem>
8921 <listitem>119.100.IN-ADDR.ARPA</listitem>
8922 <listitem>120.100.IN-ADDR.ARPA</listitem>
8923 <listitem>121.100.IN-ADDR.ARPA</listitem>
8924 <listitem>122.100.IN-ADDR.ARPA</listitem>
8925 <listitem>123.100.IN-ADDR.ARPA</listitem>
8926 <listitem>124.100.IN-ADDR.ARPA</listitem>
8927 <listitem>125.100.IN-ADDR.ARPA</listitem>
8928 <listitem>126.100.IN-ADDR.ARPA</listitem>
8929 <listitem>127.100.IN-ADDR.ARPA</listitem>
8930 <listitem>0.IN-ADDR.ARPA</listitem>
8931 <listitem>127.IN-ADDR.ARPA</listitem>
8932 <listitem>254.169.IN-ADDR.ARPA</listitem>
8933 <listitem>2.0.192.IN-ADDR.ARPA</listitem>
8934 <listitem>100.51.198.IN-ADDR.ARPA</listitem>
8935 <listitem>113.0.203.IN-ADDR.ARPA</listitem>
8936 <listitem>255.255.255.255.IN-ADDR.ARPA</listitem>
8937 <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
8938 <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
8939 <listitem>8.B.D.0.1.0.0.2.IP6.ARPA</listitem>
8940 <listitem>D.F.IP6.ARPA</listitem>
8941 <listitem>8.E.F.IP6.ARPA</listitem>
8942 <listitem>9.E.F.IP6.ARPA</listitem>
8943 <listitem>A.E.F.IP6.ARPA</listitem>
8944 <listitem>B.E.F.IP6.ARPA</listitem>
8948 Empty zones are settable at the view level and only apply to
8949 views of class IN. Disabled empty zones are only inherited
8950 from options if there are no disabled empty zones specified
8951 at the view level. To override the options list of disabled
8952 zones, you can disable the root zone at the view level, for example:
8954 disable-empty-zone ".";
8958 If you are using the address ranges covered here, you should
8959 already have reverse zones covering the addresses you use.
8960 In practice this appears to not be the case with many queries
8961 being made to the infrastructure servers for names in these
8962 spaces. So many in fact that sacrificial servers were needed
8963 to be deployed to channel the query load away from the
8964 infrastructure servers.
8967 The real parent servers for these zones should disable all
8968 empty zone under the parent zone they serve. For the real
8969 root servers, this is all built-in empty zones. This will
8970 enable them to return referrals to deeper in the tree.
8974 <term><command>empty-server</command></term>
8977 Specify what server name will appear in the returned
8978 SOA record for empty zones. If none is specified, then
8979 the zone's name will be used.
8985 <term><command>empty-contact</command></term>
8988 Specify what contact name will appear in the returned
8989 SOA record for empty zones. If none is specified, then
8996 <term><command>empty-zones-enable</command></term>
8999 Enable or disable all empty zones. By default, they
9006 <term><command>disable-empty-zone</command></term>
9009 Disable individual empty zones. By default, none are
9010 disabled. This option can be specified multiple times.
9018 <title>Additional Section Caching</title>
9021 The additional section cache, also called <command>acache</command>,
9022 is an internal cache to improve the response performance of BIND 9.
9023 When additional section caching is enabled, BIND 9 will
9024 cache an internal short-cut to the additional section content for
9026 Note that <command>acache</command> is an internal caching
9027 mechanism of BIND 9, and is not related to the DNS caching
9032 Additional section caching does not change the
9033 response content (except the RRsets ordering of the additional
9034 section, see below), but can improve the response performance
9036 It is particularly effective when BIND 9 acts as an authoritative
9037 server for a zone that has many delegations with many glue RRs.
9041 In order to obtain the maximum performance improvement
9042 from additional section caching, setting
9043 <command>additional-from-cache</command>
9044 to <command>no</command> is recommended, since the current
9045 implementation of <command>acache</command>
9046 does not short-cut of additional section information from the
9051 One obvious disadvantage of <command>acache</command> is
9052 that it requires much more
9053 memory for the internal cached data.
9054 Thus, if the response performance does not matter and memory
9055 consumption is much more critical, the
9056 <command>acache</command> mechanism can be
9057 disabled by setting <command>acache-enable</command> to
9058 <command>no</command>.
9059 It is also possible to specify the upper limit of memory
9061 for acache by using <command>max-acache-size</command>.
9065 Additional section caching also has a minor effect on the
9066 RRset ordering in the additional section.
9067 Without <command>acache</command>,
9068 <command>cyclic</command> order is effective for the additional
9069 section as well as the answer and authority sections.
9070 However, additional section caching fixes the ordering when it
9071 first caches an RRset for the additional section, and the same
9072 ordering will be kept in succeeding responses, regardless of the
9073 setting of <command>rrset-order</command>.
9074 The effect of this should be minor, however, since an
9075 RRset in the additional section
9076 typically only contains a small number of RRs (and in many cases
9077 it only contains a single RR), in which case the
9078 ordering does not matter much.
9082 The following is a summary of options related to
9083 <command>acache</command>.
9089 <term><command>acache-enable</command></term>
9092 If <command>yes</command>, additional section caching is
9093 enabled. The default value is <command>no</command>.
9099 <term><command>acache-cleaning-interval</command></term>
9102 The server will remove stale cache entries, based on an LRU
9104 algorithm, every <command>acache-cleaning-interval</command> minutes.
9105 The default is 60 minutes.
9106 If set to 0, no periodic cleaning will occur.
9112 <term><command>max-acache-size</command></term>
9115 The maximum amount of memory in bytes to use for the server's acache.
9116 When the amount of data in the acache reaches this limit,
9118 will clean more aggressively so that the limit is not
9120 In a server with multiple views, the limit applies
9122 acache of each view.
9123 The default is <literal>16M</literal>.
9133 <title>Content Filtering</title>
9135 <acronym>BIND</acronym> 9 provides the ability to filter
9136 out DNS responses from external DNS servers containing
9137 certain types of data in the answer section.
9138 Specifically, it can reject address (A or AAAA) records if
9139 the corresponding IPv4 or IPv6 addresses match the given
9140 <varname>address_match_list</varname> of the
9141 <command>deny-answer-addresses</command> option.
9142 It can also reject CNAME or DNAME records if the "alias"
9143 name (i.e., the CNAME alias or the substituted query name
9144 due to DNAME) matches the
9145 given <varname>namelist</varname> of the
9146 <command>deny-answer-aliases</command> option, where
9147 "match" means the alias name is a subdomain of one of
9148 the <varname>name_list</varname> elements.
9149 If the optional <varname>namelist</varname> is specified
9150 with <command>except-from</command>, records whose query name
9151 matches the list will be accepted regardless of the filter
9153 Likewise, if the alias name is a subdomain of the
9154 corresponding zone, the <command>deny-answer-aliases</command>
9155 filter will not apply;
9156 for example, even if "example.com" is specified for
9157 <command>deny-answer-aliases</command>,
9159 <programlisting>www.example.com. CNAME xxx.example.com.</programlisting>
9162 returned by an "example.com" server will be accepted.
9166 In the <varname>address_match_list</varname> of the
9167 <command>deny-answer-addresses</command> option, only
9168 <varname>ip_addr</varname>
9169 and <varname>ip_prefix</varname>
9171 any <varname>key_id</varname> will be silently ignored.
9175 If a response message is rejected due to the filtering,
9176 the entire message is discarded without being cached, and
9177 a SERVFAIL error will be returned to the client.
9181 This filtering is intended to prevent "DNS rebinding attacks," in
9182 which an attacker, in response to a query for a domain name the
9183 attacker controls, returns an IP address within your own network or
9184 an alias name within your own domain.
9185 A naive web browser or script could then serve as an
9186 unintended proxy, allowing the attacker
9187 to get access to an internal node of your local network
9188 that couldn't be externally accessed otherwise.
9189 See the paper available at
9190 <ulink url="http://portal.acm.org/citation.cfm?id=1315245.1315298">
9191 http://portal.acm.org/citation.cfm?id=1315245.1315298
9193 for more details about the attacks.
9197 For example, if you own a domain named "example.net" and
9198 your internal network uses an IPv4 prefix 192.0.2.0/24,
9199 you might specify the following rules:
9202 <programlisting>deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
9203 deny-answer-aliases { "example.net"; };
9207 If an external attacker lets a web browser in your local
9208 network look up an IPv4 address of "attacker.example.com",
9209 the attacker's DNS server would return a response like this:
9212 <programlisting>attacker.example.com. A 192.0.2.1</programlisting>
9215 in the answer section.
9216 Since the rdata of this record (the IPv4 address) matches
9217 the specified prefix 192.0.2.0/24, this response will be
9222 On the other hand, if the browser looks up a legitimate
9223 internal web server "www.example.net" and the
9224 following response is returned to
9225 the <acronym>BIND</acronym> 9 server
9228 <programlisting>www.example.net. A 192.0.2.2</programlisting>
9231 it will be accepted since the owner name "www.example.net"
9232 matches the <command>except-from</command> element,
9237 Note that this is not really an attack on the DNS per se.
9238 In fact, there is nothing wrong for an "external" name to
9239 be mapped to your "internal" IP address or domain name
9240 from the DNS point of view.
9241 It might actually be provided for a legitimate purpose,
9242 such as for debugging.
9243 As long as the mapping is provided by the correct owner,
9244 it is not possible or does not make sense to detect
9245 whether the intent of the mapping is legitimate or not
9247 The "rebinding" attack must primarily be protected at the
9248 application that uses the DNS.
9249 For a large site, however, it may be difficult to protect
9250 all possible applications at once.
9251 This filtering feature is provided only to help such an
9252 operational environment;
9253 it is generally discouraged to turn it on unless you are
9254 very sure you have no other choice and the attack is a
9255 real threat for your applications.
9259 Care should be particularly taken if you want to use this
9260 option for addresses within 127.0.0.0/8.
9261 These addresses are obviously "internal", but many
9262 applications conventionally rely on a DNS mapping from
9263 some name to such an address.
9264 Filtering out DNS records containing this address
9265 spuriously can break such applications.
9270 <title>Response Policy Zone (RPZ) Rewriting</title>
9272 <acronym>BIND</acronym> 9 includes a limited
9273 mechanism to modify DNS responses for requests
9274 analogous to email anti-spam DNS blacklists.
9275 Responses can be changed to deny the existence of domains(NXDOMAIN),
9276 deny the existence of IP addresses for domains (NODATA),
9277 or contain other IP addresses or data.
9281 Response policy zones are named in the
9282 <command>response-policy</command> option for the view or among the
9283 global options if there is no response-policy option for the view.
9284 RPZs are ordinary DNS zones containing RRsets
9285 that can be queried normally if allowed.
9286 It is usually best to restrict those queries with something like
9287 <command>allow-query { localhost; };</command>.
9291 Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP,
9293 QNAME RPZ records triggered by query names of requests and targets
9294 of CNAME records resolved to generate the response.
9295 The owner name of a QNAME RPZ record is the query name relativized
9300 The second kind of RPZ trigger is an IP address in an A and AAAA
9301 record in the ANSWER section of a response.
9302 IP address triggers are encoded in records that have owner names
9303 that are subdomains of <userinput>rpz-ip</userinput> relativized
9304 to the RPZ origin name and encode an IP address or address block.
9305 IPv4 trigger addresses are represented as
9306 <userinput>prefixlength.B4.B3.B2.B1.rpz-ip</userinput>.
9307 The prefix length must be between 1 and 32.
9308 All four bytes, B4, B3, B2, and B1, must be present.
9309 B4 is the decimal value of the least significant byte of the
9310 IPv4 address as in IN-ADDR.ARPA.
9311 IPv6 addresses are encoded in a format similar to the standard
9312 IPv6 text representation,
9313 <userinput>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</userinput>.
9314 Each of W8,...,W1 is a one to four digit hexadecimal number
9315 representing 16 bits of the IPv6 address as in the standard text
9316 representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
9317 All 8 words must be present except when consecutive
9318 zero words are replaced with <userinput>.zz.</userinput>
9319 analogous to double colons (::) in standard IPv6 text encodings.
9320 The prefix length must be between 1 and 128.
9324 NSDNAME triggers match names of authoritative servers
9325 for the query name, a parent of the query name, a CNAME for
9326 query name, or a parent of a CNAME.
9327 They are encoded as subdomains of
9328 <userinput>rpz-nsdomain</userinput> relativized
9329 to the RPZ origin name.
9330 NSIP triggers match IP addresses in A and
9331 AAAA RRsets for domains that can be checked against NSDNAME
9333 NSIP triggers are encoded like IP triggers except as subdomains of
9334 <userinput>rpz-nsip</userinput>.
9335 NSDNAME and NSIP triggers are checked only for names with at
9336 least <command>min-ns-dots</command> dots.
9337 The default value of <command>min-ns-dots</command> is 1 to
9338 exclude top level domains.
9342 The query response is checked against all RPZs, so
9343 two or more policy records can be triggered by a response.
9344 Because DNS responses can be rewritten according to at most one
9345 policy record, a single record encoding an action (other than
9346 <command>DISABLED</command> actions) must be chosen.
9347 Triggers or the records that encode them are chosen in
9348 the following order:
9350 <listitem>Choose the triggered record in the zone that appears
9351 first in the response-policy option.
9353 <listitem>Prefer QNAME to IP to NSDNAME to NSIP triggers
9356 <listitem>Among NSDNAME triggers, prefer the
9357 trigger that matches the smallest name under the DNSSEC ordering.
9359 <listitem>Among IP or NSIP triggers, prefer the trigger
9360 with the longest prefix.
9362 <listitem>Among triggers with the same prefex length,
9363 prefer the IP or NSIP trigger that matches
9364 the smallest IP address.
9370 When the processing of a response is restarted to resolve
9371 DNAME or CNAME records and a policy record set has
9373 all RPZs are again consulted for the DNAME or CNAME names
9378 RPZ record sets are sets of any types of DNS record except
9379 DNAME or DNSSEC that encode actions or responses to queries.
9381 <listitem>The <command>NXDOMAIN</command> response is encoded
9382 by a CNAME whose target is the root domain (.)
9384 <listitem>A CNAME whose target is the wildcard top-level
9385 domain (*.) specifies the <command>NODATA</command> action,
9386 which rewrites the response to NODATA or ANCOUNT=1.
9388 <listitem>The <command>Local Data</command> action is
9389 represented by a set ordinary DNS records that are used
9390 to answer queries. Queries for record types not the
9391 set are answered with NODATA.
9393 A special form of local data is a CNAME whose target is a
9394 wildcard such as *.example.com.
9395 It is used as if were an ordinary CNAME after the astrisk (*)
9396 has been replaced with the query name.
9397 The purpose for this special form is query logging in the
9398 walled garden's authority DNS server.
9400 <listitem>The <command>PASSTHRU</command> policy is specified
9401 by a CNAME whose target is <command>rpz-passthru.</command>
9402 It causes the response to not be rewritten
9403 and is most often used to "poke holes" in policies for
9405 (A CNAME whose target is the variable part of its owner name
9406 is an obsolete specification of the PASSTHRU policy.)
9412 The actions specified in an RPZ can be overridden with a
9413 <command>policy</command> clause in the
9414 <command>response-policy</command> option.
9415 An organization using an RPZ provided by another organization might
9416 use this mechanism to redirect domains to its own walled garden.
9418 <listitem><command>GIVEN</command> says "do not override but
9419 perform the action specified in the zone."
9421 <listitem><command>DISABLED</command> causes policy records to do
9422 nothing but log what they might have done.
9423 The response to the DNS query will be written according to
9424 any triggered policy records that are not disabled.
9425 Disabled policy zones should appear first,
9426 because they will often not be logged
9427 if a higher precedence trigger is found first.
9429 <listitem><command>PASSTHRU</command> causes all policy records
9430 to act as if they were CNAME records with targets the variable
9431 part of their owner name. They protect the response from
9434 <listitem><command>NXDOMAIN</command> causes all RPZ records
9435 to specify NXDOMAIN policies.
9437 <listitem><command>NODATA</command> overrides with the
9440 <listitem><command>CNAME domain</command> causes all RPZ
9441 policy records to act as if they were "cname domain" records.
9447 By default, the actions encoded in an RPZ are applied
9448 only to queries that ask for recursion (RD=1).
9449 That default can be changed for a single RPZ or all RPZs in a view
9450 with a <command>recursive-only no</command> clause.
9451 This feature is useful for serving the same zone files
9452 both inside and outside an RFC 1918 cloud and using RPZ to
9453 delete answers that would otherwise contain RFC 1918 values
9454 on the externally visible name server or view.
9458 Also by default, RPZ actions are applied only to DNS requests that
9459 either do not request DNSSEC metadata (DO=0) or when no DNSSEC
9460 records are available for request name in the original zone (not
9461 the response policy zone).
9462 This default can be changed for all RPZs in a view with a
9463 <command>break-dnssec yes</command> clause.
9464 In that case, RPZ actions are applied regardless of DNSSEC.
9465 The name of the clause option reflects the fact that results
9466 rewritten by RPZ actions cannot verify.
9470 The TTL of a record modified by RPZ policies is set from the
9471 TTL of the relevant record in policy zone. It is then limited
9473 The <command>max-policy-ttl</command> clause changes that
9474 maximum from its default of 5.
9478 For example, you might use this option statement
9480 <programlisting> response-policy { zone "badlist"; };</programlisting>
9482 and this zone statement
9484 <programlisting> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</programlisting>
9488 <programlisting>$TTL 1H
9489 @ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
9492 ; QNAME policy records. There are no periods (.) after the owner names.
9493 nxdomain.domain.com CNAME . ; NXDOMAIN policy
9494 nodata.domain.com CNAME *. ; NODATA policy
9495 bad.domain.com A 10.0.0.1 ; redirect to a walled garden
9498 ; do not rewrite (PASSTHRU) OK.DOMAIN.COM
9499 ok.domain.com CNAME rpz-passthru.
9501 bzone.domain.com CNAME garden.example.com.
9503 ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
9504 *.bzone.domain.com CNAME *.garden.example.com.
9507 ; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
9508 8.0.0.0.127.rpz-ip CNAME .
9509 32.1.0.0.127.rpz-ip CNAME rpz-passthru.
9511 ; NSDNAME and NSIP policy records
9512 ns.domain.com.rpz-nsdname CNAME .
9513 48.zz.2.2001.rpz-nsip CNAME .
9516 RPZ can affect server performance.
9517 Each configured response policy zone requires the server to
9518 perform one to four additional database lookups before a
9519 query can be answered.
9520 For example, a DNS server with four policy zones, each with all
9521 four kinds of response triggers, QNAME, IP, NSIP, and
9522 NSDNAME, requires a total of 17 times as many database
9523 lookups as a similar DNS server with no response policy zones.
9524 A <acronym>BIND9</acronym> server with adequate memory and one
9525 response policy zone with QNAME and IP triggers might achieve a
9526 maximum queries-per-second rate about 20% lower.
9527 A server with four response policy zones with QNAME and IP
9528 triggers might have a maximum QPS rate about 50% lower.
9532 Responses rewritten by RPZ are counted in the
9533 <command>RPZRewrites</command> statistics.
9538 <title>Response Rate Limiting</title>
9540 This feature is only available when <acronym>BIND</acronym> 9
9541 is compiled with the <userinput>--enable-rrl</userinput>
9542 option on the "configure" command line.
9545 Excessive almost identical UDP <emphasis>responses</emphasis>
9546 can be controlled by configuring a
9547 <command>rate-limit</command> clause in an
9548 <command>options</command> or <command>view</command> statement.
9549 This mechanism keeps authoritative BIND 9 from being used
9550 in amplifying reflection denial of service (DoS) attacks.
9551 Short truncated (TC=1) responses can be sent to provide
9552 rate-limited responses to legitimate clients within
9553 a range of forged, attacked IP addresses.
9554 Legitimate clients react to dropped or truncated response
9555 by retrying with UDP or with TCP respectively.
9559 This mechanism is intended for authoritative DNS servers.
9560 It can be used on recursive servers but can slow
9561 applications such as SMTP servers (mail receivers) and
9562 HTTP clients (web browsers) that repeatedly request the
9564 When possible, closing "open" recursive servers is better.
9568 Response rate limiting uses a "credit" or "token bucket" scheme.
9569 Each combination of identical response and client
9570 has a conceptual account that earns a specified number
9571 of credits every second.
9572 A prospective response debits its account by one.
9573 Responses are dropped or truncated
9574 while the account is negative.
9575 Responses are tracked within a rolling window of time
9576 which defaults to 15 seconds, but can be configured with
9577 the <command>window</command> option to any value from
9578 1 to 3600 seconds (1 hour).
9579 The account cannot become more positive than
9580 the per-second limit
9581 or more negative than <command>window</command>
9582 times the per-second limit.
9583 When the specified number of credits for a class of
9584 responses is set to 0, those responses are not rate limited.
9588 The notions of "identical response" and "DNS client"
9589 for rate limiting are not simplistic.
9590 All responses to an address block are counted as if to a
9592 The prefix lengths of addresses blocks are
9593 specified with <command>ipv4-prefix-length</command> (default 24)
9594 and <command>ipv6-prefix-length</command> (default 56).
9598 All non-empty responses for a valid domain name (qname)
9599 and record type (qtype) are identical and have a limit specified
9600 with <command>responses-per-second</command>
9601 (default 0 or no limit).
9602 All empty (NODATA) responses for a valid domain,
9603 regardless of query type, are identical.
9604 Responses in the NODATA class are limited by
9605 <command>nodata-per-second</command>
9606 (default <command>responses-per-second</command>).
9607 Requests for any and all undefined subdomains of a given
9608 valid domain result in NXDOMAIN errors, and are identical
9609 regardless of query type.
9610 They are limited by <command>nxdomain-per-second</command>
9611 (default <command>responses-per-second</command>).
9612 This controls some attacks using random names, but
9613 can be relaxed or turned off (set to 0)
9614 on servers that expect many legitimate
9615 NXDOMAIN responses, such as from anti-spam blacklists.
9616 Referrals or delegations to the server of a given
9617 domain are identical and are limited by
9618 <command>referrals-per-second</command>
9619 (default <command>responses-per-second</command>).
9623 Responses generated from local wildcards are counted and limited
9624 as if they were for the parent domain name.
9625 This controls flooding using random.wild.example.com.
9629 All requests that result in DNS errors other
9630 than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
9631 regardless of requested name (qname) or record type (qtype).
9632 This controls attacks using invalid requests or distant,
9633 broken authoritative servers.
