2 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
21 <title>Chapter 6. BIND 9 Configuration Reference</title>
22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
23 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
25 <link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
26 <link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
28 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
29 <div class="navheader">
30 <table width="100%" summary="Navigation header">
31 <tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
33 <td width="20%" align="left">
34 <a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
35 <th width="60%" align="center"> </th>
36 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
42 <div class="chapter" lang="en">
43 <div class="titlepage"><div><div><h2 class="title">
44 <a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
46 <p><b>Table of Contents</b></p>
48 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
50 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
51 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573235">Comment Syntax</a></span></dt>
53 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
55 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573895"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
56 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
58 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574091"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
59 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
61 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574451"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
62 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574468"><span><strong class="command">include</strong></span> Statement Definition and
64 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574628"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
65 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574651"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
66 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574742"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
67 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574868"><span><strong class="command">logging</strong></span> Statement Definition and
69 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577079"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
70 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577153"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
71 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577285"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
72 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577329"><span><strong class="command">masters</strong></span> Statement Definition and
74 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577350"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
75 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
77 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
78 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
80 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
81 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590471"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
83 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
84 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590642"><span><strong class="command">trusted-keys</strong></span> Statement Definition
85 and Usage</a></span></dt>
86 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590757"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
87 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
88 and Usage</a></span></dt>
89 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
90 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591192"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
91 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
92 Statement Grammar</a></span></dt>
93 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592901"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
95 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2596587">Zone File</a></span></dt>
97 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
98 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598681">Discussion of MX Records</a></span></dt>
99 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
100 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599297">Inverse Mapping in IPv4</a></span></dt>
101 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599492">Other Zone File Directives</a></span></dt>
102 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599765"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
103 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
105 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
106 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
110 <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
111 to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
113 of configuration, such as views. <acronym class="acronym">BIND</acronym>
114 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
115 9, although more complex configurations should be reviewed to check
116 if they can be more efficiently implemented using the new features
117 found in <acronym class="acronym">BIND</acronym> 9.
120 <acronym class="acronym">BIND</acronym> 4 configuration files can be
121 converted to the new format
122 using the shell script
123 <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
125 <div class="sect1" lang="en">
126 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
127 <a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
129 Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
132 <div class="informaltable"><table border="1">
141 <code class="varname">acl_name</code>
146 The name of an <code class="varname">address_match_list</code> as
147 defined by the <span><strong class="command">acl</strong></span> statement.
154 <code class="varname">address_match_list</code>
159 A list of one or more
160 <code class="varname">ip_addr</code>,
161 <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
162 or <code class="varname">acl_name</code> elements, see
163 <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
170 <code class="varname">masters_list</code>
175 A named list of one or more <code class="varname">ip_addr</code>
176 with optional <code class="varname">key_id</code> and/or
177 <code class="varname">ip_port</code>.
178 A <code class="varname">masters_list</code> may include other
179 <code class="varname">masters_lists</code>.
186 <code class="varname">domain_name</code>
191 A quoted string which will be used as
192 a DNS name, for example "<code class="literal">my.test.domain</code>".
199 <code class="varname">namelist</code>
204 A list of one or more <code class="varname">domain_name</code>
212 <code class="varname">dotted_decimal</code>
217 One to four integers valued 0 through
218 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
219 <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
226 <code class="varname">ip4_addr</code>
231 An IPv4 address with exactly four elements
232 in <code class="varname">dotted_decimal</code> notation.
239 <code class="varname">ip6_addr</code>
244 An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
245 IPv6 scoped addresses that have ambiguity on their
246 scope zones must be disambiguated by an appropriate
247 zone ID with the percent character (`%') as
248 delimiter. It is strongly recommended to use
249 string zone names rather than numeric identifiers,
250 in order to be robust against system configuration
251 changes. However, since there is no standard
252 mapping for such names and identifier values,
253 currently only interface names as link identifiers
254 are supported, assuming one-to-one mapping between
255 interfaces and links. For example, a link-local
256 address <span><strong class="command">fe80::1</strong></span> on the link
257 attached to the interface <span><strong class="command">ne0</strong></span>
258 can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
259 Note that on most systems link-local addresses
260 always have the ambiguity, and need to be
268 <code class="varname">ip_addr</code>
273 An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
280 <code class="varname">ip_port</code>
285 An IP port <code class="varname">number</code>.
286 The <code class="varname">number</code> is limited to 0
287 through 65535, with values
288 below 1024 typically restricted to use by processes running
290 In some cases, an asterisk (`*') character can be used as a
292 select a random high-numbered port.
299 <code class="varname">ip_prefix</code>
304 An IP network specified as an <code class="varname">ip_addr</code>,
305 followed by a slash (`/') and then the number of bits in the
307 Trailing zeros in a <code class="varname">ip_addr</code>
309 For example, <span><strong class="command">127/8</strong></span> is the
310 network <span><strong class="command">127.0.0.0</strong></span> with
311 netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
312 network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
315 When specifying a prefix involving a IPv6 scoped address
316 the scope may be omitted. In that case the prefix will
317 match packets from any scope.
324 <code class="varname">key_id</code>
329 A <code class="varname">domain_name</code> representing
330 the name of a shared key, to be used for transaction
338 <code class="varname">key_list</code>
343 A list of one or more
344 <code class="varname">key_id</code>s,
345 separated by semicolons and ending with a semicolon.
352 <code class="varname">number</code>
357 A non-negative 32-bit integer
358 (i.e., a number between 0 and 4294967295, inclusive).
359 Its acceptable value might further
360 be limited by the context in which it is used.
367 <code class="varname">path_name</code>
372 A quoted string which will be used as
373 a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
380 <code class="varname">port_list</code>
385 A list of an <code class="varname">ip_port</code> or a port
387 A port range is specified in the form of
388 <strong class="userinput"><code>range</code></strong> followed by
389 two <code class="varname">ip_port</code>s,
390 <code class="varname">port_low</code> and
391 <code class="varname">port_high</code>, which represents
392 port numbers from <code class="varname">port_low</code> through
393 <code class="varname">port_high</code>, inclusive.
394 <code class="varname">port_low</code> must not be larger than
395 <code class="varname">port_high</code>.
397 <strong class="userinput"><code>range 1024 65535</code></strong> represents
398 ports from 1024 through 65535.
399 In either case an asterisk (`*') character is not
400 allowed as a valid <code class="varname">ip_port</code>.
407 <code class="varname">size_spec</code>
412 A 64-bit unsigned integer, or the keywords
413 <strong class="userinput"><code>unlimited</code></strong> or
414 <strong class="userinput"><code>default</code></strong>.
417 Integers may take values
418 0 <= value <= 18446744073709551615, though
420 (such as <span><strong class="command">max-journal-size</strong></span>) may
421 use a more limited range within these extremes.
422 In most cases, setting a value to 0 does not
423 literally mean zero; it means "undefined" or
424 "as big as possible", depending on the context.
425 See the explanations of particular parameters
426 that use <code class="varname">size_spec</code>
427 for details on how they interpret its use.
430 Numeric values can optionally be followed by a
432 <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
434 <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
436 <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong>
437 for gigabytes, which scale by 1024, 1024*1024, and
438 1024*1024*1024 respectively.
441 <code class="varname">unlimited</code> generally means
442 "as big as possible", though in certain contexts,
443 (including <code class="option">max-cache-size</code>), it may
444 mean the largest possible 32-bit unsigned integer
445 (0xffffffff); this distinction can be important when
446 dealing with larger quantities.
447 <code class="varname">unlimited</code> is usually the best way
448 to safely set a very large number.
451 <code class="varname">default</code>
452 uses the limit that was in force when the server was started.
459 <code class="varname">yes_or_no</code>
464 Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
465 The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
466 also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
467 and <strong class="userinput"><code>0</code></strong>.
474 <code class="varname">dialup_option</code>
479 One of <strong class="userinput"><code>yes</code></strong>,
480 <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
481 <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
482 <strong class="userinput"><code>passive</code></strong>.
483 When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
484 <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
485 are restricted to slave and stub zones.
491 <div class="sect2" lang="en">
492 <div class="titlepage"><div><div><h3 class="title">
493 <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
494 <div class="sect3" lang="en">
495 <div class="titlepage"><div><div><h4 class="title">
496 <a name="id2572933"></a>Syntax</h4></div></div></div>
497 <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
498 [<span class="optional"> address_match_list_element; ... </span>]
499 <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
500 key key_id | acl_name | { address_match_list } )
503 <div class="sect3" lang="en">
504 <div class="titlepage"><div><div><h4 class="title">
505 <a name="id2572961"></a>Definition and Usage</h4></div></div></div>
507 Address match lists are primarily used to determine access
508 control for various server operations. They are also used in
509 the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
510 statements. The elements which constitute an address match
511 list can be any of the following:
513 <div class="itemizedlist"><ul type="disc">
514 <li>an IP address (IPv4 or IPv6)</li>
515 <li>an IP prefix (in `/' notation)</li>
517 a key ID, as defined by the <span><strong class="command">key</strong></span>
520 <li>the name of an address match list defined with
521 the <span><strong class="command">acl</strong></span> statement
523 <li>a nested address match list enclosed in braces</li>
526 Elements can be negated with a leading exclamation mark (`!'),
527 and the match list names "any", "none", "localhost", and
528 "localnets" are predefined. More information on those names
529 can be found in the description of the acl statement.
532 The addition of the key clause made the name of this syntactic
533 element something of a misnomer, since security keys can be used
534 to validate access without regard to a host or network address.
535 Nonetheless, the term "address match list" is still used
536 throughout the documentation.
539 When a given IP address or prefix is compared to an address
540 match list, the comparison takes place in approximately O(1)
541 time. However, key comparisons require that the list of keys
542 be traversed until a matching key is found, and therefore may
546 The interpretation of a match depends on whether the list is being
547 used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
548 <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
551 When used as an access control list, a non-negated match
552 allows access and a negated match denies access. If
553 there is no match, access is denied. The clauses
554 <span><strong class="command">allow-notify</strong></span>,
555 <span><strong class="command">allow-recursion</strong></span>,
556 <span><strong class="command">allow-recursion-on</strong></span>,
557 <span><strong class="command">allow-query</strong></span>,
558 <span><strong class="command">allow-query-on</strong></span>,
559 <span><strong class="command">allow-query-cache</strong></span>,
560 <span><strong class="command">allow-query-cache-on</strong></span>,
561 <span><strong class="command">allow-transfer</strong></span>,
562 <span><strong class="command">allow-update</strong></span>,
563 <span><strong class="command">allow-update-forwarding</strong></span>, and
564 <span><strong class="command">blackhole</strong></span> all use address match
565 lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
566 server to refuse queries on any of the machine's
567 addresses which do not match the list.
570 Order of insertion is significant. If more than one element
571 in an ACL is found to match a given IP address or prefix,
572 preference will be given to the one that came
573 <span class="emphasis"><em>first</em></span> in the ACL definition.
574 Because of this first-match behavior, an element that
575 defines a subset of another element in the list should
576 come before the broader element, regardless of whether
577 either is negated. For example, in
578 <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
579 the 1.2.3.13 element is completely useless because the
580 algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
581 element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
582 that problem by having 1.2.3.13 blocked by the negation, but
583 all other 1.2.3.* hosts fall through.
587 <div class="sect2" lang="en">
588 <div class="titlepage"><div><div><h3 class="title">
589 <a name="id2573235"></a>Comment Syntax</h3></div></div></div>
591 The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
593 anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
594 file. To appeal to programmers of all kinds, they can be written
595 in the C, C++, or shell/perl style.
597 <div class="sect3" lang="en">
598 <div class="titlepage"><div><div><h4 class="title">
599 <a name="id2573318"></a>Syntax</h4></div></div></div>
602 <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
605 <pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
608 <pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
613 <div class="sect3" lang="en">
614 <div class="titlepage"><div><div><h4 class="title">
615 <a name="id2573348"></a>Definition and Usage</h4></div></div></div>
617 Comments may appear anywhere that whitespace may appear in
618 a <acronym class="acronym">BIND</acronym> configuration file.
621 C-style comments start with the two characters /* (slash,
622 star) and end with */ (star, slash). Because they are completely
623 delimited with these characters, they can be used to comment only
624 a portion of a line or to span multiple lines.
627 C-style comments cannot be nested. For example, the following
628 is not valid because the entire comment ends with the first */:
633 <pre class="programlisting">/* This is the start of a comment.
634 This is still part of the comment.
635 /* This is an incorrect attempt at nesting a comment. */
636 This is no longer in any comment. */
642 C++-style comments start with the two characters // (slash,
643 slash) and continue to the end of the physical line. They cannot
644 be continued across multiple physical lines; to have one logical
645 comment span multiple lines, each line must use the // pair.
651 <pre class="programlisting">// This is the start of a comment. The next line
652 // is a new comment, even though it is logically
653 // part of the previous comment.
659 Shell-style (or perl-style, if you prefer) comments start
660 with the character <code class="literal">#</code> (number sign)
661 and continue to the end of the
662 physical line, as in C++ comments.
668 <pre class="programlisting"># This is the start of a comment. The next line
669 # is a new comment, even though it is logically
670 # part of the previous comment.
675 <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
676 <h3 class="title">Warning</h3>
678 You cannot use the semicolon (`;') character
679 to start a comment such as you would in a zone file. The
680 semicolon indicates the end of a configuration
687 <div class="sect1" lang="en">
688 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
689 <a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
691 A <acronym class="acronym">BIND</acronym> 9 configuration consists of
692 statements and comments.
693 Statements end with a semicolon. Statements and comments are the
694 only elements that can appear without enclosing braces. Many
695 statements contain a block of sub-statements, which are also
696 terminated with a semicolon.
699 The following statements are supported:
701 <div class="informaltable"><table border="1">
709 <p><span><strong class="command">acl</strong></span></p>
713 defines a named IP address
714 matching list, for access control and other uses.
720 <p><span><strong class="command">controls</strong></span></p>
724 declares control channels to be used
725 by the <span><strong class="command">rndc</strong></span> utility.
731 <p><span><strong class="command">include</strong></span></p>
741 <p><span><strong class="command">key</strong></span></p>
745 specifies key information for use in
746 authentication and authorization using TSIG.
752 <p><span><strong class="command">logging</strong></span></p>
756 specifies what the server logs, and where
757 the log messages are sent.
763 <p><span><strong class="command">lwres</strong></span></p>
767 configures <span><strong class="command">named</strong></span> to
768 also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
774 <p><span><strong class="command">masters</strong></span></p>
778 defines a named masters list for
779 inclusion in stub and slave zones'
780 <span><strong class="command">masters</strong></span> or
781 <span><strong class="command">also-notify</strong></span> lists.
787 <p><span><strong class="command">options</strong></span></p>
791 controls global server configuration
792 options and sets defaults for other statements.
798 <p><span><strong class="command">server</strong></span></p>
802 sets certain configuration options on
809 <p><span><strong class="command">statistics-channels</strong></span></p>
813 declares communication channels to get access to
814 <span><strong class="command">named</strong></span> statistics.
820 <p><span><strong class="command">trusted-keys</strong></span></p>
824 defines trusted DNSSEC keys.
830 <p><span><strong class="command">managed-keys</strong></span></p>
834 lists DNSSEC keys to be kept up to date
835 using RFC 5011 trust anchor maintenance.
841 <p><span><strong class="command">view</strong></span></p>
851 <p><span><strong class="command">zone</strong></span></p>
862 The <span><strong class="command">logging</strong></span> and
863 <span><strong class="command">options</strong></span> statements may only occur once
867 <div class="sect2" lang="en">
868 <div class="titlepage"><div><div><h3 class="title">
869 <a name="id2573895"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
870 <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
875 <div class="sect2" lang="en">
876 <div class="titlepage"><div><div><h3 class="title">
877 <a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
878 Usage</h3></div></div></div>
880 The <span><strong class="command">acl</strong></span> statement assigns a symbolic
881 name to an address match list. It gets its name from a primary
882 use of address match lists: Access Control Lists (ACLs).
885 Note that an address match list's name must be defined
886 with <span><strong class="command">acl</strong></span> before it can be used
887 elsewhere; no forward references are allowed.
890 The following ACLs are built-in:
892 <div class="informaltable"><table border="1">
900 <p><span><strong class="command">any</strong></span></p>
910 <p><span><strong class="command">none</strong></span></p>
920 <p><span><strong class="command">localhost</strong></span></p>
924 Matches the IPv4 and IPv6 addresses of all network
925 interfaces on the system. When addresses are
926 added or removed, the <span><strong class="command">localhost</strong></span>
927 ACL element is updated to reflect the changes.
933 <p><span><strong class="command">localnets</strong></span></p>
937 Matches any host on an IPv4 or IPv6 network
938 for which the system has an interface.
939 When addresses are added or removed,
940 the <span><strong class="command">localnets</strong></span>
941 ACL element is updated to reflect the changes.
942 Some systems do not provide a way to determine the prefix
944 local IPv6 addresses.
945 In such a case, <span><strong class="command">localnets</strong></span>
946 only matches the local
947 IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
954 <div class="sect2" lang="en">
955 <div class="titlepage"><div><div><h3 class="title">
956 <a name="id2574091"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
957 <pre class="programlisting"><span><strong class="command">controls</strong></span> {
958 [ inet ( ip_addr | * ) [ port ip_port ]
959 allow { <em class="replaceable"><code> address_match_list </code></em> }
960 keys { <em class="replaceable"><code>key_list</code></em> }; ]
962 [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
963 keys { <em class="replaceable"><code>key_list</code></em> }; ]
968 <div class="sect2" lang="en">
969 <div class="titlepage"><div><div><h3 class="title">
970 <a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
971 Usage</h3></div></div></div>
973 The <span><strong class="command">controls</strong></span> statement declares control
974 channels to be used by system administrators to control the
975 operation of the name server. These control channels are
976 used by the <span><strong class="command">rndc</strong></span> utility to send
977 commands to and retrieve non-DNS results from a name server.
980 An <span><strong class="command">inet</strong></span> control channel is a TCP socket
981 listening at the specified <span><strong class="command">ip_port</strong></span> on the
982 specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
983 address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
984 interpreted as the IPv4 wildcard address; connections will be
985 accepted on any of the system's IPv4 addresses.
986 To listen on the IPv6 wildcard address,
987 use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
988 If you will only use <span><strong class="command">rndc</strong></span> on the local host,
989 using the loopback address (<code class="literal">127.0.0.1</code>
990 or <code class="literal">::1</code>) is recommended for maximum security.
993 If no port is specified, port 953 is used. The asterisk
994 "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
997 The ability to issue commands over the control channel is
998 restricted by the <span><strong class="command">allow</strong></span> and
999 <span><strong class="command">keys</strong></span> clauses.
1000 Connections to the control channel are permitted based on the
1001 <span><strong class="command">address_match_list</strong></span>. This is for simple
1002 IP address based filtering only; any <span><strong class="command">key_id</strong></span>
1003 elements of the <span><strong class="command">address_match_list</strong></span>
1007 A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
1008 socket listening at the specified path in the file system.
1009 Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
1010 <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
1011 Note on some platforms (SunOS and Solaris) the permissions
1012 (<span><strong class="command">perm</strong></span>) are applied to the parent directory
1013 as the permissions on the socket itself are ignored.
1016 The primary authorization mechanism of the command
1017 channel is the <span><strong class="command">key_list</strong></span>, which
1018 contains a list of <span><strong class="command">key_id</strong></span>s.
1019 Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
1020 is authorized to execute commands over the control channel.
1021 See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>)
1022 for information about configuring keys in <span><strong class="command">rndc</strong></span>.
1025 If no <span><strong class="command">controls</strong></span> statement is present,
1026 <span><strong class="command">named</strong></span> will set up a default
1027 control channel listening on the loopback address 127.0.0.1
1028 and its IPv6 counterpart ::1.
1029 In this case, and also when the <span><strong class="command">controls</strong></span> statement
1030 is present but does not have a <span><strong class="command">keys</strong></span> clause,
1031 <span><strong class="command">named</strong></span> will attempt to load the command channel key
1032 from the file <code class="filename">rndc.key</code> in
1033 <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
1034 was specified as when <acronym class="acronym">BIND</acronym> was built).
1035 To create a <code class="filename">rndc.key</code> file, run
1036 <strong class="userinput"><code>rndc-confgen -a</code></strong>.
1039 The <code class="filename">rndc.key</code> feature was created to
1040 ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
1041 which did not have digital signatures on its command channel
1042 messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
1044 It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
1045 configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
1046 and still have <span><strong class="command">rndc</strong></span> work the same way
1047 <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
1048 command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
1052 Since the <code class="filename">rndc.key</code> feature
1053 is only intended to allow the backward-compatible usage of
1054 <acronym class="acronym">BIND</acronym> 8 configuration files, this
1056 have a high degree of configurability. You cannot easily change
1057 the key name or the size of the secret, so you should make a
1058 <code class="filename">rndc.conf</code> with your own key if you
1060 those things. The <code class="filename">rndc.key</code> file
1062 permissions set such that only the owner of the file (the user that
1063 <span><strong class="command">named</strong></span> is running as) can access it.
1065 desire greater flexibility in allowing other users to access
1066 <span><strong class="command">rndc</strong></span> commands, then you need to create
1068 <code class="filename">rndc.conf</code> file and make it group
1070 that contains the users who should have access.
1073 To disable the command channel, use an empty
1074 <span><strong class="command">controls</strong></span> statement:
1075 <span><strong class="command">controls { };</strong></span>.
1078 <div class="sect2" lang="en">
1079 <div class="titlepage"><div><div><h3 class="title">
1080 <a name="id2574451"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
1081 <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
1083 <div class="sect2" lang="en">
1084 <div class="titlepage"><div><div><h3 class="title">
1085 <a name="id2574468"></a><span><strong class="command">include</strong></span> Statement Definition and
1086 Usage</h3></div></div></div>
1088 The <span><strong class="command">include</strong></span> statement inserts the
1089 specified file at the point where the <span><strong class="command">include</strong></span>
1090 statement is encountered. The <span><strong class="command">include</strong></span>
1091 statement facilitates the administration of configuration
1093 by permitting the reading or writing of some things but not
1094 others. For example, the statement could include private keys
1095 that are readable only by the name server.
1098 <div class="sect2" lang="en">
1099 <div class="titlepage"><div><div><h3 class="title">
1100 <a name="id2574628"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
1101 <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
1102 algorithm <em class="replaceable"><code>string</code></em>;
1103 secret <em class="replaceable"><code>string</code></em>;
1107 <div class="sect2" lang="en">
1108 <div class="titlepage"><div><div><h3 class="title">
1109 <a name="id2574651"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
1111 The <span><strong class="command">key</strong></span> statement defines a shared
1112 secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
1113 or the command channel
1114 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
1115 Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
1119 The <span><strong class="command">key</strong></span> statement can occur at the
1121 of the configuration file or inside a <span><strong class="command">view</strong></span>
1122 statement. Keys defined in top-level <span><strong class="command">key</strong></span>
1123 statements can be used in all views. Keys intended for use in
1124 a <span><strong class="command">controls</strong></span> statement
1125 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
1126 Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
1128 must be defined at the top level.
1131 The <em class="replaceable"><code>key_id</code></em>, also known as the
1132 key name, is a domain name uniquely identifying the key. It can
1133 be used in a <span><strong class="command">server</strong></span>
1134 statement to cause requests sent to that
1135 server to be signed with this key, or in address match lists to
1136 verify that incoming requests have been signed with a key
1137 matching this name, algorithm, and secret.
1140 The <em class="replaceable"><code>algorithm_id</code></em> is a string
1141 that specifies a security/authentication algorithm. Named
1142 supports <code class="literal">hmac-md5</code>,
1143 <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
1144 <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
1145 and <code class="literal">hmac-sha512</code> TSIG authentication.
1146 Truncated hashes are supported by appending the minimum
1147 number of required bits preceded by a dash, e.g.
1148 <code class="literal">hmac-sha1-80</code>. The
1149 <em class="replaceable"><code>secret_string</code></em> is the secret
1150 to be used by the algorithm, and is treated as a base-64
1154 <div class="sect2" lang="en">
1155 <div class="titlepage"><div><div><h3 class="title">
1156 <a name="id2574742"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
1157 <pre class="programlisting"><span><strong class="command">logging</strong></span> {
1158 [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
1159 ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
1160 [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
1161 [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ]
1162 | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
1163 | <span><strong class="command">stderr</strong></span>
1164 | <span><strong class="command">null</strong></span> );
1165 [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
1166 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
1167 [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
1168 [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
1169 [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
1171 [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
1172 <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
1178 <div class="sect2" lang="en">
1179 <div class="titlepage"><div><div><h3 class="title">
1180 <a name="id2574868"></a><span><strong class="command">logging</strong></span> Statement Definition and
1181 Usage</h3></div></div></div>
1183 The <span><strong class="command">logging</strong></span> statement configures a
1185 variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
1186 associates output methods, format options and severity levels with
1187 a name that can then be used with the <span><strong class="command">category</strong></span> phrase
1188 to select how various classes of messages are logged.
1191 Only one <span><strong class="command">logging</strong></span> statement is used to
1193 as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
1194 the logging configuration will be:
1196 <pre class="programlisting">logging {
1197 category default { default_syslog; default_debug; };
1198 category unmatched { null; };
1202 In <acronym class="acronym">BIND</acronym> 9, the logging configuration
1203 is only established when
1204 the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
1205 established as soon as the <span><strong class="command">logging</strong></span>
1207 was parsed. When the server is starting up, all logging messages
1208 regarding syntax errors in the configuration file go to the default
1209 channels, or to standard error if the "<code class="option">-g</code>" option
1212 <div class="sect3" lang="en">
1213 <div class="titlepage"><div><div><h4 class="title">
1214 <a name="id2574920"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
1216 All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
1217 you can make as many of them as you want.
1220 Every channel definition must include a destination clause that
1221 says whether messages selected for the channel go to a file, to a
1222 particular syslog facility, to the standard error stream, or are
1223 discarded. It can optionally also limit the message severity level
1224 that will be accepted by the channel (the default is
1225 <span><strong class="command">info</strong></span>), and whether to include a
1226 <span><strong class="command">named</strong></span>-generated time stamp, the
1228 and/or severity level (the default is not to include any).
1231 The <span><strong class="command">null</strong></span> destination clause
1232 causes all messages sent to the channel to be discarded;
1233 in that case, other options for the channel are meaningless.
1236 The <span><strong class="command">file</strong></span> destination clause directs
1238 to a disk file. It can include limitations
1239 both on how large the file is allowed to become, and how many
1241 of the file will be saved each time the file is opened.
1244 If you use the <span><strong class="command">versions</strong></span> log file
1246 <span><strong class="command">named</strong></span> will retain that many backup
1247 versions of the file by
1248 renaming them when opening. For example, if you choose to keep
1250 of the file <code class="filename">lamers.log</code>, then just
1252 <code class="filename">lamers.log.1</code> is renamed to
1253 <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
1254 to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
1255 renamed to <code class="filename">lamers.log.0</code>.
1256 You can say <span><strong class="command">versions unlimited</strong></span> to
1258 the number of versions.
1259 If a <span><strong class="command">size</strong></span> option is associated with
1261 then renaming is only done when the file being opened exceeds the
1262 indicated size. No backup versions are kept by default; any
1264 log file is simply appended.
1267 The <span><strong class="command">size</strong></span> option for files is used
1269 growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
1270 stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
1271 associated with it. If backup versions are kept, the files are
1273 described above and a new one begun. If there is no
1274 <span><strong class="command">versions</strong></span> option, no more data will
1275 be written to the log
1276 until some out-of-band mechanism removes or truncates the log to
1278 maximum size. The default behavior is not to limit the size of
1283 Example usage of the <span><strong class="command">size</strong></span> and
1284 <span><strong class="command">versions</strong></span> options:
1286 <pre class="programlisting">channel an_example_channel {
1287 file "example.log" versions 3 size 20m;
1293 The <span><strong class="command">syslog</strong></span> destination clause
1295 channel to the system log. Its argument is a
1296 syslog facility as described in the <span><strong class="command">syslog</strong></span> man
1297 page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
1298 <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
1299 <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
1300 <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
1301 <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
1302 <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
1303 <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
1304 <span><strong class="command">local7</strong></span>, however not all facilities
1306 all operating systems.
1307 How <span><strong class="command">syslog</strong></span> will handle messages
1309 this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
1310 page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
1311 only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
1312 then this clause is silently ignored.
1315 On Windows machines syslog messages are directed to the EventViewer.
1318 The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
1319 "priorities", except that they can also be used if you are writing
1320 straight to a file rather than using <span><strong class="command">syslog</strong></span>.
1321 Messages which are not at least of the severity level given will
1322 not be selected for the channel; messages of higher severity
1327 If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
1328 will also determine what eventually passes through. For example,
1329 defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
1330 only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
1331 cause messages of severity <span><strong class="command">info</strong></span> and
1332 <span><strong class="command">notice</strong></span> to
1333 be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
1334 messages of only <span><strong class="command">warning</strong></span> or higher,
1335 then <span><strong class="command">syslogd</strong></span> would
1336 print all messages it received from the channel.
1339 The <span><strong class="command">stderr</strong></span> destination clause
1341 channel to the server's standard error stream. This is intended
1343 use when the server is running as a foreground process, for
1345 when debugging a configuration.
1348 The server can supply extensive debugging information when
1349 it is in debugging mode. If the server's global debug level is
1351 than zero, then debugging mode will be active. The global debug
1352 level is set either by starting the <span><strong class="command">named</strong></span> server
1353 with the <code class="option">-d</code> flag followed by a positive integer,
1354 or by running <span><strong class="command">rndc trace</strong></span>.
1355 The global debug level
1356 can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
1357 notrace</strong></span>. All debugging messages in the server have a debug
1358 level, and higher debug levels give more detailed output. Channels
1359 that specify a specific debug severity, for example:
1361 <pre class="programlisting">channel specific_debug_level {
1367 will get debugging output of level 3 or less any time the
1368 server is in debugging mode, regardless of the global debugging
1369 level. Channels with <span><strong class="command">dynamic</strong></span>
1371 server's global debug level to determine what messages to print.
1374 If <span><strong class="command">print-time</strong></span> has been turned on,
1376 the date and time will be logged. <span><strong class="command">print-time</strong></span> may
1377 be specified for a <span><strong class="command">syslog</strong></span> channel,
1379 pointless since <span><strong class="command">syslog</strong></span> also logs
1381 time. If <span><strong class="command">print-category</strong></span> is
1383 category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
1384 on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
1385 be used in any combination, and will always be printed in the
1387 order: time, category, severity. Here is an example where all
1388 three <span><strong class="command">print-</strong></span> options
1392 <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
1395 There are four predefined channels that are used for
1396 <span><strong class="command">named</strong></span>'s default logging as follows.
1398 used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
1400 <pre class="programlisting">channel default_syslog {
1401 // send to syslog's daemon facility
1403 // only send priority info and higher
1406 channel default_debug {
1407 // write to named.run in the working directory
1408 // Note: stderr is used instead of "named.run" if
1409 // the server is started with the '-f' option.
1411 // log at the server's current debug level
1415 channel default_stderr {
1418 // only send priority info and higher
1423 // toss anything sent to this channel
1428 The <span><strong class="command">default_debug</strong></span> channel has the
1430 property that it only produces output when the server's debug
1432 nonzero. It normally writes to a file called <code class="filename">named.run</code>
1433 in the server's working directory.