9634 By default the limit on errors is the same as the
9635 <command>responses-per-second</command> value,
9636 but it can be set separately with
9637 <command>errors-per-second</command>.
9641 Many attacks using DNS involve UDP requests with forged source
9643 Rate limiting prevents the use of BIND 9 to flood a network
9644 with responses to requests with forged source addresses,
9645 but could let a third party block responses to legitimate requests.
9646 There is a mechanism that can answer some legitimate
9647 requests from a client whose address is being forged in a flood.
9648 Setting <command>slip</command> to 2 (its default) causes every
9649 other UDP request to be answered with a small truncated (TC=1)
9651 The small size and reduced frequency, and so lack of
9652 amplification, of "slipped" responses make them unattractive
9653 for reflection DoS attacks.
9654 <command>slip</command> must be between 0 and 10.
9655 A value of 0 does not "slip":
9656 no truncated responses are sent due to rate limiting,
9657 all responses are dropped.
9658 A value of 1 causes every response to slip;
9659 values between 2 and 10 cause every n'th response to slip.
9660 Some error responses including REFUSED and SERVFAIL
9661 cannot be replaced with truncated responses and are instead
9662 leaked at the <command>slip</command> rate.
9666 (NOTE: Dropped responses from an authoritative server may
9667 reduce the difficulty of a third party successfully forging
9668 a response to a recursive resolver. The best security
9669 against forged responses is for authoritative operators
9670 to sign their zones using DNSSEC and for resolver operators
9671 to validate the responses. When this is not an option,
9672 operators who are more concerned with response integrity
9673 than with flood mitigation may consider setting
9674 <command>slip</command> to 1, causing all rate-limited
9675 responses to be truncated rather than dropped. This reduces
9676 the effectiveness of rate-limiting against reflection attacks.)
9680 When the approximate query per second rate exceeds
9681 the <command>qps-scale</command> value,
9682 then the <command>responses-per-second</command>,
9683 <command>errors-per-second</command>,
9684 <command>nxdomains-per-second</command> and
9685 <command>all-per-second</command> values are reduced by the
9686 ratio of the current rate to the <command>qps-scale</command> value.
9687 This feature can tighten defenses during attacks.
9689 <command>qps-scale 250; responses-per-second 20;</command> and
9690 a total query rate of 1000 queries/second for all queries from
9691 all DNS clients including via TCP,
9692 then the effective responses/second limit changes to
9694 Responses sent via TCP are not limited
9695 but are counted to compute the query per second rate.
9699 Communities of DNS clients can be given their own parameters or no
9700 rate limiting by putting
9701 <command>rate-limit</command> statements in <command>view</command>
9702 statements instead of the global <command>option</command>
9704 A <command>rate-limit</command> statement in a view replaces,
9705 rather than supplementing, a <command>rate-limit</command>
9706 statement among the main options.
9707 DNS clients within a view can be exempted from rate limits
9708 with the <command>exempt-clients</command> clause.
9712 UDP responses of all kinds can be limited with the
9713 <command>all-per-second</command> phrase.
9714 This rate limiting is unlike the rate limiting provided by
9715 <command>responses-per-second</command>,
9716 <command>errors-per-second</command>, and
9717 <command>nxdomains-per-second</command> on a DNS server
9718 which are often invisible to the victim of a DNS reflection attack.
9719 Unless the forged requests of the attack are the same as the
9720 legitimate requests of the victim, the victim's requests are
9722 Responses affected by an <command>all-per-second</command> limit
9723 are always dropped; the <command>slip</command> value has no
9725 An <command>all-per-second</command> limit should be
9726 at least 4 times as large as the other limits,
9727 because single DNS clients often send bursts of legitimate
9729 For example, the receipt of a single mail message can prompt
9730 requests from an SMTP server for NS, PTR, A, and AAAA records
9731 as the incoming SMTP/TCP/IP connection is considered.
9732 The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF
9733 records as it considers the STMP <command>Mail From</command>
9735 Web browsers often repeatedly resolve the same names that
9736 are repeated in HTML <IMG> tags in a page.
9737 <command>All-per-second</command> is similar to the
9738 rate limiting offered by firewalls but often inferior.
9739 Attacks that justify ignoring the
9740 contents of DNS responses are likely to be attacks on the
9742 They usually should be discarded before the DNS server
9743 spends resources making TCP connections or parsing DNS requests,
9744 but that rate limiting must be done before the
9745 DNS server sees the requests.
9749 The maximum size of the table used to track requests and
9750 rate limit responses is set with <command>max-table-size</command>.
9751 Each entry in the table is between 40 and 80 bytes.
9752 The table needs approximately as many entries as the number
9753 of requests received per second.
9754 The default is 20,000.
9755 To reduce the cold start of growing the table,
9756 <command>min-table-size</command> (default 500)
9757 can set the minimum table size.
9758 Enable <command>rate-limit</command> category logging to monitor
9759 expansions of the table and inform
9760 choices for the initial and maximum table size.
9764 Use <command>log-only yes</command> to test rate limiting parameters
9765 without actually dropping any requests.
9769 Responses dropped by rate limits are included in the
9770 <command>RateDropped</command> and <command>QryDropped</command>
9772 Responses that truncated by rate limits are included in
9773 <command>RateSlipped</command> and <command>RespTruncated</command>.
9778 <sect2 id="server_statement_grammar">
9779 <title><command>server</command> Statement Grammar</title>
9781 <programlisting><command>server</command> <replaceable>ip_addr[/prefixlen]</replaceable> {
9782 <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
9783 <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
9784 <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
9785 <optional> request-nsid <replaceable>yes_or_no</replaceable> ; </optional>
9786 <optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
9787 <optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
9788 <optional> max-udp-size <replaceable>number</replaceable> ; </optional>
9789 <optional> transfers <replaceable>number</replaceable> ; </optional>
9790 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
9791 <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
9792 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
9793 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
9794 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
9795 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
9796 <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
9797 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
9798 <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
9799 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
9800 <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
9801 <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
9802 <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
9808 <sect2 id="server_statement_definition_and_usage">
9809 <title><command>server</command> Statement Definition and
9813 The <command>server</command> statement defines
9815 to be associated with a remote name server. If a prefix length is
9816 specified, then a range of servers is covered. Only the most
9818 server clause applies regardless of the order in
9819 <filename>named.conf</filename>.
9823 The <command>server</command> statement can occur at
9824 the top level of the
9825 configuration file or inside a <command>view</command>
9827 If a <command>view</command> statement contains
9828 one or more <command>server</command> statements, only
9830 apply to the view and any top-level ones are ignored.
9831 If a view contains no <command>server</command>
9833 any top-level <command>server</command> statements are
9839 If you discover that a remote server is giving out bad data,
9840 marking it as bogus will prevent further queries to it. The
9842 value of <command>bogus</command> is <command>no</command>.
9845 The <command>provide-ixfr</command> clause determines
9847 the local server, acting as master, will respond with an
9849 zone transfer when the given remote server, a slave, requests it.
9850 If set to <command>yes</command>, incremental transfer
9852 whenever possible. If set to <command>no</command>,
9854 to the remote server will be non-incremental. If not set, the
9856 of the <command>provide-ixfr</command> option in the
9858 global options block is used as a default.
9862 The <command>request-ixfr</command> clause determines
9864 the local server, acting as a slave, will request incremental zone
9865 transfers from the given remote server, a master. If not set, the
9866 value of the <command>request-ixfr</command> option in
9867 the view or global options block is used as a default. It may
9868 also be set in the zone block and, if set there, it will
9869 override the global or view setting for that zone.
9873 IXFR requests to servers that do not support IXFR will
9875 fall back to AXFR. Therefore, there is no need to manually list
9876 which servers support IXFR and which ones do not; the global
9878 of <command>yes</command> should always work.
9879 The purpose of the <command>provide-ixfr</command> and
9880 <command>request-ixfr</command> clauses is
9881 to make it possible to disable the use of IXFR even when both
9883 and slave claim to support it, for example if one of the servers
9884 is buggy and crashes or corrupts data when IXFR is used.
9888 The <command>edns</command> clause determines whether
9889 the local server will attempt to use EDNS when communicating
9890 with the remote server. The default is <command>yes</command>.
9894 The <command>edns-udp-size</command> option sets the EDNS UDP size
9895 that is advertised by <command>named</command> when querying the remote server.
9896 Valid values are 512 to 4096 bytes (values outside this range will be
9897 silently adjusted). This option is useful when you wish to
9898 advertises a different value to this server than the value you
9899 advertise globally, for example, when there is a firewall at the
9900 remote site that is blocking large replies.
9904 The <command>max-udp-size</command> option sets the
9905 maximum EDNS UDP message size <command>named</command> will send. Valid
9906 values are 512 to 4096 bytes (values outside this range will
9907 be silently adjusted). This option is useful when you
9908 know that there is a firewall that is blocking large
9909 replies from <command>named</command>.
9913 The server supports two zone transfer methods. The first, <command>one-answer</command>,
9914 uses one DNS message per resource record transferred. <command>many-answers</command> packs
9915 as many resource records as possible into a message. <command>many-answers</command> is
9916 more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
9917 8.x, and patched versions of <acronym>BIND</acronym>
9918 4.9.5. You can specify which method
9919 to use for a server with the <command>transfer-format</command> option.
9920 If <command>transfer-format</command> is not
9921 specified, the <command>transfer-format</command>
9923 by the <command>options</command> statement will be
9927 <para><command>transfers</command>
9928 is used to limit the number of concurrent inbound zone
9929 transfers from the specified server. If no
9930 <command>transfers</command> clause is specified, the
9931 limit is set according to the
9932 <command>transfers-per-ns</command> option.
9936 The <command>keys</command> clause identifies a
9937 <command>key_id</command> defined by the <command>key</command> statement,
9938 to be used for transaction security (TSIG, <xref linkend="tsig"/>)
9939 when talking to the remote server.
9940 When a request is sent to the remote server, a request signature
9941 will be generated using the key specified here and appended to the
9942 message. A request originating from the remote server is not
9944 to be signed by this key.
9948 Although the grammar of the <command>keys</command>
9950 allows for multiple keys, only a single key per server is
9956 The <command>transfer-source</command> and
9957 <command>transfer-source-v6</command> clauses specify
9958 the IPv4 and IPv6 source
9959 address to be used for zone transfer with the remote server,
9961 For an IPv4 remote server, only <command>transfer-source</command> can
9963 Similarly, for an IPv6 remote server, only
9964 <command>transfer-source-v6</command> can be
9966 For more details, see the description of
9967 <command>transfer-source</command> and
9968 <command>transfer-source-v6</command> in
9969 <xref linkend="zone_transfers"/>.
9973 The <command>notify-source</command> and
9974 <command>notify-source-v6</command> clauses specify the
9975 IPv4 and IPv6 source address to be used for notify
9976 messages sent to remote servers, respectively. For an
9977 IPv4 remote server, only <command>notify-source</command>
9978 can be specified. Similarly, for an IPv6 remote server,
9979 only <command>notify-source-v6</command> can be specified.
9983 The <command>query-source</command> and
9984 <command>query-source-v6</command> clauses specify the
9985 IPv4 and IPv6 source address to be used for queries
9986 sent to remote servers, respectively. For an IPv4
9987 remote server, only <command>query-source</command> can
9988 be specified. Similarly, for an IPv6 remote server,
9989 only <command>query-source-v6</command> can be specified.
9993 The <command>request-nsid</command> clause determines
9994 whether the local server will add a NSID EDNS option
9995 to requests sent to the server. This overrides
9996 <command>request-nsid</command> set at the view or
10001 <sect2 id="statschannels">
10002 <title><command>statistics-channels</command> Statement Grammar</title>
10004 <programlisting><command>statistics-channels</command> {
10005 [ inet ( ip_addr | * ) [ port ip_port ]
10006 [ allow { <replaceable> address_match_list </replaceable> } ]; ]
10013 <title><command>statistics-channels</command> Statement Definition and
10017 The <command>statistics-channels</command> statement
10018 declares communication channels to be used by system
10019 administrators to get access to statistics information of
10024 This statement intends to be flexible to support multiple
10025 communication protocols in the future, but currently only
10026 HTTP access is supported.
10027 It requires that BIND 9 be compiled with libxml2;
10028 the <command>statistics-channels</command> statement is
10029 still accepted even if it is built without the library,
10030 but any HTTP access will fail with an error.
10034 An <command>inet</command> control channel is a TCP socket
10035 listening at the specified <command>ip_port</command> on the
10036 specified <command>ip_addr</command>, which can be an IPv4 or IPv6
10037 address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
10038 interpreted as the IPv4 wildcard address; connections will be
10039 accepted on any of the system's IPv4 addresses.
10040 To listen on the IPv6 wildcard address,
10041 use an <command>ip_addr</command> of <literal>::</literal>.
10045 If no port is specified, port 80 is used for HTTP channels.
10046 The asterisk "<literal>*</literal>" cannot be used for
10047 <command>ip_port</command>.
10051 The attempt of opening a statistics channel is
10052 restricted by the optional <command>allow</command> clause.
10053 Connections to the statistics channel are permitted based on the
10054 <command>address_match_list</command>.
10055 If no <command>allow</command> clause is present,
10056 <command>named</command> accepts connection
10057 attempts from any address; since the statistics may
10058 contain sensitive internal information, it is highly
10059 recommended to restrict the source of connection requests
10064 If no <command>statistics-channels</command> statement is present,
10065 <command>named</command> will not open any communication channels.
10069 If the statistics channel is configured to listen on 127.0.0.1
10070 port 8888, then the statistics are accessible in XML format at
10071 <ulink url="http://127.0.0.1:8888/"
10072 >http://127.0.0.1:8888/</ulink> or
10073 <ulink url="http://127.0.0.1:8888/xml"
10074 >http://127.0.0.1:8888/xml</ulink>. A CSS file is
10075 included which can format the XML statistics into tables
10076 when viewed with a stylesheet-capable browser. When
10077 <acronym>BIND</acronym> 9 is configured with --enable-newstats,
10078 a new XML schema is used (version 3) which adds additional
10079 zone statistics and uses a flatter tree for more efficient
10080 parsing. The stylesheet included uses the Google Charts API
10081 to render data into into charts and graphs when using a
10082 javascript-capable browser.
10086 Applications that depend on a particular XML schema
10088 <ulink url="http://127.0.0.1:8888/xml/v2"
10089 >http://127.0.0.1:8888/xml/v2</ulink> for version 2
10090 of the statistics XML schema or
10091 <ulink url="http://127.0.0.1:8888/xml/v3"
10092 >http://127.0.0.1:8888/xml/v3</ulink> for version 3.
10093 If the requested schema is supported by the server, then
10094 it will respond; if not, it will return a "page not found"
10099 <sect2 id="trusted-keys">
10100 <title><command>trusted-keys</command> Statement Grammar</title>
10102 <programlisting><command>trusted-keys</command> {
10103 <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
10104 <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
10110 <title><command>trusted-keys</command> Statement Definition
10113 The <command>trusted-keys</command> statement defines
10114 DNSSEC security roots. DNSSEC is described in <xref
10115 linkend="DNSSEC"/>. A security root is defined when the
10116 public key for a non-authoritative zone is known, but
10117 cannot be securely obtained through DNS, either because
10118 it is the DNS root zone or because its parent zone is
10119 unsigned. Once a key has been configured as a trusted
10120 key, it is treated as if it had been validated and
10121 proven secure. The resolver attempts DNSSEC validation
10122 on all DNS data in subdomains of a security root.
10125 All keys (and corresponding zones) listed in
10126 <command>trusted-keys</command> are deemed to exist regardless
10127 of what parent zones say. Similarly for all keys listed in
10128 <command>trusted-keys</command> only those keys are
10129 used to validate the DNSKEY RRset. The parent's DS RRset
10133 The <command>trusted-keys</command> statement can contain
10134 multiple key entries, each consisting of the key's
10135 domain name, flags, protocol, algorithm, and the Base-64
10136 representation of the key data.
10137 Spaces, tabs, newlines and carriage returns are ignored
10138 in the key data, so the configuration may be split up into
10142 <command>trusted-keys</command> may be set at the top level
10143 of <filename>named.conf</filename> or within a view. If it is
10144 set in both places, they are additive: keys defined at the top
10145 level are inherited by all views, but keys defined in a view
10146 are only used within that view.
10151 <title><command>managed-keys</command> Statement Grammar</title>
10153 <programlisting><command>managed-keys</command> {
10154 <replaceable>name</replaceable> initial-key <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key-data</replaceable> ;
10155 <optional> <replaceable>name</replaceable> initial-key <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key-data</replaceable> ; <optional>...</optional></optional>
10160 <sect2 id="managed-keys">
10161 <title><command>managed-keys</command> Statement Definition
10164 The <command>managed-keys</command> statement, like
10165 <command>trusted-keys</command>, defines DNSSEC
10166 security roots. The difference is that
10167 <command>managed-keys</command> can be kept up to date
10168 automatically, without intervention from the resolver
10172 Suppose, for example, that a zone's key-signing
10173 key was compromised, and the zone owner had to revoke and
10174 replace the key. A resolver which had the old key in a
10175 <command>trusted-keys</command> statement would be
10176 unable to validate this zone any longer; it would
10177 reply with a SERVFAIL response code. This would
10178 continue until the resolver operator had updated the
10179 <command>trusted-keys</command> statement with the new key.
10182 If, however, the zone were listed in a
10183 <command>managed-keys</command> statement instead, then the
10184 zone owner could add a "stand-by" key to the zone in advance.
10185 <command>named</command> would store the stand-by key, and
10186 when the original key was revoked, <command>named</command>
10187 would be able to transition smoothly to the new key. It would
10188 also recognize that the old key had been revoked, and cease
10189 using that key to validate answers, minimizing the damage that
10190 the compromised key could do.
10193 A <command>managed-keys</command> statement contains a list of
10194 the keys to be managed, along with information about how the
10195 keys are to be initialized for the first time. The only
10196 initialization method currently supported (as of
10197 <acronym>BIND</acronym> 9.7.0) is <literal>initial-key</literal>.
10198 This means the <command>managed-keys</command> statement must
10199 contain a copy of the initializing key. (Future releases may
10200 allow keys to be initialized by other methods, eliminating this
10204 Consequently, a <command>managed-keys</command> statement
10205 appears similar to a <command>trusted-keys</command>, differing
10206 in the presence of the second field, containing the keyword
10207 <literal>initial-key</literal>. The difference is, whereas the
10208 keys listed in a <command>trusted-keys</command> continue to be
10209 trusted until they are removed from
10210 <filename>named.conf</filename>, an initializing key listed
10211 in a <command>managed-keys</command> statement is only trusted
10212 <emphasis>once</emphasis>: for as long as it takes to load the
10213 managed key database and start the RFC 5011 key maintenance
10217 The first time <command>named</command> runs with a managed key
10218 configured in <filename>named.conf</filename>, it fetches the
10219 DNSKEY RRset directly from the zone apex, and validates it
10220 using the key specified in the <command>managed-keys</command>
10221 statement. If the DNSKEY RRset is validly signed, then it is
10222 used as the basis for a new managed keys database.
10225 From that point on, whenever <command>named</command> runs, it
10226 sees the <command>managed-keys</command> statement, checks to
10227 make sure RFC 5011 key maintenance has already been initialized
10228 for the specified domain, and if so, it simply moves on. The
10229 key specified in the <command>managed-keys</command> is not
10230 used to validate answers; it has been superseded by the key or
10231 keys stored in the managed keys database.
10234 The next time <command>named</command> runs after a name
10235 has been <emphasis>removed</emphasis> from the
10236 <command>managed-keys</command> statement, the corresponding
10237 zone will be removed from the managed keys database,
10238 and RFC 5011 key maintenance will no longer be used for that
10242 <command>named</command> only maintains a single managed keys
10243 database; consequently, unlike <command>trusted-keys</command>,
10244 <command>managed-keys</command> may only be set at the top
10245 level of <filename>named.conf</filename>, not within a view.
10248 In the current implementation, the managed keys database is
10249 stored as a master-format zone file called
10250 <filename>managed-keys.bind</filename>. When the key database
10251 is changed, the zone is updated. As with any other dynamic
10252 zone, changes will be written into a journal file,
10253 <filename>managed-keys.bind.jnl</filename>. They are committed
10254 to the master file as soon as possible afterward; in the case
10255 of the managed key database, this will usually occur within 30
10256 seconds. So, whenever <command>named</command> is using
10257 automatic key maintenance, those two files can be expected to
10258 exist in the working directory. (For this reason among others,
10259 the working directory should be always be writable by
10260 <command>named</command>.)
10263 If the <command>dnssec-validation</command> option is
10264 set to <userinput>auto</userinput>, <command>named</command>
10265 will automatically initialize a managed key for the
10266 root zone. Similarly, if the <command>dnssec-lookaside</command>
10267 option is set to <userinput>auto</userinput>,
10268 <command>named</command> will automatically initialize
10269 a managed key for the zone <literal>dlv.isc.org</literal>.
10270 In both cases, the key that is used to initialize the key
10271 maintenance process is built into <command>named</command>,
10272 and can be overridden from <command>bindkeys-file</command>.
10276 <sect2 id="view_statement_grammar">
10277 <title><command>view</command> Statement Grammar</title>
10279 <programlisting><command>view</command> <replaceable>view_name</replaceable>
10280 <optional><replaceable>class</replaceable></optional> {
10281 match-clients { <replaceable>address_match_list</replaceable> };
10282 match-destinations { <replaceable>address_match_list</replaceable> };
10283 match-recursive-only <replaceable>yes_or_no</replaceable> ;
10284 <optional> <replaceable>view_option</replaceable>; ...</optional>
10285 <optional> <replaceable>zone_statement</replaceable>; ...</optional>
10291 <title><command>view</command> Statement Definition and Usage</title>
10294 The <command>view</command> statement is a powerful
10296 of <acronym>BIND</acronym> 9 that lets a name server
10297 answer a DNS query differently
10298 depending on who is asking. It is particularly useful for
10300 split DNS setups without having to run multiple servers.
10304 Each <command>view</command> statement defines a view
10306 DNS namespace that will be seen by a subset of clients. A client
10308 a view if its source IP address matches the
10309 <varname>address_match_list</varname> of the view's
10310 <command>match-clients</command> clause and its
10311 destination IP address matches
10312 the <varname>address_match_list</varname> of the
10314 <command>match-destinations</command> clause. If not
10316 <command>match-clients</command> and <command>match-destinations</command>
10317 default to matching all addresses. In addition to checking IP
10319 <command>match-clients</command> and <command>match-destinations</command>
10320 can also take <command>keys</command> which provide an
10322 client to select the view. A view can also be specified
10323 as <command>match-recursive-only</command>, which
10324 means that only recursive
10325 requests from matching clients will match that view.
10326 The order of the <command>view</command> statements is
10327 significant —
10328 a client request will be resolved in the context of the first
10329 <command>view</command> that it matches.
10333 Zones defined within a <command>view</command>
10335 only be accessible to clients that match the <command>view</command>.
10336 By defining a zone of the same name in multiple views, different
10337 zone data can be given to different clients, for example,
10339 and "external" clients in a split DNS setup.
10343 Many of the options given in the <command>options</command> statement
10344 can also be used within a <command>view</command>
10345 statement, and then
10346 apply only when resolving queries with that view. When no
10348 value is given, the value in the <command>options</command> statement
10349 is used as a default. Also, zone options can have default values
10351 in the <command>view</command> statement; these
10352 view-specific defaults
10353 take precedence over those in the <command>options</command> statement.
10357 Views are class specific. If no class is given, class IN
10358 is assumed. Note that all non-IN views must contain a hint zone,
10359 since only the IN class has compiled-in default hints.
10363 If there are no <command>view</command> statements in
10365 file, a default view that matches any client is automatically
10367 in class IN. Any <command>zone</command> statements
10369 the top level of the configuration file are considered to be part
10371 this default view, and the <command>options</command>
10373 apply to the default view. If any explicit <command>view</command>
10374 statements are present, all <command>zone</command>
10376 occur inside <command>view</command> statements.
10380 Here is an example of a typical split DNS setup implemented
10381 using <command>view</command> statements:
10384 <programlisting>view "internal" {
10385 // This should match our internal networks.
10386 match-clients { 10.0.0.0/8; };
10388 // Provide recursive service to internal
10392 // Provide a complete view of the example.com
10393 // zone including addresses of internal hosts.
10394 zone "example.com" {
10396 file "example-internal.db";
10401 // Match all clients not matched by the
10403 match-clients { any; };
10405 // Refuse recursive service to external clients.
10408 // Provide a restricted view of the example.com
10409 // zone containing only publicly accessible hosts.
10410 zone "example.com" {
10412 file "example-external.db";
10418 <sect2 id="zone_statement_grammar">
10419 <title><command>zone</command>
10420 Statement Grammar</title>
10422 <programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
10424 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
10425 <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
10426 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
10427 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
10428 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
10429 <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
10430 <optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
10431 <optional> update-policy <replaceable>local</replaceable> | { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
10432 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ;
10433 <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
10434 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
10435 <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
10436 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
10437 <optional> check-spf ( <replaceable>warn</replaceable> | <replaceable>ignore</replaceable> ); </optional>
10438 <optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
10439 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
10440 <optional> file <replaceable>string</replaceable> ; </optional>
10441 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
10442 <optional> journal <replaceable>string</replaceable> ; </optional>
10443 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
10444 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
10445 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
10446 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
10447 <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
10448 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
10449 <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
10450 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
10451 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
10452 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
10453 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
10454 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
10455 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
10456 <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
10457 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
10458 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10459 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10460 <optional> zone-statistics <replaceable>full</replaceable> | <replaceable>terse</replaceable> | <replaceable>none</replaceable>; </optional>
10461 <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
10462 <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
10463 <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
10464 <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
10465 <optional> database <replaceable>string</replaceable> ; </optional>
10466 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
10467 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
10468 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
10469 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
10470 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
10471 <optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>; </optional>
10472 <optional> inline-signing <replaceable>yes_or_no</replaceable>; </optional>
10473 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
10474 <optional> serial-update-method <constant>increment</constant>|<constant>unixtime</constant>; </optional>
10477 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
10479 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
10480 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
10481 <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
10482 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
10483 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
10484 <optional> dnssec-update-mode ( <replaceable>maintain</replaceable> | <replaceable>no-resign</replaceable> ); </optional>
10485 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
10486 <optional> dnssec-dnskey-kskonly <replaceable>yes_or_no</replaceable>; </optional>
10487 <optional> dnssec-loadkeys-interval <replaceable>number</replaceable>; </optional>
10488 <optional> dnssec-secure-to-insecure <replaceable>yes_or_no</replaceable> ; </optional>
10489 <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
10490 <optional> also-notify <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
10491 <optional>port <replaceable>ip_port</replaceable></optional>
10492 <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
10493 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
10494 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
10495 <optional> file <replaceable>string</replaceable> ; </optional>
10496 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
10497 <optional> journal <replaceable>string</replaceable> ; </optional>
10498 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
10499 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
10500 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
10501 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
10502 <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
10503 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
10504 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
10505 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
10506 <optional>port <replaceable>ip_port</replaceable></optional>
10507 <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
10508 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
10509 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
10510 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
10511 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
10512 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
10513 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
10514 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
10515 <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
10516 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
10517 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10518 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10519 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10520 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
10521 <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10522 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
10523 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10524 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10525 <optional> zone-statistics <replaceable>full</replaceable> | <replaceable>terse</replaceable> | <replaceable>none</replaceable>; </optional>
10526 <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
10527 <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
10528 <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
10529 <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
10530 <optional> database <replaceable>string</replaceable> ; </optional>
10531 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
10532 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
10533 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
10534 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
10535 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
10536 <optional> auto-dnssec <constant>allow</constant>|<constant>maintain</constant>|<constant>off</constant>; </optional>
10537 <optional> inline-signing <replaceable>yes_or_no</replaceable>; </optional>
10538 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
10539 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
10542 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
10544 file <replaceable>string</replaceable> ;
10545 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
10546 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional> // Not Implemented.
10549 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
10551 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
10552 <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
10553 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
10554 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
10555 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
10556 <optional> file <replaceable>string</replaceable> ; </optional>
10557 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
10558 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
10559 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
10560 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable>
10561 <optional>port <replaceable>ip_port</replaceable></optional>
10562 <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
10563 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
10564 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
10565 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
10566 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10567 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
10568 <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10569 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10570 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>)
10571 <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
10572 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
10573 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
10574 <optional> database <replaceable>string</replaceable> ; </optional>
10575 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
10576 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
10577 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
10578 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
10579 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
10582 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
10584 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
10585 <optional> server-addresses { <optional> <replaceable>ip_addr</replaceable> ; ... </optional> }; </optional>
10586 <optional> server-names { <optional> <replaceable>namelist</replaceable> </optional> }; </optional>
10587 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
10590 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
10592 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
10593 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
10594 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
10597 zone <replaceable>"."</replaceable> <optional><replaceable>class</replaceable></optional> {
10599 file <replaceable>string</replaceable> ;
10600 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
10601 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
10604 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
10605 type delegation-only;
10612 <title><command>zone</command> Statement Definition and Usage</title>
10614 <title>Zone Types</title>
10615 <informaltable colsep="0" rowsep="0">
10616 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10617 <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
10618 <!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
10619 <colspec colname="1" colnum="1" colsep="0"/>
10620 <colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
10623 <entry colname="1">
10625 <varname>master</varname>
10628 <entry colname="2">
10630 The server has a master copy of the data
10631 for the zone and will be able to provide authoritative
10638 <entry colname="1">
10640 <varname>slave</varname>
10643 <entry colname="2">
10645 A slave zone is a replica of a master
10646 zone. The <command>masters</command> list
10647 specifies one or more IP addresses
10648 of master servers that the slave contacts to update
10649 its copy of the zone.
10650 Masters list elements can also be names of other
10652 By default, transfers are made from port 53 on the
10654 be changed for all servers by specifying a port number
10656 list of IP addresses, or on a per-server basis after
10658 Authentication to the master can also be done with
10659 per-server TSIG keys.
10660 If a file is specified, then the
10661 replica will be written to this file whenever the zone
10663 and reloaded from this file on a server restart. Use
10665 recommended, since it often speeds server startup and
10667 a needless waste of bandwidth. Note that for large
10669 tens or hundreds of thousands) of zones per server, it
10671 use a two-level naming scheme for zone filenames. For
10673 a slave server for the zone <literal>example.com</literal> might place
10674 the zone contents into a file called
10675 <filename>ex/example.com</filename> where <filename>ex/</filename> is
10676 just the first two letters of the zone name. (Most
10678 behave very slowly if you put 100000 files into
10679 a single directory.)
10684 <entry colname="1">
10686 <varname>stub</varname>
10689 <entry colname="2">
10691 A stub zone is similar to a slave zone,
10692 except that it replicates only the NS records of a
10693 master zone instead
10694 of the entire zone. Stub zones are not a standard part
10696 they are a feature specific to the <acronym>BIND</acronym> implementation.
10700 Stub zones can be used to eliminate the need for glue
10702 in a parent zone at the expense of maintaining a stub
10704 a set of name server addresses in <filename>named.conf</filename>.
10705 This usage is not recommended for new configurations,
10707 supports it only in a limited way.
10708 In <acronym>BIND</acronym> 4/8, zone
10709 transfers of a parent zone
10710 included the NS records from stub children of that
10712 that, in some cases, users could get away with
10713 configuring child stubs
10714 only in the master server for the parent zone. <acronym>BIND</acronym>
10715 9 never mixes together zone data from different zones
10717 way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
10718 zone has child stub zones configured, all the slave
10720 parent zone also need to have the same child stub
10726 Stub zones can also be used as a way of forcing the
10728 of a given domain to use a particular set of
10729 authoritative servers.
10730 For example, the caching name servers on a private
10732 RFC1918 addressing may be configured with stub zones
10734 <literal>10.in-addr.arpa</literal>
10735 to use a set of internal name servers as the
10737 servers for that domain.
10742 <entry colname="1">
10744 <varname>static-stub</varname>
10747 <entry colname="2">
10749 A static-stub zone is similar to a stub zone
10750 with the following exceptions:
10751 the zone data is statically configured, rather
10752 than transferred from a master server;
10753 when recursion is necessary for a query that
10754 matches a static-stub zone, the locally
10755 configured data (nameserver names and glue addresses)
10756 is always used even if different authoritative
10757 information is cached.
10760 Zone data is configured via the
10761 <command>server-addresses</command> and
10762 <command>server-names</command> zone options.
10765 The zone data is maintained in the form of NS
10766 and (if necessary) glue A or AAAA RRs
10767 internally, which can be seen by dumping zone
10768 databases by <command>rndc dumpdb -all</command>.
10769 The configured RRs are considered local configuration
10770 parameters rather than public data.
10771 Non recursive queries (i.e., those with the RD
10772 bit off) to a static-stub zone are therefore
10773 prohibited and will be responded with REFUSED.
10776 Since the data is statically configured, no
10777 zone maintenance action takes place for a static-stub
10779 For example, there is no periodic refresh
10780 attempt, and an incoming notify message
10781 will be rejected with an rcode of NOTAUTH.
10784 Each static-stub zone is configured with
10785 internally generated NS and (if necessary)
10791 <entry colname="1">
10793 <varname>forward</varname>
10796 <entry colname="2">
10798 A "forward zone" is a way to configure
10799 forwarding on a per-domain basis. A <command>zone</command> statement
10800 of type <command>forward</command> can
10801 contain a <command>forward</command>
10802 and/or <command>forwarders</command>
10804 which will apply to queries within the domain given by
10806 name. If no <command>forwarders</command>
10807 statement is present or
10808 an empty list for <command>forwarders</command> is given, then no
10809 forwarding will be done for the domain, canceling the
10811 any forwarders in the <command>options</command> statement. Thus
10812 if you want to use this type of zone to change the
10814 global <command>forward</command> option
10815 (that is, "forward first"
10816 to, then "forward only", or vice versa, but want to
10818 servers as set globally) you need to re-specify the
10824 <entry colname="1">
10826 <varname>hint</varname>
10829 <entry colname="2">
10831 The initial set of root name servers is
10832 specified using a "hint zone". When the server starts
10834 the root hints to find a root name server and get the
10836 list of root name servers. If no hint zone is
10837 specified for class
10838 IN, the server uses a compiled-in default set of root
10840 Classes other than IN have no built-in defaults hints.
10845 <entry colname="1">
10847 <varname>redirect</varname>
10850 <entry colname="2">
10852 Redirect zones are used to provide answers to
10853 queries when normal resolution would result in
10854 NXDOMAIN being returned.
10855 Only one redirect zone is supported
10856 per view. <command>allow-query</command> can be
10857 used to restrict which clients see these answers.
10860 If the client has requested DNSSEC records (DO=1) and
10861 the NXDOMAIN response is signed then no substitution
10865 To redirect all NXDOMAIN responses to
10867 2001:ffff:ffff::100.100.100.2, one would
10868 configure a type redirect zone named ".",
10869 with the zone file containing wildcard records
10870 that point to the desired addresses:
10871 <literal>"*. IN A 100.100.100.2"</literal>
10873 <literal>"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</literal>.
10876 To redirect all Spanish names (under .ES) one
10877 would use similar entries but with the names
10878 "*.ES." instead of "*.". To redirect all
10879 commercial Spanish names (under COM.ES) one
10880 would use wildcard entries called "*.COM.ES.".
10883 Note that the redirect zone supports all
10884 possible types; it is not limited to A and
10888 Because redirect zones are not referenced
10889 directly by name, they are not kept in the
10890 zone lookup table with normal master and slave
10891 zones. Consequently, it is not currently possible
10893 <command>rndc reload
10894 <replaceable>zonename</replaceable></command>
10895 to reload a redirect zone. However, when using
10896 <command>rndc reload</command> without specifying
10897 a zone name, redirect zones will be reloaded along
10903 <entry colname="1">
10905 <varname>delegation-only</varname>
10908 <entry colname="2">
10910 This is used to enforce the delegation-only
10911 status of infrastructure zones (e.g. COM,
10912 NET, ORG). Any answer that is received
10913 without an explicit or implicit delegation
10914 in the authority section will be treated
10915 as NXDOMAIN. This does not apply to the
10916 zone apex. This should not be applied to
10920 <varname>delegation-only</varname> has no
10921 effect on answers received from forwarders.
10924 See caveats in <xref linkend="root_delegation_only"/>.
10934 <title>Class</title>
10936 The zone's name may optionally be followed by a class. If
10937 a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
10938 is assumed. This is correct for the vast majority of cases.
10941 The <literal>hesiod</literal> class is
10942 named for an information service from MIT's Project Athena. It
10944 used to share information about various systems databases, such
10945 as users, groups, printers and so on. The keyword
10946 <literal>HS</literal> is
10947 a synonym for hesiod.
10950 Another MIT development is Chaosnet, a LAN protocol created
10951 in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
10956 <title>Zone Options</title>
10961 <term><command>allow-notify</command></term>
10964 See the description of
10965 <command>allow-notify</command> in <xref linkend="access_control"/>.
10971 <term><command>allow-query</command></term>
10974 See the description of
10975 <command>allow-query</command> in <xref linkend="access_control"/>.
10981 <term><command>allow-query-on</command></term>
10984 See the description of
10985 <command>allow-query-on</command> in <xref linkend="access_control"/>.
10991 <term><command>allow-transfer</command></term>
10994 See the description of <command>allow-transfer</command>
10995 in <xref linkend="access_control"/>.
11001 <term><command>allow-update</command></term>
11004 See the description of <command>allow-update</command>
11005 in <xref linkend="access_control"/>.
11011 <term><command>update-policy</command></term>
11014 Specifies a "Simple Secure Update" policy. See
11015 <xref linkend="dynamic_update_policies"/>.
11021 <term><command>allow-update-forwarding</command></term>
11024 See the description of <command>allow-update-forwarding</command>
11025 in <xref linkend="access_control"/>.
11031 <term><command>also-notify</command></term>
11034 Only meaningful if <command>notify</command>
11036 active for this zone. The set of machines that will
11038 <literal>DNS NOTIFY</literal> message
11039 for this zone is made up of all the listed name servers
11041 the primary master) for the zone plus any IP addresses
11043 with <command>also-notify</command>. A port
11045 with each <command>also-notify</command>
11046 address to send the notify
11047 messages to a port other than the default of 53.
11048 A TSIG key may also be specified to cause the
11049 <literal>NOTIFY</literal> to be signed by the
11051 <command>also-notify</command> is not
11052 meaningful for stub zones.
11053 The default is the empty list.
11059 <term><command>check-names</command></term>
11062 This option is used to restrict the character set and
11064 certain domain names in master files and/or DNS responses
11066 network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
11067 zones the default is <command>warn</command>.
11068 It is not implemented for <command>hint</command> zones.
11074 <term><command>check-mx</command></term>
11077 See the description of
11078 <command>check-mx</command> in <xref linkend="boolean_options"/>.
11084 <term><command>check-spf</command></term>
11087 See the description of
11088 <command>check-spf</command> in <xref linkend="boolean_options"/>.
11094 <term><command>check-wildcard</command></term>
11097 See the description of
11098 <command>check-wildcard</command> in <xref linkend="boolean_options"/>.
11104 <term><command>check-integrity</command></term>
11107 See the description of
11108 <command>check-integrity</command> in <xref linkend="boolean_options"/>.
11114 <term><command>check-sibling</command></term>
11117 See the description of
11118 <command>check-sibling</command> in <xref linkend="boolean_options"/>.
11124 <term><command>zero-no-soa-ttl</command></term>
11127 See the description of
11128 <command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
11134 <term><command>update-check-ksk</command></term>
11137 See the description of
11138 <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
11144 <term><command>dnssec-update-mode</command></term>
11147 See the description of
11148 <command>dnssec-update-mode</command> in <xref linkend="options"/>.
11154 <term><command>dnssec-dnskey-kskonly</command></term>
11157 See the description of
11158 <command>dnssec-dnskey-kskonly</command> in <xref linkend="boolean_options"/>.
11164 <term><command>try-tcp-refresh</command></term>
11167 See the description of
11168 <command>try-tcp-refresh</command> in <xref linkend="boolean_options"/>.
11174 <term><command>database</command></term>
11177 Specify the type of database to be used for storing the
11178 zone data. The string following the <command>database</command> keyword
11179 is interpreted as a list of whitespace-delimited words.
11181 identifies the database type, and any subsequent words are
11183 as arguments to the database to be interpreted in a way
11185 to the database type.
11188 The default is <userinput>"rbt"</userinput>, BIND 9's
11190 red-black-tree database. This database does not take
11194 Other values are possible if additional database drivers
11195 have been linked into the server. Some sample drivers are
11197 with the distribution but none are linked in by default.
11203 <term><command>dialup</command></term>
11206 See the description of
11207 <command>dialup</command> in <xref linkend="boolean_options"/>.
11213 <term><command>delegation-only</command></term>
11216 The flag only applies to forward, hint and stub
11217 zones. If set to <userinput>yes</userinput>,
11218 then the zone will also be treated as if it is
11219 also a delegation-only type zone.
11222 See caveats in <xref linkend="root_delegation_only"/>.
11228 <term><command>forward</command></term>
11231 Only meaningful if the zone has a forwarders
11232 list. The <command>only</command> value causes
11234 after trying the forwarders and getting no answer, while <command>first</command> would
11235 allow a normal lookup to be tried.
11241 <term><command>forwarders</command></term>
11244 Used to override the list of global forwarders.
11245 If it is not specified in a zone of type <command>forward</command>,
11246 no forwarding is done for the zone and the global options are
11253 <term><command>ixfr-base</command></term>
11256 Was used in <acronym>BIND</acronym> 8 to
11258 of the transaction log (journal) file for dynamic update
11260 <acronym>BIND</acronym> 9 ignores the option
11261 and constructs the name of the journal
11262 file by appending "<filename>.jnl</filename>"
11270 <term><command>ixfr-tmp-file</command></term>
11273 Was an undocumented option in <acronym>BIND</acronym> 8.
11274 Ignored in <acronym>BIND</acronym> 9.
11280 <term><command>journal</command></term>
11283 Allow the default journal's filename to be overridden.
11284 The default is the zone's filename with "<filename>.jnl</filename>" appended.
11285 This is applicable to <command>master</command> and <command>slave</command> zones.
11291 <term><command>max-journal-size</command></term>
11294 See the description of
11295 <command>max-journal-size</command> in <xref linkend="server_resource_limits"/>.
11301 <term><command>max-transfer-time-in</command></term>
11304 See the description of
11305 <command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
11311 <term><command>max-transfer-idle-in</command></term>
11314 See the description of
11315 <command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
11321 <term><command>max-transfer-time-out</command></term>
11324 See the description of
11325 <command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
11331 <term><command>max-transfer-idle-out</command></term>
11334 See the description of
11335 <command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
11341 <term><command>notify</command></term>
11344 See the description of
11345 <command>notify</command> in <xref linkend="boolean_options"/>.
11351 <term><command>notify-delay</command></term>
11354 See the description of
11355 <command>notify-delay</command> in <xref linkend="tuning"/>.
11361 <term><command>notify-to-soa</command></term>
11364 See the description of
11365 <command>notify-to-soa</command> in
11366 <xref linkend="boolean_options"/>.
11372 <term><command>pubkey</command></term>
11375 In <acronym>BIND</acronym> 8, this option was
11376 intended for specifying
11377 a public zone key for verification of signatures in DNSSEC
11379 zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
11380 on load and ignores the option.
11386 <term><command>zone-statistics</command></term>
11389 If <userinput>yes</userinput>, the server will keep
11391 information for this zone, which can be dumped to the
11392 <command>statistics-file</command> defined in
11393 the server options.
11399 <term><command>server-addresses</command></term>
11402 Only meaningful for static-stub zones.
11403 This is a list of IP addresses to which queries
11404 should be sent in recursive resolution for the
11406 A non empty list for this option will internally
11407 configure the apex NS RR with associated glue A or
11411 For example, if "example.com" is configured as a
11412 static-stub zone with 192.0.2.1 and 2001:db8::1234
11413 in a <command>server-addresses</command> option,
11414 the following RRs will be internally configured.
11416 <programlisting>example.com. NS example.com.
11417 example.com. A 192.0.2.1
11418 example.com. AAAA 2001:db8::1234</programlisting>
11420 These records are internally used to resolve
11421 names under the static-stub zone.
11422 For instance, if the server receives a query for
11423 "www.example.com" with the RD bit on, the server
11424 will initiate recursive resolution and send
11425 queries to 192.0.2.1 and/or 2001:db8::1234.
11431 <term><command>server-names</command></term>
11434 Only meaningful for static-stub zones.
11435 This is a list of domain names of nameservers that
11436 act as authoritative servers of the static-stub
11438 These names will be resolved to IP addresses when
11439 <command>named</command> needs to send queries to
11441 To make this supplemental resolution successful,
11442 these names must not be a subdomain of the origin
11443 name of static-stub zone.