1436 For security reasons, when the "<code class="option">-u</code>"
1437 command line option is used, the <code class="filename">named.run</code> file
1438 is created only after <span><strong class="command">named</strong></span> has
1440 new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
1441 starting up and still running as root is discarded. If you need
1442 to capture this output, you must run the server with the "<code class="option">-g</code>"
1443 option and redirect standard error to a file.
1446 Once a channel is defined, it cannot be redefined. Thus you
1447 cannot alter the built-in channels directly, but you can modify
1448 the default logging by pointing categories at channels you have
1452 <div class="sect3" lang="en">
1453 <div class="titlepage"><div><div><h4 class="title">
1454 <a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
1456 There are many categories, so you can send the logs you want
1457 to see wherever you want, without seeing logs you don't want. If
1458 you don't specify a list of channels for a category, then log
1460 in that category will be sent to the <span><strong class="command">default</strong></span> category
1461 instead. If you don't specify a default category, the following
1462 "default default" is used:
1464 <pre class="programlisting">category default { default_syslog; default_debug; };
1467 As an example, let's say you want to log security events to
1468 a file, but you also want keep the default logging behavior. You'd
1469 specify the following:
1471 <pre class="programlisting">channel my_security_channel {
1472 file "my_security_file";
1476 my_security_channel;
1481 To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
1483 <pre class="programlisting">category xfer-out { null; };
1484 category notify { null; };
1487 Following are the available categories and brief descriptions
1488 of the types of log information they contain. More
1489 categories may be added in future <acronym class="acronym">BIND</acronym> releases.
1491 <div class="informaltable"><table border="1">
1499 <p><span><strong class="command">default</strong></span></p>
1503 The default category defines the logging
1504 options for those categories where no specific
1505 configuration has been
1512 <p><span><strong class="command">general</strong></span></p>
1516 The catch-all. Many things still aren't
1517 classified into categories, and they all end up here.
1523 <p><span><strong class="command">database</strong></span></p>
1527 Messages relating to the databases used
1528 internally by the name server to store zone and cache
1535 <p><span><strong class="command">security</strong></span></p>
1539 Approval and denial of requests.
1545 <p><span><strong class="command">config</strong></span></p>
1549 Configuration file parsing and processing.
1555 <p><span><strong class="command">resolver</strong></span></p>
1559 DNS resolution, such as the recursive
1560 lookups performed on behalf of clients by a caching name
1567 <p><span><strong class="command">xfer-in</strong></span></p>
1571 Zone transfers the server is receiving.
1577 <p><span><strong class="command">xfer-out</strong></span></p>
1581 Zone transfers the server is sending.
1587 <p><span><strong class="command">notify</strong></span></p>
1591 The NOTIFY protocol.
1597 <p><span><strong class="command">client</strong></span></p>
1601 Processing of client requests.
1607 <p><span><strong class="command">unmatched</strong></span></p>
1611 Messages that <span><strong class="command">named</strong></span> was unable to determine the
1612 class of or for which there was no matching <span><strong class="command">view</strong></span>.
1613 A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
1614 This category is best sent to a file or stderr, by
1615 default it is sent to
1616 the <span><strong class="command">null</strong></span> channel.
1622 <p><span><strong class="command">network</strong></span></p>
1632 <p><span><strong class="command">update</strong></span></p>
1642 <p><span><strong class="command">update-security</strong></span></p>
1646 Approval and denial of update requests.
1652 <p><span><strong class="command">queries</strong></span></p>
1656 Specify where queries should be logged to.
1659 At startup, specifying the category <span><strong class="command">queries</strong></span> will also
1660 enable query logging unless <span><strong class="command">querylog</strong></span> option has been
1665 The query log entry reports the client's IP
1666 address and port number, and the query name,
1667 class and type. Next it reports whether the
1668 Recursion Desired flag was set (+ if set, -
1669 if not set), if the query was signed (S),
1670 EDNS was in use (E), if TCP was used (T), if
1671 DO (DNSSEC Ok) was set (D), or if CD (Checking
1672 Disabled) was set (C). After this the
1673 destination address the query was sent to is
1678 <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code>
1681 <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code>
1684 (The first part of this log message, showing the
1685 client address/port number and query name, is
1686 repeated in all subsequent log messages related
1693 <p><span><strong class="command">query-errors</strong></span></p>
1697 Information about queries that resulted in some
1704 <p><span><strong class="command">dispatch</strong></span></p>
1708 Dispatching of incoming packets to the
1709 server modules where they are to be processed.
1715 <p><span><strong class="command">dnssec</strong></span></p>
1719 DNSSEC and TSIG protocol processing.
1725 <p><span><strong class="command">lame-servers</strong></span></p>
1729 Lame servers. These are misconfigurations
1730 in remote servers, discovered by BIND 9 when trying to
1731 query those servers during resolution.
1737 <p><span><strong class="command">delegation-only</strong></span></p>
1741 Delegation only. Logs queries that have been
1742 forced to NXDOMAIN as the result of a
1743 delegation-only zone or a
1744 <span><strong class="command">delegation-only</strong></span> in a
1745 forward, hint or stub zone declaration.
1751 <p><span><strong class="command">edns-disabled</strong></span></p>
1755 Log queries that have been forced to use plain
1756 DNS due to timeouts. This is often due to
1757 the remote servers not being RFC 1034 compliant
1758 (not always returning FORMERR or similar to
1759 EDNS queries and other extensions to the DNS
1760 when they are not understood). In other words, this is
1761 targeted at servers that fail to respond to
1762 DNS queries that they don't understand.
1765 Note: the log message can also be due to
1766 packet loss. Before reporting servers for
1767 non-RFC 1034 compliance they should be re-tested
1768 to determine the nature of the non-compliance.
1769 This testing should prevent or reduce the
1770 number of false-positive reports.
1773 Note: eventually <span><strong class="command">named</strong></span> will have to stop
1774 treating such timeouts as due to RFC 1034 non
1775 compliance and start treating it as plain
1776 packet loss. Falsely classifying packet
1777 loss as due to RFC 1034 non compliance impacts
1778 on DNSSEC validation which requires EDNS for
1779 the DNSSEC records to be returned.
1785 <p><span><strong class="command">RPZ</strong></span></p>
1789 Information about errors in response policy zone files,
1790 rewritten responses, and at the highest
1791 <span><strong class="command">debug</strong></span> levels, mere rewriting
1798 <p><span><strong class="command">rate-limit</strong></span></p>
1802 (Only available when <acronym class="acronym">BIND</acronym> 9 is
1803 configured with the <strong class="userinput"><code>--enable-rrl</code></strong>
1804 option at compile time.)
1807 The start, periodic, and final notices of the
1808 rate limiting of a stream of responses are logged at
1809 <span><strong class="command">info</strong></span> severity in this category.
1810 These messages include a hash value of the domain name
1811 of the response and the name itself,
1812 except when there is insufficient memory to record
1813 the name for the final notice
1814 The final notice is normally delayed until about one
1815 minute after rate limit stops.
1816 A lack of memory can hurry the final notice,
1817 in which case it starts with an asterisk (*).
1818 Various internal events are logged at debug 1 level
1822 Rate limiting of individual requests
1823 is logged in the <span><strong class="command">query-errors</strong></span> category.
1830 <div class="sect3" lang="en">
1831 <div class="titlepage"><div><div><h4 class="title">
1832 <a name="id2576491"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
1834 The <span><strong class="command">query-errors</strong></span> category is
1835 specifically intended for debugging purposes: To identify
1836 why and how specific queries result in responses which
1838 Messages of this category are therefore only logged
1839 with <span><strong class="command">debug</strong></span> levels.
1842 At the debug levels of 1 or higher, each response with the
1843 rcode of SERVFAIL is logged as follows:
1846 <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
1849 This means an error resulting in SERVFAIL was
1850 detected at line 3880 of source file
1851 <code class="filename">query.c</code>.
1852 Log messages of this level will particularly
1853 help identify the cause of SERVFAIL for an
1854 authoritative server.
1857 At the debug levels of 2 or higher, detailed context
1858 information of recursive resolutions that resulted in
1860 The log message will look like as follows:
1865 <pre class="programlisting">
1866 fetch completed at resolver.c:2970 for www.example.com/A
1867 in 30.000183: timed out/success [domain:example.com,
1868 referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
1869 badresp:1,adberr:0,findfail:0,valfail:0]
1874 The first part before the colon shows that a recursive
1875 resolution for AAAA records of www.example.com completed
1876 in 30.000183 seconds and the final result that led to the
1877 SERVFAIL was determined at line 2970 of source file
1878 <code class="filename">resolver.c</code>.
1881 The following part shows the detected final result and the
1882 latest result of DNSSEC validation.
1883 The latter is always success when no validation attempt
1885 In this example, this query resulted in SERVFAIL probably
1886 because all name servers are down or unreachable, leading
1887 to a timeout in 30 seconds.
1888 DNSSEC validation was probably not attempted.
1891 The last part enclosed in square brackets shows statistics
1892 information collected for this particular resolution
1894 The <code class="varname">domain</code> field shows the deepest zone
1895 that the resolver reached;
1896 it is the zone where the error was finally detected.
1897 The meaning of the other fields is summarized in the
1900 <div class="informaltable"><table border="1">
1908 <p><code class="varname">referral</code></p>
1912 The number of referrals the resolver received
1913 throughout the resolution process.
1914 In the above example this is 2, which are most
1915 likely com and example.com.
1921 <p><code class="varname">restart</code></p>
1925 The number of cycles that the resolver tried
1926 remote servers at the <code class="varname">domain</code>
1928 In each cycle the resolver sends one query
1929 (possibly resending it, depending on the response)
1930 to each known name server of
1931 the <code class="varname">domain</code> zone.
1937 <p><code class="varname">qrysent</code></p>
1941 The number of queries the resolver sent at the
1942 <code class="varname">domain</code> zone.
1948 <p><code class="varname">timeout</code></p>
1952 The number of timeouts since the resolver
1953 received the last response.
1959 <p><code class="varname">lame</code></p>
1963 The number of lame servers the resolver detected
1964 at the <code class="varname">domain</code> zone.
1965 A server is detected to be lame either by an
1966 invalid response or as a result of lookup in
1967 BIND9's address database (ADB), where lame
1974 <p><code class="varname">neterr</code></p>
1978 The number of erroneous results that the
1979 resolver encountered in sending queries
1980 at the <code class="varname">domain</code> zone.
1981 One common case is the remote server is
1982 unreachable and the resolver receives an ICMP
1983 unreachable error message.
1989 <p><code class="varname">badresp</code></p>
1993 The number of unexpected responses (other than
1994 <code class="varname">lame</code>) to queries sent by the
1995 resolver at the <code class="varname">domain</code> zone.
2001 <p><code class="varname">adberr</code></p>
2005 Failures in finding remote server addresses
2006 of the <code class="varname">domain</code> zone in the ADB.
2007 One common case of this is that the remote
2008 server's name does not have any address records.
2014 <p><code class="varname">findfail</code></p>
2018 Failures of resolving remote server addresses.
2019 This is a total number of failures throughout
2020 the resolution process.
2026 <p><code class="varname">valfail</code></p>
2030 Failures of DNSSEC validation.
2031 Validation failures are counted throughout
2032 the resolution process (not limited to
2033 the <code class="varname">domain</code> zone), but should
2034 only happen in <code class="varname">domain</code>.
2041 At the debug levels of 3 or higher, the same messages
2042 as those at the debug 1 level are logged for other errors
2044 Note that negative responses such as NXDOMAIN are not
2045 regarded as errors here.
2048 At the debug levels of 4 or higher, the same messages
2049 as those at the debug 2 level are logged for other errors
2051 Unlike the above case of level 3, messages are logged for
2053 This is because any unexpected results can be difficult to
2054 debug in the recursion case.
2058 <div class="sect2" lang="en">
2059 <div class="titlepage"><div><div><h3 class="title">
2060 <a name="id2577079"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
2062 This is the grammar of the <span><strong class="command">lwres</strong></span>
2063 statement in the <code class="filename">named.conf</code> file:
2065 <pre class="programlisting"><span><strong class="command">lwres</strong></span> {
2066 [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
2067 [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
2068 [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
2069 [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
2070 [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
2074 <div class="sect2" lang="en">
2075 <div class="titlepage"><div><div><h3 class="title">
2076 <a name="id2577153"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
2078 The <span><strong class="command">lwres</strong></span> statement configures the
2080 server to also act as a lightweight resolver server. (See
2081 <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
2082 <span><strong class="command">lwres</strong></span> statements configuring
2083 lightweight resolver servers with different properties.
2086 The <span><strong class="command">listen-on</strong></span> statement specifies a
2088 IPv4 addresses (and ports) that this instance of a lightweight
2090 should accept requests on. If no port is specified, port 921 is
2092 If this statement is omitted, requests will be accepted on
2097 The <span><strong class="command">view</strong></span> statement binds this
2099 lightweight resolver daemon to a view in the DNS namespace, so that
2101 response will be constructed in the same manner as a normal DNS
2103 matching this view. If this statement is omitted, the default view
2105 used, and if there is no default view, an error is triggered.
2108 The <span><strong class="command">search</strong></span> statement is equivalent to
2110 <span><strong class="command">search</strong></span> statement in
2111 <code class="filename">/etc/resolv.conf</code>. It provides a
2113 which are appended to relative names in queries.
2116 The <span><strong class="command">ndots</strong></span> statement is equivalent to
2118 <span><strong class="command">ndots</strong></span> statement in
2119 <code class="filename">/etc/resolv.conf</code>. It indicates the
2121 number of dots in a relative domain name that should result in an
2122 exact match lookup before search path elements are appended.
2125 <div class="sect2" lang="en">
2126 <div class="titlepage"><div><div><h3 class="title">
2127 <a name="id2577285"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
2128 <pre class="programlisting">
2129 <span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
2130 <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
2133 <div class="sect2" lang="en">
2134 <div class="titlepage"><div><div><h3 class="title">
2135 <a name="id2577329"></a><span><strong class="command">masters</strong></span> Statement Definition and
2136 Usage</h3></div></div></div>
2137 <p><span><strong class="command">masters</strong></span>
2138 lists allow for a common set of masters to be easily used by
2139 multiple stub and slave zones in their <span><strong class="command">masters</strong></span>
2140 or <span><strong class="command">also-notify</strong></span> lists.
2143 <div class="sect2" lang="en">
2144 <div class="titlepage"><div><div><h3 class="title">
2145 <a name="id2577350"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
2147 This is the grammar of the <span><strong class="command">options</strong></span>
2148 statement in the <code class="filename">named.conf</code> file:
2150 <pre class="programlisting"><span><strong class="command">options</strong></span> {
2151 [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
2152 [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
2153 [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
2154 [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
2155 [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
2156 [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
2157 [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
2158 [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
2159 [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
2160 [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
2161 [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
2162 [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
2163 [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
2164 [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
2165 [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
2166 [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
2167 [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
2168 [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
2169 [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
2170 [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2171 [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
2172 [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
2173 [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
2174 [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
2175 [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
2176 [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2177 [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2178 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
2179 [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2180 [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2181 [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2182 [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2183 [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2184 [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
2185 [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2186 [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2187 [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
2188 [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2189 [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2190 [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2191 [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2192 [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2193 [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
2194 [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2195 [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
2196 [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
2197 <em class="replaceable"><code>no</code></em> |
2198 <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
2199 [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
2200 [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2201 [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
2202 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
2203 [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
2204 ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
2205 <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
2207 [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
2208 ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2209 [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2210 [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2211 [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2212 [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2213 [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2214 [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2215 [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2216 [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
2217 [<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
2218 [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2219 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2220 [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2221 [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2222 [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2223 [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2224 [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2225 [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2226 [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2227 [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2228 [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2229 [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
2230 [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2231 [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
2232 [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
2233 [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2234 [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2235 [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2236 [<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2237 [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
2238 [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
2239 [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
2240 [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
2241 [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2242 [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2243 [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
2244 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
2245 [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
2246 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
2247 [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
2248 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
2249 [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
2250 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
2251 [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2252 [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
2253 [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
2254 [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
2255 [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
2256 [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
2257 [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
2258 [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
2259 [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
2260 [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
2261 [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
2262 [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
2263 [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
2264 [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
2265 [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
2266 [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
2267 [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
2268 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2269 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2270 [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2271 [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
2272 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2273 [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2274 [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
2275 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2276 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
2277 [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2278 [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em>
2279 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ;
2280 [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>]
2281 [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
2282 [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
2283 [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
2284 [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
2285 [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
2286 [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
2287 [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
2288 [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
2289 [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
2290 [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
2291 [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
2292 [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
2293 [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
2294 [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
2295 [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
2296 [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
2297 [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
2298 [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
2299 [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
2300 [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
2301 [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
2302 [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2303 [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2304 [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2305 [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2306 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
2307 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
2308 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
2309 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
2310 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
2311 [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2312 [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2313 [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
2314 [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
2315 [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2316 [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
2317 [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2318 [<span class="optional"> dns64 <em class="replaceable"><code>ipv6-prefix</code></em> {
2319 [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2320 [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2321 [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
2322 [<span class="optional"> suffix IPv6-address; </span>]
2323 [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2324 [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
2326 [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
2327 [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
2328 [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
2329 [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
2330 [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
2331 [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>]
2332 [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
2333 [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2334 [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
2335 [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
2336 [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2337 [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
2338 [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
2339 [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
2340 [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
2341 [<span class="optional"> max-recursion-depth <em class="replaceable"><code>number</code></em> ; </span>]
2342 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
2343 [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
2344 [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
2345 [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2346 [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
2347 [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2348 [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2349 [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
2350 [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
2351 [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
2352 [<span class="optional"> rate-limit {
2353 [<span class="optional"> responses-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2354 [<span class="optional"> referrals-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2355 [<span class="optional"> nodata-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2356 [<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2357 [<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2358 [<span class="optional"> all-per-second <em class="replaceable"><code>number</code></em> ; </span>]
2359 [<span class="optional"> window <em class="replaceable"><code>number</code></em> ; </span>]
2360 [<span class="optional"> log-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
2361 [<span class="optional"> qps-scale <em class="replaceable"><code>number</code></em> ; </span>]
2362 [<span class="optional"> ipv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
2363 [<span class="optional"> ipv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>]
2364 [<span class="optional"> slip <em class="replaceable"><code>number</code></em> ; </span>]
2365 [<span class="optional"> exempt-clients { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
2366 [<span class="optional"> max-table-size <em class="replaceable"><code>number</code></em> ; </span>]
2367 [<span class="optional"> min-table-size <em class="replaceable"><code>number</code></em> ; </span>]
2369 [<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em>
2370 [<span class="optional"> policy given | disabled | passthru | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> </span>]
2371 [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] ;
2372 } [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>]
2373 [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>] ; </span>]
2377 <div class="sect2" lang="en">
2378 <div class="titlepage"><div><div><h3 class="title">
2379 <a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
2380 Usage</h3></div></div></div>
2382 The <span><strong class="command">options</strong></span> statement sets up global
2384 to be used by <acronym class="acronym">BIND</acronym>. This statement
2386 once in a configuration file. If there is no <span><strong class="command">options</strong></span>
2387 statement, an options block with each option set to its default will
2390 <div class="variablelist"><dl>
2391 <dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
2394 Allows multiple views to share a single cache
2396 Each view has its own cache database by default, but
2397 if multiple views have the same operational policy
2398 for name resolution and caching, those views can
2399 share a single cache to save memory and possibly
2400 improve resolution efficiency by using this option.
2403 The <span><strong class="command">attach-cache</strong></span> option
2404 may also be specified in <span><strong class="command">view</strong></span>
2405 statements, in which case it overrides the
2406 global <span><strong class="command">attach-cache</strong></span> option.
2409 The <em class="replaceable"><code>cache_name</code></em> specifies
2410 the cache to be shared.
2411 When the <span><strong class="command">named</strong></span> server configures
2412 views which are supposed to share a cache, it
2413 creates a cache with the specified name for the
2414 first view of these sharing views.
2415 The rest of the views will simply refer to the
2416 already created cache.
2419 One common configuration to share a cache would be to
2420 allow all views to share a single cache.
2421 This can be done by specifying
2422 the <span><strong class="command">attach-cache</strong></span> as a global
2423 option with an arbitrary name.
2426 Another possible operation is to allow a subset of
2427 all views to share a cache while the others to
2428 retain their own caches.
2429 For example, if there are three views A, B, and C,
2430 and only A and B should share a cache, specify the
2431 <span><strong class="command">attach-cache</strong></span> option as a view A (or
2432 B)'s option, referring to the other view name:
2434 <pre class="programlisting">
2436 // this view has its own cache
2440 // this view refers to A's cache
2444 // this view has its own cache
2449 Views that share a cache must have the same policy
2450 on configurable parameters that may affect caching.
2451 The current implementation requires the following
2452 configurable options be consistent among these
2454 <span><strong class="command">check-names</strong></span>,
2455 <span><strong class="command">cleaning-interval</strong></span>,
2456 <span><strong class="command">dnssec-accept-expired</strong></span>,
2457 <span><strong class="command">dnssec-validation</strong></span>,
2458 <span><strong class="command">max-cache-ttl</strong></span>,
2459 <span><strong class="command">max-ncache-ttl</strong></span>,
2460 <span><strong class="command">max-cache-size</strong></span>, and
2461 <span><strong class="command">zero-no-soa-ttl</strong></span>.
2464 Note that there may be other parameters that may
2465 cause confusion if they are inconsistent for
2466 different views that share a single cache.
2467 For example, if these views define different sets of
2468 forwarders that can return different answers for the
2469 same question, sharing the answer does not make
2470 sense or could even be harmful.
2471 It is administrator's responsibility to ensure
2472 configuration differences in different views do
2473 not cause disruption with a shared cache.
2476 <dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
2478 The working directory of the server.
2479 Any non-absolute pathnames in the configuration file will be
2481 as relative to this directory. The default location for most
2483 output files (e.g. <code class="filename">named.run</code>)
2485 If a directory is not specified, the working directory
2486 defaults to `<code class="filename">.</code>', the directory from
2488 was started. The directory specified should be an absolute
2491 <dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
2493 When performing dynamic update of secure zones, the
2494 directory where the public and private DNSSEC key files
2495 should be found, if different than the current working
2496 directory. (Note that this option has no effect on the
2497 paths for files containing non-DNSSEC keys such as
2498 <code class="filename">bind.keys</code>,
2499 <code class="filename">rndc.key</code> or
2500 <code class="filename">session.key</code>.)
2502 <dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
2505 Specifies the directory in which to store the files that
2506 track managed DNSSEC keys. By default, this is the working
2510 If <span><strong class="command">named</strong></span> is not configured to use views,
2511 then managed keys for the server will be tracked in a single
2512 file called <code class="filename">managed-keys.bind</code>.
2513 Otherwise, managed keys will be tracked in separate files,
2514 one file per view; each file name will be the SHA256 hash
2515 of the view name, followed by the extension
2516 <code class="filename">.mkeys</code>.
2519 <dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
2521 <span class="emphasis"><em>This option is obsolete.</em></span> It
2522 was used in <acronym class="acronym">BIND</acronym> 8 to specify
2523 the pathname to the <span><strong class="command">named-xfer</strong></span>
2524 program. In <acronym class="acronym">BIND</acronym> 9, no separate
2525 <span><strong class="command">named-xfer</strong></span> program is needed;
2526 its functionality is built into the name server.
2528 <dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
2530 The KRB5 keytab file to use for GSS-TSIG updates. If
2531 this option is set and tkey-gssapi-credential is not
2532 set, then updates will be allowed with any key
2533 matching a principal in the specified keytab.
2535 <dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
2537 The security credential with which the server should
2538 authenticate keys requested by the GSS-TSIG protocol.
2539 Currently only Kerberos 5 authentication is available
2540 and the credential is a Kerberos principal which the
2541 server can acquire through the default system key
2542 file, normally <code class="filename">/etc/krb5.keytab</code>.
2543 The location keytab file can be overridden using the
2544 tkey-gssapi-keytab option. Normally this principal is
2545 of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
2546 To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
2547 also be set if a specific keytab is not set with
2550 <dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
2552 The domain appended to the names of all shared keys
2553 generated with <span><strong class="command">TKEY</strong></span>. When a
2554 client requests a <span><strong class="command">TKEY</strong></span> exchange,
2555 it may or may not specify the desired name for the
2556 key. If present, the name of the shared key will
2557 be <code class="varname">client specified part</code> +
2558 <code class="varname">tkey-domain</code>. Otherwise, the
2559 name of the shared key will be <code class="varname">random hex
2560 digits</code> + <code class="varname">tkey-domain</code>.
2561 In most cases, the <span><strong class="command">domainname</strong></span>
2562 should be the server's domain name, or an otherwise
2563 non-existent subdomain like
2564 "_tkey.<code class="varname">domainname</code>". If you are
2565 using GSS-TSIG, this variable must be defined, unless
2566 you specify a specific keytab using tkey-gssapi-keytab.
2568 <dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
2570 The Diffie-Hellman key used by the server
2571 to generate shared keys with clients using the Diffie-Hellman
2573 of <span><strong class="command">TKEY</strong></span>. The server must be
2575 public and private keys from files in the working directory.
2577 most cases, the keyname should be the server's host name.
2579 <dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
2581 This is for testing only. Do not use.
2583 <dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
2585 The pathname of the file the server dumps
2586 the database to when instructed to do so with
2587 <span><strong class="command">rndc dumpdb</strong></span>.
2588 If not specified, the default is <code class="filename">named_dump.db</code>.
2590 <dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
2592 The pathname of the file the server writes memory
2593 usage statistics to on exit. If not specified,
2594 the default is <code class="filename">named.memstats</code>.
2596 <dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
2598 The pathname of the file the server writes its process ID
2599 in. If not specified, the default is
2600 <code class="filename">/var/run/named/named.pid</code>.
2601 The PID file is used by programs that want to send signals to
2603 name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
2604 use of a PID file — no file will be written and any
2605 existing one will be removed. Note that <span><strong class="command">none</strong></span>
2606 is a keyword, not a filename, and therefore is not enclosed
2610 <dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
2612 The pathname of the file the server dumps
2613 the queries that are currently recursing when instructed
2614 to do so with <span><strong class="command">rndc recursing</strong></span>.
2615 If not specified, the default is <code class="filename">named.recursing</code>.
2617 <dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
2619 The pathname of the file the server appends statistics
2620 to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
2621 If not specified, the default is <code class="filename">named.stats</code> in the
2622 server's current directory. The format of the file is
2624 in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
2626 <dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
2628 The pathname of a file to override the built-in trusted
2629 keys provided by <span><strong class="command">named</strong></span>.
2630 See the discussion of <span><strong class="command">dnssec-lookaside</strong></span>
2631 and <span><strong class="command">dnssec-validation</strong></span> for details.
2632 If not specified, the default is
2633 <code class="filename">/etc/bind.keys</code>.
2635 <dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
2637 The pathname of the file the server dumps
2638 security roots to when instructed to do so with
2639 <span><strong class="command">rndc secroots</strong></span>.
2640 If not specified, the default is
2641 <code class="filename">named.secroots</code>.
2643 <dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
2645 The pathname of the file into which to write a TSIG
2646 session key generated by <span><strong class="command">named</strong></span> for use by
2647 <span><strong class="command">nsupdate -l</strong></span>. If not specified, the
2648 default is <code class="filename">/var/run/named/session.key</code>.
2649 (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
2650 particular the discussion of the
2651 <span><strong class="command">update-policy</strong></span> statement's
2652 <strong class="userinput"><code>local</code></strong> option for more
2653 information about this feature.)
2655 <dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt>
2657 The key name to use for the TSIG session key.
2658 If not specified, the default is "local-ddns".
2660 <dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt>
2662 The algorithm to use for the TSIG session key.
2663 Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
2664 hmac-sha384, hmac-sha512 and hmac-md5. If not
2665 specified, the default is hmac-sha256.
2667 <dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
2669 The UDP/TCP port number the server uses for
2670 receiving and sending DNS protocol traffic.
2671 The default is 53. This option is mainly intended for server
2673 a server using a port other than 53 will not be able to
2677 <dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
2679 The source of entropy to be used by the server. Entropy is
2681 for DNSSEC operations, such as TKEY transactions and dynamic
2683 zones. This options specifies the device (or file) from which
2685 entropy. If this is a file, operations requiring entropy will
2687 file has been exhausted. If not specified, the default value
2689 <code class="filename">/dev/random</code>
2690 (or equivalent) when present, and none otherwise. The
2691 <span><strong class="command">random-device</strong></span> option takes
2693 the initial configuration load at server startup time and
2694 is ignored on subsequent reloads.
2696 <dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
2698 If specified, the listed type (A or AAAA) will be emitted
2700 in the additional section of a query response.
2701 The default is not to prefer any type (NONE).
2704 <a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
2708 Turn on enforcement of delegation-only in TLDs
2709 (top level domains) and root zones with an optional
2713 DS queries are expected to be made to and be answered by
2714 delegation only zones. Such queries and responses are
2715 treated as an exception to delegation-only processing
2716 and are not converted to NXDOMAIN responses provided
2717 a CNAME is not discovered at the query name.
2720 If a delegation only zone server also serves a child
2721 zone it is not always possible to determine whether
2722 an answer comes from the delegation only zone or the
2723 child zone. SOA NS and DNSKEY records are apex
2724 only records and a matching response that contains
2725 these records or DS is treated as coming from a
2726 child zone. RRSIG records are also examined to see
2727 if they are signed by a child zone or not. The
2728 authority section is also examined to see if there
2729 is evidence that the answer is from the child zone.
2730 Answers that are determined to be from a child zone
2731 are not converted to NXDOMAIN responses. Despite
2732 all these checks there is still a possibility of
2733 false negatives when a child zone is being served.
2736 Similarly false positives can arise from empty nodes
2737 (no records at the name) in the delegation only zone
2738 when the query type is not ANY.
2741 Note some TLDs are not delegation only (e.g. "DE", "LV",
2742 "US" and "MUSEUM"). This list is not exhaustive.
2744 <pre class="programlisting">
2746 root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
2750 <dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
2752 Disable the specified DNSSEC algorithms at and below the
2754 Multiple <span><strong class="command">disable-algorithms</strong></span>
2755 statements are allowed.
2756 Only the most specific will be applied.
2758 <dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
2761 When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
2762 validator with an alternate method to validate DNSKEY
2763 records at the top of a zone. When a DNSKEY is at or
2764 below a domain specified by the deepest
2765 <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC
2766 validation has left the key untrusted, the trust-anchor
2767 will be appended to the key name and a DLV record will be
2768 looked up to see if it can validate the key. If the DLV
2769 record validates a DNSKEY (similarly to the way a DS
2770 record does) the DNSKEY RRset is deemed to be trusted.
2773 If <span><strong class="command">dnssec-lookaside</strong></span> is set to
2774 <strong class="userinput"><code>auto</code></strong>, then built-in default
2775 values for the DLV domain and trust anchor will be
2776 used, along with a built-in key for validation.
2779 If <span><strong class="command">dnssec-lookaside</strong></span> is set to
2780 <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
2784 The default DLV key is stored in the file
2785 <code class="filename">bind.keys</code>;
2786 <span><strong class="command">named</strong></span> will load that key at
2787 startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to
2788 <code class="constant">auto</code>. A copy of the file is
2789 installed along with <acronym class="acronym">BIND</acronym> 9, and is
2790 current as of the release date. If the DLV key expires, a
2791 new copy of <code class="filename">bind.keys</code> can be downloaded
2792 from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>.