11444 That is, when "example.net" is the origin of a
11445 static-stub zone, "ns.example" and
11446 "master.example.com" can be specified in the
11447 <command>server-names</command> option, but
11448 "ns.example.net" cannot, and will be rejected by
11449 the configuration parser.
11452 A non empty list for this option will internally
11453 configure the apex NS RR with the specified names.
11454 For example, if "example.com" is configured as a
11455 static-stub zone with "ns1.example.net" and
11457 in a <command>server-names</command> option,
11458 the following RRs will be internally configured.
11460 <programlisting>example.com. NS ns1.example.net.
11461 example.com. NS ns2.example.net.
11464 These records are internally used to resolve
11465 names under the static-stub zone.
11466 For instance, if the server receives a query for
11467 "www.example.com" with the RD bit on, the server
11468 initiate recursive resolution,
11469 resolve "ns1.example.net" and/or
11470 "ns2.example.net" to IP addresses, and then send
11471 queries to (one or more of) these addresses.
11477 <term><command>sig-validity-interval</command></term>
11480 See the description of
11481 <command>sig-validity-interval</command> in <xref linkend="tuning"/>.
11487 <term><command>sig-signing-nodes</command></term>
11490 See the description of
11491 <command>sig-signing-nodes</command> in <xref linkend="tuning"/>.
11497 <term><command>sig-signing-signatures</command></term>
11500 See the description of
11501 <command>sig-signing-signatures</command> in <xref linkend="tuning"/>.
11507 <term><command>sig-signing-type</command></term>
11510 See the description of
11511 <command>sig-signing-type</command> in <xref linkend="tuning"/>.
11517 <term><command>transfer-source</command></term>
11520 See the description of
11521 <command>transfer-source</command> in <xref linkend="zone_transfers"/>.
11527 <term><command>transfer-source-v6</command></term>
11530 See the description of
11531 <command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
11537 <term><command>alt-transfer-source</command></term>
11540 See the description of
11541 <command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
11547 <term><command>alt-transfer-source-v6</command></term>
11550 See the description of
11551 <command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
11557 <term><command>use-alt-transfer-source</command></term>
11560 See the description of
11561 <command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
11568 <term><command>notify-source</command></term>
11571 See the description of
11572 <command>notify-source</command> in <xref linkend="zone_transfers"/>.
11578 <term><command>notify-source-v6</command></term>
11581 See the description of
11582 <command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
11588 <term><command>min-refresh-time</command></term>
11589 <term><command>max-refresh-time</command></term>
11590 <term><command>min-retry-time</command></term>
11591 <term><command>max-retry-time</command></term>
11594 See the description in <xref linkend="tuning"/>.
11600 <term><command>ixfr-from-differences</command></term>
11603 See the description of
11604 <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
11605 (Note that the <command>ixfr-from-differences</command>
11606 <userinput>master</userinput> and
11607 <userinput>slave</userinput> choices are not
11608 available at the zone level.)
11614 <term><command>key-directory</command></term>
11617 See the description of
11618 <command>key-directory</command> in <xref linkend="options"/>.
11624 <term><command>auto-dnssec</command></term>
11627 Zones configured for dynamic DNS may also use this
11628 option to allow varying levels of automatic DNSSEC key
11629 management. There are three possible settings:
11632 <command>auto-dnssec allow;</command> permits
11633 keys to be updated and the zone fully re-signed
11634 whenever the user issues the command <command>rndc sign
11635 <replaceable>zonename</replaceable></command>.
11638 <command>auto-dnssec maintain;</command> includes the
11639 above, but also automatically adjusts the zone's DNSSEC
11640 keys on schedule, according to the keys' timing metadata
11641 (see <xref linkend="man.dnssec-keygen"/> and
11642 <xref linkend="man.dnssec-settime"/>). The command
11644 <replaceable>zonename</replaceable></command> causes
11645 <command>named</command> to load keys from the key
11646 repository and sign the zone with all keys that are
11648 <command>rndc loadkeys
11649 <replaceable>zonename</replaceable></command> causes
11650 <command>named</command> to load keys from the key
11651 repository and schedule key maintenance events to occur
11652 in the future, but it does not sign the full zone
11653 immediately. Note: once keys have been loaded for a
11654 zone the first time, the repository will be searched
11655 for changes periodically, regardless of whether
11656 <command>rndc loadkeys</command> is used. The recheck
11657 interval is defined by
11658 <command>dnssec-loadkeys-interval</command>.)
11661 The default setting is <command>auto-dnssec off</command>.
11667 <term><command>serial-update-method</command></term>
11670 Zones configured for dynamic DNS may use this
11671 option to set the update method that will be used for
11672 the zone serial number in the SOA record.
11675 With the default setting of
11676 <command>serial-update-method increment;</command>, the
11677 SOA serial number will be incremented by one each time
11678 the zone is updated.
11682 <command>serial-update-method unixtime;</command>, the
11683 SOA serial number will be set to the number of seconds
11684 since the UNIX epoch, unless the serial number is
11685 already greater than or equal to that value, in which
11686 case it is simply incremented by one.
11692 <term><command>inline-signing</command></term>
11695 If <literal>yes</literal>, this enables
11696 "bump in the wire" signing of a zone, where a
11697 unsigned zone is transferred in or loaded from
11698 disk and a signed version of the zone is served,
11699 with possibly, a different serial number. This
11700 behaviour is disabled by default.
11706 <term><command>multi-master</command></term>
11709 See the description of <command>multi-master</command> in
11710 <xref linkend="boolean_options"/>.
11716 <term><command>masterfile-format</command></term>
11719 See the description of <command>masterfile-format</command>
11720 in <xref linkend="tuning"/>.
11726 <term><command>dnssec-secure-to-insecure</command></term>
11729 See the description of
11730 <command>dnssec-secure-to-insecure</command> in <xref linkend="boolean_options"/>.
11738 <sect3 id="dynamic_update_policies">
11739 <title>Dynamic Update Policies</title>
11740 <para><acronym>BIND</acronym> 9 supports two alternative
11741 methods of granting clients the right to perform
11742 dynamic updates to a zone, configured by the
11743 <command>allow-update</command> and
11744 <command>update-policy</command> option, respectively.
11747 The <command>allow-update</command> clause works the
11748 same way as in previous versions of <acronym>BIND</acronym>.
11749 It grants given clients the permission to update any
11750 record of any name in the zone.
11753 The <command>update-policy</command> clause
11754 allows more fine-grained control over what updates are
11755 allowed. A set of rules is specified, where each rule
11756 either grants or denies permissions for one or more
11757 names to be updated by one or more identities. If
11758 the dynamic update request message is signed (that is,
11759 it includes either a TSIG or SIG(0) record), the
11760 identity of the signer can be determined.
11763 Rules are specified in the <command>update-policy</command>
11764 zone option, and are only meaningful for master zones.
11765 When the <command>update-policy</command> statement
11766 is present, it is a configuration error for the
11767 <command>allow-update</command> statement to be
11768 present. The <command>update-policy</command> statement
11769 only examines the signer of a message; the source
11770 address is not relevant.
11773 There is a pre-defined <command>update-policy</command>
11774 rule which can be switched on with the command
11775 <command>update-policy local;</command>.
11776 Switching on this rule in a zone causes
11777 <command>named</command> to generate a TSIG session
11778 key and place it in a file, and to allow that key
11779 to update the zone. (By default, the file is
11780 <filename>/var/run/named/session.key</filename>, the key
11781 name is "local-ddns" and the key algorithm is HMAC-SHA256,
11782 but these values are configurable with the
11783 <command>session-keyfile</command>,
11784 <command>session-keyname</command> and
11785 <command>session-keyalg</command> options, respectively).
11788 A client running on the local system, and with appropriate
11789 permissions, may read that file and use the key to sign update
11790 requests. The zone's update policy will be set to allow that
11791 key to change any record within the zone. Assuming the
11792 key name is "local-ddns", this policy is equivalent to:
11795 <programlisting>update-policy { grant local-ddns zonesub any; };
11799 The command <command>nsupdate -l</command> sends update
11800 requests to localhost, and signs them using the session key.
11804 Other rule definitions look like this:
11808 ( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <optional> <replaceable>name</replaceable> </optional> <optional> <replaceable>types</replaceable> </optional>
11812 Each rule grants or denies privileges. Once a message has
11813 successfully matched a rule, the operation is immediately
11814 granted or denied and no further rules are examined. A rule
11815 is matched when the signer matches the identity field, the
11816 name matches the name field in accordance with the nametype
11817 field, and the type matches the types specified in the type
11821 No signer is required for <replaceable>tcp-self</replaceable>
11822 or <replaceable>6to4-self</replaceable> however the standard
11823 reverse mapping / prefix conversion must match the identity
11827 The identity field specifies a name or a wildcard
11828 name. Normally, this is the name of the TSIG or
11829 SIG(0) key used to sign the update request. When a
11830 TKEY exchange has been used to create a shared secret,
11831 the identity of the shared secret is the same as the
11832 identity of the key used to authenticate the TKEY
11833 exchange. TKEY is also the negotiation method used
11834 by GSS-TSIG, which establishes an identity that is
11835 the Kerberos principal of the client, such as
11836 <userinput>"user@host.domain"</userinput>. When the
11837 <replaceable>identity</replaceable> field specifies
11838 a wildcard name, it is subject to DNS wildcard
11839 expansion, so the rule will apply to multiple identities.
11840 The <replaceable>identity</replaceable> field must
11841 contain a fully-qualified domain name.
11844 For nametypes <varname>krb5-self</varname>,
11845 <varname>ms-self</varname>, <varname>krb5-subdomain</varname>,
11846 and <varname>ms-subdomain</varname> the
11847 <replaceable>identity</replaceable> field specifies
11848 the Windows or Kerberos realm of the machine belongs to.
11851 The <replaceable>nametype</replaceable> field has 13
11853 <varname>name</varname>, <varname>subdomain</varname>,
11854 <varname>wildcard</varname>, <varname>self</varname>,
11855 <varname>selfsub</varname>, <varname>selfwild</varname>,
11856 <varname>krb5-self</varname>, <varname>ms-self</varname>,
11857 <varname>krb5-subdomain</varname>,
11858 <varname>ms-subdomain</varname>,
11859 <varname>tcp-self</varname>, <varname>6to4-self</varname>,
11860 <varname>zonesub</varname>, and <varname>external</varname>.
11863 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
11864 <colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
11865 <colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
11868 <entry colname="1">
11870 <varname>name</varname>
11872 </entry> <entry colname="2">
11874 Exact-match semantics. This rule matches
11875 when the name being updated is identical
11876 to the contents of the
11877 <replaceable>name</replaceable> field.
11882 <entry colname="1">
11884 <varname>subdomain</varname>
11886 </entry> <entry colname="2">
11888 This rule matches when the name being updated
11889 is a subdomain of, or identical to, the
11890 contents of the <replaceable>name</replaceable>
11896 <entry colname="1">
11898 <varname>zonesub</varname>
11900 </entry> <entry colname="2">
11902 This rule is similar to subdomain, except that
11903 it matches when the name being updated is a
11904 subdomain of the zone in which the
11905 <command>update-policy</command> statement
11906 appears. This obviates the need to type the zone
11907 name twice, and enables the use of a standard
11908 <command>update-policy</command> statement in
11909 multiple zones without modification.
11912 When this rule is used, the
11913 <replaceable>name</replaceable> field is omitted.
11918 <entry colname="1">
11920 <varname>wildcard</varname>
11922 </entry> <entry colname="2">
11924 The <replaceable>name</replaceable> field
11925 is subject to DNS wildcard expansion, and
11926 this rule matches when the name being updated
11927 name is a valid expansion of the wildcard.
11932 <entry colname="1">
11934 <varname>self</varname>
11937 <entry colname="2">
11939 This rule matches when the name being updated
11940 matches the contents of the
11941 <replaceable>identity</replaceable> field.
11942 The <replaceable>name</replaceable> field
11943 is ignored, but should be the same as the
11944 <replaceable>identity</replaceable> field.
11945 The <varname>self</varname> nametype is
11946 most useful when allowing using one key per
11947 name to update, where the key has the same
11948 name as the name to be updated. The
11949 <replaceable>identity</replaceable> would
11950 be specified as <constant>*</constant> (an asterisk) in
11956 <entry colname="1">
11958 <varname>selfsub</varname>
11960 </entry> <entry colname="2">
11962 This rule is similar to <varname>self</varname>
11963 except that subdomains of <varname>self</varname>
11964 can also be updated.
11969 <entry colname="1">
11971 <varname>selfwild</varname>
11973 </entry> <entry colname="2">
11975 This rule is similar to <varname>self</varname>
11976 except that only subdomains of
11977 <varname>self</varname> can be updated.
11982 <entry colname="1">
11984 <varname>ms-self</varname>
11986 </entry> <entry colname="2">
11988 This rule takes a Windows machine principal
11989 (machine$@REALM) for machine in REALM and
11990 and converts it machine.realm allowing the machine
11991 to update machine.realm. The REALM to be matched
11992 is specified in the <replaceable>identity</replaceable>
11998 <entry colname="1">
12000 <varname>ms-subdomain</varname>
12002 </entry> <entry colname="2">
12004 This rule takes a Windows machine principal
12005 (machine$@REALM) for machine in REALM and
12006 converts it to machine.realm allowing the machine
12007 to update subdomains of machine.realm. The REALM
12008 to be matched is specified in the
12009 <replaceable>identity</replaceable> field.
12014 <entry colname="1">
12016 <varname>krb5-self</varname>
12018 </entry> <entry colname="2">
12020 This rule takes a Kerberos machine principal
12021 (host/machine@REALM) for machine in REALM and
12022 and converts it machine.realm allowing the machine
12023 to update machine.realm. The REALM to be matched
12024 is specified in the <replaceable>identity</replaceable>
12030 <entry colname="1">
12032 <varname>krb5-subdomain</varname>
12034 </entry> <entry colname="2">
12036 This rule takes a Kerberos machine principal
12037 (host/machine@REALM) for machine in REALM and
12038 converts it to machine.realm allowing the machine
12039 to update subdomains of machine.realm. The REALM
12040 to be matched is specified in the
12041 <replaceable>identity</replaceable> field.
12046 <entry colname="1">
12048 <varname>tcp-self</varname>
12050 </entry> <entry colname="2">
12052 Allow updates that have been sent via TCP and
12053 for which the standard mapping from the initiating
12054 IP address into the IN-ADDR.ARPA and IP6.ARPA
12055 namespaces match the name to be updated.
12058 It is theoretically possible to spoof these TCP
12064 <entry colname="1">
12066 <varname>6to4-self</varname>
12068 </entry> <entry colname="2">
12070 Allow the 6to4 prefix to be update by any TCP
12071 connection from the 6to4 network or from the
12072 corresponding IPv4 address. This is intended
12073 to allow NS or DNAME RRsets to be added to the
12077 It is theoretically possible to spoof these TCP
12083 <entry colname="1">
12085 <varname>external</varname>
12087 </entry> <entry colname="2">
12089 This rule allows <command>named</command>
12090 to defer the decision of whether to allow a
12091 given update to an external daemon.
12094 The method of communicating with the daemon is
12095 specified in the <replaceable>identity</replaceable>
12096 field, the format of which is
12097 "<constant>local:</constant><replaceable>path</replaceable>",
12098 where <replaceable>path</replaceable> is the location
12099 of a UNIX-domain socket. (Currently, "local" is the
12100 only supported mechanism.)
12103 Requests to the external daemon are sent over the
12104 UNIX-domain socket as datagrams with the following
12108 Protocol version number (4 bytes, network byte order, currently 1)
12109 Request length (4 bytes, network byte order)
12110 Signer (null-terminated string)
12111 Name (null-terminated string)
12112 TCP source address (null-terminated string)
12113 Rdata type (null-terminated string)
12114 Key (null-terminated string)
12115 TKEY token length (4 bytes, network byte order)
12116 TKEY token (remainder of packet)</programlisting>
12118 The daemon replies with a four-byte value in
12119 network byte order, containing either 0 or 1; 0
12120 indicates that the specified update is not
12121 permitted, and 1 indicates that it is.
12130 In all cases, the <replaceable>name</replaceable>
12131 field must specify a fully-qualified domain name.
12135 If no types are explicitly specified, this rule matches
12136 all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
12137 may be specified by name, including "ANY" (ANY matches
12138 all types except NSEC and NSEC3, which can never be
12139 updated). Note that when an attempt is made to delete
12140 all records associated with a name, the rules are
12141 checked for each existing record type.
12147 <title>Zone File</title>
12148 <sect2 id="types_of_resource_records_and_when_to_use_them">
12149 <title>Types of Resource Records and When to Use Them</title>
12151 This section, largely borrowed from RFC 1034, describes the
12152 concept of a Resource Record (RR) and explains when each is used.
12153 Since the publication of RFC 1034, several new RRs have been
12155 and implemented in the DNS. These are also included.
12158 <title>Resource Records</title>
12161 A domain name identifies a node. Each node has a set of
12162 resource information, which may be empty. The set of resource
12163 information associated with a particular name is composed of
12164 separate RRs. The order of RRs in a set is not significant and
12165 need not be preserved by name servers, resolvers, or other
12166 parts of the DNS. However, sorting of multiple RRs is
12167 permitted for optimization purposes, for example, to specify
12168 that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
12172 The components of a Resource Record are:
12174 <informaltable colsep="0" rowsep="0">
12175 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12176 <colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
12177 <colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
12180 <entry colname="1">
12185 <entry colname="2">
12187 The domain name where the RR is found.
12192 <entry colname="1">
12197 <entry colname="2">
12199 An encoded 16-bit value that specifies
12200 the type of the resource record.
12205 <entry colname="1">
12210 <entry colname="2">
12212 The time-to-live of the RR. This field
12213 is a 32-bit integer in units of seconds, and is
12215 resolvers when they cache RRs. The TTL describes how
12217 be cached before it should be discarded.
12222 <entry colname="1">
12227 <entry colname="2">
12229 An encoded 16-bit value that identifies
12230 a protocol family or instance of a protocol.
12235 <entry colname="1">
12240 <entry colname="2">
12242 The resource data. The format of the
12243 data is type (and sometimes class) specific.
12251 The following are <emphasis>types</emphasis> of valid RRs:
12253 <informaltable colsep="0" rowsep="0">
12254 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12255 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
12256 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
12259 <entry colname="1">
12264 <entry colname="2">
12266 A host address. In the IN class, this is a
12267 32-bit IP address. Described in RFC 1035.
12272 <entry colname="1">
12277 <entry colname="2">
12279 IPv6 address. Described in RFC 1886.
12284 <entry colname="1">
12289 <entry colname="2">
12291 IPv6 address. This can be a partial
12292 address (a suffix) and an indirection to the name
12293 where the rest of the
12294 address (the prefix) can be found. Experimental.
12295 Described in RFC 2874.
12300 <entry colname="1">
12305 <entry colname="2">
12307 Location of AFS database servers.
12308 Experimental. Described in RFC 1183.
12313 <entry colname="1">
12318 <entry colname="2">
12320 Address prefix list. Experimental.
12321 Described in RFC 3123.
12326 <entry colname="1">
12331 <entry colname="2">
12333 Holds a digital certificate.
12334 Described in RFC 2538.
12339 <entry colname="1">
12344 <entry colname="2">
12346 Identifies the canonical name of an alias.
12347 Described in RFC 1035.
12352 <entry colname="1">
12357 <entry colname="2">
12359 Is used for identifying which DHCP client is
12360 associated with this name. Described in RFC 4701.
12365 <entry colname="1">
12370 <entry colname="2">
12372 Replaces the domain name specified with
12373 another name to be looked up, effectively aliasing an
12375 subtree of the domain name space rather than a single
12377 as in the case of the CNAME RR.
12378 Described in RFC 2672.
12383 <entry colname="1">
12388 <entry colname="2">
12390 Stores a public key associated with a signed
12391 DNS zone. Described in RFC 4034.
12396 <entry colname="1">
12401 <entry colname="2">
12403 Stores the hash of a public key associated with a
12404 signed DNS zone. Described in RFC 4034.
12409 <entry colname="1">
12414 <entry colname="2">
12416 Specifies the global position. Superseded by LOC.
12421 <entry colname="1">
12426 <entry colname="2">
12428 Identifies the CPU and OS used by a host.
12429 Described in RFC 1035.
12434 <entry colname="1">
12439 <entry colname="2">
12441 Provides a method for storing IPsec keying material in
12442 DNS. Described in RFC 4025.
12447 <entry colname="1">
12452 <entry colname="2">
12454 Representation of ISDN addresses.
12455 Experimental. Described in RFC 1183.
12460 <entry colname="1">
12465 <entry colname="2">
12467 Stores a public key associated with a
12468 DNS name. Used in original DNSSEC; replaced
12469 by DNSKEY in DNSSECbis, but still used with
12470 SIG(0). Described in RFCs 2535 and 2931.
12475 <entry colname="1">
12480 <entry colname="2">
12482 Identifies a key exchanger for this
12483 DNS name. Described in RFC 2230.
12488 <entry colname="1">
12493 <entry colname="2">
12495 For storing GPS info. Described in RFC 1876.
12501 <entry colname="1">
12506 <entry colname="2">
12508 Identifies a mail exchange for the domain with
12509 a 16-bit preference value (lower is better)
12510 followed by the host name of the mail exchange.
12511 Described in RFC 974, RFC 1035.
12516 <entry colname="1">
12521 <entry colname="2">
12523 Name authority pointer. Described in RFC 2915.
12528 <entry colname="1">
12533 <entry colname="2">
12535 A network service access point.
12536 Described in RFC 1706.
12541 <entry colname="1">
12546 <entry colname="2">
12548 The authoritative name server for the
12549 domain. Described in RFC 1035.
12554 <entry colname="1">
12559 <entry colname="2">
12561 Used in DNSSECbis to securely indicate that
12562 RRs with an owner name in a certain name interval do
12564 a zone and indicate what RR types are present for an
12566 Described in RFC 4034.
12571 <entry colname="1">
12576 <entry colname="2">
12578 Used in DNSSECbis to securely indicate that
12579 RRs with an owner name in a certain name
12580 interval do not exist in a zone and indicate
12581 what RR types are present for an existing
12582 name. NSEC3 differs from NSEC in that it
12583 prevents zone enumeration but is more
12584 computationally expensive on both the server
12585 and the client than NSEC. Described in RFC
12591 <entry colname="1">
12596 <entry colname="2">
12598 Used in DNSSECbis to tell the authoritative
12599 server which NSEC3 chains are available to use.
12600 Described in RFC 5155.
12605 <entry colname="1">
12610 <entry colname="2">
12612 Used in DNSSEC to securely indicate that
12613 RRs with an owner name in a certain name interval do
12615 a zone and indicate what RR types are present for an
12617 Used in original DNSSEC; replaced by NSEC in
12619 Described in RFC 2535.
12624 <entry colname="1">
12629 <entry colname="2">
12631 A pointer to another part of the domain
12632 name space. Described in RFC 1035.
12637 <entry colname="1">
12642 <entry colname="2">
12644 Provides mappings between RFC 822 and X.400
12645 addresses. Described in RFC 2163.
12650 <entry colname="1">
12655 <entry colname="2">
12657 Information on persons responsible
12658 for the domain. Experimental. Described in RFC 1183.
12663 <entry colname="1">
12668 <entry colname="2">
12670 Contains DNSSECbis signature data. Described
12676 <entry colname="1">
12681 <entry colname="2">
12683 Route-through binding for hosts that
12684 do not have their own direct wide area network
12686 Experimental. Described in RFC 1183.
12691 <entry colname="1">
12696 <entry colname="2">
12698 Contains DNSSEC signature data. Used in
12699 original DNSSEC; replaced by RRSIG in
12700 DNSSECbis, but still used for SIG(0).
12701 Described in RFCs 2535 and 2931.
12706 <entry colname="1">
12711 <entry colname="2">
12713 Identifies the start of a zone of authority.
12714 Described in RFC 1035.
12719 <entry colname="1">
12724 <entry colname="2">
12726 Contains the Sender Policy Framework information
12727 for a given email domain. Described in RFC 4408.
12732 <entry colname="1">
12737 <entry colname="2">
12739 Information about well known network
12740 services (replaces WKS). Described in RFC 2782.
12745 <entry colname="1">
12750 <entry colname="2">
12752 Provides a way to securely publish a secure shell key's
12753 fingerprint. Described in RFC 4255.
12758 <entry colname="1">
12763 <entry colname="2">
12765 Text records. Described in RFC 1035.
12770 <entry colname="1">
12775 <entry colname="2">
12777 Information about which well known
12778 network services, such as SMTP, that a domain
12779 supports. Historical.
12784 <entry colname="1">
12789 <entry colname="2">
12791 Representation of X.25 network addresses.
12792 Experimental. Described in RFC 1183.
12800 The following <emphasis>classes</emphasis> of resource records
12801 are currently valid in the DNS:
12803 <informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12804 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
12805 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
12809 <entry colname="1">
12814 <entry colname="2">
12822 <entry colname="1">
12827 <entry colname="2">
12829 Chaosnet, a LAN protocol created at MIT in the
12831 Rarely used for its historical purpose, but reused for
12833 built-in server information zones, e.g.,
12834 <literal>version.bind</literal>.
12840 <entry colname="1">
12845 <entry colname="2">
12847 Hesiod, an information service
12848 developed by MIT's Project Athena. It is used to share
12850 about various systems databases, such as users,
12862 The owner name is often implicit, rather than forming an
12864 part of the RR. For example, many name servers internally form
12866 or hash structures for the name space, and chain RRs off nodes.
12867 The remaining RR parts are the fixed header (type, class, TTL)
12868 which is consistent for all RRs, and a variable part (RDATA)
12870 fits the needs of the resource being described.
12873 The meaning of the TTL field is a time limit on how long an
12874 RR can be kept in a cache. This limit does not apply to
12876 data in zones; it is also timed out, but by the refreshing
12878 for the zone. The TTL is assigned by the administrator for the
12879 zone where the data originates. While short TTLs can be used to
12880 minimize caching, and a zero TTL prohibits caching, the
12882 of Internet performance suggest that these times should be on
12884 order of days for the typical host. If a change can be
12886 the TTL can be reduced prior to the change to minimize
12888 during the change, and then increased back to its former value
12893 The data in the RDATA section of RRs is carried as a combination
12894 of binary strings and domain names. The domain names are
12896 used as "pointers" to other data in the DNS.
12900 <title>Textual expression of RRs</title>
12902 RRs are represented in binary form in the packets of the DNS
12903 protocol, and are usually represented in highly encoded form
12905 stored in a name server or resolver. In the examples provided
12907 RFC 1034, a style similar to that used in master files was
12909 in order to show the contents of RRs. In this format, most RRs
12910 are shown on a single line, although continuation lines are
12915 The start of the line gives the owner of the RR. If a line
12916 begins with a blank, then the owner is assumed to be the same as
12917 that of the previous RR. Blank lines are often included for
12921 Following the owner, we list the TTL, type, and class of the
12922 RR. Class and type use the mnemonics defined above, and TTL is
12923 an integer before the type field. In order to avoid ambiguity
12925 parsing, type and class mnemonics are disjoint, TTLs are
12927 and the type mnemonic is always last. The IN class and TTL
12929 are often omitted from examples in the interests of clarity.
12932 The resource data or RDATA section of the RR are given using
12933 knowledge of the typical representation for the data.
12936 For example, we might show the RRs carried in a message as:
12938 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12939 <colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
12940 <colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
12941 <colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
12944 <entry colname="1">
12946 <literal>ISI.EDU.</literal>
12949 <entry colname="2">
12951 <literal>MX</literal>
12954 <entry colname="3">
12956 <literal>10 VENERA.ISI.EDU.</literal>
12961 <entry colname="1">
12964 <entry colname="2">
12966 <literal>MX</literal>
12969 <entry colname="3">
12971 <literal>10 VAXA.ISI.EDU</literal>
12976 <entry colname="1">
12978 <literal>VENERA.ISI.EDU</literal>
12981 <entry colname="2">
12983 <literal>A</literal>
12986 <entry colname="3">
12988 <literal>128.9.0.32</literal>
12993 <entry colname="1">
12996 <entry colname="2">
12998 <literal>A</literal>
13001 <entry colname="3">
13003 <literal>10.1.0.52</literal>
13008 <entry colname="1">
13010 <literal>VAXA.ISI.EDU</literal>
13013 <entry colname="2">
13015 <literal>A</literal>
13018 <entry colname="3">
13020 <literal>10.2.0.27</literal>
13025 <entry colname="1">
13028 <entry colname="2">
13030 <literal>A</literal>
13033 <entry colname="3">
13035 <literal>128.9.0.33</literal>
13043 The MX RRs have an RDATA section which consists of a 16-bit
13044 number followed by a domain name. The address RRs use a
13046 IP address format to contain a 32-bit internet address.
13049 The above example shows six RRs, with two RRs at each of three
13053 Similarly we might see:
13055 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
13056 <colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
13057 <colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
13058 <colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
13061 <entry colname="1">
13063 <literal>XX.LCS.MIT.EDU.</literal>
13066 <entry colname="2">
13068 <literal>IN A</literal>
13071 <entry colname="3">
13073 <literal>10.0.0.44</literal>
13078 <entry colname="1"/>
13079 <entry colname="2">
13081 <literal>CH A</literal>
13084 <entry colname="3">
13086 <literal>MIT.EDU. 2420</literal>
13094 This example shows two addresses for
13095 <literal>XX.LCS.MIT.EDU</literal>, each of a different class.
13101 <title>Discussion of MX Records</title>
13104 As described above, domain servers store information as a
13105 series of resource records, each of which contains a particular
13106 piece of information about a given domain name (which is usually,
13107 but not always, a host). The simplest way to think of a RR is as
13108 a typed pair of data, a domain name matched with a relevant datum,
13109 and stored with some additional type information to help systems
13110 determine when the RR is relevant.
13114 MX records are used to control delivery of email. The data
13115 specified in the record is a priority and a domain name. The
13117 controls the order in which email delivery is attempted, with the
13118 lowest number first. If two priorities are the same, a server is
13119 chosen randomly. If no servers at a given priority are responding,
13120 the mail transport agent will fall back to the next largest
13122 Priority numbers do not have any absolute meaning — they are
13124 only respective to other MX records for that domain name. The
13126 name given is the machine to which the mail will be delivered.
13127 It <emphasis>must</emphasis> have an associated address record
13128 (A or AAAA) — CNAME is not sufficient.
13131 For a given domain, if there is both a CNAME record and an
13132 MX record, the MX record is in error, and will be ignored.
13134 the mail will be delivered to the server specified in the MX
13136 pointed to by the CNAME.
13139 <informaltable colsep="0" rowsep="0">
13140 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
13141 <colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
13142 <colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
13143 <colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
13144 <colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
13145 <colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
13148 <entry colname="1">
13150 <literal>example.com.</literal>
13153 <entry colname="2">
13155 <literal>IN</literal>
13158 <entry colname="3">
13160 <literal>MX</literal>
13163 <entry colname="4">
13165 <literal>10</literal>
13168 <entry colname="5">
13170 <literal>mail.example.com.</literal>
13175 <entry colname="1">
13178 <entry colname="2">
13180 <literal>IN</literal>
13183 <entry colname="3">
13185 <literal>MX</literal>
13188 <entry colname="4">
13190 <literal>10</literal>
13193 <entry colname="5">
13195 <literal>mail2.example.com.</literal>
13200 <entry colname="1">
13203 <entry colname="2">
13205 <literal>IN</literal>
13208 <entry colname="3">
13210 <literal>MX</literal>
13213 <entry colname="4">
13215 <literal>20</literal>
13218 <entry colname="5">
13220 <literal>mail.backup.org.</literal>
13225 <entry colname="1">
13227 <literal>mail.example.com.</literal>
13230 <entry colname="2">
13232 <literal>IN</literal>
13235 <entry colname="3">
13237 <literal>A</literal>
13240 <entry colname="4">
13242 <literal>10.0.0.1</literal>
13245 <entry colname="5">
13250 <entry colname="1">
13252 <literal>mail2.example.com.</literal>
13255 <entry colname="2">
13257 <literal>IN</literal>
13260 <entry colname="3">
13262 <literal>A</literal>
13265 <entry colname="4">
13267 <literal>10.0.0.2</literal>
13270 <entry colname="5">
13276 </informaltable><para>
13277 Mail delivery will be attempted to <literal>mail.example.com</literal> and
13278 <literal>mail2.example.com</literal> (in
13279 any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
13283 <sect2 id="Setting_TTLs">
13284 <title>Setting TTLs</title>
13286 The time-to-live of the RR field is a 32-bit integer represented
13287 in units of seconds, and is primarily used by resolvers when they
13288 cache RRs. The TTL describes how long a RR can be cached before it
13289 should be discarded. The following three types of TTL are
13291 used in a zone file.
13293 <informaltable colsep="0" rowsep="0">
13294 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
13295 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
13296 <colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
13299 <entry colname="1">
13304 <entry colname="2">
13306 The last field in the SOA is the negative
13307 caching TTL. This controls how long other servers will
13308 cache no-such-domain
13309 (NXDOMAIN) responses from you.
13312 The maximum time for
13313 negative caching is 3 hours (3h).
13318 <entry colname="1">
13323 <entry colname="2">
13325 The $TTL directive at the top of the
13326 zone file (before the SOA) gives a default TTL for every
13328 a specific TTL set.
13333 <entry colname="1">
13338 <entry colname="2">
13340 Each RR can have a TTL as the second
13341 field in the RR, which will control how long other
13342 servers can cache it.
13350 All of these TTLs default to units of seconds, though units
13351 can be explicitly specified, for example, <literal>1h30m</literal>.
13355 <title>Inverse Mapping in IPv4</title>
13357 Reverse name resolution (that is, translation from IP address
13358 to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
13359 and PTR records. Entries in the in-addr.arpa domain are made in
13360 least-to-most significant order, read left to right. This is the
13361 opposite order to the way IP addresses are usually written. Thus,
13362 a machine with an IP address of 10.1.2.3 would have a
13364 in-addr.arpa name of
13365 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
13366 whose data field is the name of the machine or, optionally,
13368 PTR records if the machine has more than one name. For example,
13369 in the <optional>example.com</optional> domain:
13371 <informaltable colsep="0" rowsep="0">
13372 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
13373 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
13374 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
13377 <entry colname="1">
13379 <literal>$ORIGIN</literal>
13382 <entry colname="2">
13384 <literal>2.1.10.in-addr.arpa</literal>
13389 <entry colname="1">
13391 <literal>3</literal>
13394 <entry colname="2">
13396 <literal>IN PTR foo.example.com.</literal>
13405 The <command>$ORIGIN</command> lines in the examples
13406 are for providing context to the examples only — they do not
13408 appear in the actual usage. They are only used here to indicate
13409 that the example is relative to the listed origin.
13414 <title>Other Zone File Directives</title>
13416 The Master File Format was initially defined in RFC 1035 and
13417 has subsequently been extended. While the Master File Format
13419 is class independent all records in a Master File must be of the
13424 Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
13425 and <command>$TTL.</command>
13428 <title>The <command>@</command> (at-sign)</title>
13430 When used in the label (or name) field, the asperand or
13431 at-sign (@) symbol represents the current origin.
13432 At the start of the zone file, it is the
13433 <<varname>zone_name</varname>> (followed by
13438 <title>The <command>$ORIGIN</command> Directive</title>
13440 Syntax: <command>$ORIGIN</command>
13441 <replaceable>domain-name</replaceable>
13442 <optional><replaceable>comment</replaceable></optional>
13444 <para><command>$ORIGIN</command>
13445 sets the domain name that will be appended to any
13446 unqualified records. When a zone is first read in there
13447 is an implicit <command>$ORIGIN</command>
13448 <<varname>zone_name</varname>><command>.</command>
13449 (followed by trailing dot).
13450 The current <command>$ORIGIN</command> is appended to
13451 the domain specified in the <command>$ORIGIN</command>
13452 argument if it is not absolute.
13456 $ORIGIN example.com.
13457 WWW CNAME MAIN-SERVER
13465 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
13470 <title>The <command>$INCLUDE</command> Directive</title>
13472 Syntax: <command>$INCLUDE</command>
13473 <replaceable>filename</replaceable>
13475 <replaceable>origin</replaceable> </optional>
13476 <optional> <replaceable>comment</replaceable> </optional>
13479 Read and process the file <filename>filename</filename> as
13480 if it were included into the file at this point. If <command>origin</command> is
13481 specified the file is processed with <command>$ORIGIN</command> set
13482 to that value, otherwise the current <command>$ORIGIN</command> is
13486 The origin and the current domain name
13487 revert to the values they had prior to the <command>$INCLUDE</command> once
13488 the file has been read.
13492 RFC 1035 specifies that the current origin should be restored
13494 an <command>$INCLUDE</command>, but it is silent
13495 on whether the current
13496 domain name should also be restored. BIND 9 restores both of
13498 This could be construed as a deviation from RFC 1035, a
13504 <title>The <command>$TTL</command> Directive</title>
13506 Syntax: <command>$TTL</command>
13507 <replaceable>default-ttl</replaceable>
13509 <replaceable>comment</replaceable> </optional>
13512 Set the default Time To Live (TTL) for subsequent records
13513 with undefined TTLs. Valid TTLs are of the range 0-2147483647
13516 <para><command>$TTL</command>
13517 is defined in RFC 2308.
13522 <title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
13524 Syntax: <command>$GENERATE</command>
13525 <replaceable>range</replaceable>
13526 <replaceable>lhs</replaceable>
13527 <optional><replaceable>ttl</replaceable></optional>
13528 <optional><replaceable>class</replaceable></optional>
13529 <replaceable>type</replaceable>
13530 <replaceable>rhs</replaceable>
13531 <optional><replaceable>comment</replaceable></optional>
13533 <para><command>$GENERATE</command>
13534 is used to create a series of resource records that only
13535 differ from each other by an
13536 iterator. <command>$GENERATE</command> can be used to
13537 easily generate the sets of records required to support
13538 sub /24 reverse delegations described in RFC 2317:
13539 Classless IN-ADDR.ARPA delegation.
13542 <programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
13543 $GENERATE 1-2 @ NS SERVER$.EXAMPLE.
13544 $GENERATE 1-127 $ CNAME $.0</programlisting>
13550 <programlisting>0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
13551 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
13552 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
13553 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
13555 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
13559 Generate a set of A and MX records. Note the MX's right hand
13560 side is a quoted string. The quotes will be stripped when the
13561 right hand side is processed.
13566 $GENERATE 1-127 HOST-$ A 1.2.3.$
13567 $GENERATE 1-127 HOST-$ MX "0 ."</programlisting>
13573 <programlisting>HOST-1.EXAMPLE. A 1.2.3.1
13574 HOST-1.EXAMPLE. MX 0 .
13575 HOST-2.EXAMPLE. A 1.2.3.2
13576 HOST-2.EXAMPLE. MX 0 .
13577 HOST-3.EXAMPLE. A 1.2.3.3
13578 HOST-3.EXAMPLE. MX 0 .
13580 HOST-127.EXAMPLE. A 1.2.3.127
13581 HOST-127.EXAMPLE. MX 0 .
13584 <informaltable colsep="0" rowsep="0">
13585 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
13586 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
13587 <colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
13590 <entry colname="1">
13591 <para><command>range</command></para>
13593 <entry colname="2">
13595 This can be one of two forms: start-stop
13596 or start-stop/step. If the first form is used, then step
13597 is set to 1. start, stop and step must be positive
13598 integers between 0 and (2^31)-1. start must not be
13604 <entry colname="1">
13605 <para><command>lhs</command></para>
13607 <entry colname="2">
13609 describes the owner name of the resource records
13610 to be created. Any single <command>$</command>
13612 symbols within the <command>lhs</command> string
13613 are replaced by the iterator value.
13615 To get a $ in the output, you need to escape the
13616 <command>$</command> using a backslash
13617 <command>\</command>,
13618 e.g. <command>\$</command>. The
13619 <command>$</command> may optionally be followed
13620 by modifiers which change the offset from the
13621 iterator, field width and base.
13623 Modifiers are introduced by a
13624 <command>{</command> (left brace) immediately following the
13625 <command>$</command> as
13626 <command>${offset[,width[,base]]}</command>.
13627 For example, <command>${-20,3,d}</command>
13628 subtracts 20 from the current value, prints the
13629 result as a decimal in a zero-padded field of
13632 Available output forms are decimal
13633 (<command>d</command>), octal
13634 (<command>o</command>), hexadecimal
13635 (<command>x</command> or <command>X</command>
13636 for uppercase) and nibble
13637 (<command>n</command> or <command>N</command>\
13638 for uppercase). The default modifier is
13639 <command>${0,0,d}</command>. If the
13640 <command>lhs</command> is not absolute, the
13641 current <command>$ORIGIN</command> is appended
13645 In nibble mode the value will be treated as
13646 if it was a reversed hexadecimal string
13647 with each hexadecimal digit as a separate
13648 label. The width field includes the label
13652 For compatibility with earlier versions,
13653 <command>$$</command> is still recognized as
13654 indicating a literal $ in the output.
13659 <entry colname="1">
13660 <para><command>ttl</command></para>
13662 <entry colname="2">
13664 Specifies the time-to-live of the generated records. If
13665 not specified this will be inherited using the
13666 normal TTL inheritance rules.
13668 <para><command>class</command>
13669 and <command>ttl</command> can be
13670 entered in either order.
13675 <entry colname="1">
13676 <para><command>class</command></para>
13678 <entry colname="2">
13680 Specifies the class of the generated records.
13681 This must match the zone class if it is
13684 <para><command>class</command>
13685 and <command>ttl</command> can be
13686 entered in either order.
13691 <entry colname="1">
13692 <para><command>type</command></para>
13694 <entry colname="2">
13701 <entry colname="1">
13702 <para><command>rhs</command></para>
13704 <entry colname="2">
13706 <command>rhs</command>, optionally, quoted string.
13714 The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
13715 and not part of the standard zone file format.
13718 BIND 8 does not support the optional TTL and CLASS fields.
13722 <sect2 id="zonefile_format">
13723 <title>Additional File Formats</title>
13725 In addition to the standard textual format, BIND 9
13726 supports the ability to read or dump to zone files in
13727 other formats. The <constant>raw</constant> format is
13728 currently available as an additional format. It is a
13729 binary format representing BIND 9's internal data
13730 structure directly, thereby remarkably improving the
13734 For a primary server, a zone file in the
13735 <constant>raw</constant> format is expected to be
13736 generated from a textual zone file by the
13737 <command>named-compilezone</command> command. For a
13738 secondary server or for a dynamic zone, it is automatically
13739 generated (if this format is specified by the
13740 <command>masterfile-format</command> option) when
13741 <command>named</command> dumps the zone contents after
13742 zone transfer or when applying prior updates.
13745 If a zone file in a binary format needs manual modification,
13746 it first must be converted to a textual form by the
13747 <command>named-compilezone</command> command. All
13748 necessary modification should go to the text file, which
13749 should then be converted to the binary form by the
13750 <command>named-compilezone</command> command again.
13753 Although the <constant>raw</constant> format uses the
13754 network byte order and avoids architecture-dependent
13755 data alignment so that it is as much portable as
13756 possible, it is primarily expected to be used inside
13757 the same single system. In order to export a zone
13758 file in the <constant>raw</constant> format or make a
13759 portable backup of the file, it is recommended to
13760 convert the file to the standard textual representation.
13765 <sect1 id="statistics">
13766 <title>BIND9 Statistics</title>
13768 <acronym>BIND</acronym> 9 maintains lots of statistics
13769 information and provides several interfaces for users to
13770 get access to the statistics.
13771 The available statistics include all statistics counters
13772 that were available in <acronym>BIND</acronym> 8 and
13773 are meaningful in <acronym>BIND</acronym> 9,
13774 and other information that is considered useful.
13778 The statistics information is categorized into the following
13782 <informaltable frame="all">
13784 <colspec colname="1" colnum="1" colsep="0" colwidth="3.300in"/>
13785 <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
13789 <entry colname="1">
13790 <para>Incoming Requests</para>
13792 <entry colname="2">
13794 The number of incoming DNS requests for each OPCODE.
13800 <entry colname="1">
13801 <para>Incoming Queries</para>
13803 <entry colname="2">
13805 The number of incoming queries for each RR type.
13811 <entry colname="1">
13812 <para>Outgoing Queries</para>
13814 <entry colname="2">
13816 The number of outgoing queries for each RR
13817 type sent from the internal resolver.