2795 (To prevent problems if <code class="filename">bind.keys</code> is
2796 not found, the current key is also compiled in to
2797 <span><strong class="command">named</strong></span>. Relying on this is not
2798 recommended, however, as it requires <span><strong class="command">named</strong></span>
2799 to be recompiled with a new key when the DLV key expires.)
2802 NOTE: <span><strong class="command">named</strong></span> only loads certain specific
2803 keys from <code class="filename">bind.keys</code>: those for the
2804 DLV zone and for the DNS root zone. The file cannot be
2805 used to store keys for other zones.
2808 <dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
2810 Specify hierarchies which must be or may not be secure
2811 (signed and validated). If <strong class="userinput"><code>yes</code></strong>,
2812 then <span><strong class="command">named</strong></span> will only accept answers if
2813 they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
2814 DNSSEC validation applies allowing for insecure answers to
2815 be accepted. The specified domain must be under a
2816 <span><strong class="command">trusted-keys</strong></span> or
2817 <span><strong class="command">managed-keys</strong></span> statement, or
2818 <span><strong class="command">dnssec-lookaside</strong></span> must be active.
2820 <dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
2823 This directive instructs <span><strong class="command">named</strong></span> to
2824 return mapped IPv4 addresses to AAAA queries when
2825 there are no AAAA records. It is intended to be
2826 used in conjunction with a NAT64. Each
2827 <span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
2828 Multiple DNS64 prefixes can be defined.
2831 Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
2832 64 and 96 as per RFC 6052.
2835 Additionally a reverse IP6.ARPA zone will be created for
2836 the prefix to provide a mapping from the IP6.ARPA names
2837 to the corresponding IN-ADDR.ARPA names using synthesized
2838 CNAMEs. <span><strong class="command">dns64-server</strong></span> and
2839 <span><strong class="command">dns64-contact</strong></span> can be used to specify
2840 the name of the server and contact for the zones. These
2841 are settable at the view / options level. These are
2842 not settable on a per-prefix basis.
2845 Each <span><strong class="command">dns64</strong></span> supports an optional
2846 <span><strong class="command">clients</strong></span> ACL that determines which
2847 clients are affected by this directive. If not defined,
2848 it defaults to <strong class="userinput"><code>any;</code></strong>.
2851 Each <span><strong class="command">dns64</strong></span> supports an optional
2852 <span><strong class="command">mapped</strong></span> ACL that selects which
2853 IPv4 addresses are to be mapped in the corresponding
2854 A RRset. If not defined it defaults to
2855 <strong class="userinput"><code>any;</code></strong>.
2858 Normally, DNS64 won't apply to a domain name that
2859 owns one or more AAAA records; these records will
2860 simply be returned. The optional
2861 <span><strong class="command">exclude</strong></span> ACL allows specification
2862 of a list of IPv6 addresses that will be ignored
2863 if they appear in a domain name's AAAA records, and
2864 DNS64 will be applied to any A records the domain
2865 name owns. If not defined, <span><strong class="command">exclude</strong></span>
2869 A optional <span><strong class="command">suffix</strong></span> can also
2870 be defined to set the bits trailing the mapped
2871 IPv4 address bits. By default these bits are
2872 set to <strong class="userinput"><code>::</code></strong>. The bits
2873 matching the prefix and mapped IPv4 address
2877 If <span><strong class="command">recursive-only</strong></span> is set to
2878 <span><strong class="command">yes</strong></span> the DNS64 synthesis will
2879 only happen for recursive queries. The default
2880 is <span><strong class="command">no</strong></span>.
2883 If <span><strong class="command">break-dnssec</strong></span> is set to
2884 <span><strong class="command">yes</strong></span> the DNS64 synthesis will
2885 happen even if the result, if validated, would
2886 cause a DNSSEC validation failure. If this option
2887 is set to <span><strong class="command">no</strong></span> (the default), the DO
2888 is set on the incoming query, and there are RRSIGs on
2889 the applicable records, then synthesis will not happen.
2891 <pre class="programlisting">
2892 acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
2894 dns64 64:FF9B::/96 {
2896 mapped { !rfc1918; any; };
2897 exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
2902 <dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
2905 If this option is set to its default value of
2906 <code class="literal">maintain</code> in a zone of type
2907 <code class="literal">master</code> which is DNSSEC-signed
2908 and configured to allow dynamic updates (see
2909 <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and
2910 if <span><strong class="command">named</strong></span> has access to the
2911 private signing key(s) for the zone, then
2912 <span><strong class="command">named</strong></span> will automatically sign all new
2913 or changed records and maintain signatures for the zone
2914 by regenerating RRSIG records whenever they approach
2915 their expiration date.
2918 If the option is changed to <code class="literal">no-resign</code>,
2919 then <span><strong class="command">named</strong></span> will sign all new or
2920 changed records, but scheduled maintenance of
2921 signatures is disabled.
2924 With either of these settings, <span><strong class="command">named</strong></span>
2925 will reject updates to a DNSSEC-signed zone when the
2926 signing keys are inactive or unavailable to
2927 <span><strong class="command">named</strong></span>. (A planned third option,
2928 <code class="literal">external</code>, will disable all automatic
2929 signing and allow DNSSEC data to be submitted into a zone
2930 via dynamic update; this is not yet implemented.)
2933 <dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
2936 If <strong class="userinput"><code>full</code></strong>, the server will collect
2937 statistical data on all zones (unless specifically
2938 turned off on a per-zone basis by specifying
2939 <span><strong class="command">zone-statistics terse</strong></span> or
2940 <span><strong class="command">zone-statistics none</strong></span>
2941 in the <span><strong class="command">zone</strong></span> statement).
2942 The default is <strong class="userinput"><code>terse</code></strong>, providing
2943 minimal statistics on zones (including name and
2944 current serial number, but not query type
2948 These statistics may be accessed via the
2949 <span><strong class="command">statistics-channel</strong></span> or
2950 using <span><strong class="command">rndc stats</strong></span>, which
2951 will dump them to the file listed
2952 in the <span><strong class="command">statistics-file</strong></span>. See
2953 also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
2956 For backward compatibility with earlier versions
2957 of BIND 9, the <span><strong class="command">zone-statistics</strong></span>
2958 option can also accept <strong class="userinput"><code>yes</code></strong>
2959 or <strong class="userinput"><code>no</code></strong>, which have the same
2960 effect as <strong class="userinput"><code>full</code></strong> and
2961 <strong class="userinput"><code>terse</code></strong>, respectively.
2965 <div class="sect3" lang="en">
2966 <div class="titlepage"><div><div><h4 class="title">
2967 <a name="boolean_options"></a>Boolean Options</h4></div></div></div>
2968 <div class="variablelist"><dl>
2969 <dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt>
2971 If <strong class="userinput"><code>yes</code></strong>, then zones can be
2972 added at runtime via <span><strong class="command">rndc addzone</strong></span>
2973 or deleted via <span><strong class="command">rndc delzone</strong></span>.
2974 The default is <strong class="userinput"><code>no</code></strong>.
2976 <dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
2978 If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
2979 is always set on NXDOMAIN responses, even if the server is
2981 authoritative. The default is <strong class="userinput"><code>no</code></strong>;
2983 a change from <acronym class="acronym">BIND</acronym> 8. If you
2984 are using very old DNS software, you
2985 may need to set it to <strong class="userinput"><code>yes</code></strong>.
2987 <dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
2989 This option was used in <acronym class="acronym">BIND</acronym>
2990 8 to enable checking
2991 for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
2994 <dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt>
2996 Write memory statistics to the file specified by
2997 <span><strong class="command">memstatistics-file</strong></span> at exit.
2998 The default is <strong class="userinput"><code>no</code></strong> unless
2999 '-m record' is specified on the command line in
3000 which case it is <strong class="userinput"><code>yes</code></strong>.
3002 <dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
3005 If <strong class="userinput"><code>yes</code></strong>, then the
3006 server treats all zones as if they are doing zone transfers
3008 a dial-on-demand dialup link, which can be brought up by
3010 originating from this server. This has different effects
3012 to zone type and concentrates the zone maintenance so that
3014 happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
3015 hopefully during the one call. It also suppresses some of
3017 zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
3020 The <span><strong class="command">dialup</strong></span> option
3021 may also be specified in the <span><strong class="command">view</strong></span> and
3022 <span><strong class="command">zone</strong></span> statements,
3023 in which case it overrides the global <span><strong class="command">dialup</strong></span>
3027 If the zone is a master zone, then the server will send out a
3029 request to all the slaves (default). This should trigger the
3031 number check in the slave (providing it supports NOTIFY)
3033 to verify the zone while the connection is active.
3034 The set of servers to which NOTIFY is sent can be controlled
3036 <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
3040 zone is a slave or stub zone, then the server will suppress
3042 "zone up to date" (refresh) queries and only perform them
3044 <span><strong class="command">heartbeat-interval</strong></span> expires in
3049 Finer control can be achieved by using
3050 <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
3052 <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
3054 suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
3055 which suppresses normal refresh processing and sends refresh
3057 when the <span><strong class="command">heartbeat-interval</strong></span>
3059 <strong class="userinput"><code>passive</code></strong> which just disables normal
3063 <div class="informaltable"><table border="1">
3095 <p><span><strong class="command">no</strong></span> (default)</p>
3115 <p><span><strong class="command">yes</strong></span></p>
3135 <p><span><strong class="command">notify</strong></span></p>
3155 <p><span><strong class="command">refresh</strong></span></p>
3175 <p><span><strong class="command">passive</strong></span></p>
3195 <p><span><strong class="command">notify-passive</strong></span></p>
3216 Note that normal NOTIFY processing is not affected by
3217 <span><strong class="command">dialup</strong></span>.
3220 <dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
3222 In <acronym class="acronym">BIND</acronym> 8, this option
3223 enabled simulating the obsolete DNS query type
3224 IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
3227 <dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
3229 This option is obsolete.
3230 In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
3231 caused the server to attempt to fetch glue resource records
3233 didn't have when constructing the additional
3234 data section of a response. This is now considered a bad
3236 and BIND 9 never does it.
3238 <dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
3240 When the nameserver exits due receiving SIGTERM,
3241 flush or do not flush any pending zone writes. The default
3243 <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
3245 <dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
3247 This option was incorrectly implemented
3248 in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
3249 To achieve the intended effect
3251 <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
3252 the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
3253 and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
3255 <dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
3257 In BIND 8, this enables keeping of
3258 statistics for every host that the name server interacts
3260 Not implemented in BIND 9.
3262 <dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
3264 <span class="emphasis"><em>This option is obsolete</em></span>.
3265 It was used in <acronym class="acronym">BIND</acronym> 8 to
3266 determine whether a transaction log was
3267 kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
3268 log whenever possible. If you need to disable outgoing
3270 transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
3272 <dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
3274 If <strong class="userinput"><code>yes</code></strong>, then when generating
3275 responses the server will only add records to the authority
3276 and additional data sections when they are required (e.g.
3277 delegations, negative responses). This may improve the
3278 performance of the server.
3279 The default is <strong class="userinput"><code>no</code></strong>.
3281 <dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
3283 This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
3284 a domain name to have multiple CNAME records in violation of
3285 the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
3286 always strictly enforces the CNAME rules both in master
3287 files and dynamic updates.
3289 <dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
3292 If <strong class="userinput"><code>yes</code></strong> (the default),
3293 DNS NOTIFY messages are sent when a zone the server is
3295 changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
3297 servers listed in the zone's NS records (except the master
3299 in the SOA MNAME field), and to any servers listed in the
3300 <span><strong class="command">also-notify</strong></span> option.
3303 If <strong class="userinput"><code>master-only</code></strong>, notifies are only
3306 If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
3308 servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
3309 If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
3312 The <span><strong class="command">notify</strong></span> option may also be
3313 specified in the <span><strong class="command">zone</strong></span>
3315 in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
3316 It would only be necessary to turn off this option if it
3321 <dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
3323 If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
3324 in the NS RRset against the SOA MNAME. Normally a NOTIFY
3325 message is not sent to the SOA MNAME (SOA ORIGIN) as it is
3326 supposed to contain the name of the ultimate master.
3327 Sometimes, however, a slave is listed as the SOA MNAME in
3328 hidden master configurations and in that case you would
3329 want the ultimate master to still send NOTIFY messages to
3330 all the nameservers listed in the NS RRset.
3332 <dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
3334 If <strong class="userinput"><code>yes</code></strong>, and a
3335 DNS query requests recursion, then the server will attempt
3337 all the work required to answer the query. If recursion is
3339 and the server does not already know the answer, it will
3341 referral response. The default is
3342 <strong class="userinput"><code>yes</code></strong>.
3343 Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
3344 clients from getting data from the server's cache; it only
3345 prevents new data from being cached as an effect of client
3347 Caching may still occur as an effect the server's internal
3348 operation, such as NOTIFY address lookups.
3349 See also <span><strong class="command">fetch-glue</strong></span> above.
3351 <dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt>
3353 If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0)
3354 NSID (Name Server Identifier) option is sent with all
3355 queries to authoritative name servers during iterative
3356 resolution. If the authoritative server returns an NSID
3357 option in its response, then its contents are logged in
3358 the <span><strong class="command">resolver</strong></span> category at level
3359 <span><strong class="command">info</strong></span>.
3360 The default is <strong class="userinput"><code>no</code></strong>.
3362 <dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
3365 Setting this to <strong class="userinput"><code>yes</code></strong> will
3366 cause the server to send NS records along with the SOA
3368 answers. The default is <strong class="userinput"><code>no</code></strong>.
3370 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3371 <h3 class="title">Note</h3>
3373 Not yet implemented in <acronym class="acronym">BIND</acronym>
3378 <dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
3380 <span class="emphasis"><em>This option is obsolete</em></span>.
3381 <acronym class="acronym">BIND</acronym> 9 always allocates query
3384 <dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
3386 <span class="emphasis"><em>This option is obsolete</em></span>.
3387 If you need to disable IXFR to a particular server or
3389 the information on the <span><strong class="command">provide-ixfr</strong></span> option
3390 in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
3391 Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
3394 <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
3396 <dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
3398 See the description of
3399 <span><strong class="command">provide-ixfr</strong></span> in
3400 <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
3401 Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
3404 <dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
3406 See the description of
3407 <span><strong class="command">request-ixfr</strong></span> in
3408 <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
3409 Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
3412 <dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
3414 This option was used in <acronym class="acronym">BIND</acronym>
3416 the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
3417 as a space or tab character,
3418 to facilitate loading of zone files on a UNIX system that
3420 on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
3421 and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
3422 are always accepted,
3423 and the option is ignored.
3426 <span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
3430 These options control the behavior of an authoritative
3432 answering queries which have additional data, or when
3437 When both of these options are set to <strong class="userinput"><code>yes</code></strong>
3439 query is being answered from authoritative data (a zone
3440 configured into the server), the additional data section of
3442 reply will be filled in using data from other authoritative
3444 and from the cache. In some situations this is undesirable,
3446 as when there is concern over the correctness of the cache,
3448 in servers where slave zones may be added and modified by
3449 untrusted third parties. Also, avoiding
3450 the search for this additional data will speed up server
3452 at the possible expense of additional queries to resolve
3454 otherwise be provided in the additional section.
3457 For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
3458 and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
3459 records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
3460 if known, even though they are not in the example.com zone.
3461 Setting these options to <span><strong class="command">no</strong></span>
3462 disables this behavior and makes
3463 the server only search for additional data in the zone it
3467 These options are intended for use in authoritative-only
3468 servers, or in authoritative-only views. Attempts to set
3469 them to <span><strong class="command">no</strong></span> without also
3471 <span><strong class="command">recursion no</strong></span> will cause the
3473 ignore the options and log a warning message.
3476 Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
3477 disables the use of the cache not only for additional data
3479 but also when looking up the answer. This is usually the
3481 behavior in an authoritative-only server where the
3483 the cached data is an issue.
3486 When a name server is non-recursively queried for a name
3488 below the apex of any served zone, it normally answers with
3490 "upwards referral" to the root servers or the servers of
3492 known parent of the query name. Since the data in an
3494 comes from the cache, the server will not be able to provide
3496 referrals when <span><strong class="command">additional-from-cache no</strong></span>
3497 has been specified. Instead, it will respond to such
3499 with REFUSED. This should not cause any problems since
3500 upwards referrals are not required for the resolution
3504 <dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
3507 If <strong class="userinput"><code>yes</code></strong>, then an
3508 IPv4-mapped IPv6 address will match any address match
3509 list entries that match the corresponding IPv4 address.
3512 This option was introduced to work around a kernel quirk
3513 in some operating systems that causes IPv4 TCP
3514 connections, such as zone transfers, to be accepted on an
3515 IPv6 socket using mapped addresses. This caused address
3516 match lists designed for IPv4 to fail to match. However,
3517 <span><strong class="command">named</strong></span> now solves this problem
3518 internally. The use of this option is discouraged.
3521 <dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt>
3524 This option is only available when
3525 <acronym class="acronym">BIND</acronym> 9 is compiled with the
3526 <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
3527 "configure" command line. It is intended to help the
3528 transition from IPv4 to IPv6 by not giving IPv6 addresses
3529 to DNS clients unless they have connections to the IPv6
3530 Internet. This is not recommended unless absolutely
3531 necessary. The default is <strong class="userinput"><code>no</code></strong>.
3532 The <span><strong class="command">filter-aaaa-on-v4</strong></span> option
3533 may also be specified in <span><strong class="command">view</strong></span> statements
3534 to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span>
3538 If <strong class="userinput"><code>yes</code></strong>,
3539 the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>,
3540 and if the response does not include DNSSEC signatures,
3541 then all AAAA records are deleted from the response.
3542 This filtering applies to all responses and not only
3543 authoritative responses.
3546 If <strong class="userinput"><code>break-dnssec</code></strong>,
3547 then AAAA records are deleted even when dnssec is enabled.
3548 As suggested by the name, this makes the response not verify,
3549 because the DNSSEC protocol is designed detect deletions.
3552 This mechanism can erroneously cause other servers to
3553 not give AAAA records to their clients.
3554 A recursing server with both IPv6 and IPv4 network connections
3555 that queries an authoritative server using this mechanism
3556 via IPv4 will be denied AAAA records even if its client is
3560 This mechanism is applied to authoritative as well as
3561 non-authoritative records.
3562 A client using IPv4 that is not allowed recursion can
3563 erroneously be given AAAA records because the server is not
3564 allowed to check for A records.
3567 Some AAAA records are given to IPv4 clients in glue records.
3568 IPv4 clients that are servers can then erroneously
3569 answer requests for AAAA records received via IPv4.
3572 <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
3575 When <strong class="userinput"><code>yes</code></strong> and the server loads a new
3576 version of a master zone from its zone file or receives a
3577 new version of a slave file via zone transfer, it will
3578 compare the new version to the previous one and calculate
3579 a set of differences. The differences are then logged in
3580 the zone's journal file such that the changes can be
3581 transmitted to downstream slaves as an incremental zone
3585 By allowing incremental zone transfers to be used for
3586 non-dynamic zones, this option saves bandwidth at the
3587 expense of increased CPU and memory consumption at the
3589 In particular, if the new version of a zone is completely
3590 different from the previous one, the set of differences
3591 will be of a size comparable to the combined size of the
3592 old and new zone version, and the server will need to
3593 temporarily allocate memory to hold this complete
3596 <p><span><strong class="command">ixfr-from-differences</strong></span>
3597 also accepts <span><strong class="command">master</strong></span> and
3598 <span><strong class="command">slave</strong></span> at the view and options
3600 <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for
3601 all <span><strong class="command">master</strong></span> or
3602 <span><strong class="command">slave</strong></span> zones respectively.
3603 It is off by default.
3606 <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
3608 This should be set when you have multiple masters for a zone
3610 addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
3612 when the serial number on the master is less than what <span><strong class="command">named</strong></span>
3614 has. The default is <strong class="userinput"><code>no</code></strong>.
3616 <dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
3618 Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
3619 <span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC.
3620 The default is <strong class="userinput"><code>yes</code></strong>.
3622 <dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
3624 Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
3625 Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
3626 set to <strong class="userinput"><code>yes</code></strong> to be effective.
3627 If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
3628 is disabled. If set to <strong class="userinput"><code>auto</code></strong>,
3629 DNSSEC validation is enabled, and a default
3630 trust-anchor for the DNS root zone is used. If set to
3631 <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
3632 but a trust anchor must be manually configured using
3633 a <span><strong class="command">trusted-keys</strong></span> or
3634 <span><strong class="command">managed-keys</strong></span> statement. The default
3635 is <strong class="userinput"><code>yes</code></strong>.
3637 <dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
3639 Accept expired signatures when verifying DNSSEC signatures.
3640 The default is <strong class="userinput"><code>no</code></strong>.
3641 Setting this option to <strong class="userinput"><code>yes</code></strong>
3642 leaves <span><strong class="command">named</strong></span> vulnerable to
3645 <dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
3647 Specify whether query logging should be started when <span><strong class="command">named</strong></span>
3649 If <span><strong class="command">querylog</strong></span> is not specified,
3650 then the query logging
3651 is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
3653 <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
3656 This option is used to restrict the character set and syntax
3658 certain domain names in master files and/or DNS responses
3660 from the network. The default varies according to usage
3662 <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
3663 For <span><strong class="command">slave</strong></span> zones the default
3664 is <span><strong class="command">warn</strong></span>.
3665 For answers received from the network (<span><strong class="command">response</strong></span>)
3666 the default is <span><strong class="command">ignore</strong></span>.
3669 The rules for legal hostnames and mail domains are derived
3670 from RFC 952 and RFC 821 as modified by RFC 1123.
3672 <p><span><strong class="command">check-names</strong></span>
3673 applies to the owner names of A, AAAA and MX records.
3674 It also applies to the domain names in the RDATA of NS, SOA,
3675 MX, and SRV records.
3676 It also applies to the RDATA of PTR records where the owner
3677 name indicated that it is a reverse lookup of a hostname
3678 (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
3681 <dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt>
3683 Check master zones for records that are treated as different
3684 by DNSSEC but are semantically equal in plain DNS. The
3685 default is to <span><strong class="command">warn</strong></span>. Other possible
3686 values are <span><strong class="command">fail</strong></span> and
3687 <span><strong class="command">ignore</strong></span>.
3689 <dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
3691 Check whether the MX record appears to refer to a IP address.
3692 The default is to <span><strong class="command">warn</strong></span>. Other possible
3693 values are <span><strong class="command">fail</strong></span> and
3694 <span><strong class="command">ignore</strong></span>.
3696 <dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
3698 This option is used to check for non-terminal wildcards.
3699 The use of non-terminal wildcards is almost always as a
3701 to understand the wildcard matching algorithm (RFC 1034).
3703 affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
3704 for non-terminal wildcards and issue a warning.
3706 <dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
3709 Perform post load zone integrity checks on master
3710 zones. This checks that MX and SRV records refer
3711 to address (A or AAAA) records and that glue
3712 address records exist for delegated zones. For
3713 MX and SRV records only in-zone hostnames are
3714 checked (for out-of-zone hostnames use
3715 <span><strong class="command">named-checkzone</strong></span>).
3716 For NS records only names below top of zone are
3717 checked (for out-of-zone names and glue consistency
3718 checks use <span><strong class="command">named-checkzone</strong></span>).
3719 The default is <span><strong class="command">yes</strong></span>.
3722 The use of the SPF record for publishing Sender
3723 Policy Framework is deprecated as the migration
3724 from using TXT records to SPF records was abandoned.
3725 Enabling this option also checks that a TXT Sender
3726 Policy Framework record exists (starts with "v=spf1")
3727 if there is an SPF record. Warnings are emitted if the
3728 TXT record does not exist and can be suppressed with
3729 <span><strong class="command">check-spf</strong></span>.
3732 <dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
3734 If <span><strong class="command">check-integrity</strong></span> is set then
3735 fail, warn or ignore MX records that refer
3736 to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
3738 <dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
3740 If <span><strong class="command">check-integrity</strong></span> is set then
3741 fail, warn or ignore SRV records that refer
3742 to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
3744 <dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
3746 When performing integrity checks, also check that
3747 sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
3749 <dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
3751 If <span><strong class="command">check-integrity</strong></span> is set then
3752 check that there is a TXT Sender Policy Framework
3753 record present (starts with "v=spf1") if there is an
3754 SPF record present. The default is
3755 <span><strong class="command">warn</strong></span>.
3757 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
3759 When returning authoritative negative responses to
3760 SOA queries set the TTL of the SOA record returned in
3761 the authority section to zero.
3762 The default is <span><strong class="command">yes</strong></span>.
3764 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
3766 When caching a negative response to a SOA query
3767 set the TTL to zero.
3768 The default is <span><strong class="command">no</strong></span>.
3770 <dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
3773 When set to the default value of <code class="literal">yes</code>,
3774 check the KSK bit in each key to determine how the key
3775 should be used when generating RRSIGs for a secure zone.
3778 Ordinarily, zone-signing keys (that is, keys without the
3779 KSK bit set) are used to sign the entire zone, while
3780 key-signing keys (keys with the KSK bit set) are only
3781 used to sign the DNSKEY RRset at the zone apex.
3782 However, if this option is set to <code class="literal">no</code>,
3783 then the KSK bit is ignored; KSKs are treated as if they
3784 were ZSKs and are used to sign the entire zone. This is
3785 similar to the <span><strong class="command">dnssec-signzone -z</strong></span>
3786 command line option.
3789 When this option is set to <code class="literal">yes</code>, there
3790 must be at least two active keys for every algorithm
3791 represented in the DNSKEY RRset: at least one KSK and one
3792 ZSK per algorithm. If there is any algorithm for which
3793 this requirement is not met, this option will be ignored
3797 <dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
3800 When this option and <span><strong class="command">update-check-ksk</strong></span>
3801 are both set to <code class="literal">yes</code>, only key-signing
3802 keys (that is, keys with the KSK bit set) will be used
3803 to sign the DNSKEY RRset at the zone apex. Zone-signing
3804 keys (keys without the KSK bit set) will be used to sign
3805 the remainder of the zone, but not the DNSKEY RRset.
3806 This is similar to the
3807 <span><strong class="command">dnssec-signzone -x</strong></span> command line option.
3810 The default is <span><strong class="command">no</strong></span>. If
3811 <span><strong class="command">update-check-ksk</strong></span> is set to
3812 <code class="literal">no</code>, this option is ignored.
3815 <dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt>
3817 When a zone is configured with <span><strong class="command">auto-dnssec
3818 maintain;</strong></span> its key repository must be checked
3819 periodically to see if any new keys have been added
3820 or any existing keys' timing metadata has been updated
3821 (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
3822 <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The
3823 <span><strong class="command">dnssec-loadkeys-interval</strong></span> option
3824 sets the frequency of automatic repository checks, in
3825 minutes. The default is <code class="literal">60</code> (1 hour),
3826 the minimum is <code class="literal">1</code> (1 minute), and the
3827 maximum is <code class="literal">1440</code> (24 hours); any higher
3828 value is silently reduced.
3830 <dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
3832 Try to refresh the zone using TCP if UDP queries fail.
3833 For BIND 8 compatibility, the default is
3834 <span><strong class="command">yes</strong></span>.
3836 <dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
3839 Allow a dynamic zone to transition from secure to
3840 insecure (i.e., signed to unsigned) by deleting all
3841 of the DNSKEY records. The default is <span><strong class="command">no</strong></span>.
3842 If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset
3843 at the zone apex is deleted, all RRSIG and NSEC records
3844 will be removed from the zone as well.
3847 If the zone uses NSEC3, then it is also necessary to
3848 delete the NSEC3PARAM RRset from the zone apex; this will
3849 cause the removal of all corresponding NSEC3 records.
3850 (It is expected that this requirement will be eliminated
3851 in a future release.)
3854 Note that if a zone has been configured with
3855 <span><strong class="command">auto-dnssec maintain</strong></span> and the
3856 private keys remain accessible in the key repository,
3857 then the zone will be automatically signed again the
3858 next time <span><strong class="command">named</strong></span> is started.
3863 <div class="sect3" lang="en">
3864 <div class="titlepage"><div><div><h4 class="title">
3865 <a name="id2583425"></a>Forwarding</h4></div></div></div>
3867 The forwarding facility can be used to create a large site-wide
3868 cache on a few servers, reducing traffic over links to external
3869 name servers. It can also be used to allow queries by servers that
3870 do not have direct access to the Internet, but wish to look up
3872 names anyway. Forwarding occurs only on those queries for which
3873 the server is not authoritative and does not have the answer in
3876 <div class="variablelist"><dl>
3877 <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
3879 This option is only meaningful if the
3880 forwarders list is not empty. A value of <code class="varname">first</code>,
3881 the default, causes the server to query the forwarders
3883 if that doesn't answer the question, the server will then
3885 the answer itself. If <code class="varname">only</code> is
3887 server will only query the forwarders.
3889 <dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
3891 Specifies the IP addresses to be used
3892 for forwarding. The default is the empty list (no
3897 Forwarding can also be configured on a per-domain basis, allowing
3898 for the global forwarding options to be overridden in a variety
3899 of ways. You can set particular domains to use different
3901 or have a different <span><strong class="command">forward only/first</strong></span> behavior,
3902 or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
3903 Statement Grammar">the section called “<span><strong class="command">zone</strong></span>
3904 Statement Grammar”</a>.
3907 <div class="sect3" lang="en">
3908 <div class="titlepage"><div><div><h4 class="title">
3909 <a name="id2583483"></a>Dual-stack Servers</h4></div></div></div>
3911 Dual-stack servers are used as servers of last resort to work
3913 problems in reachability due the lack of support for either IPv4
3915 on the host machine.
3917 <div class="variablelist"><dl>
3918 <dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
3920 Specifies host names or addresses of machines with access to
3921 both IPv4 and IPv6 transports. If a hostname is used, the
3923 to resolve the name using only the transport it has. If the
3925 stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
3926 access to a transport has been disabled on the command line
3927 (e.g. <span><strong class="command">named -4</strong></span>).
3931 <div class="sect3" lang="en">
3932 <div class="titlepage"><div><div><h4 class="title">
3933 <a name="access_control"></a>Access Control</h4></div></div></div>
3935 Access to the server can be restricted based on the IP address
3936 of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
3937 details on how to specify IP address lists.
3939 <div class="variablelist"><dl>
3940 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
3942 Specifies which hosts are allowed to
3943 notify this server, a slave, of zone changes in addition
3944 to the zone masters.
3945 <span><strong class="command">allow-notify</strong></span> may also be
3947 <span><strong class="command">zone</strong></span> statement, in which case
3949 <span><strong class="command">options allow-notify</strong></span>
3950 statement. It is only meaningful
3951 for a slave zone. If not specified, the default is to
3952 process notify messages
3953 only from a zone's master.
3955 <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
3958 Specifies which hosts are allowed to ask ordinary
3959 DNS questions. <span><strong class="command">allow-query</strong></span> may
3960 also be specified in the <span><strong class="command">zone</strong></span>
3961 statement, in which case it overrides the
3962 <span><strong class="command">options allow-query</strong></span> statement.
3963 If not specified, the default is to allow queries
3966 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3967 <h3 class="title">Note</h3>
3969 <span><strong class="command">allow-query-cache</strong></span> is now
3970 used to specify access to the cache.