13818 Maintained per view.
13824 <entry colname="1">
13825 <para>Name Server Statistics</para>
13827 <entry colname="2">
13829 Statistics counters about incoming request processing.
13835 <entry colname="1">
13836 <para>Zone Maintenance Statistics</para>
13838 <entry colname="2">
13840 Statistics counters regarding zone maintenance
13841 operations such as zone transfers.
13847 <entry colname="1">
13848 <para>Resolver Statistics</para>
13850 <entry colname="2">
13852 Statistics counters about name resolution
13853 performed in the internal resolver.
13854 Maintained per view.
13860 <entry colname="1">
13861 <para>Cache DB RRsets</para>
13863 <entry colname="2">
13865 The number of RRsets per RR type and nonexistent
13866 names stored in the cache database.
13867 If the exclamation mark (!) is printed for a RR
13868 type, it means that particular type of RRset is
13869 known to be nonexistent (this is also known as
13871 Maintained per view.
13877 <entry colname="1">
13878 <para>Socket I/O Statistics</para>
13880 <entry colname="2">
13882 Statistics counters about network related events.
13892 A subset of Name Server Statistics is collected and shown
13893 per zone for which the server has the authority when
13894 <command>zone-statistics</command> is set to
13895 <userinput>yes</userinput>.
13896 These statistics counters are shown with their zone and view
13898 In some cases the view names are omitted for the default view.
13902 There are currently two user interfaces to get access to the
13904 One is in the plain text format dumped to the file specified
13905 by the <command>statistics-file</command> configuration option.
13906 The other is remotely accessible via a statistics channel
13907 when the <command>statistics-channels</command> statement
13908 is specified in the configuration file
13909 (see <xref linkend="statschannels"/>.)
13912 <sect3 id="statsfile">
13913 <title>The Statistics File</title>
13915 The text format statistics dump begins with a line, like:
13918 <command>+++ Statistics Dump +++ (973798949)</command>
13921 The number in parentheses is a standard
13922 Unix-style timestamp, measured as seconds since January 1, 1970.
13925 that line is a set of statistics information, which is categorized
13926 as described above.
13927 Each section begins with a line, like:
13931 <command>++ Name Server Statistics ++</command>
13935 Each section consists of lines, each containing the statistics
13936 counter value followed by its textual description.
13937 See below for available counters.
13938 For brevity, counters that have a value of 0 are not shown
13939 in the statistics file.
13943 The statistics dump ends with the line where the
13944 number is identical to the number in the beginning line; for example:
13947 <command>--- Statistics Dump --- (973798949)</command>
13951 <sect2 id="statistics_counters">
13952 <title>Statistics Counters</title>
13954 The following tables summarize statistics counters that
13955 <acronym>BIND</acronym> 9 provides.
13956 For each row of the tables, the leftmost column is the
13957 abbreviated symbol name of that counter.
13958 These symbols are shown in the statistics information
13959 accessed via an HTTP statistics channel.
13960 The rightmost column gives the description of the counter,
13961 which is also shown in the statistics file
13962 (but, in this document, possibly with slight modification
13963 for better readability).
13964 Additional notes may also be provided in this column.
13965 When a middle column exists between these two columns,
13966 it gives the corresponding counter name of the
13967 <acronym>BIND</acronym> 8 statistics, if applicable.
13971 <title>Name Server Statistics Counters</title>
13973 <informaltable colsep="0" rowsep="0">
13974 <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
13975 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
13976 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
13977 <colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
13980 <entry colname="1">
13982 <emphasis>Symbol</emphasis>
13985 <entry colname="2">
13987 <emphasis>BIND8 Symbol</emphasis>
13990 <entry colname="3">
13992 <emphasis>Description</emphasis>
13998 <entry colname="1">
13999 <para><command>Requestv4</command></para>
14001 <entry colname="2">
14002 <para><command>RQ</command></para>
14004 <entry colname="3">
14006 IPv4 requests received.
14007 Note: this also counts non query requests.
14012 <entry colname="1">
14013 <para><command>Requestv6</command></para>
14015 <entry colname="2">
14016 <para><command>RQ</command></para>
14018 <entry colname="3">
14020 IPv6 requests received.
14021 Note: this also counts non query requests.
14026 <entry colname="1">
14027 <para><command>ReqEdns0</command></para>
14029 <entry colname="2">
14030 <para><command></command></para>
14032 <entry colname="3">
14034 Requests with EDNS(0) received.
14039 <entry colname="1">
14040 <para><command>ReqBadEDNSVer</command></para>
14042 <entry colname="2">
14043 <para><command></command></para>
14045 <entry colname="3">
14047 Requests with unsupported EDNS version received.
14052 <entry colname="1">
14053 <para><command>ReqTSIG</command></para>
14055 <entry colname="2">
14056 <para><command></command></para>
14058 <entry colname="3">
14060 Requests with TSIG received.
14065 <entry colname="1">
14066 <para><command>ReqSIG0</command></para>
14068 <entry colname="2">
14069 <para><command></command></para>
14071 <entry colname="3">
14073 Requests with SIG(0) received.
14078 <entry colname="1">
14079 <para><command>ReqBadSIG</command></para>
14081 <entry colname="2">
14082 <para><command></command></para>
14084 <entry colname="3">
14086 Requests with invalid (TSIG or SIG(0)) signature.
14091 <entry colname="1">
14092 <para><command>ReqTCP</command></para>
14094 <entry colname="2">
14095 <para><command>RTCP</command></para>
14097 <entry colname="3">
14099 TCP requests received.
14104 <entry colname="1">
14105 <para><command>AuthQryRej</command></para>
14107 <entry colname="2">
14108 <para><command>RUQ</command></para>
14110 <entry colname="3">
14112 Authoritative (non recursive) queries rejected.
14117 <entry colname="1">
14118 <para><command>RecQryRej</command></para>
14120 <entry colname="2">
14121 <para><command>RURQ</command></para>
14123 <entry colname="3">
14125 Recursive queries rejected.
14130 <entry colname="1">
14131 <para><command>XfrRej</command></para>
14133 <entry colname="2">
14134 <para><command>RUXFR</command></para>
14136 <entry colname="3">
14138 Zone transfer requests rejected.
14143 <entry colname="1">
14144 <para><command>UpdateRej</command></para>
14146 <entry colname="2">
14147 <para><command>RUUpd</command></para>
14149 <entry colname="3">
14151 Dynamic update requests rejected.
14156 <entry colname="1">
14157 <para><command>Response</command></para>
14159 <entry colname="2">
14160 <para><command>SAns</command></para>
14162 <entry colname="3">
14169 <entry colname="1">
14170 <para><command>RespTruncated</command></para>
14172 <entry colname="2">
14173 <para><command></command></para>
14175 <entry colname="3">
14177 Truncated responses sent.
14182 <entry colname="1">
14183 <para><command>RespEDNS0</command></para>
14185 <entry colname="2">
14186 <para><command></command></para>
14188 <entry colname="3">
14190 Responses with EDNS(0) sent.
14195 <entry colname="1">
14196 <para><command>RespTSIG</command></para>
14198 <entry colname="2">
14199 <para><command></command></para>
14201 <entry colname="3">
14203 Responses with TSIG sent.
14208 <entry colname="1">
14209 <para><command>RespSIG0</command></para>
14211 <entry colname="2">
14212 <para><command></command></para>
14214 <entry colname="3">
14216 Responses with SIG(0) sent.
14221 <entry colname="1">
14222 <para><command>QrySuccess</command></para>
14224 <entry colname="2">
14225 <para><command></command></para>
14227 <entry colname="3">
14229 Queries resulted in a successful answer.
14230 This means the query which returns a NOERROR response
14231 with at least one answer RR.
14232 This corresponds to the
14233 <command>success</command> counter
14234 of previous versions of
14235 <acronym>BIND</acronym> 9.
14240 <entry colname="1">
14241 <para><command>QryAuthAns</command></para>
14243 <entry colname="2">
14244 <para><command></command></para>
14246 <entry colname="3">
14248 Queries resulted in authoritative answer.
14253 <entry colname="1">
14254 <para><command>QryNoauthAns</command></para>
14256 <entry colname="2">
14257 <para><command>SNaAns</command></para>
14259 <entry colname="3">
14261 Queries resulted in non authoritative answer.
14266 <entry colname="1">
14267 <para><command>QryReferral</command></para>
14269 <entry colname="2">
14270 <para><command></command></para>
14272 <entry colname="3">
14274 Queries resulted in referral answer.
14275 This corresponds to the
14276 <command>referral</command> counter
14277 of previous versions of
14278 <acronym>BIND</acronym> 9.
14283 <entry colname="1">
14284 <para><command>QryNxrrset</command></para>
14286 <entry colname="2">
14287 <para><command></command></para>
14289 <entry colname="3">
14291 Queries resulted in NOERROR responses with no data.
14292 This corresponds to the
14293 <command>nxrrset</command> counter
14294 of previous versions of
14295 <acronym>BIND</acronym> 9.
14300 <entry colname="1">
14301 <para><command>QrySERVFAIL</command></para>
14303 <entry colname="2">
14304 <para><command>SFail</command></para>
14306 <entry colname="3">
14308 Queries resulted in SERVFAIL.
14313 <entry colname="1">
14314 <para><command>QryFORMERR</command></para>
14316 <entry colname="2">
14317 <para><command>SFErr</command></para>
14319 <entry colname="3">
14321 Queries resulted in FORMERR.
14326 <entry colname="1">
14327 <para><command>QryNXDOMAIN</command></para>
14329 <entry colname="2">
14330 <para><command>SNXD</command></para>
14332 <entry colname="3">
14334 Queries resulted in NXDOMAIN.
14335 This corresponds to the
14336 <command>nxdomain</command> counter
14337 of previous versions of
14338 <acronym>BIND</acronym> 9.
14343 <entry colname="1">
14344 <para><command>QryRecursion</command></para>
14346 <entry colname="2">
14347 <para><command>RFwdQ</command></para>
14349 <entry colname="3">
14351 Queries which caused the server
14352 to perform recursion in order to find the final answer.
14353 This corresponds to the
14354 <command>recursion</command> counter
14355 of previous versions of
14356 <acronym>BIND</acronym> 9.
14361 <entry colname="1">
14362 <para><command>QryDuplicate</command></para>
14364 <entry colname="2">
14365 <para><command>RDupQ</command></para>
14367 <entry colname="3">
14369 Queries which the server attempted to
14370 recurse but discovered an existing query with the same
14371 IP address, port, query ID, name, type and class
14372 already being processed.
14373 This corresponds to the
14374 <command>duplicate</command> counter
14375 of previous versions of
14376 <acronym>BIND</acronym> 9.
14381 <entry colname="1">
14382 <para><command>QryDropped</command></para>
14384 <entry colname="2">
14385 <para><command></command></para>
14387 <entry colname="3">
14389 Recursive queries for which the server
14390 discovered an excessive number of existing
14391 recursive queries for the same name, type and
14392 class and were subsequently dropped.
14393 This is the number of dropped queries due to
14394 the reason explained with the
14395 <command>clients-per-query</command>
14397 <command>max-clients-per-query</command>
14399 (see the description about
14400 <xref linkend="clients-per-query"/>.)
14401 This corresponds to the
14402 <command>dropped</command> counter
14403 of previous versions of
14404 <acronym>BIND</acronym> 9.
14409 <entry colname="1">
14410 <para><command>QryFailure</command></para>
14412 <entry colname="2">
14413 <para><command></command></para>
14415 <entry colname="3">
14417 Other query failures.
14418 This corresponds to the
14419 <command>failure</command> counter
14420 of previous versions of
14421 <acronym>BIND</acronym> 9.
14422 Note: this counter is provided mainly for
14423 backward compatibility with the previous versions.
14424 Normally a more fine-grained counters such as
14425 <command>AuthQryRej</command> and
14426 <command>RecQryRej</command>
14427 that would also fall into this counter are provided,
14428 and so this counter would not be of much
14429 interest in practice.
14434 <entry colname="1">
14435 <para><command>XfrReqDone</command></para>
14437 <entry colname="2">
14438 <para><command></command></para>
14440 <entry colname="3">
14442 Requested zone transfers completed.
14447 <entry colname="1">
14448 <para><command>UpdateReqFwd</command></para>
14450 <entry colname="2">
14451 <para><command></command></para>
14453 <entry colname="3">
14455 Update requests forwarded.
14460 <entry colname="1">
14461 <para><command>UpdateRespFwd</command></para>
14463 <entry colname="2">
14464 <para><command></command></para>
14466 <entry colname="3">
14468 Update responses forwarded.
14473 <entry colname="1">
14474 <para><command>UpdateFwdFail</command></para>
14476 <entry colname="2">
14477 <para><command></command></para>
14479 <entry colname="3">
14481 Dynamic update forward failed.
14486 <entry colname="1">
14487 <para><command>UpdateDone</command></para>
14489 <entry colname="2">
14490 <para><command></command></para>
14492 <entry colname="3">
14494 Dynamic updates completed.
14499 <entry colname="1">
14500 <para><command>UpdateFail</command></para>
14502 <entry colname="2">
14503 <para><command></command></para>
14505 <entry colname="3">
14507 Dynamic updates failed.
14512 <entry colname="1">
14513 <para><command>UpdateBadPrereq</command></para>
14515 <entry colname="2">
14516 <para><command></command></para>
14518 <entry colname="3">
14520 Dynamic updates rejected due to prerequisite failure.
14525 <entry colname="1">
14526 <para><command>RPZRewrites</command></para>
14528 <entry colname="2">
14529 <para><command></command></para>
14531 <entry colname="3">
14533 Response policy zone rewrites.
14538 <entry colname="1">
14539 <para><command>RateDropped</command></para>
14541 <entry colname="2">
14542 <para><command></command></para>
14544 <entry colname="3">
14546 Responses dropped by rate limits.
14551 <entry colname="1">
14552 <para><command>RateSlipped</command></para>
14554 <entry colname="2">
14555 <para><command></command></para>
14557 <entry colname="3">
14559 Responses truncated by rate limits.
14569 <title>Zone Maintenance Statistics Counters</title>
14571 <informaltable colsep="0" rowsep="0">
14572 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
14573 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
14574 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
14577 <entry colname="1">
14579 <emphasis>Symbol</emphasis>
14582 <entry colname="2">
14584 <emphasis>Description</emphasis>
14590 <entry colname="1">
14591 <para><command>NotifyOutv4</command></para>
14593 <entry colname="2">
14595 IPv4 notifies sent.
14600 <entry colname="1">
14601 <para><command>NotifyOutv6</command></para>
14603 <entry colname="2">
14605 IPv6 notifies sent.
14610 <entry colname="1">
14611 <para><command>NotifyInv4</command></para>
14613 <entry colname="2">
14615 IPv4 notifies received.
14620 <entry colname="1">
14621 <para><command>NotifyInv6</command></para>
14623 <entry colname="2">
14625 IPv6 notifies received.
14630 <entry colname="1">
14631 <para><command>NotifyRej</command></para>
14633 <entry colname="2">
14635 Incoming notifies rejected.
14640 <entry colname="1">
14641 <para><command>SOAOutv4</command></para>
14643 <entry colname="2">
14645 IPv4 SOA queries sent.
14650 <entry colname="1">
14651 <para><command>SOAOutv6</command></para>
14653 <entry colname="2">
14655 IPv6 SOA queries sent.
14660 <entry colname="1">
14661 <para><command>AXFRReqv4</command></para>
14663 <entry colname="2">
14665 IPv4 AXFR requested.
14670 <entry colname="1">
14671 <para><command>AXFRReqv6</command></para>
14673 <entry colname="2">
14675 IPv6 AXFR requested.
14680 <entry colname="1">
14681 <para><command>IXFRReqv4</command></para>
14683 <entry colname="2">
14685 IPv4 IXFR requested.
14690 <entry colname="1">
14691 <para><command>IXFRReqv6</command></para>
14693 <entry colname="2">
14695 IPv6 IXFR requested.
14700 <entry colname="1">
14701 <para><command>XfrSuccess</command></para>
14703 <entry colname="2">
14705 Zone transfer requests succeeded.
14710 <entry colname="1">
14711 <para><command>XfrFail</command></para>
14713 <entry colname="2">
14715 Zone transfer requests failed.
14725 <title>Resolver Statistics Counters</title>
14727 <informaltable colsep="0" rowsep="0">
14728 <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
14729 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
14730 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
14731 <colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
14734 <entry colname="1">
14736 <emphasis>Symbol</emphasis>
14739 <entry colname="2">
14741 <emphasis>BIND8 Symbol</emphasis>
14744 <entry colname="3">
14746 <emphasis>Description</emphasis>
14752 <entry colname="1">
14753 <para><command>Queryv4</command></para>
14755 <entry colname="2">
14756 <para><command>SFwdQ</command></para>
14758 <entry colname="3">
14765 <entry colname="1">
14766 <para><command>Queryv6</command></para>
14768 <entry colname="2">
14769 <para><command>SFwdQ</command></para>
14771 <entry colname="3">
14778 <entry colname="1">
14779 <para><command>Responsev4</command></para>
14781 <entry colname="2">
14782 <para><command>RR</command></para>
14784 <entry colname="3">
14786 IPv4 responses received.
14791 <entry colname="1">
14792 <para><command>Responsev6</command></para>
14794 <entry colname="2">
14795 <para><command>RR</command></para>
14797 <entry colname="3">
14799 IPv6 responses received.
14804 <entry colname="1">
14805 <para><command>NXDOMAIN</command></para>
14807 <entry colname="2">
14808 <para><command>RNXD</command></para>
14810 <entry colname="3">
14817 <entry colname="1">
14818 <para><command>SERVFAIL</command></para>
14820 <entry colname="2">
14821 <para><command>RFail</command></para>
14823 <entry colname="3">
14830 <entry colname="1">
14831 <para><command>FORMERR</command></para>
14833 <entry colname="2">
14834 <para><command>RFErr</command></para>
14836 <entry colname="3">
14843 <entry colname="1">
14844 <para><command>OtherError</command></para>
14846 <entry colname="2">
14847 <para><command>RErr</command></para>
14849 <entry colname="3">
14851 Other errors received.
14856 <entry colname="1">
14857 <para><command>EDNS0Fail</command></para>
14859 <entry colname="2">
14860 <para><command></command></para>
14862 <entry colname="3">
14864 EDNS(0) query failures.
14869 <entry colname="1">
14870 <para><command>Mismatch</command></para>
14872 <entry colname="2">
14873 <para><command>RDupR</command></para>
14875 <entry colname="3">
14877 Mismatch responses received.
14878 The DNS ID, response's source address,
14879 and/or the response's source port does not
14880 match what was expected.
14881 (The port must be 53 or as defined by
14882 the <command>port</command> option.)
14883 This may be an indication of a cache
14889 <entry colname="1">
14890 <para><command>Truncated</command></para>
14892 <entry colname="2">
14893 <para><command></command></para>
14895 <entry colname="3">
14897 Truncated responses received.
14902 <entry colname="1">
14903 <para><command>Lame</command></para>
14905 <entry colname="2">
14906 <para><command>RLame</command></para>
14908 <entry colname="3">
14910 Lame delegations received.
14915 <entry colname="1">
14916 <para><command>Retry</command></para>
14918 <entry colname="2">
14919 <para><command>SDupQ</command></para>
14921 <entry colname="3">
14923 Query retries performed.
14928 <entry colname="1">
14929 <para><command>QueryAbort</command></para>
14931 <entry colname="2">
14932 <para><command></command></para>
14934 <entry colname="3">
14936 Queries aborted due to quota control.
14941 <entry colname="1">
14942 <para><command>QuerySockFail</command></para>
14944 <entry colname="2">
14945 <para><command></command></para>
14947 <entry colname="3">
14949 Failures in opening query sockets.
14950 One common reason for such failures is a
14951 failure of opening a new socket due to a
14952 limitation on file descriptors.
14957 <entry colname="1">
14958 <para><command>QueryTimeout</command></para>
14960 <entry colname="2">
14961 <para><command></command></para>
14963 <entry colname="3">
14970 <entry colname="1">
14971 <para><command>GlueFetchv4</command></para>
14973 <entry colname="2">
14974 <para><command>SSysQ</command></para>
14976 <entry colname="3">
14978 IPv4 NS address fetches invoked.
14983 <entry colname="1">
14984 <para><command>GlueFetchv6</command></para>
14986 <entry colname="2">
14987 <para><command>SSysQ</command></para>
14989 <entry colname="3">
14991 IPv6 NS address fetches invoked.
14996 <entry colname="1">
14997 <para><command>GlueFetchv4Fail</command></para>
14999 <entry colname="2">
15000 <para><command></command></para>
15002 <entry colname="3">
15004 IPv4 NS address fetch failed.
15009 <entry colname="1">
15010 <para><command>GlueFetchv6Fail</command></para>
15012 <entry colname="2">
15013 <para><command></command></para>
15015 <entry colname="3">
15017 IPv6 NS address fetch failed.
15022 <entry colname="1">
15023 <para><command>ValAttempt</command></para>
15025 <entry colname="2">
15026 <para><command></command></para>
15028 <entry colname="3">
15030 DNSSEC validation attempted.
15035 <entry colname="1">
15036 <para><command>ValOk</command></para>
15038 <entry colname="2">
15039 <para><command></command></para>
15041 <entry colname="3">
15043 DNSSEC validation succeeded.
15048 <entry colname="1">
15049 <para><command>ValNegOk</command></para>
15051 <entry colname="2">
15052 <para><command></command></para>
15054 <entry colname="3">
15056 DNSSEC validation on negative information succeeded.
15061 <entry colname="1">
15062 <para><command>ValFail</command></para>
15064 <entry colname="2">
15065 <para><command></command></para>
15067 <entry colname="3">
15069 DNSSEC validation failed.
15074 <entry colname="1">
15075 <para><command>QryRTTnn</command></para>
15077 <entry colname="2">
15078 <para><command></command></para>
15080 <entry colname="3">
15082 Frequency table on round trip times (RTTs) of
15084 Each <command>nn</command> specifies the corresponding
15087 <command>nn_1</command>,
15088 <command>nn_2</command>,
15090 <command>nn_m</command>,
15091 the value of <command>nn_i</command> is the
15092 number of queries whose RTTs are between
15093 <command>nn_(i-1)</command> (inclusive) and
15094 <command>nn_i</command> (exclusive) milliseconds.
15095 For the sake of convenience we define
15096 <command>nn_0</command> to be 0.
15097 The last entry should be represented as
15098 <command>nn_m+</command>, which means the
15099 number of queries whose RTTs are equal to or over
15100 <command>nn_m</command> milliseconds.