3974 <dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
3977 Specifies which local addresses can accept ordinary
3978 DNS questions. This makes it possible, for instance,
3979 to allow queries on internal-facing interfaces but
3980 disallow them on external-facing ones, without
3981 necessarily knowing the internal network's addresses.
3984 Note that <span><strong class="command">allow-query-on</strong></span> is only
3985 checked for queries that are permitted by
3986 <span><strong class="command">allow-query</strong></span>. A query must be
3987 allowed by both ACLs, or it will be refused.
3990 <span><strong class="command">allow-query-on</strong></span> may
3991 also be specified in the <span><strong class="command">zone</strong></span>
3992 statement, in which case it overrides the
3993 <span><strong class="command">options allow-query-on</strong></span> statement.
3996 If not specified, the default is to allow queries
3999 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4000 <h3 class="title">Note</h3>
4002 <span><strong class="command">allow-query-cache</strong></span> is
4003 used to specify access to the cache.
4007 <dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
4009 Specifies which hosts are allowed to get answers
4010 from the cache. If <span><strong class="command">allow-query-cache</strong></span>
4011 is not set then <span><strong class="command">allow-recursion</strong></span>
4012 is used if set, otherwise <span><strong class="command">allow-query</strong></span>
4013 is used if set unless <span><strong class="command">recursion no;</strong></span> is
4014 set in which case <span><strong class="command">none;</strong></span> is used,
4015 otherwise the default (<span><strong class="command">localnets;</strong></span>
4016 <span><strong class="command">localhost;</strong></span>) is used.
4018 <dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
4020 Specifies which local addresses can give answers
4021 from the cache. If not specified, the default is
4022 to allow cache queries on any address,
4023 <span><strong class="command">localnets</strong></span> and
4024 <span><strong class="command">localhost</strong></span>.
4026 <dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
4028 Specifies which hosts are allowed to make recursive
4029 queries through this server. If
4030 <span><strong class="command">allow-recursion</strong></span> is not set
4031 then <span><strong class="command">allow-query-cache</strong></span> is
4032 used if set, otherwise <span><strong class="command">allow-query</strong></span>
4033 is used if set, otherwise the default
4034 (<span><strong class="command">localnets;</strong></span>
4035 <span><strong class="command">localhost;</strong></span>) is used.
4037 <dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt>
4039 Specifies which local addresses can accept recursive
4040 queries. If not specified, the default is to allow
4041 recursive queries on all addresses.
4043 <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
4045 Specifies which hosts are allowed to
4046 submit Dynamic DNS updates for master zones. The default is
4048 updates from all hosts. Note that allowing updates based
4049 on the requestor's IP address is insecure; see
4050 <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
4052 <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
4055 Specifies which hosts are allowed to
4056 submit Dynamic DNS updates to slave zones to be forwarded to
4058 master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
4060 means that no update forwarding will be performed. To
4062 update forwarding, specify
4063 <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
4064 Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
4065 <strong class="userinput"><code>{ any; }</code></strong> is usually
4066 counterproductive, since
4067 the responsibility for update access control should rest
4069 master server, not the slaves.
4072 Note that enabling the update forwarding feature on a slave
4074 may expose master servers relying on insecure IP address
4076 access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
4080 <dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
4082 This option was introduced for the smooth transition from
4084 to A6 and from "nibble labels" to binary labels.
4085 However, since both A6 and binary labels were then
4087 this option was also deprecated.
4088 It is now ignored with some warning messages.
4090 <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
4092 Specifies which hosts are allowed to
4093 receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
4094 also be specified in the <span><strong class="command">zone</strong></span>
4096 case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
4097 If not specified, the default is to allow transfers to all
4100 <dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
4102 Specifies a list of addresses that the
4103 server will not accept queries from or use to resolve a
4105 from these addresses will not be responded to. The default
4106 is <strong class="userinput"><code>none</code></strong>.
4108 <dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt>
4110 Specifies a list of addresses to which
4111 <span><strong class="command">filter-aaaa-on-v4</strong></span>
4112 is applies. The default is <strong class="userinput"><code>any</code></strong>.
4114 <dt><span class="term"><span><strong class="command">no-case-compress</strong></span></span></dt>
4117 Specifies a list of addresses which require responses
4118 to use case-insensitive compression. This ACL can be
4119 used when <span><strong class="command">named</strong></span> needs to work with
4120 clients that do not comply with the requirement in RFC
4121 1034 to use case-insensitive name comparisons when
4122 checking for matching domain names.
4125 If left undefined, the ACL defaults to
4126 <span><strong class="command">none</strong></span>: case-insensitive compression
4127 will be used for all clients. If the ACL is defined and
4128 matches a client, then case will be ignored when
4129 compressing domain names in DNS responses sent to that
4133 This can result in slightly smaller responses: if
4134 a response contains the names "example.com" and
4135 "example.COM", case-insensitive compression would treat
4136 the second one as a duplicate. It also ensures
4137 that the case of the query name exactly matches the
4138 case of the owner names of returned records, rather
4139 than matching the case of the records entered in
4140 the zone file. This allows responses to exactly
4141 match the query, which is required by some clients
4142 due to incorrect use of case-sensitive comparisons.
4145 Case-insensitive compression is <span class="emphasis"><em>always</em></span>
4146 used in AXFR and IXFR responses, regardless of whether
4147 the client matches this ACL.
4150 There are circumstances in which <span><strong class="command">named</strong></span>
4151 will not preserve the case of owner names of records:
4152 if a zone file defines records of different types with
4153 the same name, but the capitalization of the name is
4154 different (e.g., "www.example.com/A" and
4155 "WWW.EXAMPLE.COM/AAAA"), then all responses for that
4156 name will use the <span class="emphasis"><em>first</em></span> version
4157 of the name that was used in the zone file. This
4158 limitation may be addressed in a future release. However,
4159 domain names specified in the rdata of resource records
4160 (i.e., records of type NS, MX, CNAME, etc) will always
4161 have their case preserved unless the client matches this
4165 <dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
4167 The amount of time the resolver will spend attempting
4168 to resolve a recursive query before failing. The default
4169 and minimum is <code class="literal">10</code> and the maximum is
4170 <code class="literal">30</code>. Setting it to <code class="literal">0</code>
4171 will result in the default being used.
4175 <div class="sect3" lang="en">
4176 <div class="titlepage"><div><div><h4 class="title">
4177 <a name="id2584157"></a>Interfaces</h4></div></div></div>
4179 The interfaces and ports that the server will answer queries
4180 from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
4181 an optional port and an <code class="varname">address_match_list</code>
4182 of IPv4 addresses. (IPv6 addresses are ignored, with a
4184 The server will listen on all interfaces allowed by the address
4185 match list. If a port is not specified, port 53 will be used.
4188 Multiple <span><strong class="command">listen-on</strong></span> statements are
4192 <pre class="programlisting">listen-on { 5.6.7.8; };
4193 listen-on port 1234 { !1.2.3.4; 1.2/16; };
4196 will enable the name server on port 53 for the IP address
4197 5.6.7.8, and on port 1234 of an address on the machine in net
4198 1.2 that is not 1.2.3.4.
4201 If no <span><strong class="command">listen-on</strong></span> is specified, the
4202 server will listen on port 53 on all IPv4 interfaces.
4205 The <span><strong class="command">listen-on-v6</strong></span> option is used to
4206 specify the interfaces and the ports on which the server will
4208 for incoming queries sent using IPv6.
4212 <pre class="programlisting">{ any; }</pre>
4215 as the <code class="varname">address_match_list</code> for the
4216 <span><strong class="command">listen-on-v6</strong></span> option,
4217 the server does not bind a separate socket to each IPv6 interface
4218 address as it does for IPv4 if the operating system has enough API
4219 support for IPv6 (specifically if it conforms to RFC 3493 and RFC
4221 Instead, it listens on the IPv6 wildcard address.
4222 If the system only has incomplete API support for IPv6, however,
4223 the behavior is the same as that for IPv4.
4226 A list of particular IPv6 addresses can also be specified, in
4228 the server listens on a separate socket for each specified
4230 regardless of whether the desired API is supported by the system.
4231 IPv4 addresses specified in <span><strong class="command">listen-on-v6</strong></span>
4232 will be ignored, with a logged warning.
4235 Multiple <span><strong class="command">listen-on-v6</strong></span> options can
4239 <pre class="programlisting">listen-on-v6 { any; };
4240 listen-on-v6 port 1234 { !2001:db8::/32; any; };
4243 will enable the name server on port 53 for any IPv6 addresses
4244 (with a single wildcard socket),
4245 and on port 1234 of IPv6 addresses that is not in the prefix
4246 2001:db8::/32 (with separate sockets for each matched address.)
4249 To make the server not listen on any IPv6 address, use
4251 <pre class="programlisting">listen-on-v6 { none; };
4254 If no <span><strong class="command">listen-on-v6</strong></span> option is
4255 specified, the server will not listen on any IPv6 address
4256 unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
4257 invoked. If <span><strong class="command">-6</strong></span> is specified then
4258 <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
4261 <div class="sect3" lang="en">
4262 <div class="titlepage"><div><div><h4 class="title">
4263 <a name="query_address"></a>Query Address</h4></div></div></div>
4265 If the server doesn't know the answer to a question, it will
4266 query other name servers. <span><strong class="command">query-source</strong></span> specifies
4267 the address and port used for such queries. For queries sent over
4268 IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
4269 If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
4270 a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
4274 If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
4275 a random port number from a pre-configured
4276 range is picked up and will be used for each query.
4277 The port range(s) is that specified in
4278 the <span><strong class="command">use-v4-udp-ports</strong></span> (for IPv4)
4279 and <span><strong class="command">use-v6-udp-ports</strong></span> (for IPv6)
4280 options, excluding the ranges specified in
4281 the <span><strong class="command">avoid-v4-udp-ports</strong></span>
4282 and <span><strong class="command">avoid-v6-udp-ports</strong></span> options, respectively.
4285 The defaults of the <span><strong class="command">query-source</strong></span> and
4286 <span><strong class="command">query-source-v6</strong></span> options
4289 <pre class="programlisting">query-source address * port *;
4290 query-source-v6 address * port *;
4293 If <span><strong class="command">use-v4-udp-ports</strong></span> or
4294 <span><strong class="command">use-v6-udp-ports</strong></span> is unspecified,
4295 <span><strong class="command">named</strong></span> will check if the operating
4296 system provides a programming interface to retrieve the
4297 system's default range for ephemeral ports.
4298 If such an interface is available,
4299 <span><strong class="command">named</strong></span> will use the corresponding system
4300 default range; otherwise, it will use its own defaults:
4302 <pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
4303 use-v6-udp-ports { range 1024 65535; };
4306 Note: make sure the ranges be sufficiently large for
4307 security. A desirable size depends on various parameters,
4308 but we generally recommend it contain at least 16384 ports
4309 (14 bits of entropy).
4310 Note also that the system's default range when used may be
4311 too small for this purpose, and that the range may even be
4312 changed while <span><strong class="command">named</strong></span> is running; the new
4313 range will automatically be applied when <span><strong class="command">named</strong></span>
4316 configure <span><strong class="command">use-v4-udp-ports</strong></span> and
4317 <span><strong class="command">use-v6-udp-ports</strong></span> explicitly so that the
4318 ranges are sufficiently large and are reasonably
4319 independent from the ranges used by other applications.
4322 Note: the operational configuration
4323 where <span><strong class="command">named</strong></span> runs may prohibit the use
4324 of some ports. For example, UNIX systems will not allow
4325 <span><strong class="command">named</strong></span> running without a root privilege
4326 to use ports less than 1024.
4327 If such ports are included in the specified (or detected)
4328 set of query ports, the corresponding query attempts will
4329 fail, resulting in resolution failures or delay.
4330 It is therefore important to configure the set of ports
4331 that can be safely used in the expected operational environment.
4334 The defaults of the <span><strong class="command">avoid-v4-udp-ports</strong></span> and
4335 <span><strong class="command">avoid-v6-udp-ports</strong></span> options
4338 <pre class="programlisting">avoid-v4-udp-ports {};
4339 avoid-v6-udp-ports {};
4342 Note: BIND 9.5.0 introduced
4343 the <span><strong class="command">use-queryport-pool</strong></span>
4344 option to support a pool of such random ports, but this
4345 option is now obsolete because reusing the same ports in
4346 the pool may not be sufficiently secure.
4347 For the same reason, it is generally strongly discouraged to
4348 specify a particular port for the
4349 <span><strong class="command">query-source</strong></span> or
4350 <span><strong class="command">query-source-v6</strong></span> options;
4351 it implicitly disables the use of randomized port numbers.
4353 <div class="variablelist"><dl>
4354 <dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt>
4356 This option is obsolete.
4358 <dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
4360 This option is obsolete.
4362 <dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
4364 This option is obsolete.
4367 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4368 <h3 class="title">Note</h3>
4370 The address specified in the <span><strong class="command">query-source</strong></span> option
4371 is used for both UDP and TCP queries, but the port applies only
4372 to UDP queries. TCP queries always use a random
4376 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4377 <h3 class="title">Note</h3>
4379 Solaris 2.5.1 and earlier does not support setting the source
4380 address for TCP sockets.
4383 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4384 <h3 class="title">Note</h3>
4386 See also <span><strong class="command">transfer-source</strong></span> and
4387 <span><strong class="command">notify-source</strong></span>.
4391 <div class="sect3" lang="en">
4392 <div class="titlepage"><div><div><h4 class="title">
4393 <a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
4395 <acronym class="acronym">BIND</acronym> has mechanisms in place to
4396 facilitate zone transfers
4397 and set limits on the amount of load that transfers place on the
4398 system. The following options apply to zone transfers.
4400 <div class="variablelist"><dl>
4401 <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
4404 Defines a global list of IP addresses of name servers
4405 that are also sent NOTIFY messages whenever a fresh copy of
4407 zone is loaded, in addition to the servers listed in the
4409 This helps to ensure that copies of the zones will
4410 quickly converge on stealth servers.
4411 Optionally, a port may be specified with each
4412 <span><strong class="command">also-notify</strong></span> address to send
4413 the notify messages to a port other than the
4415 An optional TSIG key can also be specified with each
4416 address to cause the notify messages to be signed; this
4417 can be useful when sending notifies to multiple views.
4418 In place of explicit addresses, one or more named
4419 <span><strong class="command">masters</strong></span> lists can be used.
4422 If an <span><strong class="command">also-notify</strong></span> list
4423 is given in a <span><strong class="command">zone</strong></span> statement,
4425 the <span><strong class="command">options also-notify</strong></span>
4426 statement. When a <span><strong class="command">zone notify</strong></span>
4428 is set to <span><strong class="command">no</strong></span>, the IP
4429 addresses in the global <span><strong class="command">also-notify</strong></span> list will
4430 not be sent NOTIFY messages for that zone. The default is
4432 list (no global notification list).
4435 <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
4437 Inbound zone transfers running longer than
4438 this many minutes will be terminated. The default is 120
4440 (2 hours). The maximum value is 28 days (40320 minutes).
4442 <dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
4444 Inbound zone transfers making no progress
4445 in this many minutes will be terminated. The default is 60
4447 (1 hour). The maximum value is 28 days (40320 minutes).
4449 <dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
4451 Outbound zone transfers running longer than
4452 this many minutes will be terminated. The default is 120
4454 (2 hours). The maximum value is 28 days (40320 minutes).
4456 <dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
4458 Outbound zone transfers making no progress
4459 in this many minutes will be terminated. The default is 60
4461 hour). The maximum value is 28 days (40320 minutes).
4463 <dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
4466 Slave servers will periodically query master
4467 servers to find out if zone serial numbers have
4468 changed. Each such query uses a minute amount of
4469 the slave server's network bandwidth. To limit
4470 the amount of bandwidth used, BIND 9 limits the
4471 rate at which queries are sent. The value of the
4472 <span><strong class="command">serial-query-rate</strong></span> option, an
4473 integer, is the maximum number of queries sent
4474 per second. The default is 20.
4477 In addition to controlling the rate SOA refresh
4478 queries are issued at
4479 <span><strong class="command">serial-query-rate</strong></span> also controls
4480 the rate at which NOTIFY messages are sent from
4481 both master and slave zones.
4484 <dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
4486 In BIND 8, the <span><strong class="command">serial-queries</strong></span>
4488 set the maximum number of concurrent serial number queries
4489 allowed to be outstanding at any given time.
4490 BIND 9 does not limit the number of outstanding
4491 serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
4492 Instead, it limits the rate at which the queries are sent
4493 as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
4495 <dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
4497 Zone transfers can be sent using two different formats,
4498 <span><strong class="command">one-answer</strong></span> and
4499 <span><strong class="command">many-answers</strong></span>.
4500 The <span><strong class="command">transfer-format</strong></span> option is used
4501 on the master server to determine which format it sends.
4502 <span><strong class="command">one-answer</strong></span> uses one DNS message per
4503 resource record transferred.
4504 <span><strong class="command">many-answers</strong></span> packs as many resource
4505 records as possible into a message.
4506 <span><strong class="command">many-answers</strong></span> is more efficient, but is
4507 only supported by relatively new slave servers,
4508 such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
4509 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
4510 The <span><strong class="command">many-answers</strong></span> format is also supported by
4511 recent Microsoft Windows nameservers.
4512 The default is <span><strong class="command">many-answers</strong></span>.
4513 <span><strong class="command">transfer-format</strong></span> may be overridden on a
4514 per-server basis by using the <span><strong class="command">server</strong></span>
4517 <dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
4519 The maximum number of inbound zone transfers
4520 that can be running concurrently. The default value is <code class="literal">10</code>.
4521 Increasing <span><strong class="command">transfers-in</strong></span> may
4522 speed up the convergence
4523 of slave zones, but it also may increase the load on the
4526 <dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
4528 The maximum number of outbound zone transfers
4529 that can be running concurrently. Zone transfer requests in
4531 of the limit will be refused. The default value is <code class="literal">10</code>.
4533 <dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
4535 The maximum number of inbound zone transfers
4536 that can be concurrently transferring from a given remote
4538 The default value is <code class="literal">2</code>.
4539 Increasing <span><strong class="command">transfers-per-ns</strong></span>
4541 speed up the convergence of slave zones, but it also may
4543 the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
4544 be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
4545 of the <span><strong class="command">server</strong></span> statement.
4547 <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
4549 <p><span><strong class="command">transfer-source</strong></span>
4550 determines which local address will be bound to IPv4
4551 TCP connections used to fetch zones transferred
4552 inbound by the server. It also determines the
4553 source IPv4 address, and optionally the UDP port,
4554 used for the refresh queries and forwarded dynamic
4555 updates. If not set, it defaults to a system
4556 controlled value which will usually be the address
4557 of the interface "closest to" the remote end. This
4558 address must appear in the remote end's
4559 <span><strong class="command">allow-transfer</strong></span> option for the
4560 zone being transferred, if one is specified. This
4562 <span><strong class="command">transfer-source</strong></span> for all zones,
4563 but can be overridden on a per-view or per-zone
4564 basis by including a
4565 <span><strong class="command">transfer-source</strong></span> statement within
4566 the <span><strong class="command">view</strong></span> or
4567 <span><strong class="command">zone</strong></span> block in the configuration
4570 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4571 <h3 class="title">Note</h3>
4573 Solaris 2.5.1 and earlier does not support setting the
4574 source address for TCP sockets.
4578 <dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
4580 The same as <span><strong class="command">transfer-source</strong></span>,
4581 except zone transfers are performed using IPv6.
4583 <dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
4586 An alternate transfer source if the one listed in
4587 <span><strong class="command">transfer-source</strong></span> fails and
4588 <span><strong class="command">use-alt-transfer-source</strong></span> is
4591 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4592 <h3 class="title">Note</h3>
4593 If you do not wish the alternate transfer source
4594 to be used, you should set
4595 <span><strong class="command">use-alt-transfer-source</strong></span>
4596 appropriately and you should not depend upon
4597 getting an answer back to the first refresh
4601 <dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
4603 An alternate transfer source if the one listed in
4604 <span><strong class="command">transfer-source-v6</strong></span> fails and
4605 <span><strong class="command">use-alt-transfer-source</strong></span> is
4608 <dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
4610 Use the alternate transfer sources or not. If views are
4611 specified this defaults to <span><strong class="command">no</strong></span>
4612 otherwise it defaults to
4613 <span><strong class="command">yes</strong></span> (for BIND 8
4616 <dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
4618 <p><span><strong class="command">notify-source</strong></span>
4619 determines which local source address, and
4620 optionally UDP port, will be used to send NOTIFY
4621 messages. This address must appear in the slave
4622 server's <span><strong class="command">masters</strong></span> zone clause or
4623 in an <span><strong class="command">allow-notify</strong></span> clause. This
4624 statement sets the <span><strong class="command">notify-source</strong></span>
4625 for all zones, but can be overridden on a per-zone or
4626 per-view basis by including a
4627 <span><strong class="command">notify-source</strong></span> statement within
4628 the <span><strong class="command">zone</strong></span> or
4629 <span><strong class="command">view</strong></span> block in the configuration
4632 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4633 <h3 class="title">Note</h3>
4635 Solaris 2.5.1 and earlier does not support setting the
4636 source address for TCP sockets.
4640 <dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
4642 Like <span><strong class="command">notify-source</strong></span>,
4643 but applies to notify messages sent to IPv6 addresses.
4647 <div class="sect3" lang="en">
4648 <div class="titlepage"><div><div><h4 class="title">
4649 <a name="id2585310"></a>UDP Port Lists</h4></div></div></div>
4651 <span><strong class="command">use-v4-udp-ports</strong></span>,
4652 <span><strong class="command">avoid-v4-udp-ports</strong></span>,
4653 <span><strong class="command">use-v6-udp-ports</strong></span>, and
4654 <span><strong class="command">avoid-v6-udp-ports</strong></span>
4655 specify a list of IPv4 and IPv6 UDP ports that will be
4656 used or not used as source ports for UDP messages.
4657 See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
4658 available ports are determined.
4659 For example, with the following configuration
4661 <pre class="programlisting">
4662 use-v6-udp-ports { range 32768 65535; };
4663 avoid-v6-udp-ports { 40000; range 50000 60000; };
4666 UDP ports of IPv6 messages sent
4667 from <span><strong class="command">named</strong></span> will be in one
4668 of the following ranges: 32768 to 39999, 40001 to 49999,
4672 <span><strong class="command">avoid-v4-udp-ports</strong></span> and
4673 <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used
4674 to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
4675 port that is blocked by your firewall or a port that is
4676 used by other applications;
4677 if a query went out with a source port blocked by a
4679 answer would not get by the firewall and the name server would
4680 have to query again.
4681 Note: the desired range can also be represented only with
4682 <span><strong class="command">use-v4-udp-ports</strong></span> and
4683 <span><strong class="command">use-v6-udp-ports</strong></span>, and the
4684 <span><strong class="command">avoid-</strong></span> options are redundant in that
4685 sense; they are provided for backward compatibility and
4686 to possibly simplify the port specification.
4689 <div class="sect3" lang="en">
4690 <div class="titlepage"><div><div><h4 class="title">
4691 <a name="id2585438"></a>Operating System Resource Limits</h4></div></div></div>
4693 The server's usage of many system resources can be limited.
4694 Scaled values are allowed when specifying resource limits. For
4695 example, <span><strong class="command">1G</strong></span> can be used instead of
4696 <span><strong class="command">1073741824</strong></span> to specify a limit of
4698 gigabyte. <span><strong class="command">unlimited</strong></span> requests
4699 unlimited use, or the
4700 maximum available amount. <span><strong class="command">default</strong></span>
4702 that was in force when the server was started. See the description
4703 of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
4706 The following options set operating system resource limits for
4707 the name server process. Some operating systems don't support
4709 any of the limits. On such systems, a warning will be issued if
4711 unsupported limit is used.
4713 <div class="variablelist"><dl>
4714 <dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
4716 The maximum size of a core dump. The default
4717 is <code class="literal">default</code>.
4719 <dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
4721 The maximum amount of data memory the server
4722 may use. The default is <code class="literal">default</code>.
4723 This is a hard limit on server memory usage.
4724 If the server attempts to allocate memory in excess of this
4725 limit, the allocation will fail, which may in turn leave
4726 the server unable to perform DNS service. Therefore,
4727 this option is rarely useful as a way of limiting the
4728 amount of memory used by the server, but it can be used
4729 to raise an operating system data size limit that is
4730 too small by default. If you wish to limit the amount
4731 of memory used by the server, use the
4732 <span><strong class="command">max-cache-size</strong></span> and
4733 <span><strong class="command">recursive-clients</strong></span>
4736 <dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
4738 The maximum number of files the server
4739 may have open concurrently. The default is <code class="literal">unlimited</code>.
4741 <dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
4743 The maximum amount of stack memory the server
4744 may use. The default is <code class="literal">default</code>.
4748 <div class="sect3" lang="en">
4749 <div class="titlepage"><div><div><h4 class="title">
4750 <a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div>
4752 The following options set limits on the server's
4753 resource consumption that are enforced internally by the
4754 server rather than the operating system.
4756 <div class="variablelist"><dl>
4757 <dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
4759 This option is obsolete; it is accepted
4760 and ignored for BIND 8 compatibility. The option
4761 <span><strong class="command">max-journal-size</strong></span> performs a
4762 similar function in BIND 9.
4764 <dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
4766 Sets a maximum size for each journal file
4767 (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
4769 the specified size, some of the oldest transactions in the
4771 will be automatically removed. The largest permitted
4772 value is 2 gigabytes. The default is
4773 <code class="literal">unlimited</code>, which also
4775 This may also be set on a per-zone basis.
4777 <dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
4779 In BIND 8, specifies the maximum number of host statistics
4781 Not implemented in BIND 9.
4783 <dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
4785 The maximum number of simultaneous recursive lookups
4786 the server will perform on behalf of clients. The default
4788 <code class="literal">1000</code>. Because each recursing
4790 bit of memory, on the order of 20 kilobytes, the value of
4792 <span><strong class="command">recursive-clients</strong></span> option may
4793 have to be decreased
4794 on hosts with limited memory.
4796 <dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
4798 The maximum number of simultaneous client TCP
4799 connections that the server will accept.
4800 The default is <code class="literal">100</code>.
4802 <dt><span class="term"><span><strong class="command">reserved-sockets</strong></span></span></dt>
4805 The number of file descriptors reserved for TCP, stdio,
4806 etc. This needs to be big enough to cover the number of
4807 interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
4808 to provide room for outgoing TCP queries and incoming zone
4809 transfers. The default is <code class="literal">512</code>.
4810 The minimum value is <code class="literal">128</code> and the
4811 maximum value is <code class="literal">128</code> less than
4812 maxsockets (-S). This option may be removed in the future.
4815 This option has little effect on Windows.
4818 <dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
4820 The maximum amount of memory to use for the
4821 server's cache, in bytes.
4822 When the amount of data in the cache
4823 reaches this limit, the server will cause records to expire
4824 prematurely based on an LRU based strategy so that
4825 the limit is not exceeded.
4826 A value of 0 is special, meaning that
4827 records are purged from the cache only when their
4829 Another special keyword <strong class="userinput"><code>unlimited</code></strong>
4830 means the maximum value of 32-bit unsigned integers
4831 (0xffffffff), which may not have the same effect as
4832 0 on machines that support more than 32 bits of
4834 Any positive values less than 2MB will be ignored reset
4836 In a server with multiple views, the limit applies
4837 separately to the cache of each view.
4840 <dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
4842 The listen queue depth. The default and minimum is 10.
4843 If the kernel supports the accept filter "dataready" this
4845 many TCP connections that will be queued in kernel space
4847 some data before being passed to accept. Nonzero values
4848 less than 10 will be silently raised. A value of 0 may also
4849 be used; on most platforms this sets the listen queue
4850 length to a system-defined default value.
4854 <div class="sect3" lang="en">
4855 <div class="titlepage"><div><div><h4 class="title">
4856 <a name="id2585861"></a>Periodic Task Intervals</h4></div></div></div>
4857 <div class="variablelist"><dl>
4858 <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
4860 This interval is effectively obsolete. Previously,
4861 the server would remove expired resource records
4862 from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
4863 <acronym class="acronym">BIND</acronym> 9 now manages cache
4864 memory in a more sophisticated manner and does not
4865 rely on the periodic cleaning any more.
4866 Specifying this option therefore has no effect on
4867 the server's behavior.
4869 <dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
4871 The server will perform zone maintenance tasks
4872 for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
4873 interval expires. The default is 60 minutes. Reasonable
4875 to 1 day (1440 minutes). The maximum value is 28 days
4877 If set to 0, no zone maintenance for these zones will occur.
4879 <dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
4881 The server will scan the network interface list
4882 every <span><strong class="command">interface-interval</strong></span>
4883 minutes. The default
4884 is 60 minutes. The maximum value is 28 days (40320 minutes).
4885 If set to 0, interface scanning will only occur when
4886 the configuration file is loaded. After the scan, the
4888 begin listening for queries on any newly discovered
4889 interfaces (provided they are allowed by the
4890 <span><strong class="command">listen-on</strong></span> configuration), and
4892 stop listening on interfaces that have gone away.
4894 <dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
4897 Name server statistics will be logged
4898 every <span><strong class="command">statistics-interval</strong></span>
4899 minutes. The default is
4900 60. The maximum value is 28 days (40320 minutes).
4901 If set to 0, no statistics will be logged.
4903 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4904 <h3 class="title">Note</h3>
4906 Not yet implemented in
4907 <acronym class="acronym">BIND</acronym> 9.
4913 <div class="sect3" lang="en">
4914 <div class="titlepage"><div><div><h4 class="title">
4915 <a name="topology"></a>Topology</h4></div></div></div>
4917 All other things being equal, when the server chooses a name
4919 to query from a list of name servers, it prefers the one that is
4920 topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
4921 takes an <span><strong class="command">address_match_list</strong></span> and
4923 in a special way. Each top-level list element is assigned a
4925 Non-negated elements get a distance based on their position in the
4926 list, where the closer the match is to the start of the list, the
4927 shorter the distance is between it and the server. A negated match
4928 will be assigned the maximum distance from the server. If there
4929 is no match, the address will get a distance which is further than
4930 any non-negated list element, and closer than any negated element.
4933 <pre class="programlisting">topology {
4939 will prefer servers on network 10 the most, followed by hosts
4940 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
4941 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
4942 is preferred least of all.
4945 The default topology is
4947 <pre class="programlisting"> topology { localhost; localnets; };
4949 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4950 <h3 class="title">Note</h3>
4952 The <span><strong class="command">topology</strong></span> option
4953 is not implemented in <acronym class="acronym">BIND</acronym> 9.
4957 <div class="sect3" lang="en">
4958 <div class="titlepage"><div><div><h4 class="title">
4959 <a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
4961 The response to a DNS query may consist of multiple resource
4962 records (RRs) forming a resource records set (RRset).
4963 The name server will normally return the
4964 RRs within the RRset in an indeterminate order
4965 (but see the <span><strong class="command">rrset-order</strong></span>
4966 statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
4967 The client resolver code should rearrange the RRs as appropriate,
4968 that is, using any addresses on the local net in preference to
4970 However, not all resolvers can do this or are correctly
4972 When a client is using a local server, the sorting can be performed
4973 in the server, based on the client's address. This only requires
4974 configuring the name servers, not all the clients.
4977 The <span><strong class="command">sortlist</strong></span> statement (see below)
4979 an <span><strong class="command">address_match_list</strong></span> and
4981 more specifically than the <span><strong class="command">topology</strong></span>
4983 does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
4984 Each top level statement in the <span><strong class="command">sortlist</strong></span> must
4985 itself be an explicit <span><strong class="command">address_match_list</strong></span> with
4986 one or two elements. The first element (which may be an IP
4988 an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
4989 of each top level list is checked against the source address of
4990 the query until a match is found.
4993 Once the source address of the query has been matched, if
4994 the top level statement contains only one element, the actual
4996 element that matched the source address is used to select the
4998 in the response to move to the beginning of the response. If the
4999 statement is a list of two elements, then the second element is
5000 treated the same as the <span><strong class="command">address_match_list</strong></span> in
5001 a <span><strong class="command">topology</strong></span> statement. Each top
5003 is assigned a distance and the address in the response with the
5005 distance is moved to the beginning of the response.
5008 In the following example, any queries received from any of
5009 the addresses of the host itself will get responses preferring
5011 on any of the locally connected networks. Next most preferred are
5013 on the 192.168.1/24 network, and after that either the
5016 192.168.3/24 network with no preference shown between these two
5017 networks. Queries received from a host on the 192.168.1/24 network
5018 will prefer other addresses on that network to the 192.168.2/24
5020 192.168.3/24 networks. Queries received from a host on the
5022 or the 192.168.5/24 network will only prefer other addresses on
5023 their directly connected networks.
5025 <pre class="programlisting">sortlist {
5026 // IF the local host
5027 // THEN first fit on the following nets
5031 { 192.168.2/24; 192.168.3/24; }; }; };
5032 // IF on class C 192.168.1 THEN use .1, or .2 or .3
5035 { 192.168.2/24; 192.168.3/24; }; }; };
5036 // IF on class C 192.168.2 THEN use .2, or .1 or .3
5039 { 192.168.1/24; 192.168.3/24; }; }; };
5040 // IF on class C 192.168.3 THEN use .3, or .1 or .2
5043 { 192.168.1/24; 192.168.2/24; }; }; };
5044 // IF .4 or .5 THEN prefer that net
5045 { { 192.168.4/24; 192.168.5/24; };
5049 The following example will give reasonable behavior for the
5050 local host and hosts on directly connected networks. It is similar
5051 to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
5052 to queries from the local host will favor any of the directly
5054 networks. Responses sent to queries from any other hosts on a
5056 connected network will prefer addresses on that same network.
5058 to other queries will not be sorted.
5060 <pre class="programlisting">sortlist {
5061 { localhost; localnets; };
5066 <div class="sect3" lang="en">
5067 <div class="titlepage"><div><div><h4 class="title">
5068 <a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
5070 When multiple records are returned in an answer it may be
5071 useful to configure the order of the records placed into the
5073 The <span><strong class="command">rrset-order</strong></span> statement permits
5075 of the ordering of the records in a multiple record response.
5076 See also the <span><strong class="command">sortlist</strong></span> statement,
5077 <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
5080 An <span><strong class="command">order_spec</strong></span> is defined as
5084 [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
5085 [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
5086 [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
5087 order <em class="replaceable"><code>ordering</code></em>
5090 If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
5091 If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
5092 If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
5095 The legal values for <span><strong class="command">ordering</strong></span> are:
5097 <div class="informaltable"><table border="1">
5105 <p><span><strong class="command">fixed</strong></span></p>
5109 Records are returned in the order they
5110 are defined in the zone file.
5116 <p><span><strong class="command">random</strong></span></p>
5120 Records are returned in some random order.
5126 <p><span><strong class="command">cyclic</strong></span></p>
5130 Records are returned in a cyclic round-robin order.
5133 If <acronym class="acronym">BIND</acronym> is configured with the
5134 "--enable-fixed-rrset" option at compile time, then
5135 the initial ordering of the RRset will match the
5136 one specified in the zone file.
5145 <pre class="programlisting">rrset-order {
5146 class IN type A name "host.example.com" order random;
5151 will cause any responses for type A records in class IN that
5152 have "<code class="literal">host.example.com</code>" as a
5153 suffix, to always be returned
5154 in random order. All other records are returned in cyclic order.
5157 If multiple <span><strong class="command">rrset-order</strong></span> statements
5158 appear, they are not combined — the last one applies.
5161 By default, all records are returned in random order.
5163 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5164 <h3 class="title">Note</h3>
5166 In this release of <acronym class="acronym">BIND</acronym> 9, the
5167 <span><strong class="command">rrset-order</strong></span> statement does not support
5168 "fixed" ordering by default. Fixed ordering can be enabled
5169 at compile time by specifying "--enable-fixed-rrset" on
5170 the "configure" command line.
5174 <div class="sect3" lang="en">
5175 <div class="titlepage"><div><div><h4 class="title">
5176 <a name="tuning"></a>Tuning</h4></div></div></div>
5177 <div class="variablelist"><dl>
5178 <dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
5181 Sets the number of seconds to cache a
5182 lame server indication. 0 disables caching. (This is
5183 <span class="bold"><strong>NOT</strong></span> recommended.)
5184 The default is <code class="literal">600</code> (10 minutes) and the
5186 <code class="literal">1800</code> (30 minutes).
5189 Lame-ttl also controls the amount of time DNSSEC
5190 validation failures are cached. There is a minimum
5191 of 30 seconds applied to bad cache entries if the
5192 lame-ttl is set to less than 30 seconds.
5195 <dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
5197 To reduce network traffic and increase performance,
5198 the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
5199 used to set a maximum retention time for these answers in
5201 in seconds. The default
5202 <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
5203 <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
5205 be silently truncated to 7 days if set to a greater value.
5207 <dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
5209 Sets the maximum time for which the server will
5210 cache ordinary (positive) answers. The default is
5212 A value of zero may cause all queries to return
5213 SERVFAIL, because of lost caches of intermediate
5214 RRsets (such as NS and glue AAAA/A records) in the
5217 <dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
5220 The minimum number of root servers that
5221 is required for a request for the root servers to be
5222 accepted. The default
5223 is <strong class="userinput"><code>2</code></strong>.
5225 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5226 <h3 class="title">Note</h3>
5228 Not implemented in <acronym class="acronym">BIND</acronym> 9.
5232 <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
5235 Specifies the number of days into the future when
5236 DNSSEC signatures automatically generated as a
5237 result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
5238 is an optional second field which specifies how
5239 long before expiry that the signatures will be
5240 regenerated. If not specified, the signatures will
5241 be regenerated at 1/4 of base interval. The second
5242 field is specified in days if the base interval is
5243 greater than 7 days otherwise it is specified in hours.
5244 The default base interval is <code class="literal">30</code> days
5245 giving a re-signing interval of 7 1/2 days. The maximum
5246 values are 10 years (3660 days).
5249 The signature inception time is unconditionally
5250 set to one hour before the current time to allow
5251 for a limited amount of clock skew.
5254 The <span><strong class="command">sig-validity-interval</strong></span>
5255 should be, at least, several multiples of the SOA
5256 expire interval to allow for reasonable interaction
5257 between the various timer and expiry dates.
5260 <dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
5262 Specify the maximum number of nodes to be
5263 examined in each quantum when signing a zone with
5264 a new DNSKEY. The default is
5265 <code class="literal">100</code>.
5267 <dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
5269 Specify a threshold number of signatures that
5270 will terminate processing a quantum when signing
5271 a zone with a new DNSKEY. The default is
5272 <code class="literal">10</code>.
5274 <dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
5277 Specify a private RDATA type to be used when generating
5278 signing state records. The default is
5279 <code class="literal">65534</code>.
5282 It is expected that this parameter may be removed
5283 in a future version once there is a standard type.
5286 Signing state records are used to internally by
5287 <span><strong class="command">named</strong></span> to track the current state of
5288 a zone-signing process, i.e., whether it is still active
5289 or has been completed. The records can be inspected
5291 <span><strong class="command">rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>.
5292 Once <span><strong class="command">named</strong></span> has finished signing
5293 a zone with a particular key, the signing state
5294 record associated with that key can be removed from
5296 <span><strong class="command">rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>.
5297 To clear all of the completed signing state
5298 records for a zone, use
5299 <span><strong class="command">rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>.
5303 <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
5307 These options control the server's behavior on refreshing a
5309 (querying for SOA changes) or retrying failed transfers.
5310 Usually the SOA values for the zone are used, but these
5312 are set by the master, giving slave server administrators
5314 control over their contents.
5317 These options allow the administrator to set a minimum and
5319 refresh and retry time either per-zone, per-view, or
5321 These options are valid for slave and stub zones,
5322 and clamp the SOA refresh and retry times to the specified
5326 The following defaults apply.
5327 <span><strong class="command">min-refresh-time</strong></span> 300 seconds,
5328 <span><strong class="command">max-refresh-time</strong></span> 2419200 seconds
5329 (4 weeks), <span><strong class="command">min-retry-time</strong></span> 500 seconds,
5330 and <span><strong class="command">max-retry-time</strong></span> 1209600 seconds
5334 <dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
5337 Sets the advertised EDNS UDP buffer size in bytes
5338 to control the size of packets received.
5339 Valid values are 512 to 4096 (values outside this range
5340 will be silently adjusted). The default value
5341 is 4096. The usual reason for setting
5342 <span><strong class="command">edns-udp-size</strong></span> to a non-default
5343 value is to get UDP answers to pass through broken
5344 firewalls that block fragmented packets and/or
5345 block UDP packets that are greater than 512 bytes.
5348 <span><strong class="command">named</strong></span> will fallback to using 512 bytes
5349 if it get a series of timeout at the initial value. 512
5350 bytes is not being offered to encourage sites to fix their
5351 firewalls. Small EDNS UDP sizes will result in the
5352 excessive use of TCP.
5355 <dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
5358 Sets the maximum EDNS UDP message size
5359 <span><strong class="command">named</strong></span> will send in bytes.
5360 Valid values are 512 to 4096 (values outside this
5361 range will be silently adjusted). The default
5362 value is 4096. The usual reason for setting
5363 <span><strong class="command">max-udp-size</strong></span> to a non-default
5364 value is to get UDP answers to pass through broken
5365 firewalls that block fragmented packets and/or
5366 block UDP packets that are greater than 512 bytes.
5367 This is independent of the advertised receive
5368 buffer (<span><strong class="command">edns-udp-size</strong></span>).
5371 Setting this to a low value will encourage additional
5372 TCP traffic to the nameserver.
5375 <dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
5378 the file format of zone files (see
5379 <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
5380 The default value is <code class="constant">text</code>, which is the
5381 standard textual representation, except for slave zones,
5382 in which the default value is <code class="constant">raw</code>.
5383 Files in other formats than <code class="constant">text</code> are
5384 typically expected to be generated by the
5385 <span><strong class="command">named-compilezone</strong></span> tool, or dumped by
5386 <span><strong class="command">named</strong></span>.
5389 Note that when a zone file in a different format than
5390 <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
5391 may omit some of the checks which would be performed for a
5392 file in the <code class="constant">text</code> format. In particular,
5393 <span><strong class="command">check-names</strong></span> checks do not apply
5394 for the <code class="constant">raw</code> format. This means
5395 a zone file in the <code class="constant">raw</code> format
5396 must be generated with the same check level as that
5397 specified in the <span><strong class="command">named</strong></span> configuration
5398 file. This statement sets the
5399 <span><strong class="command">masterfile-format</strong></span> for all zones,
5400 but can be overridden on a per-zone or per-view basis
5401 by including a <span><strong class="command">masterfile-format</strong></span>
5402 statement within the <span><strong class="command">zone</strong></span> or
5403 <span><strong class="command">view</strong></span> block in the configuration
5408 <a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
5412 initial value (minimum) and maximum number of recursive
5413 simultaneous clients for any given query
5414 (<qname,qtype,qclass>) that the server will accept
5415 before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
5416 self tune this value and changes will be logged. The
5417 default values are 10 and 100.
5420 This value should reflect how many queries come in for
5421 a given name in the time it takes to resolve that name.
5422 If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
5423 assume that it is dealing with a non-responsive zone
5424 and will drop additional queries. If it gets a response
5425 after dropping queries, it will raise the estimate. The
5426 estimate will then be lowered in 20 minutes if it has
5430 If <span><strong class="command">clients-per-query</strong></span> is set to zero,
5431 then there is no limit on the number of clients per query
5432 and no queries will be dropped.
5435 If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
5436 then there is no upper bound other than imposed by
5437 <span><strong class="command">recursive-clients</strong></span>.
5441 <a name="max-recursion-depth"></a><span class="term"><span><strong class="command">max-recursion-depth</strong></span></span>
5444 Sets the maximum number of levels of recursion
5445 that are permitted at any one time while servicing
5446 a recursive query. Resolving a name may require
5447 looking up a name server address, which in turn
5448 requires resolving another name, etc; if the number
5449 of indirections exceeds this value, the recursive
5450 query is terminated and returns SERVFAIL. The
5454 <a name="max-recursion-queries"></a><span class="term"><span><strong class="command">max-recursion-queries</strong></span></span>
5457 Sets the maximum number of iterative queries that
5458 may be sent while servicing a recursive query.
5459 If more queries are sent, the recursive query
5460 is terminated and returns SERVFAIL. The default
5463 <dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
5466 The delay, in seconds, between sending sets of notify
5467 messages for a zone. The default is five (5) seconds.
5470 The overall rate that NOTIFY messages are sent for all
5471 zones is controlled by <span><strong class="command">serial-query-rate</strong></span>.
5474 <dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt>
5476 The maximum RSA exponent size, in bits, that will
5477 be accepted when validating. Valid values are 35
5478 to 4096 bits. The default zero (0) is also accepted
5479 and is equivalent to 4096.
5483 <div class="sect3" lang="en">
5484 <div class="titlepage"><div><div><h4 class="title">
5485 <a name="builtin"></a>Built-in server information zones</h4></div></div></div>
5487 The server provides some helpful diagnostic information
5488 through a number of built-in zones under the
5489 pseudo-top-level-domain <code class="literal">bind</code> in the
5490 <span><strong class="command">CHAOS</strong></span> class. These zones are part
5492 built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
5494 <span><strong class="command">CHAOS</strong></span> which is separate from the
5495 default view of class <span><strong class="command">IN</strong></span>. Most global
5496 configuration options (<span><strong class="command">allow-query</strong></span>,
5497 etc) will apply to this view, but some are locally
5498 overridden: <span><strong class="command">notify</strong></span>,
5499 <span><strong class="command">recursion</strong></span> and
5500 <span><strong class="command">allow-new-zones</strong></span> are
5501 always set to <strong class="userinput"><code>no</code></strong>.
5504 If you need to disable these zones, use the options
5505 below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
5507 defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
5508 that matches all clients.
5510 <div class="variablelist"><dl>
5511 <dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
5513 The version the server should report
5514 via a query of the name <code class="literal">version.bind</code>
5515 with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
5516 The default is the real version number of this server.
5517 Specifying <span><strong class="command">version none</strong></span>
5518 disables processing of the queries.
5520 <dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
5522 The hostname the server should report via a query of
5523 the name <code class="filename">hostname.bind</code>
5524 with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
5525 This defaults to the hostname of the machine hosting the
5527 found by the gethostname() function. The primary purpose of such queries
5529 identify which of a group of anycast servers is actually
5530 answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
5531 disables processing of the queries.
5533 <dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
5535 The ID the server should report when receiving a Name
5536 Server Identifier (NSID) query, or a query of the name
5537 <code class="filename">ID.SERVER</code> with type
5538 <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
5539 The primary purpose of such queries is to
5540 identify which of a group of anycast servers is actually
5541 answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
5542 disables processing of the queries.
5543 Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
5544 use the hostname as found by the gethostname() function.
5545 The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
5549 <div class="sect3" lang="en">
5550 <div class="titlepage"><div><div><h4 class="title">
5551 <a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
5553 Named has some built-in empty zones (SOA and NS records only).
5554 These are for zones that should normally be answered locally
5555 and which queries should not be sent to the Internet's root
5556 servers. The official servers which cover these namespaces
5557 return NXDOMAIN responses to these queries. In particular,
5558 these cover the reverse namespaces for addresses from
5559 RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the
5560 reverse namespace for IPv6 local address (locally assigned),
5561 IPv6 link local addresses, the IPv6 loopback address and the
5562 IPv6 unknown address.
5565 Named will attempt to determine if a built-in zone already exists
5566 or is active (covered by a forward-only forwarding declaration)
5567 and will not create an empty zone in that case.
5570 The current list of empty zones is:
5572 <div class="itemizedlist"><ul type="disc">
5573 <li>10.IN-ADDR.ARPA</li>
5574 <li>16.172.IN-ADDR.ARPA</li>
5575 <li>17.172.IN-ADDR.ARPA</li>
5576 <li>18.172.IN-ADDR.ARPA</li>
5577 <li>19.172.IN-ADDR.ARPA</li>
5578 <li>20.172.IN-ADDR.ARPA</li>
5579 <li>21.172.IN-ADDR.ARPA</li>
5580 <li>22.172.IN-ADDR.ARPA</li>
5581 <li>23.172.IN-ADDR.ARPA</li>
5582 <li>24.172.IN-ADDR.ARPA</li>
5583 <li>25.172.IN-ADDR.ARPA</li>
5584 <li>26.172.IN-ADDR.ARPA</li>
5585 <li>27.172.IN-ADDR.ARPA</li>
5586 <li>28.172.IN-ADDR.ARPA</li>
5587 <li>29.172.IN-ADDR.ARPA</li>
5588 <li>30.172.IN-ADDR.ARPA</li>
5589 <li>31.172.IN-ADDR.ARPA</li>
5590 <li>168.192.IN-ADDR.ARPA</li>
5591 <li>64.100.IN-ADDR.ARPA</li>
5592 <li>65.100.IN-ADDR.ARPA</li>
5593 <li>66.100.IN-ADDR.ARPA</li>
5594 <li>67.100.IN-ADDR.ARPA</li>
5595 <li>68.100.IN-ADDR.ARPA</li>
5596 <li>69.100.IN-ADDR.ARPA</li>
5597 <li>70.100.IN-ADDR.ARPA</li>
5598 <li>71.100.IN-ADDR.ARPA</li>
5599 <li>72.100.IN-ADDR.ARPA</li>
5600 <li>73.100.IN-ADDR.ARPA</li>
5601 <li>74.100.IN-ADDR.ARPA</li>
5602 <li>75.100.IN-ADDR.ARPA</li>
5603 <li>76.100.IN-ADDR.ARPA</li>
5604 <li>77.100.IN-ADDR.ARPA</li>
5605 <li>78.100.IN-ADDR.ARPA</li>
5606 <li>79.100.IN-ADDR.ARPA</li>
5607 <li>80.100.IN-ADDR.ARPA</li>
5608 <li>81.100.IN-ADDR.ARPA</li>
5609 <li>82.100.IN-ADDR.ARPA</li>
5610 <li>83.100.IN-ADDR.ARPA</li>
5611 <li>84.100.IN-ADDR.ARPA</li>
5612 <li>85.100.IN-ADDR.ARPA</li>
5613 <li>86.100.IN-ADDR.ARPA</li>
5614 <li>87.100.IN-ADDR.ARPA</li>
5615 <li>88.100.IN-ADDR.ARPA</li>
5616 <li>89.100.IN-ADDR.ARPA</li>
5617 <li>90.100.IN-ADDR.ARPA</li>
5618 <li>91.100.IN-ADDR.ARPA</li>
5619 <li>92.100.IN-ADDR.ARPA</li>
5620 <li>93.100.IN-ADDR.ARPA</li>
5621 <li>94.100.IN-ADDR.ARPA</li>
5622 <li>95.100.IN-ADDR.ARPA</li>
5623 <li>96.100.IN-ADDR.ARPA</li>
5624 <li>97.100.IN-ADDR.ARPA</li>
5625 <li>98.100.IN-ADDR.ARPA</li>
5626 <li>99.100.IN-ADDR.ARPA</li>
5627 <li>100.100.IN-ADDR.ARPA</li>
5628 <li>101.100.IN-ADDR.ARPA</li>
5629 <li>102.100.IN-ADDR.ARPA</li>
5630 <li>103.100.IN-ADDR.ARPA</li>
5631 <li>104.100.IN-ADDR.ARPA</li>
5632 <li>105.100.IN-ADDR.ARPA</li>
5633 <li>106.100.IN-ADDR.ARPA</li>
5634 <li>107.100.IN-ADDR.ARPA</li>
5635 <li>108.100.IN-ADDR.ARPA</li>
5636 <li>109.100.IN-ADDR.ARPA</li>
5637 <li>110.100.IN-ADDR.ARPA</li>
5638 <li>111.100.IN-ADDR.ARPA</li>
5639 <li>112.100.IN-ADDR.ARPA</li>
5640 <li>113.100.IN-ADDR.ARPA</li>
5641 <li>114.100.IN-ADDR.ARPA</li>
5642 <li>115.100.IN-ADDR.ARPA</li>
5643 <li>116.100.IN-ADDR.ARPA</li>
5644 <li>117.100.IN-ADDR.ARPA</li>
5645 <li>118.100.IN-ADDR.ARPA</li>
5646 <li>119.100.IN-ADDR.ARPA</li>
5647 <li>120.100.IN-ADDR.ARPA</li>
5648 <li>121.100.IN-ADDR.ARPA</li>
5649 <li>122.100.IN-ADDR.ARPA</li>
5650 <li>123.100.IN-ADDR.ARPA</li>
5651 <li>124.100.IN-ADDR.ARPA</li>
5652 <li>125.100.IN-ADDR.ARPA</li>
5653 <li>126.100.IN-ADDR.ARPA</li>
5654 <li>127.100.IN-ADDR.ARPA</li>
5655 <li>0.IN-ADDR.ARPA</li>
5656 <li>127.IN-ADDR.ARPA</li>
5657 <li>254.169.IN-ADDR.ARPA</li>
5658 <li>2.0.192.IN-ADDR.ARPA</li>
5659 <li>100.51.198.IN-ADDR.ARPA</li>
5660 <li>113.0.203.IN-ADDR.ARPA</li>
5661 <li>255.255.255.255.IN-ADDR.ARPA</li>
5662 <li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
5663 <li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
5664 <li>8.B.D.0.1.0.0.2.IP6.ARPA</li>
5665 <li>D.F.IP6.ARPA</li>
5666 <li>8.E.F.IP6.ARPA</li>
5667 <li>9.E.F.IP6.ARPA</li>
5668 <li>A.E.F.IP6.ARPA</li>
5669 <li>B.E.F.IP6.ARPA</li>
5674 Empty zones are settable at the view level and only apply to
5675 views of class IN. Disabled empty zones are only inherited
5676 from options if there are no disabled empty zones specified
5677 at the view level. To override the options list of disabled
5678 zones, you can disable the root zone at the view level, for example:
5680 <pre class="programlisting">
5681 disable-empty-zone ".";
5686 If you are using the address ranges covered here, you should
5687 already have reverse zones covering the addresses you use.
5688 In practice this appears to not be the case with many queries
5689 being made to the infrastructure servers for names in these
5690 spaces. So many in fact that sacrificial servers were needed
5691 to be deployed to channel the query load away from the
5692 infrastructure servers.
5694 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5695 <h3 class="title">Note</h3>
5696 The real parent servers for these zones should disable all
5697 empty zone under the parent zone they serve. For the real
5698 root servers, this is all built-in empty zones. This will
5699 enable them to return referrals to deeper in the tree.
5701 <div class="variablelist"><dl>
5702 <dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
5704 Specify what server name will appear in the returned
5705 SOA record for empty zones. If none is specified, then
5706 the zone's name will be used.
5708 <dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
5710 Specify what contact name will appear in the returned
5711 SOA record for empty zones. If none is specified, then
5714 <dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
5716 Enable or disable all empty zones. By default, they
5719 <dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
5721 Disable individual empty zones. By default, none are
5722 disabled. This option can be specified multiple times.
5726 <div class="sect3" lang="en">
5727 <div class="titlepage"><div><div><h4 class="title">
5728 <a name="acache"></a>Additional Section Caching</h4></div></div></div>
5730 The additional section cache, also called <span><strong class="command">acache</strong></span>,
5731 is an internal cache to improve the response performance of BIND 9.
5732 When additional section caching is enabled, BIND 9 will
5733 cache an internal short-cut to the additional section content for
5735 Note that <span><strong class="command">acache</strong></span> is an internal caching
5736 mechanism of BIND 9, and is not related to the DNS caching
5740 Additional section caching does not change the
5741 response content (except the RRsets ordering of the additional
5742 section, see below), but can improve the response performance
5744 It is particularly effective when BIND 9 acts as an authoritative
5745 server for a zone that has many delegations with many glue RRs.
5748 In order to obtain the maximum performance improvement
5749 from additional section caching, setting
5750 <span><strong class="command">additional-from-cache</strong></span>
5751 to <span><strong class="command">no</strong></span> is recommended, since the current
5752 implementation of <span><strong class="command">acache</strong></span>
5753 does not short-cut of additional section information from the
5757 One obvious disadvantage of <span><strong class="command">acache</strong></span> is
5758 that it requires much more
5759 memory for the internal cached data.
5760 Thus, if the response performance does not matter and memory
5761 consumption is much more critical, the
5762 <span><strong class="command">acache</strong></span> mechanism can be
5763 disabled by setting <span><strong class="command">acache-enable</strong></span> to
5764 <span><strong class="command">no</strong></span>.
5765 It is also possible to specify the upper limit of memory
5767 for acache by using <span><strong class="command">max-acache-size</strong></span>.
5770 Additional section caching also has a minor effect on the
5771 RRset ordering in the additional section.
5772 Without <span><strong class="command">acache</strong></span>,
5773 <span><strong class="command">cyclic</strong></span> order is effective for the additional
5774 section as well as the answer and authority sections.
5775 However, additional section caching fixes the ordering when it
5776 first caches an RRset for the additional section, and the same
5777 ordering will be kept in succeeding responses, regardless of the
5778 setting of <span><strong class="command">rrset-order</strong></span>.
5779 The effect of this should be minor, however, since an
5780 RRset in the additional section
5781 typically only contains a small number of RRs (and in many cases
5782 it only contains a single RR), in which case the
5783 ordering does not matter much.
5786 The following is a summary of options related to
5787 <span><strong class="command">acache</strong></span>.
5789 <div class="variablelist"><dl>
5790 <dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
5792 If <span><strong class="command">yes</strong></span>, additional section caching is
5793 enabled. The default value is <span><strong class="command">no</strong></span>.
5795 <dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
5797 The server will remove stale cache entries, based on an LRU
5799 algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
5800 The default is 60 minutes.
5801 If set to 0, no periodic cleaning will occur.
5803 <dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
5805 The maximum amount of memory in bytes to use for the server's acache.
5806 When the amount of data in the acache reaches this limit,
5808 will clean more aggressively so that the limit is not
5810 In a server with multiple views, the limit applies
5812 acache of each view.
5813 The default is <code class="literal">16M</code>.
5817 <div class="sect3" lang="en">
5818 <div class="titlepage"><div><div><h4 class="title">
5819 <a name="id2588485"></a>Content Filtering</h4></div></div></div>
5821 <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
5822 out DNS responses from external DNS servers containing
5823 certain types of data in the answer section.
5824 Specifically, it can reject address (A or AAAA) records if
5825 the corresponding IPv4 or IPv6 addresses match the given
5826 <code class="varname">address_match_list</code> of the
5827 <span><strong class="command">deny-answer-addresses</strong></span> option.
5828 It can also reject CNAME or DNAME records if the "alias"
5829 name (i.e., the CNAME alias or the substituted query name
5830 due to DNAME) matches the
5831 given <code class="varname">namelist</code> of the
5832 <span><strong class="command">deny-answer-aliases</strong></span> option, where
5833 "match" means the alias name is a subdomain of one of
5834 the <code class="varname">name_list</code> elements.
5835 If the optional <code class="varname">namelist</code> is specified
5836 with <span><strong class="command">except-from</strong></span>, records whose query name
5837 matches the list will be accepted regardless of the filter
5839 Likewise, if the alias name is a subdomain of the
5840 corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span>
5841 filter will not apply;
5842 for example, even if "example.com" is specified for
5843 <span><strong class="command">deny-answer-aliases</strong></span>,
5845 <pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
5847 returned by an "example.com" server will be accepted.
5850 In the <code class="varname">address_match_list</code> of the
5851 <span><strong class="command">deny-answer-addresses</strong></span> option, only
5852 <code class="varname">ip_addr</code>
5853 and <code class="varname">ip_prefix</code>
5855 any <code class="varname">key_id</code> will be silently ignored.
5858 If a response message is rejected due to the filtering,
5859 the entire message is discarded without being cached, and
5860 a SERVFAIL error will be returned to the client.
5863 This filtering is intended to prevent "DNS rebinding attacks," in
5864 which an attacker, in response to a query for a domain name the
5865 attacker controls, returns an IP address within your own network or
5866 an alias name within your own domain.
5867 A naive web browser or script could then serve as an
5868 unintended proxy, allowing the attacker
5869 to get access to an internal node of your local network
5870 that couldn't be externally accessed otherwise.
5871 See the paper available at
5872 <a href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top">
5873 http://portal.acm.org/citation.cfm?id=1315245.1315298
5875 for more details about the attacks.
5878 For example, if you own a domain named "example.net" and
5879 your internal network uses an IPv4 prefix 192.0.2.0/24,
5880 you might specify the following rules:
5882 <pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
5883 deny-answer-aliases { "example.net"; };
5886 If an external attacker lets a web browser in your local
5887 network look up an IPv4 address of "attacker.example.com",
5888 the attacker's DNS server would return a response like this:
5890 <pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
5892 in the answer section.
5893 Since the rdata of this record (the IPv4 address) matches
5894 the specified prefix 192.0.2.0/24, this response will be
5898 On the other hand, if the browser looks up a legitimate
5899 internal web server "www.example.net" and the
5900 following response is returned to
5901 the <acronym class="acronym">BIND</acronym> 9 server
5903 <pre class="programlisting">www.example.net. A 192.0.2.2</pre>
5905 it will be accepted since the owner name "www.example.net"
5906 matches the <span><strong class="command">except-from</strong></span> element,
5910 Note that this is not really an attack on the DNS per se.
5911 In fact, there is nothing wrong for an "external" name to
5912 be mapped to your "internal" IP address or domain name
5913 from the DNS point of view.
5914 It might actually be provided for a legitimate purpose,
5915 such as for debugging.
5916 As long as the mapping is provided by the correct owner,
5917 it is not possible or does not make sense to detect
5918 whether the intent of the mapping is legitimate or not
5920 The "rebinding" attack must primarily be protected at the
5921 application that uses the DNS.
5922 For a large site, however, it may be difficult to protect
5923 all possible applications at once.
5924 This filtering feature is provided only to help such an
5925 operational environment;
5926 it is generally discouraged to turn it on unless you are
5927 very sure you have no other choice and the attack is a
5928 real threat for your applications.
5931 Care should be particularly taken if you want to use this
5932 option for addresses within 127.0.0.0/8.
5933 These addresses are obviously "internal", but many
5934 applications conventionally rely on a DNS mapping from
5935 some name to such an address.
5936 Filtering out DNS records containing this address
5937 spuriously can break such applications.
5940 <div class="sect3" lang="en">
5941 <div class="titlepage"><div><div><h4 class="title">
5942 <a name="id2588747"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
5944 <acronym class="acronym">BIND</acronym> 9 includes a limited
5945 mechanism to modify DNS responses for requests
5946 analogous to email anti-spam DNS blacklists.