15111 <title>Socket I/O Statistics Counters</title>
15114 Socket I/O statistics counters are defined per socket
15116 <command>UDP4</command> (UDP/IPv4),
15117 <command>UDP6</command> (UDP/IPv6),
15118 <command>TCP4</command> (TCP/IPv4),
15119 <command>TCP6</command> (TCP/IPv6),
15120 <command>Unix</command> (Unix Domain), and
15121 <command>FDwatch</command> (sockets opened outside the
15123 In the following table <command><TYPE></command>
15124 represents a socket type.
15125 Not all counters are available for all socket types;
15126 exceptions are noted in the description field.
15129 <informaltable colsep="0" rowsep="0">
15130 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
15131 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
15132 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
15135 <entry colname="1">
15137 <emphasis>Symbol</emphasis>
15140 <entry colname="2">
15142 <emphasis>Description</emphasis>
15148 <entry colname="1">
15149 <para><command><TYPE>Open</command></para>
15151 <entry colname="2">
15153 Sockets opened successfully.
15154 This counter is not applicable to the
15155 <command>FDwatch</command> type.
15160 <entry colname="1">
15161 <para><command><TYPE>OpenFail</command></para>
15163 <entry colname="2">
15165 Failures of opening sockets.
15166 This counter is not applicable to the
15167 <command>FDwatch</command> type.
15172 <entry colname="1">
15173 <para><command><TYPE>Close</command></para>
15175 <entry colname="2">
15182 <entry colname="1">
15183 <para><command><TYPE>BindFail</command></para>
15185 <entry colname="2">
15187 Failures of binding sockets.
15192 <entry colname="1">
15193 <para><command><TYPE>ConnFail</command></para>
15195 <entry colname="2">
15197 Failures of connecting sockets.
15202 <entry colname="1">
15203 <para><command><TYPE>Conn</command></para>
15205 <entry colname="2">
15207 Connections established successfully.
15212 <entry colname="1">
15213 <para><command><TYPE>AcceptFail</command></para>
15215 <entry colname="2">
15217 Failures of accepting incoming connection requests.
15218 This counter is not applicable to the
15219 <command>UDP</command> and
15220 <command>FDwatch</command> types.
15225 <entry colname="1">
15226 <para><command><TYPE>Accept</command></para>
15228 <entry colname="2">
15230 Incoming connections successfully accepted.
15231 This counter is not applicable to the
15232 <command>UDP</command> and
15233 <command>FDwatch</command> types.
15238 <entry colname="1">
15239 <para><command><TYPE>SendErr</command></para>
15241 <entry colname="2">
15243 Errors in socket send operations.
15244 This counter corresponds
15245 to <command>SErr</command> counter of
15246 <command>BIND</command> 8.
15251 <entry colname="1">
15252 <para><command><TYPE>RecvErr</command></para>
15254 <entry colname="2">
15256 Errors in socket receive operations.
15257 This includes errors of send operations on a
15258 connected UDP socket notified by an ICMP error
15268 <title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title>
15270 Most statistics counters that were available
15271 in <command>BIND</command> 8 are also supported in
15272 <command>BIND</command> 9 as shown in the above tables.
15273 Here are notes about other counters that do not appear
15279 <term><command>RFwdR,SFwdR</command></term>
15282 These counters are not supported
15283 because <command>BIND</command> 9 does not adopt
15284 the notion of <emphasis>forwarding</emphasis>
15285 as <command>BIND</command> 8 did.
15291 <term><command>RAXFR</command></term>
15294 This counter is accessible in the Incoming Queries section.
15300 <term><command>RIQ</command></term>
15303 This counter is accessible in the Incoming Requests section.
15309 <term><command>ROpts</command></term>
15312 This counter is not supported
15313 because <command>BIND</command> 9 does not care
15314 about IP options in the first place.
15324 <chapter id="Bv9ARM.ch07">
15325 <title><acronym>BIND</acronym> 9 Security Considerations</title>
15326 <sect1 id="Access_Control_Lists">
15327 <title>Access Control Lists</title>
15329 Access Control Lists (ACLs) are address match lists that
15330 you can set up and nickname for future use in <command>allow-notify</command>,
15331 <command>allow-query</command>, <command>allow-query-on</command>,
15332 <command>allow-recursion</command>, <command>allow-recursion-on</command>,
15333 <command>blackhole</command>, <command>allow-transfer</command>,
15337 Using ACLs allows you to have finer control over who can access
15338 your name server, without cluttering up your config files with huge
15339 lists of IP addresses.
15342 It is a <emphasis>good idea</emphasis> to use ACLs, and to
15343 control access to your server. Limiting access to your server by
15344 outside parties can help prevent spoofing and denial of service (DoS) attacks against
15348 Here is an example of how to properly apply ACLs:
15352 // Set up an ACL named "bogusnets" that will block
15353 // RFC1918 space and some reserved space, which is
15354 // commonly used in spoofing attacks.
15356 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
15357 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
15360 // Set up an ACL called our-nets. Replace this with the
15361 // real IP numbers.
15362 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
15366 allow-query { our-nets; };
15367 allow-recursion { our-nets; };
15369 blackhole { bogusnets; };
15373 zone "example.com" {
15375 file "m/example.com";
15376 allow-query { any; };
15381 This allows recursive queries of the server from the outside
15382 unless recursion has been previously disabled.
15386 <title><command>Chroot</command> and <command>Setuid</command></title>
15388 On UNIX servers, it is possible to run <acronym>BIND</acronym>
15389 in a <emphasis>chrooted</emphasis> environment (using
15390 the <command>chroot()</command> function) by specifying
15391 the "<option>-t</option>" option for <command>named</command>.
15392 This can help improve system security by placing
15393 <acronym>BIND</acronym> in a "sandbox", which will limit
15394 the damage done if a server is compromised.
15397 Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
15398 ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
15399 We suggest running as an unprivileged user when using the <command>chroot</command> feature.
15402 Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
15403 <command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
15407 <userinput>/usr/local/sbin/named -u 202 -t /var/named</userinput>
15411 <title>The <command>chroot</command> Environment</title>
15414 In order for a <command>chroot</command> environment
15416 work properly in a particular directory
15417 (for example, <filename>/var/named</filename>),
15418 you will need to set up an environment that includes everything
15419 <acronym>BIND</acronym> needs to run.
15420 From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
15421 the root of the filesystem. You will need to adjust the values of
15423 like <command>directory</command> and <command>pid-file</command> to account
15427 Unlike with earlier versions of BIND, you typically will
15428 <emphasis>not</emphasis> need to compile <command>named</command>
15429 statically nor install shared libraries under the new root.
15430 However, depending on your operating system, you may need
15431 to set up things like
15432 <filename>/dev/zero</filename>,
15433 <filename>/dev/random</filename>,
15434 <filename>/dev/log</filename>, and
15435 <filename>/etc/localtime</filename>.
15440 <title>Using the <command>setuid</command> Function</title>
15443 Prior to running the <command>named</command> daemon,
15445 the <command>touch</command> utility (to change file
15447 modification times) or the <command>chown</command>
15449 set the user id and/or group id) on files
15450 to which you want <acronym>BIND</acronym>
15454 Note that if the <command>named</command> daemon is running as an
15455 unprivileged user, it will not be able to bind to new restricted
15456 ports if the server is reloaded.
15461 <sect1 id="dynamic_update_security">
15462 <title>Dynamic Update Security</title>
15465 Access to the dynamic
15466 update facility should be strictly limited. In earlier versions of
15467 <acronym>BIND</acronym>, the only way to do this was
15469 address of the host requesting the update, by listing an IP address
15471 network prefix in the <command>allow-update</command>
15473 This method is insecure since the source address of the update UDP
15475 is easily forged. Also note that if the IP addresses allowed by the
15476 <command>allow-update</command> option include the
15478 server which performs forwarding of dynamic updates, the master can
15480 trivially attacked by sending the update to the slave, which will
15481 forward it to the master with its own source IP address causing the
15482 master to approve it without question.
15486 For these reasons, we strongly recommend that updates be
15487 cryptographically authenticated by means of transaction signatures
15488 (TSIG). That is, the <command>allow-update</command>
15490 list only TSIG key names, not IP addresses or network
15491 prefixes. Alternatively, the new <command>update-policy</command>
15492 option can be used.
15496 Some sites choose to keep all dynamically-updated DNS data
15497 in a subdomain and delegate that subdomain to a separate zone. This
15498 way, the top-level zone containing critical data such as the IP
15500 of public web and mail servers need not allow dynamic update at
15507 <chapter id="Bv9ARM.ch08">
15508 <title>Troubleshooting</title>
15510 <title>Common Problems</title>
15512 <title>It's not working; how can I figure out what's wrong?</title>
15515 The best solution to solving installation and
15516 configuration issues is to take preventative measures by setting
15517 up logging files beforehand. The log files provide a
15518 source of hints and information that can be used to figure out
15519 what went wrong and how to fix the problem.
15525 <title>Incrementing and Changing the Serial Number</title>
15528 Zone serial numbers are just numbers — they aren't
15529 date related. A lot of people set them to a number that
15530 represents a date, usually of the form YYYYMMDDRR.
15531 Occasionally they will make a mistake and set them to a
15532 "date in the future" then try to correct them by setting
15533 them to the "current date". This causes problems because
15534 serial numbers are used to indicate that a zone has been
15535 updated. If the serial number on the slave server is
15536 lower than the serial number on the master, the slave
15537 server will attempt to update its copy of the zone.
15541 Setting the serial number to a lower number on the master
15542 server than the slave server means that the slave will not perform
15543 updates to its copy of the zone.
15547 The solution to this is to add 2147483647 (2^31-1) to the
15548 number, reload the zone and make sure all slaves have updated to
15549 the new zone serial number, then reset the number to what you want
15550 it to be, and reload the zone again.
15555 <title>Where Can I Get Help?</title>
15558 The Internet Systems Consortium
15559 (<acronym>ISC</acronym>) offers a wide range
15560 of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
15561 levels of premium support are available and each level includes
15562 support for all <acronym>ISC</acronym> programs,
15563 significant discounts on products
15564 and training, and a recognized priority on bug fixes and
15565 non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
15566 support agreement package which includes services ranging from bug
15567 fix announcements to remote support. It also includes training in
15568 <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
15572 To discuss arrangements for support, contact
15573 <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
15574 <acronym>ISC</acronym> web page at
15575 <ulink url="http://www.isc.org/services/support/"
15576 >http://www.isc.org/services/support/</ulink>
15581 <appendix id="Bv9ARM.ch09">
15582 <title>Appendices</title>
15584 <title>Acknowledgments</title>
15585 <sect2 id="historical_dns_information">
15586 <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
15589 Although the "official" beginning of the Domain Name
15590 System occurred in 1984 with the publication of RFC 920, the
15591 core of the new system was described in 1983 in RFCs 882 and
15592 883. From 1984 to 1987, the ARPAnet (the precursor to today's
15593 Internet) became a testbed of experimentation for developing the
15594 new naming/addressing scheme in a rapidly expanding,
15595 operational network environment. New RFCs were written and
15596 published in 1987 that modified the original documents to
15597 incorporate improvements based on the working model. RFC 1034,
15598 "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
15599 Names-Implementation and Specification" were published and
15600 became the standards upon which all <acronym>DNS</acronym> implementations are
15605 The first working domain name server, called "Jeeves", was
15606 written in 1983-84 by Paul Mockapetris for operation on DEC
15608 machines located at the University of Southern California's
15610 Sciences Institute (USC-ISI) and SRI International's Network
15612 Center (SRI-NIC). A <acronym>DNS</acronym> server for
15613 Unix machines, the Berkeley Internet
15614 Name Domain (<acronym>BIND</acronym>) package, was
15615 written soon after by a group of
15616 graduate students at the University of California at Berkeley
15618 a grant from the US Defense Advanced Research Projects
15623 Versions of <acronym>BIND</acronym> through
15624 4.8.3 were maintained by the Computer
15625 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
15626 Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
15627 project team. After that, additional work on the software package
15628 was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
15630 employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
15631 to 1987. Many other people also contributed to <acronym>BIND</acronym> development
15632 during that time: Doug Kingston, Craig Partridge, Smoot
15634 Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
15635 handled by Mike Karels and Øivind Kure.
15638 <acronym>BIND</acronym> versions 4.9 and 4.9.1 were
15639 released by Digital Equipment
15640 Corporation (now Compaq Computer Corporation). Paul Vixie, then
15641 a DEC employee, became <acronym>BIND</acronym>'s
15642 primary caretaker. He was assisted
15643 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
15645 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
15646 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
15647 Wolfhugel, and others.
15650 In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
15651 Vixie Enterprises. Paul
15652 Vixie became <acronym>BIND</acronym>'s principal
15653 architect/programmer.
15656 <acronym>BIND</acronym> versions from 4.9.3 onward
15657 have been developed and maintained
15658 by the Internet Systems Consortium and its predecessor,
15659 the Internet Software Consortium, with support being provided
15663 As co-architects/programmers, Bob Halley and
15664 Paul Vixie released the first production-ready version of
15665 <acronym>BIND</acronym> version 8 in May 1997.
15668 BIND version 9 was released in September 2000 and is a
15669 major rewrite of nearly all aspects of the underlying
15673 BIND versions 4 and 8 are officially deprecated.
15674 No additional development is done
15675 on BIND version 4 or BIND version 8.
15678 <acronym>BIND</acronym> development work is made
15679 possible today by the sponsorship
15680 of several corporations, and by the tireless work efforts of
15681 numerous individuals.
15686 <title>General <acronym>DNS</acronym> Reference Information</title>
15687 <sect2 id="ipv6addresses">
15688 <title>IPv6 addresses (AAAA)</title>
15690 IPv6 addresses are 128-bit identifiers for interfaces and
15691 sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
15692 scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
15693 an identifier for a single interface;
15694 <emphasis>Anycast</emphasis>,
15695 an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
15696 an identifier for a set of interfaces. Here we describe the global
15697 Unicast address scheme. For more information, see RFC 3587,
15698 "Global Unicast Address Format."
15701 IPv6 unicast addresses consist of a
15702 <emphasis>global routing prefix</emphasis>, a
15703 <emphasis>subnet identifier</emphasis>, and an
15704 <emphasis>interface identifier</emphasis>.
15707 The global routing prefix is provided by the
15708 upstream provider or ISP, and (roughly) corresponds to the
15709 IPv4 <emphasis>network</emphasis> section
15710 of the address range.
15712 The subnet identifier is for local subnetting, much the
15713 same as subnetting an
15714 IPv4 /16 network into /24 subnets.
15716 The interface identifier is the address of an individual
15717 interface on a given network; in IPv6, addresses belong to
15718 interfaces rather than to machines.
15721 The subnetting capability of IPv6 is much more flexible than
15722 that of IPv4: subnetting can be carried out on bit boundaries,
15723 in much the same way as Classless InterDomain Routing
15724 (CIDR), and the DNS PTR representation ("nibble" format)
15725 makes setting up reverse zones easier.
15728 The Interface Identifier must be unique on the local link,
15729 and is usually generated automatically by the IPv6
15730 implementation, although it is usually possible to
15731 override the default setting if necessary. A typical IPv6
15732 address might look like:
15733 <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
15736 IPv6 address specifications often contain long strings
15737 of zeros, so the architects have included a shorthand for
15739 them. The double colon (`::') indicates the longest possible
15741 of zeros that can fit, and can be used only once in an address.
15745 <sect1 id="bibliography">
15746 <title>Bibliography (and Suggested Reading)</title>
15748 <title>Request for Comments (RFCs)</title>
15750 Specification documents for the Internet protocol suite, including
15751 the <acronym>DNS</acronym>, are published as part of
15752 the Request for Comments (RFCs)
15753 series of technical notes. The standards themselves are defined
15754 by the Internet Engineering Task Force (IETF) and the Internet
15755 Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
15758 <ulink url="ftp://www.isi.edu/in-notes/">
15759 ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
15763 (where <replaceable>xxxx</replaceable> is
15764 the number of the RFC). RFCs are also available via the Web at:
15767 <ulink url="http://www.ietf.org/rfc/"
15768 >http://www.ietf.org/rfc/</ulink>.