5947 Responses can be changed to deny the existence of domains(NXDOMAIN),
5948 deny the existence of IP addresses for domains (NODATA),
5949 or contain other IP addresses or data.
5952 Response policy zones are named in the
5953 <span><strong class="command">response-policy</strong></span> option for the view or among the
5954 global options if there is no response-policy option for the view.
5955 RPZs are ordinary DNS zones containing RRsets
5956 that can be queried normally if allowed.
5957 It is usually best to restrict those queries with something like
5958 <span><strong class="command">allow-query { localhost; };</strong></span>.
5961 Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP,
5963 QNAME RPZ records triggered by query names of requests and targets
5964 of CNAME records resolved to generate the response.
5965 The owner name of a QNAME RPZ record is the query name relativized
5969 The second kind of RPZ trigger is an IP address in an A and AAAA
5970 record in the ANSWER section of a response.
5971 IP address triggers are encoded in records that have owner names
5972 that are subdomains of <strong class="userinput"><code>rpz-ip</code></strong> relativized
5973 to the RPZ origin name and encode an IP address or address block.
5974 IPv4 trigger addresses are represented as
5975 <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip</code></strong>.
5976 The prefix length must be between 1 and 32.
5977 All four bytes, B4, B3, B2, and B1, must be present.
5978 B4 is the decimal value of the least significant byte of the
5979 IPv4 address as in IN-ADDR.ARPA.
5980 IPv6 addresses are encoded in a format similar to the standard
5981 IPv6 text representation,
5982 <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</code></strong>.
5983 Each of W8,...,W1 is a one to four digit hexadecimal number
5984 representing 16 bits of the IPv6 address as in the standard text
5985 representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
5986 All 8 words must be present except when consecutive
5987 zero words are replaced with <strong class="userinput"><code>.zz.</code></strong>
5988 analogous to double colons (::) in standard IPv6 text encodings.
5989 The prefix length must be between 1 and 128.
5992 NSDNAME triggers match names of authoritative servers
5993 for the query name, a parent of the query name, a CNAME for
5994 query name, or a parent of a CNAME.
5995 They are encoded as subdomains of
5996 <strong class="userinput"><code>rpz-nsdomain</code></strong> relativized
5997 to the RPZ origin name.
5998 NSIP triggers match IP addresses in A and
5999 AAAA RRsets for domains that can be checked against NSDNAME
6001 NSIP triggers are encoded like IP triggers except as subdomains of
6002 <strong class="userinput"><code>rpz-nsip</code></strong>.
6003 NSDNAME and NSIP triggers are checked only for names with at
6004 least <span><strong class="command">min-ns-dots</strong></span> dots.
6005 The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to
6006 exclude top level domains.
6009 The query response is checked against all RPZs, so
6010 two or more policy records can be triggered by a response.
6011 Because DNS responses can be rewritten according to at most one
6012 policy record, a single record encoding an action (other than
6013 <span><strong class="command">DISABLED</strong></span> actions) must be chosen.
6014 Triggers or the records that encode them are chosen in
6015 the following order:
6017 <div class="itemizedlist"><ul type="disc">
6018 <li>Choose the triggered record in the zone that appears
6019 first in the response-policy option.
6021 <li>Prefer QNAME to IP to NSDNAME to NSIP triggers
6024 <li>Among NSDNAME triggers, prefer the
6025 trigger that matches the smallest name under the DNSSEC ordering.
6027 <li>Among IP or NSIP triggers, prefer the trigger
6028 with the longest prefix.
6030 <li>Among triggers with the same prefex length,
6031 prefer the IP or NSIP trigger that matches
6032 the smallest IP address.
6038 When the processing of a response is restarted to resolve
6039 DNAME or CNAME records and a policy record set has
6041 all RPZs are again consulted for the DNAME or CNAME names
6045 RPZ record sets are sets of any types of DNS record except
6046 DNAME or DNSSEC that encode actions or responses to queries.
6048 <div class="itemizedlist"><ul type="disc">
6049 <li>The <span><strong class="command">NXDOMAIN</strong></span> response is encoded
6050 by a CNAME whose target is the root domain (.)
6052 <li>A CNAME whose target is the wildcard top-level
6053 domain (*.) specifies the <span><strong class="command">NODATA</strong></span> action,
6054 which rewrites the response to NODATA or ANCOUNT=1.
6056 <li>The <span><strong class="command">Local Data</strong></span> action is
6057 represented by a set ordinary DNS records that are used
6058 to answer queries. Queries for record types not the
6059 set are answered with NODATA.
6061 A special form of local data is a CNAME whose target is a
6062 wildcard such as *.example.com.
6063 It is used as if were an ordinary CNAME after the astrisk (*)
6064 has been replaced with the query name.
6065 The purpose for this special form is query logging in the
6066 walled garden's authority DNS server.
6068 <li>The <span><strong class="command">PASSTHRU</strong></span> policy is specified
6069 by a CNAME whose target is <span><strong class="command">rpz-passthru.</strong></span>
6070 It causes the response to not be rewritten
6071 and is most often used to "poke holes" in policies for
6073 (A CNAME whose target is the variable part of its owner name
6074 is an obsolete specification of the PASSTHRU policy.)
6080 The actions specified in an RPZ can be overridden with a
6081 <span><strong class="command">policy</strong></span> clause in the
6082 <span><strong class="command">response-policy</strong></span> option.
6083 An organization using an RPZ provided by another organization might
6084 use this mechanism to redirect domains to its own walled garden.
6086 <div class="itemizedlist"><ul type="disc">
6088 <span><strong class="command">GIVEN</strong></span> says "do not override but
6089 perform the action specified in the zone."
6092 <span><strong class="command">DISABLED</strong></span> causes policy records to do
6093 nothing but log what they might have done.
6094 The response to the DNS query will be written according to
6095 any triggered policy records that are not disabled.
6096 Disabled policy zones should appear first,
6097 because they will often not be logged
6098 if a higher precedence trigger is found first.
6101 <span><strong class="command">PASSTHRU</strong></span> causes all policy records
6102 to act as if they were CNAME records with targets the variable
6103 part of their owner name. They protect the response from
6107 <span><strong class="command">NXDOMAIN</strong></span> causes all RPZ records
6108 to specify NXDOMAIN policies.
6111 <span><strong class="command">NODATA</strong></span> overrides with the
6115 <span><strong class="command">CNAME domain</strong></span> causes all RPZ
6116 policy records to act as if they were "cname domain" records.
6122 By default, the actions encoded in an RPZ are applied
6123 only to queries that ask for recursion (RD=1).
6124 That default can be changed for a single RPZ or all RPZs in a view
6125 with a <span><strong class="command">recursive-only no</strong></span> clause.
6126 This feature is useful for serving the same zone files
6127 both inside and outside an RFC 1918 cloud and using RPZ to
6128 delete answers that would otherwise contain RFC 1918 values
6129 on the externally visible name server or view.
6132 Also by default, RPZ actions are applied only to DNS requests that
6133 either do not request DNSSEC metadata (DO=0) or when no DNSSEC
6134 records are available for request name in the original zone (not
6135 the response policy zone).
6136 This default can be changed for all RPZs in a view with a
6137 <span><strong class="command">break-dnssec yes</strong></span> clause.
6138 In that case, RPZ actions are applied regardless of DNSSEC.
6139 The name of the clause option reflects the fact that results
6140 rewritten by RPZ actions cannot verify.
6143 The TTL of a record modified by RPZ policies is set from the
6144 TTL of the relevant record in policy zone. It is then limited
6146 The <span><strong class="command">max-policy-ttl</strong></span> clause changes that
6147 maximum from its default of 5.
6150 For example, you might use this option statement
6152 <pre class="programlisting"> response-policy { zone "badlist"; };</pre>
6154 and this zone statement
6156 <pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
6160 <pre class="programlisting">$TTL 1H
6161 @ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
6164 ; QNAME policy records. There are no periods (.) after the owner names.
6165 nxdomain.domain.com CNAME . ; NXDOMAIN policy
6166 nodata.domain.com CNAME *. ; NODATA policy
6167 bad.domain.com A 10.0.0.1 ; redirect to a walled garden
6170 ; do not rewrite (PASSTHRU) OK.DOMAIN.COM
6171 ok.domain.com CNAME rpz-passthru.
6173 bzone.domain.com CNAME garden.example.com.
6175 ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
6176 *.bzone.domain.com CNAME *.garden.example.com.
6179 ; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
6180 8.0.0.0.127.rpz-ip CNAME .
6181 32.1.0.0.127.rpz-ip CNAME rpz-passthru.
6183 ; NSDNAME and NSIP policy records
6184 ns.domain.com.rpz-nsdname CNAME .
6185 48.zz.2.2001.rpz-nsip CNAME .
6188 RPZ can affect server performance.
6189 Each configured response policy zone requires the server to
6190 perform one to four additional database lookups before a
6191 query can be answered.
6192 For example, a DNS server with four policy zones, each with all
6193 four kinds of response triggers, QNAME, IP, NSIP, and
6194 NSDNAME, requires a total of 17 times as many database
6195 lookups as a similar DNS server with no response policy zones.
6196 A <acronym class="acronym">BIND9</acronym> server with adequate memory and one
6197 response policy zone with QNAME and IP triggers might achieve a
6198 maximum queries-per-second rate about 20% lower.
6199 A server with four response policy zones with QNAME and IP
6200 triggers might have a maximum QPS rate about 50% lower.
6203 Responses rewritten by RPZ are counted in the
6204 <span><strong class="command">RPZRewrites</strong></span> statistics.
6207 <div class="sect3" lang="en">
6208 <div class="titlepage"><div><div><h4 class="title">
6209 <a name="id2589177"></a>Response Rate Limiting</h4></div></div></div>
6211 This feature is only available when <acronym class="acronym">BIND</acronym> 9
6212 is compiled with the <strong class="userinput"><code>--enable-rrl</code></strong>
6213 option on the "configure" command line.
6216 Excessive almost identical UDP <span class="emphasis"><em>responses</em></span>
6217 can be controlled by configuring a
6218 <span><strong class="command">rate-limit</strong></span> clause in an
6219 <span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement.
6220 This mechanism keeps authoritative BIND 9 from being used
6221 in amplifying reflection denial of service (DoS) attacks.
6222 Short truncated (TC=1) responses can be sent to provide
6223 rate-limited responses to legitimate clients within
6224 a range of forged, attacked IP addresses.
6225 Legitimate clients react to dropped or truncated response
6226 by retrying with UDP or with TCP respectively.
6229 This mechanism is intended for authoritative DNS servers.
6230 It can be used on recursive servers but can slow
6231 applications such as SMTP servers (mail receivers) and
6232 HTTP clients (web browsers) that repeatedly request the
6234 When possible, closing "open" recursive servers is better.
6237 Response rate limiting uses a "credit" or "token bucket" scheme.
6238 Each combination of identical response and client
6239 has a conceptual account that earns a specified number
6240 of credits every second.
6241 A prospective response debits its account by one.
6242 Responses are dropped or truncated
6243 while the account is negative.
6244 Responses are tracked within a rolling window of time
6245 which defaults to 15 seconds, but can be configured with
6246 the <span><strong class="command">window</strong></span> option to any value from
6247 1 to 3600 seconds (1 hour).
6248 The account cannot become more positive than
6249 the per-second limit
6250 or more negative than <span><strong class="command">window</strong></span>
6251 times the per-second limit.
6252 When the specified number of credits for a class of
6253 responses is set to 0, those responses are not rate limited.
6256 The notions of "identical response" and "DNS client"
6257 for rate limiting are not simplistic.
6258 All responses to an address block are counted as if to a
6260 The prefix lengths of addresses blocks are
6261 specified with <span><strong class="command">ipv4-prefix-length</strong></span> (default 24)
6262 and <span><strong class="command">ipv6-prefix-length</strong></span> (default 56).
6265 All non-empty responses for a valid domain name (qname)
6266 and record type (qtype) are identical and have a limit specified
6267 with <span><strong class="command">responses-per-second</strong></span>
6268 (default 0 or no limit).
6269 All empty (NODATA) responses for a valid domain,
6270 regardless of query type, are identical.
6271 Responses in the NODATA class are limited by
6272 <span><strong class="command">nodata-per-second</strong></span>
6273 (default <span><strong class="command">responses-per-second</strong></span>).
6274 Requests for any and all undefined subdomains of a given
6275 valid domain result in NXDOMAIN errors, and are identical
6276 regardless of query type.
6277 They are limited by <span><strong class="command">nxdomain-per-second</strong></span>
6278 (default <span><strong class="command">responses-per-second</strong></span>).
6279 This controls some attacks using random names, but
6280 can be relaxed or turned off (set to 0)
6281 on servers that expect many legitimate
6282 NXDOMAIN responses, such as from anti-spam blacklists.
6283 Referrals or delegations to the server of a given
6284 domain are identical and are limited by
6285 <span><strong class="command">referrals-per-second</strong></span>
6286 (default <span><strong class="command">responses-per-second</strong></span>).
6289 Responses generated from local wildcards are counted and limited
6290 as if they were for the parent domain name.
6291 This controls flooding using random.wild.example.com.
6294 All requests that result in DNS errors other
6295 than NXDOMAIN, such as SERVFAIL and FORMERR, are identical
6296 regardless of requested name (qname) or record type (qtype).
6297 This controls attacks using invalid requests or distant,
6298 broken authoritative servers.
6299 By default the limit on errors is the same as the
6300 <span><strong class="command">responses-per-second</strong></span> value,
6301 but it can be set separately with
6302 <span><strong class="command">errors-per-second</strong></span>.
6305 Many attacks using DNS involve UDP requests with forged source
6307 Rate limiting prevents the use of BIND 9 to flood a network
6308 with responses to requests with forged source addresses,
6309 but could let a third party block responses to legitimate requests.
6310 There is a mechanism that can answer some legitimate
6311 requests from a client whose address is being forged in a flood.
6312 Setting <span><strong class="command">slip</strong></span> to 2 (its default) causes every
6313 other UDP request to be answered with a small truncated (TC=1)
6315 The small size and reduced frequency, and so lack of
6316 amplification, of "slipped" responses make them unattractive
6317 for reflection DoS attacks.
6318 <span><strong class="command">slip</strong></span> must be between 0 and 10.
6319 A value of 0 does not "slip":
6320 no truncated responses are sent due to rate limiting,
6321 all responses are dropped.
6322 A value of 1 causes every response to slip;
6323 values between 2 and 10 cause every n'th response to slip.
6324 Some error responses including REFUSED and SERVFAIL
6325 cannot be replaced with truncated responses and are instead
6326 leaked at the <span><strong class="command">slip</strong></span> rate.
6329 (NOTE: Dropped responses from an authoritative server may
6330 reduce the difficulty of a third party successfully forging
6331 a response to a recursive resolver. The best security
6332 against forged responses is for authoritative operators
6333 to sign their zones using DNSSEC and for resolver operators
6334 to validate the responses. When this is not an option,
6335 operators who are more concerned with response integrity
6336 than with flood mitigation may consider setting
6337 <span><strong class="command">slip</strong></span> to 1, causing all rate-limited
6338 responses to be truncated rather than dropped. This reduces
6339 the effectiveness of rate-limiting against reflection attacks.)
6342 When the approximate query per second rate exceeds
6343 the <span><strong class="command">qps-scale</strong></span> value,
6344 then the <span><strong class="command">responses-per-second</strong></span>,
6345 <span><strong class="command">errors-per-second</strong></span>,
6346 <span><strong class="command">nxdomains-per-second</strong></span> and
6347 <span><strong class="command">all-per-second</strong></span> values are reduced by the
6348 ratio of the current rate to the <span><strong class="command">qps-scale</strong></span> value.
6349 This feature can tighten defenses during attacks.
6351 <span><strong class="command">qps-scale 250; responses-per-second 20;</strong></span> and
6352 a total query rate of 1000 queries/second for all queries from
6353 all DNS clients including via TCP,
6354 then the effective responses/second limit changes to
6356 Responses sent via TCP are not limited
6357 but are counted to compute the query per second rate.
6360 Communities of DNS clients can be given their own parameters or no
6361 rate limiting by putting
6362 <span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span>
6363 statements instead of the global <span><strong class="command">option</strong></span>
6365 A <span><strong class="command">rate-limit</strong></span> statement in a view replaces,
6366 rather than supplementing, a <span><strong class="command">rate-limit</strong></span>
6367 statement among the main options.
6368 DNS clients within a view can be exempted from rate limits
6369 with the <span><strong class="command">exempt-clients</strong></span> clause.
6372 UDP responses of all kinds can be limited with the
6373 <span><strong class="command">all-per-second</strong></span> phrase.
6374 This rate limiting is unlike the rate limiting provided by
6375 <span><strong class="command">responses-per-second</strong></span>,
6376 <span><strong class="command">errors-per-second</strong></span>, and
6377 <span><strong class="command">nxdomains-per-second</strong></span> on a DNS server
6378 which are often invisible to the victim of a DNS reflection attack.
6379 Unless the forged requests of the attack are the same as the
6380 legitimate requests of the victim, the victim's requests are
6382 Responses affected by an <span><strong class="command">all-per-second</strong></span> limit
6383 are always dropped; the <span><strong class="command">slip</strong></span> value has no
6385 An <span><strong class="command">all-per-second</strong></span> limit should be
6386 at least 4 times as large as the other limits,
6387 because single DNS clients often send bursts of legitimate
6389 For example, the receipt of a single mail message can prompt
6390 requests from an SMTP server for NS, PTR, A, and AAAA records
6391 as the incoming SMTP/TCP/IP connection is considered.
6392 The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF
6393 records as it considers the STMP <span><strong class="command">Mail From</strong></span>
6395 Web browsers often repeatedly resolve the same names that
6396 are repeated in HTML <IMG> tags in a page.
6397 <span><strong class="command">All-per-second</strong></span> is similar to the
6398 rate limiting offered by firewalls but often inferior.
6399 Attacks that justify ignoring the
6400 contents of DNS responses are likely to be attacks on the
6402 They usually should be discarded before the DNS server
6403 spends resources making TCP connections or parsing DNS requests,
6404 but that rate limiting must be done before the
6405 DNS server sees the requests.
6408 The maximum size of the table used to track requests and
6409 rate limit responses is set with <span><strong class="command">max-table-size</strong></span>.
6410 Each entry in the table is between 40 and 80 bytes.
6411 The table needs approximately as many entries as the number
6412 of requests received per second.
6413 The default is 20,000.
6414 To reduce the cold start of growing the table,
6415 <span><strong class="command">min-table-size</strong></span> (default 500)
6416 can set the minimum table size.
6417 Enable <span><strong class="command">rate-limit</strong></span> category logging to monitor
6418 expansions of the table and inform
6419 choices for the initial and maximum table size.
6422 Use <span><strong class="command">log-only yes</strong></span> to test rate limiting parameters
6423 without actually dropping any requests.
6426 Responses dropped by rate limits are included in the
6427 <span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span>
6429 Responses that truncated by rate limits are included in
6430 <span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>.
6434 <div class="sect2" lang="en">
6435 <div class="titlepage"><div><div><h3 class="title">
6436 <a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
6437 <pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
6438 [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6439 [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6440 [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6441 [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6442 [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
6443 [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
6444 [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
6445 [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
6446 [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
6447 [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
6448 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
6449 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
6450 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
6451 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
6452 [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
6453 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
6454 [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
6455 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
6456 [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
6457 [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
6458 [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
6462 <div class="sect2" lang="en">
6463 <div class="titlepage"><div><div><h3 class="title">
6464 <a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
6465 Usage</h3></div></div></div>
6467 The <span><strong class="command">server</strong></span> statement defines
6469 to be associated with a remote name server. If a prefix length is
6470 specified, then a range of servers is covered. Only the most
6472 server clause applies regardless of the order in
6473 <code class="filename">named.conf</code>.
6476 The <span><strong class="command">server</strong></span> statement can occur at
6477 the top level of the
6478 configuration file or inside a <span><strong class="command">view</strong></span>
6480 If a <span><strong class="command">view</strong></span> statement contains
6481 one or more <span><strong class="command">server</strong></span> statements, only
6483 apply to the view and any top-level ones are ignored.
6484 If a view contains no <span><strong class="command">server</strong></span>
6486 any top-level <span><strong class="command">server</strong></span> statements are
6491 If you discover that a remote server is giving out bad data,
6492 marking it as bogus will prevent further queries to it. The
6494 value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
6497 The <span><strong class="command">provide-ixfr</strong></span> clause determines
6499 the local server, acting as master, will respond with an
6501 zone transfer when the given remote server, a slave, requests it.
6502 If set to <span><strong class="command">yes</strong></span>, incremental transfer
6504 whenever possible. If set to <span><strong class="command">no</strong></span>,
6506 to the remote server will be non-incremental. If not set, the
6508 of the <span><strong class="command">provide-ixfr</strong></span> option in the
6510 global options block is used as a default.
6513 The <span><strong class="command">request-ixfr</strong></span> clause determines
6515 the local server, acting as a slave, will request incremental zone
6516 transfers from the given remote server, a master. If not set, the
6517 value of the <span><strong class="command">request-ixfr</strong></span> option in
6518 the view or global options block is used as a default. It may
6519 also be set in the zone block and, if set there, it will
6520 override the global or view setting for that zone.
6523 IXFR requests to servers that do not support IXFR will
6525 fall back to AXFR. Therefore, there is no need to manually list
6526 which servers support IXFR and which ones do not; the global
6528 of <span><strong class="command">yes</strong></span> should always work.
6529 The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
6530 <span><strong class="command">request-ixfr</strong></span> clauses is
6531 to make it possible to disable the use of IXFR even when both
6533 and slave claim to support it, for example if one of the servers
6534 is buggy and crashes or corrupts data when IXFR is used.
6537 The <span><strong class="command">edns</strong></span> clause determines whether
6538 the local server will attempt to use EDNS when communicating
6539 with the remote server. The default is <span><strong class="command">yes</strong></span>.
6542 The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
6543 that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
6544 Valid values are 512 to 4096 bytes (values outside this range will be
6545 silently adjusted). This option is useful when you wish to
6546 advertises a different value to this server than the value you
6547 advertise globally, for example, when there is a firewall at the
6548 remote site that is blocking large replies.
6551 The <span><strong class="command">max-udp-size</strong></span> option sets the
6552 maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send. Valid
6553 values are 512 to 4096 bytes (values outside this range will
6554 be silently adjusted). This option is useful when you
6555 know that there is a firewall that is blocking large
6556 replies from <span><strong class="command">named</strong></span>.
6559 The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
6560 uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
6561 as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
6562 more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
6563 8.x, and patched versions of <acronym class="acronym">BIND</acronym>
6564 4.9.5. You can specify which method
6565 to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
6566 If <span><strong class="command">transfer-format</strong></span> is not
6567 specified, the <span><strong class="command">transfer-format</strong></span>
6569 by the <span><strong class="command">options</strong></span> statement will be
6572 <p><span><strong class="command">transfers</strong></span>
6573 is used to limit the number of concurrent inbound zone
6574 transfers from the specified server. If no
6575 <span><strong class="command">transfers</strong></span> clause is specified, the
6576 limit is set according to the
6577 <span><strong class="command">transfers-per-ns</strong></span> option.
6580 The <span><strong class="command">keys</strong></span> clause identifies a
6581 <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
6582 to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
6583 when talking to the remote server.
6584 When a request is sent to the remote server, a request signature
6585 will be generated using the key specified here and appended to the
6586 message. A request originating from the remote server is not
6588 to be signed by this key.
6591 Although the grammar of the <span><strong class="command">keys</strong></span>
6593 allows for multiple keys, only a single key per server is
6598 The <span><strong class="command">transfer-source</strong></span> and
6599 <span><strong class="command">transfer-source-v6</strong></span> clauses specify
6600 the IPv4 and IPv6 source
6601 address to be used for zone transfer with the remote server,
6603 For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
6605 Similarly, for an IPv6 remote server, only
6606 <span><strong class="command">transfer-source-v6</strong></span> can be
6608 For more details, see the description of
6609 <span><strong class="command">transfer-source</strong></span> and
6610 <span><strong class="command">transfer-source-v6</strong></span> in
6611 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
6614 The <span><strong class="command">notify-source</strong></span> and
6615 <span><strong class="command">notify-source-v6</strong></span> clauses specify the
6616 IPv4 and IPv6 source address to be used for notify
6617 messages sent to remote servers, respectively. For an
6618 IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
6619 can be specified. Similarly, for an IPv6 remote server,
6620 only <span><strong class="command">notify-source-v6</strong></span> can be specified.
6623 The <span><strong class="command">query-source</strong></span> and
6624 <span><strong class="command">query-source-v6</strong></span> clauses specify the
6625 IPv4 and IPv6 source address to be used for queries
6626 sent to remote servers, respectively. For an IPv4
6627 remote server, only <span><strong class="command">query-source</strong></span> can
6628 be specified. Similarly, for an IPv6 remote server,
6629 only <span><strong class="command">query-source-v6</strong></span> can be specified.
6632 The <span><strong class="command">request-nsid</strong></span> clause determines
6633 whether the local server will add a NSID EDNS option
6634 to requests sent to the server. This overrides
6635 <span><strong class="command">request-nsid</strong></span> set at the view or
6639 <div class="sect2" lang="en">
6640 <div class="titlepage"><div><div><h3 class="title">
6641 <a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
6642 <pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
6643 [ inet ( ip_addr | * ) [ port ip_port ]
6644 [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
6649 <div class="sect2" lang="en">
6650 <div class="titlepage"><div><div><h3 class="title">
6651 <a name="id2590471"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
6652 Usage</h3></div></div></div>
6654 The <span><strong class="command">statistics-channels</strong></span> statement
6655 declares communication channels to be used by system
6656 administrators to get access to statistics information of
6660 This statement intends to be flexible to support multiple
6661 communication protocols in the future, but currently only
6662 HTTP access is supported.
6663 It requires that BIND 9 be compiled with libxml2;
6664 the <span><strong class="command">statistics-channels</strong></span> statement is
6665 still accepted even if it is built without the library,
6666 but any HTTP access will fail with an error.
6669 An <span><strong class="command">inet</strong></span> control channel is a TCP socket
6670 listening at the specified <span><strong class="command">ip_port</strong></span> on the
6671 specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
6672 address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
6673 interpreted as the IPv4 wildcard address; connections will be
6674 accepted on any of the system's IPv4 addresses.
6675 To listen on the IPv6 wildcard address,
6676 use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
6679 If no port is specified, port 80 is used for HTTP channels.
6680 The asterisk "<code class="literal">*</code>" cannot be used for
6681 <span><strong class="command">ip_port</strong></span>.
6684 The attempt of opening a statistics channel is
6685 restricted by the optional <span><strong class="command">allow</strong></span> clause.
6686 Connections to the statistics channel are permitted based on the
6687 <span><strong class="command">address_match_list</strong></span>.
6688 If no <span><strong class="command">allow</strong></span> clause is present,
6689 <span><strong class="command">named</strong></span> accepts connection
6690 attempts from any address; since the statistics may
6691 contain sensitive internal information, it is highly
6692 recommended to restrict the source of connection requests
6696 If no <span><strong class="command">statistics-channels</strong></span> statement is present,
6697 <span><strong class="command">named</strong></span> will not open any communication channels.
6700 If the statistics channel is configured to listen on 127.0.0.1
6701 port 8888, then the statistics are accessible in XML format at
6702 <a href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or
6703 <a href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is
6704 included which can format the XML statistics into tables
6705 when viewed with a stylesheet-capable browser. When
6706 <acronym class="acronym">BIND</acronym> 9 is configured with --enable-newstats,
6707 a new XML schema is used (version 3) which adds additional
6708 zone statistics and uses a flatter tree for more efficient
6709 parsing. The stylesheet included uses the Google Charts API
6710 to render data into into charts and graphs when using a
6711 javascript-capable browser.
6714 Applications that depend on a particular XML schema
6716 <a href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2
6717 of the statistics XML schema or
6718 <a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3.
6719 If the requested schema is supported by the server, then
6720 it will respond; if not, it will return a "page not found"
6724 <div class="sect2" lang="en">
6725 <div class="titlepage"><div><div><h3 class="title">
6726 <a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
6727 <pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
6728 <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
6729 [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
6733 <div class="sect2" lang="en">
6734 <div class="titlepage"><div><div><h3 class="title">
6735 <a name="id2590642"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
6736 and Usage</h3></div></div></div>
6738 The <span><strong class="command">trusted-keys</strong></span> statement defines
6739 DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
6740 public key for a non-authoritative zone is known, but
6741 cannot be securely obtained through DNS, either because
6742 it is the DNS root zone or because its parent zone is
6743 unsigned. Once a key has been configured as a trusted
6744 key, it is treated as if it had been validated and
6745 proven secure. The resolver attempts DNSSEC validation
6746 on all DNS data in subdomains of a security root.
6749 All keys (and corresponding zones) listed in
6750 <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
6751 of what parent zones say. Similarly for all keys listed in
6752 <span><strong class="command">trusted-keys</strong></span> only those keys are
6753 used to validate the DNSKEY RRset. The parent's DS RRset
6757 The <span><strong class="command">trusted-keys</strong></span> statement can contain
6758 multiple key entries, each consisting of the key's
6759 domain name, flags, protocol, algorithm, and the Base-64
6760 representation of the key data.
6761 Spaces, tabs, newlines and carriage returns are ignored
6762 in the key data, so the configuration may be split up into
6766 <span><strong class="command">trusted-keys</strong></span> may be set at the top level
6767 of <code class="filename">named.conf</code> or within a view. If it is
6768 set in both places, they are additive: keys defined at the top
6769 level are inherited by all views, but keys defined in a view
6770 are only used within that view.
6773 <div class="sect2" lang="en">
6774 <div class="titlepage"><div><div><h3 class="title">
6775 <a name="id2590757"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
6776 <pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
6777 <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ;
6778 [<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>]
6782 <div class="sect2" lang="en">
6783 <div class="titlepage"><div><div><h3 class="title">
6784 <a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
6785 and Usage</h3></div></div></div>
6787 The <span><strong class="command">managed-keys</strong></span> statement, like
6788 <span><strong class="command">trusted-keys</strong></span>, defines DNSSEC
6789 security roots. The difference is that
6790 <span><strong class="command">managed-keys</strong></span> can be kept up to date
6791 automatically, without intervention from the resolver
6795 Suppose, for example, that a zone's key-signing
6796 key was compromised, and the zone owner had to revoke and
6797 replace the key. A resolver which had the old key in a
6798 <span><strong class="command">trusted-keys</strong></span> statement would be
6799 unable to validate this zone any longer; it would
6800 reply with a SERVFAIL response code. This would
6801 continue until the resolver operator had updated the
6802 <span><strong class="command">trusted-keys</strong></span> statement with the new key.
6805 If, however, the zone were listed in a
6806 <span><strong class="command">managed-keys</strong></span> statement instead, then the
6807 zone owner could add a "stand-by" key to the zone in advance.
6808 <span><strong class="command">named</strong></span> would store the stand-by key, and
6809 when the original key was revoked, <span><strong class="command">named</strong></span>
6810 would be able to transition smoothly to the new key. It would
6811 also recognize that the old key had been revoked, and cease
6812 using that key to validate answers, minimizing the damage that
6813 the compromised key could do.
6816 A <span><strong class="command">managed-keys</strong></span> statement contains a list of
6817 the keys to be managed, along with information about how the
6818 keys are to be initialized for the first time. The only
6819 initialization method currently supported (as of
6820 <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>.
6821 This means the <span><strong class="command">managed-keys</strong></span> statement must
6822 contain a copy of the initializing key. (Future releases may
6823 allow keys to be initialized by other methods, eliminating this
6827 Consequently, a <span><strong class="command">managed-keys</strong></span> statement
6828 appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing
6829 in the presence of the second field, containing the keyword
6830 <code class="literal">initial-key</code>. The difference is, whereas the
6831 keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be
6832 trusted until they are removed from
6833 <code class="filename">named.conf</code>, an initializing key listed
6834 in a <span><strong class="command">managed-keys</strong></span> statement is only trusted
6835 <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
6836 managed key database and start the RFC 5011 key maintenance
6840 The first time <span><strong class="command">named</strong></span> runs with a managed key
6841 configured in <code class="filename">named.conf</code>, it fetches the
6842 DNSKEY RRset directly from the zone apex, and validates it
6843 using the key specified in the <span><strong class="command">managed-keys</strong></span>
6844 statement. If the DNSKEY RRset is validly signed, then it is
6845 used as the basis for a new managed keys database.
6848 From that point on, whenever <span><strong class="command">named</strong></span> runs, it
6849 sees the <span><strong class="command">managed-keys</strong></span> statement, checks to
6850 make sure RFC 5011 key maintenance has already been initialized
6851 for the specified domain, and if so, it simply moves on. The
6852 key specified in the <span><strong class="command">managed-keys</strong></span> is not
6853 used to validate answers; it has been superseded by the key or
6854 keys stored in the managed keys database.
6857 The next time <span><strong class="command">named</strong></span> runs after a name
6858 has been <span class="emphasis"><em>removed</em></span> from the
6859 <span><strong class="command">managed-keys</strong></span> statement, the corresponding
6860 zone will be removed from the managed keys database,
6861 and RFC 5011 key maintenance will no longer be used for that
6865 <span><strong class="command">named</strong></span> only maintains a single managed keys
6866 database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>,
6867 <span><strong class="command">managed-keys</strong></span> may only be set at the top
6868 level of <code class="filename">named.conf</code>, not within a view.
6871 In the current implementation, the managed keys database is
6872 stored as a master-format zone file called
6873 <code class="filename">managed-keys.bind</code>. When the key database
6874 is changed, the zone is updated. As with any other dynamic
6875 zone, changes will be written into a journal file,
6876 <code class="filename">managed-keys.bind.jnl</code>. They are committed
6877 to the master file as soon as possible afterward; in the case
6878 of the managed key database, this will usually occur within 30
6879 seconds. So, whenever <span><strong class="command">named</strong></span> is using
6880 automatic key maintenance, those two files can be expected to
6881 exist in the working directory. (For this reason among others,
6882 the working directory should be always be writable by
6883 <span><strong class="command">named</strong></span>.)
6886 If the <span><strong class="command">dnssec-validation</strong></span> option is
6887 set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
6888 will automatically initialize a managed key for the
6889 root zone. Similarly, if the <span><strong class="command">dnssec-lookaside</strong></span>
6890 option is set to <strong class="userinput"><code>auto</code></strong>,
6891 <span><strong class="command">named</strong></span> will automatically initialize
6892 a managed key for the zone <code class="literal">dlv.isc.org</code>.
6893 In both cases, the key that is used to initialize the key
6894 maintenance process is built into <span><strong class="command">named</strong></span>,
6895 and can be overridden from <span><strong class="command">bindkeys-file</strong></span>.
6898 <div class="sect2" lang="en">
6899 <div class="titlepage"><div><div><h3 class="title">
6900 <a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
6901 <pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
6902 [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
6903 match-clients { <em class="replaceable"><code>address_match_list</code></em> };
6904 match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
6905 match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
6906 [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
6907 [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
6911 <div class="sect2" lang="en">
6912 <div class="titlepage"><div><div><h3 class="title">
6913 <a name="id2591192"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
6915 The <span><strong class="command">view</strong></span> statement is a powerful
6917 of <acronym class="acronym">BIND</acronym> 9 that lets a name server
6918 answer a DNS query differently
6919 depending on who is asking. It is particularly useful for
6921 split DNS setups without having to run multiple servers.
6924 Each <span><strong class="command">view</strong></span> statement defines a view
6926 DNS namespace that will be seen by a subset of clients. A client
6928 a view if its source IP address matches the
6929 <code class="varname">address_match_list</code> of the view's
6930 <span><strong class="command">match-clients</strong></span> clause and its
6931 destination IP address matches
6932 the <code class="varname">address_match_list</code> of the
6934 <span><strong class="command">match-destinations</strong></span> clause. If not
6936 <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
6937 default to matching all addresses. In addition to checking IP
6939 <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
6940 can also take <span><strong class="command">keys</strong></span> which provide an
6942 client to select the view. A view can also be specified
6943 as <span><strong class="command">match-recursive-only</strong></span>, which
6944 means that only recursive
6945 requests from matching clients will match that view.
6946 The order of the <span><strong class="command">view</strong></span> statements is
6948 a client request will be resolved in the context of the first
6949 <span><strong class="command">view</strong></span> that it matches.
6952 Zones defined within a <span><strong class="command">view</strong></span>
6954 only be accessible to clients that match the <span><strong class="command">view</strong></span>.
6955 By defining a zone of the same name in multiple views, different
6956 zone data can be given to different clients, for example,
6958 and "external" clients in a split DNS setup.
6961 Many of the options given in the <span><strong class="command">options</strong></span> statement
6962 can also be used within a <span><strong class="command">view</strong></span>
6964 apply only when resolving queries with that view. When no
6966 value is given, the value in the <span><strong class="command">options</strong></span> statement
6967 is used as a default. Also, zone options can have default values
6969 in the <span><strong class="command">view</strong></span> statement; these
6970 view-specific defaults
6971 take precedence over those in the <span><strong class="command">options</strong></span> statement.
6974 Views are class specific. If no class is given, class IN
6975 is assumed. Note that all non-IN views must contain a hint zone,
6976 since only the IN class has compiled-in default hints.
6979 If there are no <span><strong class="command">view</strong></span> statements in
6981 file, a default view that matches any client is automatically
6983 in class IN. Any <span><strong class="command">zone</strong></span> statements
6985 the top level of the configuration file are considered to be part
6987 this default view, and the <span><strong class="command">options</strong></span>
6989 apply to the default view. If any explicit <span><strong class="command">view</strong></span>
6990 statements are present, all <span><strong class="command">zone</strong></span>
6992 occur inside <span><strong class="command">view</strong></span> statements.
6995 Here is an example of a typical split DNS setup implemented
6996 using <span><strong class="command">view</strong></span> statements:
6998 <pre class="programlisting">view "internal" {
6999 // This should match our internal networks.
7000 match-clients { 10.0.0.0/8; };
7002 // Provide recursive service to internal
7006 // Provide a complete view of the example.com
7007 // zone including addresses of internal hosts.
7008 zone "example.com" {
7010 file "example-internal.db";
7015 // Match all clients not matched by the
7017 match-clients { any; };
7019 // Refuse recursive service to external clients.
7022 // Provide a restricted view of the example.com
7023 // zone containing only publicly accessible hosts.
7024 zone "example.com" {
7026 file "example-external.db";
7031 <div class="sect2" lang="en">
7032 <div class="titlepage"><div><div><h3 class="title">
7033 <a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
7034 Statement Grammar</h3></div></div></div>
7035 <pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7037 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7038 [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7039 [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7040 [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7041 [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7042 [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7043 [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
7044 [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
7045 [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
7046 [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
7047 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
7048 [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
7049 [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7050 [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
7051 [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7052 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
7053 [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
7054 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
7055 [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
7056 [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
7057 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
7058 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
7059 [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
7060 [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7061 [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
7062 [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7063 [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7064 [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
7065 [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
7066 [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
7067 [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
7068 [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
7069 [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7070 [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
7071 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7072 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7073 [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
7074 [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
7075 [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
7076 [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
7077 [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
7078 [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
7079 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7080 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7081 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7082 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7083 [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
7084 [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
7085 [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7086 [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7087 [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>; </span>]
7090 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7092 [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7093 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7094 [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7095 [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7096 [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7097 [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
7098 [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7099 [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7100 [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>]
7101 [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7102 [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7103 [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
7104 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
7105 [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
7106 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
7107 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
7108 [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
7109 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
7110 [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
7111 [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
7112 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
7113 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
7114 [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
7115 [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7116 [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
7117 [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7118 [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
7119 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
7120 [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
7121 [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
7122 [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
7123 [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
7124 [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
7125 [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
7126 [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
7127 [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
7128 [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7129 [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
7130 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7131 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7132 [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7133 [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
7134 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7135 [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7136 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7137 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7138 [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>]
7139 [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
7140 [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
7141 [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
7142 [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
7143 [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
7144 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7145 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7146 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7147 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7148 [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
7149 [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
7150 [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7151 [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7152 [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7155 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7157 file <em class="replaceable"><code>string</code></em> ;
7158 [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7159 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
7162 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7164 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7165 [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7166 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
7167 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
7168 [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7169 [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
7170 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
7171 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
7172 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
7173 [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
7174 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
7175 [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
7176 [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
7177 [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
7178 [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
7179 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7180 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
7181 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7182 [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7183 [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
7184 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
7185 [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
7186 [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7187 [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
7188 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7189 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
7190 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7191 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
7192 [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7195 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7197 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7198 [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
7199 [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
7200 [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7203 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7205 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
7206 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
7207 [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
7210 zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7212 file <em class="replaceable"><code>string</code></em> ;
7213 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
7214 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
7217 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
7218 type delegation-only;
7223 <div class="sect2" lang="en">
7224 <div class="titlepage"><div><div><h3 class="title">
7225 <a name="id2592901"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
7226 <div class="sect3" lang="en">
7227 <div class="titlepage"><div><div><h4 class="title">
7228 <a name="id2592908"></a>Zone Types</h4></div></div></div>
7229 <div class="informaltable"><table border="1">
7238 <code class="varname">master</code>
7243 The server has a master copy of the data
7244 for the zone and will be able to provide authoritative
7253 <code class="varname">slave</code>
7258 A slave zone is a replica of a master
7259 zone. The <span><strong class="command">masters</strong></span> list
7260 specifies one or more IP addresses
7261 of master servers that the slave contacts to update
7262 its copy of the zone.
7263 Masters list elements can also be names of other
7265 By default, transfers are made from port 53 on the
7267 be changed for all servers by specifying a port number
7269 list of IP addresses, or on a per-server basis after
7271 Authentication to the master can also be done with
7272 per-server TSIG keys.
7273 If a file is specified, then the
7274 replica will be written to this file whenever the zone
7276 and reloaded from this file on a server restart. Use
7278 recommended, since it often speeds server startup and
7280 a needless waste of bandwidth. Note that for large
7282 tens or hundreds of thousands) of zones per server, it
7284 use a two-level naming scheme for zone filenames. For
7286 a slave server for the zone <code class="literal">example.com</code> might place
7287 the zone contents into a file called
7288 <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
7289 just the first two letters of the zone name. (Most
7291 behave very slowly if you put 100000 files into
7292 a single directory.)
7299 <code class="varname">stub</code>
7304 A stub zone is similar to a slave zone,
7305 except that it replicates only the NS records of a
7307 of the entire zone. Stub zones are not a standard part
7309 they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
7313 Stub zones can be used to eliminate the need for glue
7315 in a parent zone at the expense of maintaining a stub
7317 a set of name server addresses in <code class="filename">named.conf</code>.
7318 This usage is not recommended for new configurations,
7320 supports it only in a limited way.
7321 In <acronym class="acronym">BIND</acronym> 4/8, zone
7322 transfers of a parent zone
7323 included the NS records from stub children of that
7325 that, in some cases, users could get away with
7326 configuring child stubs
7327 only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
7328 9 never mixes together zone data from different zones
7330 way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
7331 zone has child stub zones configured, all the slave
7333 parent zone also need to have the same child stub
7339 Stub zones can also be used as a way of forcing the
7341 of a given domain to use a particular set of
7342 authoritative servers.
7343 For example, the caching name servers on a private
7345 RFC1918 addressing may be configured with stub zones
7347 <code class="literal">10.in-addr.arpa</code>
7348 to use a set of internal name servers as the
7350 servers for that domain.
7357 <code class="varname">static-stub</code>
7362 A static-stub zone is similar to a stub zone
7363 with the following exceptions:
7364 the zone data is statically configured, rather
7365 than transferred from a master server;
7366 when recursion is necessary for a query that
7367 matches a static-stub zone, the locally
7368 configured data (nameserver names and glue addresses)
7369 is always used even if different authoritative
7370 information is cached.
7373 Zone data is configured via the
7374 <span><strong class="command">server-addresses</strong></span> and
7375 <span><strong class="command">server-names</strong></span> zone options.
7378 The zone data is maintained in the form of NS
7379 and (if necessary) glue A or AAAA RRs
7380 internally, which can be seen by dumping zone
7381 databases by <span><strong class="command">rndc dumpdb -all</strong></span>.
7382 The configured RRs are considered local configuration
7383 parameters rather than public data.
7384 Non recursive queries (i.e., those with the RD
7385 bit off) to a static-stub zone are therefore
7386 prohibited and will be responded with REFUSED.
7389 Since the data is statically configured, no
7390 zone maintenance action takes place for a static-stub
7392 For example, there is no periodic refresh
7393 attempt, and an incoming notify message
7394 will be rejected with an rcode of NOTAUTH.
7397 Each static-stub zone is configured with
7398 internally generated NS and (if necessary)
7406 <code class="varname">forward</code>
7411 A "forward zone" is a way to configure
7412 forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
7413 of type <span><strong class="command">forward</strong></span> can
7414 contain a <span><strong class="command">forward</strong></span>
7415 and/or <span><strong class="command">forwarders</strong></span>
7417 which will apply to queries within the domain given by
7419 name. If no <span><strong class="command">forwarders</strong></span>
7420 statement is present or
7421 an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
7422 forwarding will be done for the domain, canceling the
7424 any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
7425 if you want to use this type of zone to change the
7427 global <span><strong class="command">forward</strong></span> option
7428 (that is, "forward first"
7429 to, then "forward only", or vice versa, but want to
7431 servers as set globally) you need to re-specify the
7439 <code class="varname">hint</code>
7444 The initial set of root name servers is
7445 specified using a "hint zone". When the server starts
7447 the root hints to find a root name server and get the
7449 list of root name servers. If no hint zone is
7451 IN, the server uses a compiled-in default set of root
7453 Classes other than IN have no built-in defaults hints.
7460 <code class="varname">redirect</code>
7465 Redirect zones are used to provide answers to
7466 queries when normal resolution would result in
7467 NXDOMAIN being returned.
7468 Only one redirect zone is supported
7469 per view. <span><strong class="command">allow-query</strong></span> can be
7470 used to restrict which clients see these answers.
7473 If the client has requested DNSSEC records (DO=1) and
7474 the NXDOMAIN response is signed then no substitution
7478 To redirect all NXDOMAIN responses to
7480 2001:ffff:ffff::100.100.100.2, one would
7481 configure a type redirect zone named ".",
7482 with the zone file containing wildcard records
7483 that point to the desired addresses:
7484 <code class="literal">"*. IN A 100.100.100.2"</code>
7486 <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>.
7489 To redirect all Spanish names (under .ES) one
7490 would use similar entries but with the names
7491 "*.ES." instead of "*.". To redirect all
7492 commercial Spanish names (under COM.ES) one
7493 would use wildcard entries called "*.COM.ES.".
7496 Note that the redirect zone supports all
7497 possible types; it is not limited to A and
7501 Because redirect zones are not referenced
7502 directly by name, they are not kept in the
7503 zone lookup table with normal master and slave
7504 zones. Consequently, it is not currently possible
7506 <span><strong class="command">rndc reload
7507 <em class="replaceable"><code>zonename</code></em></strong></span>
7508 to reload a redirect zone. However, when using
7509 <span><strong class="command">rndc reload</strong></span> without specifying
7510 a zone name, redirect zones will be reloaded along
7518 <code class="varname">delegation-only</code>
7523 This is used to enforce the delegation-only
7524 status of infrastructure zones (e.g. COM,
7525 NET, ORG). Any answer that is received
7526 without an explicit or implicit delegation
7527 in the authority section will be treated
7528 as NXDOMAIN. This does not apply to the
7529 zone apex. This should not be applied to
7533 <code class="varname">delegation-only</code> has no
7534 effect on answers received from forwarders.
7537 See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
7544 <div class="sect3" lang="en">
7545 <div class="titlepage"><div><div><h4 class="title">
7546 <a name="id2593653"></a>Class</h4></div></div></div>
7548 The zone's name may optionally be followed by a class. If
7549 a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
7550 is assumed. This is correct for the vast majority of cases.
7553 The <code class="literal">hesiod</code> class is
7554 named for an information service from MIT's Project Athena. It
7556 used to share information about various systems databases, such
7557 as users, groups, printers and so on. The keyword
7558 <code class="literal">HS</code> is
7559 a synonym for hesiod.
7562 Another MIT development is Chaosnet, a LAN protocol created
7563 in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
7566 <div class="sect3" lang="en">
7567 <div class="titlepage"><div><div><h4 class="title">
7568 <a name="id2593686"></a>Zone Options</h4></div></div></div>
7569 <div class="variablelist"><dl>
7570 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
7572 See the description of
7573 <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
7575 <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
7577 See the description of
7578 <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
7580 <dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
7582 See the description of
7583 <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
7585 <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
7587 See the description of <span><strong class="command">allow-transfer</strong></span>
7588 in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
7590 <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
7592 See the description of <span><strong class="command">allow-update</strong></span>
7593 in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
7595 <dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
7597 Specifies a "Simple Secure Update" policy. See
7598 <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
7600 <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
7602 See the description of <span><strong class="command">allow-update-forwarding</strong></span>
7603 in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
7605 <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
7607 Only meaningful if <span><strong class="command">notify</strong></span>
7609 active for this zone. The set of machines that will
7611 <code class="literal">DNS NOTIFY</code> message
7612 for this zone is made up of all the listed name servers
7614 the primary master) for the zone plus any IP addresses
7616 with <span><strong class="command">also-notify</strong></span>. A port
7618 with each <span><strong class="command">also-notify</strong></span>
7619 address to send the notify
7620 messages to a port other than the default of 53.
7621 A TSIG key may also be specified to cause the
7622 <code class="literal">NOTIFY</code> to be signed by the
7624 <span><strong class="command">also-notify</strong></span> is not
7625 meaningful for stub zones.
7626 The default is the empty list.
7628 <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
7630 This option is used to restrict the character set and
7632 certain domain names in master files and/or DNS responses
7634 network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
7635 zones the default is <span><strong class="command">warn</strong></span>.
7636 It is not implemented for <span><strong class="command">hint</strong></span> zones.
7638 <dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
7640 See the description of
7641 <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7643 <dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt>
7645 See the description of
7646 <span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7648 <dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
7650 See the description of
7651 <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7653 <dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
7655 See the description of
7656 <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7658 <dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
7660 See the description of
7661 <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7663 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
7665 See the description of
7666 <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7668 <dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
7670 See the description of
7671 <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7673 <dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt>
7675 See the description of
7676 <span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
7677 Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
7680 <dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
7682 See the description of
7683 <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7685 <dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
7687 See the description of
7688 <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7690 <dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
7693 Specify the type of database to be used for storing the
7694 zone data. The string following the <span><strong class="command">database</strong></span> keyword
7695 is interpreted as a list of whitespace-delimited words.
7697 identifies the database type, and any subsequent words are
7699 as arguments to the database to be interpreted in a way
7701 to the database type.
7704 The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
7706 red-black-tree database. This database does not take
7710 Other values are possible if additional database drivers
7711 have been linked into the server. Some sample drivers are
7713 with the distribution but none are linked in by default.
7716 <dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
7718 See the description of
7719 <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7721 <dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
7724 The flag only applies to forward, hint and stub
7725 zones. If set to <strong class="userinput"><code>yes</code></strong>,
7726 then the zone will also be treated as if it is
7727 also a delegation-only type zone.
7730 See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
7733 <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
7735 Only meaningful if the zone has a forwarders
7736 list. The <span><strong class="command">only</strong></span> value causes
7738 after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
7739 allow a normal lookup to be tried.
7741 <dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
7743 Used to override the list of global forwarders.
7744 If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
7745 no forwarding is done for the zone and the global options are
7748 <dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
7750 Was used in <acronym class="acronym">BIND</acronym> 8 to
7752 of the transaction log (journal) file for dynamic update
7754 <acronym class="acronym">BIND</acronym> 9 ignores the option
7755 and constructs the name of the journal
7756 file by appending "<code class="filename">.jnl</code>"
7760 <dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
7762 Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
7763 Ignored in <acronym class="acronym">BIND</acronym> 9.
7765 <dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
7767 Allow the default journal's filename to be overridden.
7768 The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
7769 This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
7771 <dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
7773 See the description of
7774 <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
7776 <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
7778 See the description of
7779 <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7781 <dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
7783 See the description of
7784 <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7786 <dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
7788 See the description of
7789 <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7791 <dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
7793 See the description of
7794 <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7796 <dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
7798 See the description of
7799 <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7801 <dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
7803 See the description of
7804 <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
7806 <dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
7808 See the description of
7809 <span><strong class="command">notify-to-soa</strong></span> in
7810 <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7812 <dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
7814 In <acronym class="acronym">BIND</acronym> 8, this option was
7815 intended for specifying
7816 a public zone key for verification of signatures in DNSSEC
7818 zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
7819 on load and ignores the option.
7821 <dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
7823 If <strong class="userinput"><code>yes</code></strong>, the server will keep
7825 information for this zone, which can be dumped to the
7826 <span><strong class="command">statistics-file</strong></span> defined in
7829 <dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt>
7832 Only meaningful for static-stub zones.
7833 This is a list of IP addresses to which queries
7834 should be sent in recursive resolution for the
7836 A non empty list for this option will internally
7837 configure the apex NS RR with associated glue A or
7841 For example, if "example.com" is configured as a
7842 static-stub zone with 192.0.2.1 and 2001:db8::1234
7843 in a <span><strong class="command">server-addresses</strong></span> option,
7844 the following RRs will be internally configured.
7846 <pre class="programlisting">example.com. NS example.com.
7847 example.com. A 192.0.2.1
7848 example.com. AAAA 2001:db8::1234</pre>
7850 These records are internally used to resolve
7851 names under the static-stub zone.
7852 For instance, if the server receives a query for
7853 "www.example.com" with the RD bit on, the server
7854 will initiate recursive resolution and send
7855 queries to 192.0.2.1 and/or 2001:db8::1234.
7858 <dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt>
7861 Only meaningful for static-stub zones.
7862 This is a list of domain names of nameservers that
7863 act as authoritative servers of the static-stub
7865 These names will be resolved to IP addresses when
7866 <span><strong class="command">named</strong></span> needs to send queries to
7868 To make this supplemental resolution successful,
7869 these names must not be a subdomain of the origin
7870 name of static-stub zone.
7871 That is, when "example.net" is the origin of a
7872 static-stub zone, "ns.example" and
7873 "master.example.com" can be specified in the
7874 <span><strong class="command">server-names</strong></span> option, but
7875 "ns.example.net" cannot, and will be rejected by
7876 the configuration parser.
7879 A non empty list for this option will internally
7880 configure the apex NS RR with the specified names.
7881 For example, if "example.com" is configured as a
7882 static-stub zone with "ns1.example.net" and
7884 in a <span><strong class="command">server-names</strong></span> option,
7885 the following RRs will be internally configured.
7887 <pre class="programlisting">example.com. NS ns1.example.net.
7888 example.com. NS ns2.example.net.
7891 These records are internally used to resolve
7892 names under the static-stub zone.
7893 For instance, if the server receives a query for
7894 "www.example.com" with the RD bit on, the server
7895 initiate recursive resolution,
7896 resolve "ns1.example.net" and/or
7897 "ns2.example.net" to IP addresses, and then send
7898 queries to (one or more of) these addresses.
7901 <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
7903 See the description of
7904 <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
7906 <dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
7908 See the description of
7909 <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
7911 <dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
7913 See the description of
7914 <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
7916 <dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
7918 See the description of
7919 <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
7921 <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
7923 See the description of
7924 <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7926 <dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
7928 See the description of
7929 <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7931 <dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
7933 See the description of
7934 <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7936 <dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
7938 See the description of
7939 <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7941 <dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
7943 See the description of
7944 <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7946 <dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
7948 See the description of
7949 <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7951 <dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
7953 See the description of
7954 <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
7957 <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
7960 See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
7962 <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
7964 See the description of
7965 <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
7966 (Note that the <span><strong class="command">ixfr-from-differences</strong></span>
7967 <strong class="userinput"><code>master</code></strong> and
7968 <strong class="userinput"><code>slave</code></strong> choices are not
7969 available at the zone level.)
7971 <dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
7973 See the description of
7974 <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
7975 Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
7978 <dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt>
7981 Zones configured for dynamic DNS may also use this
7982 option to allow varying levels of automatic DNSSEC key
7983 management. There are three possible settings:
7986 <span><strong class="command">auto-dnssec allow;</strong></span> permits
7987 keys to be updated and the zone fully re-signed
7988 whenever the user issues the command <span><strong class="command">rndc sign
7989 <em class="replaceable"><code>zonename</code></em></strong></span>.
7992 <span><strong class="command">auto-dnssec maintain;</strong></span> includes the
7993 above, but also automatically adjusts the zone's DNSSEC
7994 keys on schedule, according to the keys' timing metadata
7995 (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
7996 <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
7997 <span><strong class="command">rndc sign
7998 <em class="replaceable"><code>zonename</code></em></strong></span> causes
7999 <span><strong class="command">named</strong></span> to load keys from the key
8000 repository and sign the zone with all keys that are
8002 <span><strong class="command">rndc loadkeys
8003 <em class="replaceable"><code>zonename</code></em></strong></span> causes
8004 <span><strong class="command">named</strong></span> to load keys from the key
8005 repository and schedule key maintenance events to occur
8006 in the future, but it does not sign the full zone
8007 immediately. Note: once keys have been loaded for a
8008 zone the first time, the repository will be searched
8009 for changes periodically, regardless of whether
8010 <span><strong class="command">rndc loadkeys</strong></span> is used. The recheck
8011 interval is defined by
8012 <span><strong class="command">dnssec-loadkeys-interval</strong></span>.)
8015 The default setting is <span><strong class="command">auto-dnssec off</strong></span>.
8018 <dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt>
8021 Zones configured for dynamic DNS may use this
8022 option to set the update method that will be used for
8023 the zone serial number in the SOA record.
8026 With the default setting of
8027 <span><strong class="command">serial-update-method increment;</strong></span>, the
8028 SOA serial number will be incremented by one each time
8029 the zone is updated.
8033 <span><strong class="command">serial-update-method unixtime;</strong></span>, the
8034 SOA serial number will be set to the number of seconds
8035 since the UNIX epoch, unless the serial number is
8036 already greater than or equal to that value, in which
8037 case it is simply incremented by one.
8040 <dt><span class="term"><span><strong class="command">inline-signing</strong></span></span></dt>
8042 If <code class="literal">yes</code>, this enables
8043 "bump in the wire" signing of a zone, where a
8044 unsigned zone is transferred in or loaded from
8045 disk and a signed version of the zone is served,
8046 with possibly, a different serial number. This
8047 behaviour is disabled by default.
8049 <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
8051 See the description of <span><strong class="command">multi-master</strong></span> in
8052 <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
8054 <dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
8056 See the description of <span><strong class="command">masterfile-format</strong></span>
8057 in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
8059 <dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
8061 See the description of
8062 <span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
8066 <div class="sect3" lang="en">
8067 <div class="titlepage"><div><div><h4 class="title">
8068 <a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
8069 <p><acronym class="acronym">BIND</acronym> 9 supports two alternative
8070 methods of granting clients the right to perform
8071 dynamic updates to a zone, configured by the
8072 <span><strong class="command">allow-update</strong></span> and
8073 <span><strong class="command">update-policy</strong></span> option, respectively.
8076 The <span><strong class="command">allow-update</strong></span> clause works the
8077 same way as in previous versions of <acronym class="acronym">BIND</acronym>.
8078 It grants given clients the permission to update any
8079 record of any name in the zone.
8082 The <span><strong class="command">update-policy</strong></span> clause
8083 allows more fine-grained control over what updates are
8084 allowed. A set of rules is specified, where each rule
8085 either grants or denies permissions for one or more
8086 names to be updated by one or more identities. If
8087 the dynamic update request message is signed (that is,
8088 it includes either a TSIG or SIG(0) record), the
8089 identity of the signer can be determined.
8092 Rules are specified in the <span><strong class="command">update-policy</strong></span>
8093 zone option, and are only meaningful for master zones.
8094 When the <span><strong class="command">update-policy</strong></span> statement
8095 is present, it is a configuration error for the
8096 <span><strong class="command">allow-update</strong></span> statement to be
8097 present. The <span><strong class="command">update-policy</strong></span> statement
8098 only examines the signer of a message; the source
8099 address is not relevant.
8102 There is a pre-defined <span><strong class="command">update-policy</strong></span>
8103 rule which can be switched on with the command
8104 <span><strong class="command">update-policy local;</strong></span>.
8105 Switching on this rule in a zone causes
8106 <span><strong class="command">named</strong></span> to generate a TSIG session
8107 key and place it in a file, and to allow that key
8108 to update the zone. (By default, the file is
8109 <code class="filename">/var/run/named/session.key</code>, the key
8110 name is "local-ddns" and the key algorithm is HMAC-SHA256,
8111 but these values are configurable with the
8112 <span><strong class="command">session-keyfile</strong></span>,
8113 <span><strong class="command">session-keyname</strong></span> and
8114 <span><strong class="command">session-keyalg</strong></span> options, respectively).
8117 A client running on the local system, and with appropriate
8118 permissions, may read that file and use the key to sign update
8119 requests. The zone's update policy will be set to allow that
8120 key to change any record within the zone. Assuming the
8121 key name is "local-ddns", this policy is equivalent to:
8123 <pre class="programlisting">update-policy { grant local-ddns zonesub any; };
8126 The command <span><strong class="command">nsupdate -l</strong></span> sends update
8127 requests to localhost, and signs them using the session key.
8130 Other rule definitions look like this:
8132 <pre class="programlisting">
8133 ( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
8136 Each rule grants or denies privileges. Once a message has
8137 successfully matched a rule, the operation is immediately
8138 granted or denied and no further rules are examined. A rule
8139 is matched when the signer matches the identity field, the
8140 name matches the name field in accordance with the nametype
8141 field, and the type matches the types specified in the type
8145 No signer is required for <em class="replaceable"><code>tcp-self</code></em>
8146 or <em class="replaceable"><code>6to4-self</code></em> however the standard
8147 reverse mapping / prefix conversion must match the identity
8151 The identity field specifies a name or a wildcard
8152 name. Normally, this is the name of the TSIG or
8153 SIG(0) key used to sign the update request. When a
8154 TKEY exchange has been used to create a shared secret,
8155 the identity of the shared secret is the same as the
8156 identity of the key used to authenticate the TKEY
8157 exchange. TKEY is also the negotiation method used
8158 by GSS-TSIG, which establishes an identity that is
8159 the Kerberos principal of the client, such as
8160 <strong class="userinput"><code>"user@host.domain"</code></strong>. When the
8161 <em class="replaceable"><code>identity</code></em> field specifies
8162 a wildcard name, it is subject to DNS wildcard
8163 expansion, so the rule will apply to multiple identities.