15772 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
15773 <title>Standards</title>
15775 <abbrev>RFC974</abbrev>
15777 <surname>Partridge</surname>
15778 <firstname>C.</firstname>
15780 <title>Mail Routing and the Domain System</title>
15781 <pubdate>January 1986</pubdate>
15784 <abbrev>RFC1034</abbrev>
15786 <surname>Mockapetris</surname>
15787 <firstname>P.V.</firstname>
15789 <title>Domain Names — Concepts and Facilities</title>
15790 <pubdate>November 1987</pubdate>
15793 <abbrev>RFC1035</abbrev>
15795 <surname>Mockapetris</surname>
15796 <firstname>P. V.</firstname>
15797 </author> <title>Domain Names — Implementation and
15798 Specification</title>
15799 <pubdate>November 1987</pubdate>
15802 <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
15804 <title>Proposed Standards</title>
15805 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
15807 <abbrev>RFC2181</abbrev>
15809 <surname>Elz</surname>
15810 <firstname>R., R. Bush</firstname>
15812 <title>Clarifications to the <acronym>DNS</acronym>
15813 Specification</title>
15814 <pubdate>July 1997</pubdate>
15817 <abbrev>RFC2308</abbrev>
15819 <surname>Andrews</surname>
15820 <firstname>M.</firstname>
15822 <title>Negative Caching of <acronym>DNS</acronym>
15824 <pubdate>March 1998</pubdate>
15827 <abbrev>RFC1995</abbrev>
15829 <surname>Ohta</surname>
15830 <firstname>M.</firstname>
15832 <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
15833 <pubdate>August 1996</pubdate>
15836 <abbrev>RFC1996</abbrev>
15838 <surname>Vixie</surname>
15839 <firstname>P.</firstname>
15841 <title>A Mechanism for Prompt Notification of Zone Changes</title>
15842 <pubdate>August 1996</pubdate>
15845 <abbrev>RFC2136</abbrev>
15848 <surname>Vixie</surname>
15849 <firstname>P.</firstname>
15852 <firstname>S.</firstname>
15853 <surname>Thomson</surname>
15856 <firstname>Y.</firstname>
15857 <surname>Rekhter</surname>
15860 <firstname>J.</firstname>
15861 <surname>Bound</surname>
15864 <title>Dynamic Updates in the Domain Name System</title>
15865 <pubdate>April 1997</pubdate>
15868 <abbrev>RFC2671</abbrev>
15871 <firstname>P.</firstname>
15872 <surname>Vixie</surname>
15875 <title>Extension Mechanisms for DNS (EDNS0)</title>
15876 <pubdate>August 1997</pubdate>
15879 <abbrev>RFC2672</abbrev>
15882 <firstname>M.</firstname>
15883 <surname>Crawford</surname>
15886 <title>Non-Terminal DNS Name Redirection</title>
15887 <pubdate>August 1999</pubdate>
15890 <abbrev>RFC2845</abbrev>
15893 <surname>Vixie</surname>
15894 <firstname>P.</firstname>
15897 <firstname>O.</firstname>
15898 <surname>Gudmundsson</surname>
15901 <firstname>D.</firstname>
15902 <surname>Eastlake</surname>
15903 <lineage>3rd</lineage>
15906 <firstname>B.</firstname>
15907 <surname>Wellington</surname>
15910 <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
15911 <pubdate>May 2000</pubdate>
15914 <abbrev>RFC2930</abbrev>
15917 <firstname>D.</firstname>
15918 <surname>Eastlake</surname>
15919 <lineage>3rd</lineage>
15922 <title>Secret Key Establishment for DNS (TKEY RR)</title>
15923 <pubdate>September 2000</pubdate>
15926 <abbrev>RFC2931</abbrev>
15929 <firstname>D.</firstname>
15930 <surname>Eastlake</surname>
15931 <lineage>3rd</lineage>
15934 <title>DNS Request and Transaction Signatures (SIG(0)s)</title>
15935 <pubdate>September 2000</pubdate>
15938 <abbrev>RFC3007</abbrev>
15941 <firstname>B.</firstname>
15942 <surname>Wellington</surname>
15945 <title>Secure Domain Name System (DNS) Dynamic Update</title>
15946 <pubdate>November 2000</pubdate>
15949 <abbrev>RFC3645</abbrev>
15952 <firstname>S.</firstname>
15953 <surname>Kwan</surname>
15956 <firstname>P.</firstname>
15957 <surname>Garg</surname>
15960 <firstname>J.</firstname>
15961 <surname>Gilroy</surname>
15964 <firstname>L.</firstname>
15965 <surname>Esibov</surname>
15968 <firstname>J.</firstname>
15969 <surname>Westhead</surname>
15972 <firstname>R.</firstname>
15973 <surname>Hall</surname>
15976 <title>Generic Security Service Algorithm for Secret
15977 Key Transaction Authentication for DNS
15979 <pubdate>October 2003</pubdate>
15983 <title><acronym>DNS</acronym> Security Proposed Standards</title>
15985 <abbrev>RFC3225</abbrev>
15988 <firstname>D.</firstname>
15989 <surname>Conrad</surname>
15992 <title>Indicating Resolver Support of DNSSEC</title>
15993 <pubdate>December 2001</pubdate>
15996 <abbrev>RFC3833</abbrev>
15999 <firstname>D.</firstname>
16000 <surname>Atkins</surname>
16003 <firstname>R.</firstname>
16004 <surname>Austein</surname>
16007 <title>Threat Analysis of the Domain Name System (DNS)</title>
16008 <pubdate>August 2004</pubdate>
16011 <abbrev>RFC4033</abbrev>
16014 <firstname>R.</firstname>
16015 <surname>Arends</surname>
16018 <firstname>R.</firstname>
16019 <surname>Austein</surname>
16022 <firstname>M.</firstname>
16023 <surname>Larson</surname>
16026 <firstname>D.</firstname>
16027 <surname>Massey</surname>
16030 <firstname>S.</firstname>
16031 <surname>Rose</surname>
16034 <title>DNS Security Introduction and Requirements</title>
16035 <pubdate>March 2005</pubdate>
16038 <abbrev>RFC4034</abbrev>
16041 <firstname>R.</firstname>
16042 <surname>Arends</surname>
16045 <firstname>R.</firstname>
16046 <surname>Austein</surname>
16049 <firstname>M.</firstname>
16050 <surname>Larson</surname>
16053 <firstname>D.</firstname>
16054 <surname>Massey</surname>
16057 <firstname>S.</firstname>
16058 <surname>Rose</surname>
16061 <title>Resource Records for the DNS Security Extensions</title>
16062 <pubdate>March 2005</pubdate>
16065 <abbrev>RFC4035</abbrev>
16068 <firstname>R.</firstname>
16069 <surname>Arends</surname>
16072 <firstname>R.</firstname>
16073 <surname>Austein</surname>
16076 <firstname>M.</firstname>
16077 <surname>Larson</surname>
16080 <firstname>D.</firstname>
16081 <surname>Massey</surname>
16084 <firstname>S.</firstname>
16085 <surname>Rose</surname>
16088 <title>Protocol Modifications for the DNS
16089 Security Extensions</title>
16090 <pubdate>March 2005</pubdate>
16094 <title>Other Important RFCs About <acronym>DNS</acronym>
16095 Implementation</title>
16097 <abbrev>RFC1535</abbrev>
16099 <surname>Gavron</surname>
16100 <firstname>E.</firstname>
16102 <title>A Security Problem and Proposed Correction With Widely
16103 Deployed <acronym>DNS</acronym> Software.</title>
16104 <pubdate>October 1993</pubdate>
16107 <abbrev>RFC1536</abbrev>
16110 <surname>Kumar</surname>
16111 <firstname>A.</firstname>
16114 <firstname>J.</firstname>
16115 <surname>Postel</surname>
16118 <firstname>C.</firstname>
16119 <surname>Neuman</surname>
16122 <firstname>P.</firstname>
16123 <surname>Danzig</surname>
16126 <firstname>S.</firstname>
16127 <surname>Miller</surname>
16130 <title>Common <acronym>DNS</acronym> Implementation
16131 Errors and Suggested Fixes</title>
16132 <pubdate>October 1993</pubdate>
16135 <abbrev>RFC1982</abbrev>
16138 <surname>Elz</surname>
16139 <firstname>R.</firstname>
16142 <firstname>R.</firstname>
16143 <surname>Bush</surname>
16146 <title>Serial Number Arithmetic</title>
16147 <pubdate>August 1996</pubdate>
16150 <abbrev>RFC4074</abbrev>
16153 <surname>Morishita</surname>
16154 <firstname>Y.</firstname>
16157 <firstname>T.</firstname>
16158 <surname>Jinmei</surname>
16161 <title>Common Misbehaviour Against <acronym>DNS</acronym>
16162 Queries for IPv6 Addresses</title>
16163 <pubdate>May 2005</pubdate>
16167 <title>Resource Record Types</title>
16169 <abbrev>RFC1183</abbrev>
16172 <surname>Everhart</surname>
16173 <firstname>C.F.</firstname>
16176 <firstname>L. A.</firstname>
16177 <surname>Mamakos</surname>
16180 <firstname>R.</firstname>
16181 <surname>Ullmann</surname>
16184 <firstname>P.</firstname>
16185 <surname>Mockapetris</surname>
16188 <title>New <acronym>DNS</acronym> RR Definitions</title>
16189 <pubdate>October 1990</pubdate>
16192 <abbrev>RFC1706</abbrev>
16195 <surname>Manning</surname>
16196 <firstname>B.</firstname>
16199 <firstname>R.</firstname>
16200 <surname>Colella</surname>
16203 <title><acronym>DNS</acronym> NSAP Resource Records</title>
16204 <pubdate>October 1994</pubdate>
16207 <abbrev>RFC2168</abbrev>
16210 <surname>Daniel</surname>
16211 <firstname>R.</firstname>
16214 <firstname>M.</firstname>
16215 <surname>Mealling</surname>
16218 <title>Resolution of Uniform Resource Identifiers using
16219 the Domain Name System</title>
16220 <pubdate>June 1997</pubdate>
16223 <abbrev>RFC1876</abbrev>
16226 <surname>Davis</surname>
16227 <firstname>C.</firstname>
16230 <firstname>P.</firstname>
16231 <surname>Vixie</surname>
16234 <firstname>T.</firstname>
16235 <firstname>Goodwin</firstname>
16238 <firstname>I.</firstname>
16239 <surname>Dickinson</surname>
16242 <title>A Means for Expressing Location Information in the
16244 Name System</title>
16245 <pubdate>January 1996</pubdate>
16248 <abbrev>RFC2052</abbrev>
16251 <surname>Gulbrandsen</surname>
16252 <firstname>A.</firstname>
16255 <firstname>P.</firstname>
16256 <surname>Vixie</surname>
16259 <title>A <acronym>DNS</acronym> RR for Specifying the
16262 <pubdate>October 1996</pubdate>
16265 <abbrev>RFC2163</abbrev>
16267 <surname>Allocchio</surname>
16268 <firstname>A.</firstname>
16270 <title>Using the Internet <acronym>DNS</acronym> to
16272 Conformant Global Address Mapping</title>
16273 <pubdate>January 1998</pubdate>
16276 <abbrev>RFC2230</abbrev>
16278 <surname>Atkinson</surname>
16279 <firstname>R.</firstname>
16281 <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
16282 <pubdate>October 1997</pubdate>
16285 <abbrev>RFC2536</abbrev>
16287 <surname>Eastlake</surname>
16288 <firstname>D.</firstname>
16289 <lineage>3rd</lineage>
16291 <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
16292 <pubdate>March 1999</pubdate>
16295 <abbrev>RFC2537</abbrev>
16297 <surname>Eastlake</surname>
16298 <firstname>D.</firstname>
16299 <lineage>3rd</lineage>
16301 <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
16302 <pubdate>March 1999</pubdate>
16305 <abbrev>RFC2538</abbrev>
16308 <surname>Eastlake</surname>
16309 <firstname>D.</firstname>
16310 <lineage>3rd</lineage>
16313 <surname>Gudmundsson</surname>
16314 <firstname>O.</firstname>
16317 <title>Storing Certificates in the Domain Name System (DNS)</title>
16318 <pubdate>March 1999</pubdate>
16321 <abbrev>RFC2539</abbrev>
16324 <surname>Eastlake</surname>
16325 <firstname>D.</firstname>
16326 <lineage>3rd</lineage>
16329 <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
16330 <pubdate>March 1999</pubdate>
16333 <abbrev>RFC2540</abbrev>
16336 <surname>Eastlake</surname>
16337 <firstname>D.</firstname>
16338 <lineage>3rd</lineage>
16341 <title>Detached Domain Name System (DNS) Information</title>
16342 <pubdate>March 1999</pubdate>
16345 <abbrev>RFC2782</abbrev>
16347 <surname>Gulbrandsen</surname>
16348 <firstname>A.</firstname>
16351 <surname>Vixie</surname>
16352 <firstname>P.</firstname>
16355 <surname>Esibov</surname>
16356 <firstname>L.</firstname>
16358 <title>A DNS RR for specifying the location of services (DNS SRV)</title>
16359 <pubdate>February 2000</pubdate>
16362 <abbrev>RFC2915</abbrev>
16364 <surname>Mealling</surname>
16365 <firstname>M.</firstname>
16368 <surname>Daniel</surname>
16369 <firstname>R.</firstname>
16371 <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
16372 <pubdate>September 2000</pubdate>
16375 <abbrev>RFC3110</abbrev>
16377 <surname>Eastlake</surname>
16378 <firstname>D.</firstname>
16379 <lineage>3rd</lineage>
16381 <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
16382 <pubdate>May 2001</pubdate>
16385 <abbrev>RFC3123</abbrev>
16387 <surname>Koch</surname>
16388 <firstname>P.</firstname>
16390 <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
16391 <pubdate>June 2001</pubdate>
16394 <abbrev>RFC3596</abbrev>
16397 <surname>Thomson</surname>
16398 <firstname>S.</firstname>
16401 <firstname>C.</firstname>
16402 <surname>Huitema</surname>
16405 <firstname>V.</firstname>
16406 <surname>Ksinant</surname>
16409 <firstname>M.</firstname>
16410 <surname>Souissi</surname>
16413 <title><acronym>DNS</acronym> Extensions to support IP
16415 <pubdate>October 2003</pubdate>
16418 <abbrev>RFC3597</abbrev>
16420 <surname>Gustafsson</surname>
16421 <firstname>A.</firstname>
16423 <title>Handling of Unknown DNS Resource Record (RR) Types</title>
16424 <pubdate>September 2003</pubdate>
16428 <title><acronym>DNS</acronym> and the Internet</title>
16430 <abbrev>RFC1101</abbrev>
16432 <surname>Mockapetris</surname>
16433 <firstname>P. V.</firstname>
16435 <title><acronym>DNS</acronym> Encoding of Network Names
16436 and Other Types</title>
16437 <pubdate>April 1989</pubdate>
16440 <abbrev>RFC1123</abbrev>
16442 <surname>Braden</surname>
16443 <surname>R.</surname>
16445 <title>Requirements for Internet Hosts - Application and
16447 <pubdate>October 1989</pubdate>
16450 <abbrev>RFC1591</abbrev>
16452 <surname>Postel</surname>
16453 <firstname>J.</firstname>
16455 <title>Domain Name System Structure and Delegation</title>
16456 <pubdate>March 1994</pubdate>
16459 <abbrev>RFC2317</abbrev>
16462 <surname>Eidnes</surname>
16463 <firstname>H.</firstname>
16466 <firstname>G.</firstname>
16467 <surname>de Groot</surname>
16470 <firstname>P.</firstname>
16471 <surname>Vixie</surname>
16474 <title>Classless IN-ADDR.ARPA Delegation</title>
16475 <pubdate>March 1998</pubdate>
16478 <abbrev>RFC2826</abbrev>
16481 <surname>Internet Architecture Board</surname>
16484 <title>IAB Technical Comment on the Unique DNS Root</title>
16485 <pubdate>May 2000</pubdate>
16488 <abbrev>RFC2929</abbrev>
16491 <surname>Eastlake</surname>
16492 <firstname>D.</firstname>
16493 <lineage>3rd</lineage>
16496 <surname>Brunner-Williams</surname>
16497 <firstname>E.</firstname>
16500 <surname>Manning</surname>
16501 <firstname>B.</firstname>
16504 <title>Domain Name System (DNS) IANA Considerations</title>
16505 <pubdate>September 2000</pubdate>
16509 <title><acronym>DNS</acronym> Operations</title>
16511 <abbrev>RFC1033</abbrev>
16513 <surname>Lottor</surname>
16514 <firstname>M.</firstname>
16516 <title>Domain administrators operations guide.</title>
16517 <pubdate>November 1987</pubdate>
16520 <abbrev>RFC1537</abbrev>
16522 <surname>Beertema</surname>
16523 <firstname>P.</firstname>
16525 <title>Common <acronym>DNS</acronym> Data File
16526 Configuration Errors</title>
16527 <pubdate>October 1993</pubdate>
16530 <abbrev>RFC1912</abbrev>
16532 <surname>Barr</surname>
16533 <firstname>D.</firstname>
16535 <title>Common <acronym>DNS</acronym> Operational and
16536 Configuration Errors</title>
16537 <pubdate>February 1996</pubdate>
16540 <abbrev>RFC2010</abbrev>
16543 <surname>Manning</surname>
16544 <firstname>B.</firstname>
16547 <firstname>P.</firstname>
16548 <surname>Vixie</surname>
16551 <title>Operational Criteria for Root Name Servers.</title>
16552 <pubdate>October 1996</pubdate>
16555 <abbrev>RFC2219</abbrev>
16558 <surname>Hamilton</surname>
16559 <firstname>M.</firstname>
16562 <firstname>R.</firstname>
16563 <surname>Wright</surname>
16566 <title>Use of <acronym>DNS</acronym> Aliases for
16567 Network Services.</title>
16568 <pubdate>October 1997</pubdate>
16572 <title>Internationalized Domain Names</title>
16574 <abbrev>RFC2825</abbrev>
16577 <surname>IAB</surname>
16580 <surname>Daigle</surname>
16581 <firstname>R.</firstname>
16584 <title>A Tangled Web: Issues of I18N, Domain Names,
16585 and the Other Internet protocols</title>
16586 <pubdate>May 2000</pubdate>
16589 <abbrev>RFC3490</abbrev>
16592 <surname>Faltstrom</surname>
16593 <firstname>P.</firstname>
16596 <surname>Hoffman</surname>
16597 <firstname>P.</firstname>
16600 <surname>Costello</surname>
16601 <firstname>A.</firstname>
16604 <title>Internationalizing Domain Names in Applications (IDNA)</title>
16605 <pubdate>March 2003</pubdate>
16608 <abbrev>RFC3491</abbrev>
16611 <surname>Hoffman</surname>
16612 <firstname>P.</firstname>
16615 <surname>Blanchet</surname>
16616 <firstname>M.</firstname>
16619 <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
16620 <pubdate>March 2003</pubdate>
16623 <abbrev>RFC3492</abbrev>
16626 <surname>Costello</surname>
16627 <firstname>A.</firstname>
16630 <title>Punycode: A Bootstring encoding of Unicode
16631 for Internationalized Domain Names in
16632 Applications (IDNA)</title>
16633 <pubdate>March 2003</pubdate>
16637 <title>Other <acronym>DNS</acronym>-related RFCs</title>
16640 Note: the following list of RFCs, although
16641 <acronym>DNS</acronym>-related, are not
16642 concerned with implementing software.
16646 <abbrev>RFC1464</abbrev>
16648 <surname>Rosenbaum</surname>
16649 <firstname>R.</firstname>
16651 <title>Using the Domain Name System To Store Arbitrary String
16653 <pubdate>May 1993</pubdate>
16656 <abbrev>RFC1713</abbrev>
16658 <surname>Romao</surname>
16659 <firstname>A.</firstname>
16661 <title>Tools for <acronym>DNS</acronym> Debugging</title>
16662 <pubdate>November 1994</pubdate>
16665 <abbrev>RFC1794</abbrev>
16667 <surname>Brisco</surname>
16668 <firstname>T.</firstname>
16670 <title><acronym>DNS</acronym> Support for Load
16672 <pubdate>April 1995</pubdate>
16675 <abbrev>RFC2240</abbrev>
16677 <surname>Vaughan</surname>
16678 <firstname>O.</firstname>
16680 <title>A Legal Basis for Domain Name Allocation</title>
16681 <pubdate>November 1997</pubdate>
16684 <abbrev>RFC2345</abbrev>
16687 <surname>Klensin</surname>
16688 <firstname>J.</firstname>
16691 <firstname>T.</firstname>
16692 <surname>Wolf</surname>
16695 <firstname>G.</firstname>
16696 <surname>Oglesby</surname>
16699 <title>Domain Names and Company Name Retrieval</title>
16700 <pubdate>May 1998</pubdate>
16703 <abbrev>RFC2352</abbrev>
16705 <surname>Vaughan</surname>
16706 <firstname>O.</firstname>
16708 <title>A Convention For Using Legal Names as Domain Names</title>
16709 <pubdate>May 1998</pubdate>
16712 <abbrev>RFC3071</abbrev>
16715 <surname>Klensin</surname>
16716 <firstname>J.</firstname>
16719 <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
16720 <pubdate>February 2001</pubdate>
16723 <abbrev>RFC3258</abbrev>
16726 <surname>Hardie</surname>
16727 <firstname>T.</firstname>
16730 <title>Distributing Authoritative Name Servers via
16731 Shared Unicast Addresses</title>
16732 <pubdate>April 2002</pubdate>
16735 <abbrev>RFC3901</abbrev>
16738 <surname>Durand</surname>
16739 <firstname>A.</firstname>
16742 <firstname>J.</firstname>
16743 <surname>Ihren</surname>
16746 <title>DNS IPv6 Transport Operational Guidelines</title>
16747 <pubdate>September 2004</pubdate>
16751 <title>Obsolete and Unimplemented Experimental RFC</title>
16753 <abbrev>RFC1712</abbrev>
16756 <surname>Farrell</surname>
16757 <firstname>C.</firstname>
16760 <firstname>M.</firstname>
16761 <surname>Schulze</surname>
16764 <firstname>S.</firstname>
16765 <surname>Pleitner</surname>
16768 <firstname>D.</firstname>
16769 <surname>Baldoni</surname>
16772 <title><acronym>DNS</acronym> Encoding of Geographical
16774 <pubdate>November 1994</pubdate>
16777 <abbrev>RFC2673</abbrev>
16780 <surname>Crawford</surname>
16781 <firstname>M.</firstname>
16784 <title>Binary Labels in the Domain Name System</title>
16785 <pubdate>August 1999</pubdate>
16788 <abbrev>RFC2874</abbrev>
16791 <surname>Crawford</surname>
16792 <firstname>M.</firstname>
16795 <surname>Huitema</surname>
16796 <firstname>C.</firstname>
16799 <title>DNS Extensions to Support IPv6 Address Aggregation
16800 and Renumbering</title>
16801 <pubdate>July 2000</pubdate>
16805 <title>Obsoleted DNS Security RFCs</title>
16808 Most of these have been consolidated into RFC4033,
16809 RFC4034 and RFC4035 which collectively describe DNSSECbis.
16813 <abbrev>RFC2065</abbrev>
16816 <surname>Eastlake</surname>
16817 <lineage>3rd</lineage>
16818 <firstname>D.</firstname>
16821 <firstname>C.</firstname>
16822 <surname>Kaufman</surname>
16825 <title>Domain Name System Security Extensions</title>
16826 <pubdate>January 1997</pubdate>
16829 <abbrev>RFC2137</abbrev>
16831 <surname>Eastlake</surname>
16832 <lineage>3rd</lineage>
16833 <firstname>D.</firstname>
16835 <title>Secure Domain Name System Dynamic Update</title>
16836 <pubdate>April 1997</pubdate>
16839 <abbrev>RFC2535</abbrev>
16842 <surname>Eastlake</surname>
16843 <lineage>3rd</lineage>
16844 <firstname>D.</firstname>
16847 <title>Domain Name System Security Extensions</title>
16848 <pubdate>March 1999</pubdate>
16851 <abbrev>RFC3008</abbrev>
16854 <surname>Wellington</surname>
16855 <firstname>B.</firstname>
16858 <title>Domain Name System Security (DNSSEC)
16859 Signing Authority</title>
16860 <pubdate>November 2000</pubdate>
16863 <abbrev>RFC3090</abbrev>
16866 <surname>Lewis</surname>
16867 <firstname>E.</firstname>
16870 <title>DNS Security Extension Clarification on Zone Status</title>
16871 <pubdate>March 2001</pubdate>
16874 <abbrev>RFC3445</abbrev>
16877 <surname>Massey</surname>
16878 <firstname>D.</firstname>
16881 <surname>Rose</surname>
16882 <firstname>S.</firstname>
16885 <title>Limiting the Scope of the KEY Resource Record (RR)</title>
16886 <pubdate>December 2002</pubdate>
16889 <abbrev>RFC3655</abbrev>
16892 <surname>Wellington</surname>
16893 <firstname>B.</firstname>
16896 <surname>Gudmundsson</surname>
16897 <firstname>O.</firstname>
16900 <title>Redefinition of DNS Authenticated Data (AD) bit</title>
16901 <pubdate>November 2003</pubdate>
16904 <abbrev>RFC3658</abbrev>
16907 <surname>Gudmundsson</surname>
16908 <firstname>O.</firstname>
16911 <title>Delegation Signer (DS) Resource Record (RR)</title>
16912 <pubdate>December 2003</pubdate>
16915 <abbrev>RFC3755</abbrev>
16918 <surname>Weiler</surname>
16919 <firstname>S.</firstname>
16922 <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
16923 <pubdate>May 2004</pubdate>
16926 <abbrev>RFC3757</abbrev>
16929 <surname>Kolkman</surname>
16930 <firstname>O.</firstname>
16933 <surname>Schlyter</surname>
16934 <firstname>J.</firstname>
16937 <surname>Lewis</surname>
16938 <firstname>E.</firstname>
16941 <title>Domain Name System KEY (DNSKEY) Resource Record
16942 (RR) Secure Entry Point (SEP) Flag</title>
16943 <pubdate>April 2004</pubdate>
16946 <abbrev>RFC3845</abbrev>
16949 <surname>Schlyter</surname>
16950 <firstname>J.</firstname>
16953 <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
16954 <pubdate>August 2004</pubdate>
16959 <sect2 id="internet_drafts">
16960 <title>Internet Drafts</title>
16962 Internet Drafts (IDs) are rough-draft working documents of
16963 the Internet Engineering Task Force. They are, in essence, RFCs
16964 in the preliminary stages of development. Implementors are
16966 to regard IDs as archival, and they should not be quoted or cited
16967 in any formal documents unless accompanied by the disclaimer that
16968 they are "works in progress." IDs have a lifespan of six months
16969 after which they are deleted unless updated by their authors.
16973 <title>Other Documents About <acronym>BIND</acronym></title>
16979 <surname>Albitz</surname>
16980 <firstname>Paul</firstname>
16983 <firstname>Cricket</firstname>
16984 <surname>Liu</surname>
16987 <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
16990 <holder>Sebastopol, CA: O'Reilly and Associates</holder>
16997 <xi:include href="libdns.xml"/>
17002 <reference id="Bv9ARM.ch10">
17003 <title>Manual pages</title>
17004 <xi:include href="../../bin/dig/dig.docbook"/>
17005 <xi:include href="../../bin/dig/host.docbook"/>
17006 <xi:include href="../../bin/python/dnssec-checkds.docbook"/>
17007 <xi:include href="../../bin/python/dnssec-coverage.docbook"/>
17008 <xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>
17009 <xi:include href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/>
17010 <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
17011 <xi:include href="../../bin/dnssec/dnssec-revoke.docbook"/>
17012 <xi:include href="../../bin/dnssec/dnssec-settime.docbook"/>
17013 <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
17014 <xi:include href="../../bin/dnssec/dnssec-verify.docbook"/>
17015 <xi:include href="../../bin/check/named-checkconf.docbook"/>
17016 <xi:include href="../../bin/check/named-checkzone.docbook"/>
17017 <xi:include href="../../bin/named/named.docbook"/>
17018 <xi:include href="../../bin/tools/named-journalprint.docbook"/>
17019 <!-- named.conf.docbook and others? -->
17020 <xi:include href="../../bin/nsupdate/nsupdate.docbook"/>
17021 <xi:include href="../../bin/rndc/rndc.docbook"/>
17022 <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
17023 <xi:include href="../../bin/confgen/rndc-confgen.docbook"/>
17024 <xi:include href="../../bin/confgen/ddns-confgen.docbook"/>
17025 <xi:include href="../../bin/tools/arpaname.docbook"/>
17026 <xi:include href="../../bin/tools/genrandom.docbook"/>
17027 <xi:include href="../../bin/tools/isc-hmac-fixup.docbook"/>
17028 <xi:include href="../../bin/tools/nsec3hash.docbook"/>