8164 The <em class="replaceable"><code>identity</code></em> field must
8165 contain a fully-qualified domain name.
8168 For nametypes <code class="varname">krb5-self</code>,
8169 <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
8170 and <code class="varname">ms-subdomain</code> the
8171 <em class="replaceable"><code>identity</code></em> field specifies
8172 the Windows or Kerberos realm of the machine belongs to.
8175 The <em class="replaceable"><code>nametype</code></em> field has 13
8177 <code class="varname">name</code>, <code class="varname">subdomain</code>,
8178 <code class="varname">wildcard</code>, <code class="varname">self</code>,
8179 <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
8180 <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
8181 <code class="varname">krb5-subdomain</code>,
8182 <code class="varname">ms-subdomain</code>,
8183 <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
8184 <code class="varname">zonesub</code>, and <code class="varname">external</code>.
8186 <div class="informaltable"><table border="1">
8195 <code class="varname">name</code>
8200 Exact-match semantics. This rule matches
8201 when the name being updated is identical
8202 to the contents of the
8203 <em class="replaceable"><code>name</code></em> field.
8210 <code class="varname">subdomain</code>
8215 This rule matches when the name being updated
8216 is a subdomain of, or identical to, the
8217 contents of the <em class="replaceable"><code>name</code></em>
8225 <code class="varname">zonesub</code>
8230 This rule is similar to subdomain, except that
8231 it matches when the name being updated is a
8232 subdomain of the zone in which the
8233 <span><strong class="command">update-policy</strong></span> statement
8234 appears. This obviates the need to type the zone
8235 name twice, and enables the use of a standard
8236 <span><strong class="command">update-policy</strong></span> statement in
8237 multiple zones without modification.
8240 When this rule is used, the
8241 <em class="replaceable"><code>name</code></em> field is omitted.
8248 <code class="varname">wildcard</code>
8253 The <em class="replaceable"><code>name</code></em> field
8254 is subject to DNS wildcard expansion, and
8255 this rule matches when the name being updated
8256 name is a valid expansion of the wildcard.
8263 <code class="varname">self</code>
8268 This rule matches when the name being updated
8269 matches the contents of the
8270 <em class="replaceable"><code>identity</code></em> field.
8271 The <em class="replaceable"><code>name</code></em> field
8272 is ignored, but should be the same as the
8273 <em class="replaceable"><code>identity</code></em> field.
8274 The <code class="varname">self</code> nametype is
8275 most useful when allowing using one key per
8276 name to update, where the key has the same
8277 name as the name to be updated. The
8278 <em class="replaceable"><code>identity</code></em> would
8279 be specified as <code class="constant">*</code> (an asterisk) in
8287 <code class="varname">selfsub</code>
8292 This rule is similar to <code class="varname">self</code>
8293 except that subdomains of <code class="varname">self</code>
8294 can also be updated.
8301 <code class="varname">selfwild</code>
8306 This rule is similar to <code class="varname">self</code>
8307 except that only subdomains of
8308 <code class="varname">self</code> can be updated.
8315 <code class="varname">ms-self</code>
8320 This rule takes a Windows machine principal
8321 (machine$@REALM) for machine in REALM and
8322 and converts it machine.realm allowing the machine
8323 to update machine.realm. The REALM to be matched
8324 is specified in the <em class="replaceable"><code>identity</code></em>
8332 <code class="varname">ms-subdomain</code>
8337 This rule takes a Windows machine principal
8338 (machine$@REALM) for machine in REALM and
8339 converts it to machine.realm allowing the machine
8340 to update subdomains of machine.realm. The REALM
8341 to be matched is specified in the
8342 <em class="replaceable"><code>identity</code></em> field.
8349 <code class="varname">krb5-self</code>
8354 This rule takes a Kerberos machine principal
8355 (host/machine@REALM) for machine in REALM and
8356 and converts it machine.realm allowing the machine
8357 to update machine.realm. The REALM to be matched
8358 is specified in the <em class="replaceable"><code>identity</code></em>
8366 <code class="varname">krb5-subdomain</code>
8371 This rule takes a Kerberos machine principal
8372 (host/machine@REALM) for machine in REALM and
8373 converts it to machine.realm allowing the machine
8374 to update subdomains of machine.realm. The REALM
8375 to be matched is specified in the
8376 <em class="replaceable"><code>identity</code></em> field.
8383 <code class="varname">tcp-self</code>
8388 Allow updates that have been sent via TCP and
8389 for which the standard mapping from the initiating
8390 IP address into the IN-ADDR.ARPA and IP6.ARPA
8391 namespaces match the name to be updated.
8393 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
8394 <h3 class="title">Note</h3>
8395 It is theoretically possible to spoof these TCP
8403 <code class="varname">6to4-self</code>
8408 Allow the 6to4 prefix to be update by any TCP
8409 connection from the 6to4 network or from the
8410 corresponding IPv4 address. This is intended
8411 to allow NS or DNAME RRsets to be added to the
8414 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
8415 <h3 class="title">Note</h3>
8416 It is theoretically possible to spoof these TCP
8424 <code class="varname">external</code>
8429 This rule allows <span><strong class="command">named</strong></span>
8430 to defer the decision of whether to allow a
8431 given update to an external daemon.
8434 The method of communicating with the daemon is
8435 specified in the <em class="replaceable"><code>identity</code></em>
8436 field, the format of which is
8437 "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
8438 where <em class="replaceable"><code>path</code></em> is the location
8439 of a UNIX-domain socket. (Currently, "local" is the
8440 only supported mechanism.)
8443 Requests to the external daemon are sent over the
8444 UNIX-domain socket as datagrams with the following
8447 <pre class="programlisting">
8448 Protocol version number (4 bytes, network byte order, currently 1)
8449 Request length (4 bytes, network byte order)
8450 Signer (null-terminated string)
8451 Name (null-terminated string)
8452 TCP source address (null-terminated string)
8453 Rdata type (null-terminated string)
8454 Key (null-terminated string)
8455 TKEY token length (4 bytes, network byte order)
8456 TKEY token (remainder of packet)</pre>
8458 The daemon replies with a four-byte value in
8459 network byte order, containing either 0 or 1; 0
8460 indicates that the specified update is not
8461 permitted, and 1 indicates that it is.
8468 In all cases, the <em class="replaceable"><code>name</code></em>
8469 field must specify a fully-qualified domain name.
8472 If no types are explicitly specified, this rule matches
8473 all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
8474 may be specified by name, including "ANY" (ANY matches
8475 all types except NSEC and NSEC3, which can never be
8476 updated). Note that when an attempt is made to delete
8477 all records associated with a name, the rules are
8478 checked for each existing record type.
8483 <div class="sect1" lang="en">
8484 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
8485 <a name="id2596587"></a>Zone File</h2></div></div></div>
8486 <div class="sect2" lang="en">
8487 <div class="titlepage"><div><div><h3 class="title">
8488 <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
8490 This section, largely borrowed from RFC 1034, describes the
8491 concept of a Resource Record (RR) and explains when each is used.
8492 Since the publication of RFC 1034, several new RRs have been
8494 and implemented in the DNS. These are also included.
8496 <div class="sect3" lang="en">
8497 <div class="titlepage"><div><div><h4 class="title">
8498 <a name="id2596605"></a>Resource Records</h4></div></div></div>
8500 A domain name identifies a node. Each node has a set of
8501 resource information, which may be empty. The set of resource
8502 information associated with a particular name is composed of
8503 separate RRs. The order of RRs in a set is not significant and
8504 need not be preserved by name servers, resolvers, or other
8505 parts of the DNS. However, sorting of multiple RRs is
8506 permitted for optimization purposes, for example, to specify
8507 that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
8510 The components of a Resource Record are:
8512 <div class="informaltable"><table border="1">
8526 The domain name where the RR is found.
8538 An encoded 16-bit value that specifies
8539 the type of the resource record.
8551 The time-to-live of the RR. This field
8552 is a 32-bit integer in units of seconds, and is
8554 resolvers when they cache RRs. The TTL describes how
8556 be cached before it should be discarded.
8568 An encoded 16-bit value that identifies
8569 a protocol family or instance of a protocol.
8581 The resource data. The format of the
8582 data is type (and sometimes class) specific.
8589 The following are <span class="emphasis"><em>types</em></span> of valid RRs:
8591 <div class="informaltable"><table border="1">
8605 A host address. In the IN class, this is a
8606 32-bit IP address. Described in RFC 1035.
8618 IPv6 address. Described in RFC 1886.
8630 IPv6 address. This can be a partial
8631 address (a suffix) and an indirection to the name
8632 where the rest of the
8633 address (the prefix) can be found. Experimental.
8634 Described in RFC 2874.
8646 Location of AFS database servers.
8647 Experimental. Described in RFC 1183.
8659 Address prefix list. Experimental.
8660 Described in RFC 3123.
8672 Holds a digital certificate.
8673 Described in RFC 2538.
8685 Identifies the canonical name of an alias.
8686 Described in RFC 1035.
8698 Is used for identifying which DHCP client is
8699 associated with this name. Described in RFC 4701.
8711 Replaces the domain name specified with
8712 another name to be looked up, effectively aliasing an
8714 subtree of the domain name space rather than a single
8716 as in the case of the CNAME RR.
8717 Described in RFC 2672.
8729 Stores a public key associated with a signed
8730 DNS zone. Described in RFC 4034.
8742 Stores the hash of a public key associated with a
8743 signed DNS zone. Described in RFC 4034.
8755 Specifies the global position. Superseded by LOC.
8767 Identifies the CPU and OS used by a host.
8768 Described in RFC 1035.
8780 Provides a method for storing IPsec keying material in
8781 DNS. Described in RFC 4025.
8793 Representation of ISDN addresses.
8794 Experimental. Described in RFC 1183.
8806 Stores a public key associated with a
8807 DNS name. Used in original DNSSEC; replaced
8808 by DNSKEY in DNSSECbis, but still used with
8809 SIG(0). Described in RFCs 2535 and 2931.
8821 Identifies a key exchanger for this
8822 DNS name. Described in RFC 2230.
8834 For storing GPS info. Described in RFC 1876.
8847 Identifies a mail exchange for the domain with
8848 a 16-bit preference value (lower is better)
8849 followed by the host name of the mail exchange.
8850 Described in RFC 974, RFC 1035.
8862 Name authority pointer. Described in RFC 2915.
8874 A network service access point.
8875 Described in RFC 1706.
8887 The authoritative name server for the
8888 domain. Described in RFC 1035.
8900 Used in DNSSECbis to securely indicate that
8901 RRs with an owner name in a certain name interval do
8903 a zone and indicate what RR types are present for an
8905 Described in RFC 4034.
8917 Used in DNSSECbis to securely indicate that
8918 RRs with an owner name in a certain name
8919 interval do not exist in a zone and indicate
8920 what RR types are present for an existing
8921 name. NSEC3 differs from NSEC in that it
8922 prevents zone enumeration but is more
8923 computationally expensive on both the server
8924 and the client than NSEC. Described in RFC
8937 Used in DNSSECbis to tell the authoritative
8938 server which NSEC3 chains are available to use.
8939 Described in RFC 5155.
8951 Used in DNSSEC to securely indicate that
8952 RRs with an owner name in a certain name interval do
8954 a zone and indicate what RR types are present for an
8956 Used in original DNSSEC; replaced by NSEC in
8958 Described in RFC 2535.
8970 A pointer to another part of the domain
8971 name space. Described in RFC 1035.
8983 Provides mappings between RFC 822 and X.400
8984 addresses. Described in RFC 2163.
8996 Information on persons responsible
8997 for the domain. Experimental. Described in RFC 1183.
9009 Contains DNSSECbis signature data. Described
9022 Route-through binding for hosts that
9023 do not have their own direct wide area network
9025 Experimental. Described in RFC 1183.
9037 Contains DNSSEC signature data. Used in
9038 original DNSSEC; replaced by RRSIG in
9039 DNSSECbis, but still used for SIG(0).
9040 Described in RFCs 2535 and 2931.
9052 Identifies the start of a zone of authority.
9053 Described in RFC 1035.
9065 Contains the Sender Policy Framework information
9066 for a given email domain. Described in RFC 4408.
9078 Information about well known network
9079 services (replaces WKS). Described in RFC 2782.
9091 Provides a way to securely publish a secure shell key's
9092 fingerprint. Described in RFC 4255.
9104 Text records. Described in RFC 1035.
9116 Information about which well known
9117 network services, such as SMTP, that a domain
9118 supports. Historical.
9130 Representation of X.25 network addresses.
9131 Experimental. Described in RFC 1183.
9138 The following <span class="emphasis"><em>classes</em></span> of resource records
9139 are currently valid in the DNS:
9141 <div class="informaltable"><table border="1">
9167 Chaosnet, a LAN protocol created at MIT in the
9169 Rarely used for its historical purpose, but reused for
9171 built-in server information zones, e.g.,
9172 <code class="literal">version.bind</code>.
9184 Hesiod, an information service
9185 developed by MIT's Project Athena. It is used to share
9187 about various systems databases, such as users,
9196 The owner name is often implicit, rather than forming an
9198 part of the RR. For example, many name servers internally form
9200 or hash structures for the name space, and chain RRs off nodes.
9201 The remaining RR parts are the fixed header (type, class, TTL)
9202 which is consistent for all RRs, and a variable part (RDATA)
9204 fits the needs of the resource being described.
9207 The meaning of the TTL field is a time limit on how long an
9208 RR can be kept in a cache. This limit does not apply to
9210 data in zones; it is also timed out, but by the refreshing
9212 for the zone. The TTL is assigned by the administrator for the
9213 zone where the data originates. While short TTLs can be used to
9214 minimize caching, and a zero TTL prohibits caching, the
9216 of Internet performance suggest that these times should be on
9218 order of days for the typical host. If a change can be
9220 the TTL can be reduced prior to the change to minimize
9222 during the change, and then increased back to its former value
9227 The data in the RDATA section of RRs is carried as a combination
9228 of binary strings and domain names. The domain names are
9230 used as "pointers" to other data in the DNS.
9233 <div class="sect3" lang="en">
9234 <div class="titlepage"><div><div><h4 class="title">
9235 <a name="id2598161"></a>Textual expression of RRs</h4></div></div></div>
9237 RRs are represented in binary form in the packets of the DNS
9238 protocol, and are usually represented in highly encoded form
9240 stored in a name server or resolver. In the examples provided
9242 RFC 1034, a style similar to that used in master files was
9244 in order to show the contents of RRs. In this format, most RRs
9245 are shown on a single line, although continuation lines are
9250 The start of the line gives the owner of the RR. If a line
9251 begins with a blank, then the owner is assumed to be the same as
9252 that of the previous RR. Blank lines are often included for
9256 Following the owner, we list the TTL, type, and class of the
9257 RR. Class and type use the mnemonics defined above, and TTL is
9258 an integer before the type field. In order to avoid ambiguity
9260 parsing, type and class mnemonics are disjoint, TTLs are
9262 and the type mnemonic is always last. The IN class and TTL
9264 are often omitted from examples in the interests of clarity.
9267 The resource data or RDATA section of the RR are given using
9268 knowledge of the typical representation for the data.
9271 For example, we might show the RRs carried in a message as:
9273 <div class="informaltable"><table border="1">
9283 <code class="literal">ISI.EDU.</code>
9288 <code class="literal">MX</code>
9293 <code class="literal">10 VENERA.ISI.EDU.</code>
9303 <code class="literal">MX</code>
9308 <code class="literal">10 VAXA.ISI.EDU</code>
9315 <code class="literal">VENERA.ISI.EDU</code>
9320 <code class="literal">A</code>
9325 <code class="literal">128.9.0.32</code>
9335 <code class="literal">A</code>
9340 <code class="literal">10.1.0.52</code>
9347 <code class="literal">VAXA.ISI.EDU</code>
9352 <code class="literal">A</code>
9357 <code class="literal">10.2.0.27</code>
9367 <code class="literal">A</code>
9372 <code class="literal">128.9.0.33</code>
9379 The MX RRs have an RDATA section which consists of a 16-bit
9380 number followed by a domain name. The address RRs use a
9382 IP address format to contain a 32-bit internet address.
9385 The above example shows six RRs, with two RRs at each of three
9389 Similarly we might see:
9391 <div class="informaltable"><table border="1">
9401 <code class="literal">XX.LCS.MIT.EDU.</code>
9406 <code class="literal">IN A</code>
9411 <code class="literal">10.0.0.44</code>
9419 <code class="literal">CH A</code>
9424 <code class="literal">MIT.EDU. 2420</code>
9431 This example shows two addresses for
9432 <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
9436 <div class="sect2" lang="en">
9437 <div class="titlepage"><div><div><h3 class="title">
9438 <a name="id2598681"></a>Discussion of MX Records</h3></div></div></div>
9440 As described above, domain servers store information as a
9441 series of resource records, each of which contains a particular
9442 piece of information about a given domain name (which is usually,
9443 but not always, a host). The simplest way to think of a RR is as
9444 a typed pair of data, a domain name matched with a relevant datum,
9445 and stored with some additional type information to help systems
9446 determine when the RR is relevant.
9449 MX records are used to control delivery of email. The data
9450 specified in the record is a priority and a domain name. The
9452 controls the order in which email delivery is attempted, with the
9453 lowest number first. If two priorities are the same, a server is
9454 chosen randomly. If no servers at a given priority are responding,
9455 the mail transport agent will fall back to the next largest
9457 Priority numbers do not have any absolute meaning — they are
9459 only respective to other MX records for that domain name. The
9461 name given is the machine to which the mail will be delivered.
9462 It <span class="emphasis"><em>must</em></span> have an associated address record
9463 (A or AAAA) — CNAME is not sufficient.
9466 For a given domain, if there is both a CNAME record and an
9467 MX record, the MX record is in error, and will be ignored.
9469 the mail will be delivered to the server specified in the MX
9471 pointed to by the CNAME.
9474 <div class="informaltable"><table border="1">
9486 <code class="literal">example.com.</code>
9491 <code class="literal">IN</code>
9496 <code class="literal">MX</code>
9501 <code class="literal">10</code>
9506 <code class="literal">mail.example.com.</code>
9516 <code class="literal">IN</code>
9521 <code class="literal">MX</code>
9526 <code class="literal">10</code>
9531 <code class="literal">mail2.example.com.</code>
9541 <code class="literal">IN</code>
9546 <code class="literal">MX</code>
9551 <code class="literal">20</code>
9556 <code class="literal">mail.backup.org.</code>
9563 <code class="literal">mail.example.com.</code>
9568 <code class="literal">IN</code>
9573 <code class="literal">A</code>
9578 <code class="literal">10.0.0.1</code>
9588 <code class="literal">mail2.example.com.</code>
9593 <code class="literal">IN</code>
9598 <code class="literal">A</code>
9603 <code class="literal">10.0.0.2</code>
9613 Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
9614 <code class="literal">mail2.example.com</code> (in
9615 any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
9619 <div class="sect2" lang="en">
9620 <div class="titlepage"><div><div><h3 class="title">
9621 <a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
9623 The time-to-live of the RR field is a 32-bit integer represented
9624 in units of seconds, and is primarily used by resolvers when they
9625 cache RRs. The TTL describes how long a RR can be cached before it
9626 should be discarded. The following three types of TTL are
9628 used in a zone file.
9630 <div class="informaltable"><table border="1">
9644 The last field in the SOA is the negative
9645 caching TTL. This controls how long other servers will
9646 cache no-such-domain
9647 (NXDOMAIN) responses from you.
9650 The maximum time for
9651 negative caching is 3 hours (3h).
9663 The $TTL directive at the top of the
9664 zone file (before the SOA) gives a default TTL for every
9678 Each RR can have a TTL as the second
9679 field in the RR, which will control how long other
9680 servers can cache it.
9687 All of these TTLs default to units of seconds, though units
9688 can be explicitly specified, for example, <code class="literal">1h30m</code>.
9691 <div class="sect2" lang="en">
9692 <div class="titlepage"><div><div><h3 class="title">
9693 <a name="id2599297"></a>Inverse Mapping in IPv4</h3></div></div></div>
9695 Reverse name resolution (that is, translation from IP address
9696 to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
9697 and PTR records. Entries in the in-addr.arpa domain are made in
9698 least-to-most significant order, read left to right. This is the
9699 opposite order to the way IP addresses are usually written. Thus,
9700 a machine with an IP address of 10.1.2.3 would have a
9702 in-addr.arpa name of
9703 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
9704 whose data field is the name of the machine or, optionally,
9706 PTR records if the machine has more than one name. For example,
9707 in the [<span class="optional">example.com</span>] domain:
9709 <div class="informaltable"><table border="1">
9718 <code class="literal">$ORIGIN</code>
9723 <code class="literal">2.1.10.in-addr.arpa</code>
9730 <code class="literal">3</code>
9735 <code class="literal">IN PTR foo.example.com.</code>
9741 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
9742 <h3 class="title">Note</h3>
9744 The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
9745 are for providing context to the examples only — they do not
9747 appear in the actual usage. They are only used here to indicate
9748 that the example is relative to the listed origin.
9752 <div class="sect2" lang="en">
9753 <div class="titlepage"><div><div><h3 class="title">
9754 <a name="id2599492"></a>Other Zone File Directives</h3></div></div></div>
9756 The Master File Format was initially defined in RFC 1035 and
9757 has subsequently been extended. While the Master File Format
9759 is class independent all records in a Master File must be of the
9764 Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
9765 and <span><strong class="command">$TTL.</strong></span>
9767 <div class="sect3" lang="en">
9768 <div class="titlepage"><div><div><h4 class="title">
9769 <a name="id2599514"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
9771 When used in the label (or name) field, the asperand or
9772 at-sign (@) symbol represents the current origin.
9773 At the start of the zone file, it is the
9774 <<code class="varname">zone_name</code>> (followed by
9778 <div class="sect3" lang="en">
9779 <div class="titlepage"><div><div><h4 class="title">
9780 <a name="id2599530"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
9782 Syntax: <span><strong class="command">$ORIGIN</strong></span>
9783 <em class="replaceable"><code>domain-name</code></em>
9784 [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
9786 <p><span><strong class="command">$ORIGIN</strong></span>
9787 sets the domain name that will be appended to any
9788 unqualified records. When a zone is first read in there
9789 is an implicit <span><strong class="command">$ORIGIN</strong></span>
9790 <<code class="varname">zone_name</code>><span><strong class="command">.</strong></span>
9791 (followed by trailing dot).
9792 The current <span><strong class="command">$ORIGIN</strong></span> is appended to
9793 the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
9794 argument if it is not absolute.
9796 <pre class="programlisting">
9797 $ORIGIN example.com.
9798 WWW CNAME MAIN-SERVER
9803 <pre class="programlisting">
9804 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
9807 <div class="sect3" lang="en">
9808 <div class="titlepage"><div><div><h4 class="title">
9809 <a name="id2599591"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
9811 Syntax: <span><strong class="command">$INCLUDE</strong></span>
9812 <em class="replaceable"><code>filename</code></em>
9813 [<span class="optional">
9814 <em class="replaceable"><code>origin</code></em> </span>]
9815 [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
9818 Read and process the file <code class="filename">filename</code> as
9819 if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
9820 specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
9821 to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
9825 The origin and the current domain name
9826 revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
9827 the file has been read.
9829 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
9830 <h3 class="title">Note</h3>
9832 RFC 1035 specifies that the current origin should be restored
9834 an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
9835 on whether the current
9836 domain name should also be restored. BIND 9 restores both of
9838 This could be construed as a deviation from RFC 1035, a
9843 <div class="sect3" lang="en">
9844 <div class="titlepage"><div><div><h4 class="title">
9845 <a name="id2599729"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
9847 Syntax: <span><strong class="command">$TTL</strong></span>
9848 <em class="replaceable"><code>default-ttl</code></em>
9849 [<span class="optional">
9850 <em class="replaceable"><code>comment</code></em> </span>]
9853 Set the default Time To Live (TTL) for subsequent records
9854 with undefined TTLs. Valid TTLs are of the range 0-2147483647
9857 <p><span><strong class="command">$TTL</strong></span>
9858 is defined in RFC 2308.
9862 <div class="sect2" lang="en">
9863 <div class="titlepage"><div><div><h3 class="title">
9864 <a name="id2599765"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
9866 Syntax: <span><strong class="command">$GENERATE</strong></span>
9867 <em class="replaceable"><code>range</code></em>
9868 <em class="replaceable"><code>lhs</code></em>
9869 [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
9870 [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
9871 <em class="replaceable"><code>type</code></em>
9872 <em class="replaceable"><code>rhs</code></em>
9873 [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
9875 <p><span><strong class="command">$GENERATE</strong></span>
9876 is used to create a series of resource records that only
9877 differ from each other by an
9878 iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
9879 easily generate the sets of records required to support
9880 sub /24 reverse delegations described in RFC 2317:
9881 Classless IN-ADDR.ARPA delegation.
9883 <pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
9884 $GENERATE 1-2 @ NS SERVER$.EXAMPLE.
9885 $GENERATE 1-127 $ CNAME $.0</pre>
9889 <pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
9890 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
9891 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
9892 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
9894 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
9897 Generate a set of A and MX records. Note the MX's right hand
9898 side is a quoted string. The quotes will be stripped when the
9899 right hand side is processed.
9901 <pre class="programlisting">
9903 $GENERATE 1-127 HOST-$ A 1.2.3.$
9904 $GENERATE 1-127 HOST-$ MX "0 ."</pre>
9908 <pre class="programlisting">HOST-1.EXAMPLE. A 1.2.3.1
9909 HOST-1.EXAMPLE. MX 0 .
9910 HOST-2.EXAMPLE. A 1.2.3.2
9911 HOST-2.EXAMPLE. MX 0 .
9912 HOST-3.EXAMPLE. A 1.2.3.3
9913 HOST-3.EXAMPLE. MX 0 .
9915 HOST-127.EXAMPLE. A 1.2.3.127
9916 HOST-127.EXAMPLE. MX 0 .
9918 <div class="informaltable"><table border="1">
9926 <p><span><strong class="command">range</strong></span></p>
9930 This can be one of two forms: start-stop
9931 or start-stop/step. If the first form is used, then step
9932 is set to 1. start, stop and step must be positive
9933 integers between 0 and (2^31)-1. start must not be
9940 <p><span><strong class="command">lhs</strong></span></p>
9944 describes the owner name of the resource records
9945 to be created. Any single <span><strong class="command">$</strong></span>
9947 symbols within the <span><strong class="command">lhs</strong></span> string
9948 are replaced by the iterator value.
9950 To get a $ in the output, you need to escape the
9951 <span><strong class="command">$</strong></span> using a backslash
9952 <span><strong class="command">\</strong></span>,
9953 e.g. <span><strong class="command">\$</strong></span>. The
9954 <span><strong class="command">$</strong></span> may optionally be followed
9955 by modifiers which change the offset from the
9956 iterator, field width and base.
9958 Modifiers are introduced by a
9959 <span><strong class="command">{</strong></span> (left brace) immediately following the
9960 <span><strong class="command">$</strong></span> as
9961 <span><strong class="command">${offset[,width[,base]]}</strong></span>.
9962 For example, <span><strong class="command">${-20,3,d}</strong></span>
9963 subtracts 20 from the current value, prints the
9964 result as a decimal in a zero-padded field of
9967 Available output forms are decimal
9968 (<span><strong class="command">d</strong></span>), octal
9969 (<span><strong class="command">o</strong></span>), hexadecimal
9970 (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
9971 for uppercase) and nibble
9972 (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
9973 for uppercase). The default modifier is
9974 <span><strong class="command">${0,0,d}</strong></span>. If the
9975 <span><strong class="command">lhs</strong></span> is not absolute, the
9976 current <span><strong class="command">$ORIGIN</strong></span> is appended
9980 In nibble mode the value will be treated as
9981 if it was a reversed hexadecimal string
9982 with each hexadecimal digit as a separate
9983 label. The width field includes the label
9987 For compatibility with earlier versions,
9988 <span><strong class="command">$$</strong></span> is still recognized as
9989 indicating a literal $ in the output.
9995 <p><span><strong class="command">ttl</strong></span></p>
9999 Specifies the time-to-live of the generated records. If
10000 not specified this will be inherited using the
10001 normal TTL inheritance rules.
10003 <p><span><strong class="command">class</strong></span>
10004 and <span><strong class="command">ttl</strong></span> can be
10005 entered in either order.
10011 <p><span><strong class="command">class</strong></span></p>
10015 Specifies the class of the generated records.
10016 This must match the zone class if it is
10019 <p><span><strong class="command">class</strong></span>
10020 and <span><strong class="command">ttl</strong></span> can be
10021 entered in either order.
10027 <p><span><strong class="command">type</strong></span></p>
10037 <p><span><strong class="command">rhs</strong></span></p>
10041 <span><strong class="command">rhs</strong></span>, optionally, quoted string.
10048 The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
10049 and not part of the standard zone file format.
10052 BIND 8 does not support the optional TTL and CLASS fields.
10055 <div class="sect2" lang="en">
10056 <div class="titlepage"><div><div><h3 class="title">
10057 <a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
10059 In addition to the standard textual format, BIND 9
10060 supports the ability to read or dump to zone files in
10061 other formats. The <code class="constant">raw</code> format is
10062 currently available as an additional format. It is a
10063 binary format representing BIND 9's internal data
10064 structure directly, thereby remarkably improving the
10068 For a primary server, a zone file in the
10069 <code class="constant">raw</code> format is expected to be
10070 generated from a textual zone file by the
10071 <span><strong class="command">named-compilezone</strong></span> command. For a
10072 secondary server or for a dynamic zone, it is automatically
10073 generated (if this format is specified by the
10074 <span><strong class="command">masterfile-format</strong></span> option) when
10075 <span><strong class="command">named</strong></span> dumps the zone contents after
10076 zone transfer or when applying prior updates.
10079 If a zone file in a binary format needs manual modification,
10080 it first must be converted to a textual form by the
10081 <span><strong class="command">named-compilezone</strong></span> command. All
10082 necessary modification should go to the text file, which
10083 should then be converted to the binary form by the
10084 <span><strong class="command">named-compilezone</strong></span> command again.
10087 Although the <code class="constant">raw</code> format uses the
10088 network byte order and avoids architecture-dependent
10089 data alignment so that it is as much portable as
10090 possible, it is primarily expected to be used inside
10091 the same single system. In order to export a zone
10092 file in the <code class="constant">raw</code> format or make a
10093 portable backup of the file, it is recommended to
10094 convert the file to the standard textual representation.
10098 <div class="sect1" lang="en">
10099 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
10100 <a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
10102 <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
10103 information and provides several interfaces for users to
10104 get access to the statistics.
10105 The available statistics include all statistics counters
10106 that were available in <acronym class="acronym">BIND</acronym> 8 and
10107 are meaningful in <acronym class="acronym">BIND</acronym> 9,
10108 and other information that is considered useful.
10111 The statistics information is categorized into the following
10114 <div class="informaltable"><table border="1">
10122 <p>Incoming Requests</p>
10126 The number of incoming DNS requests for each OPCODE.
10132 <p>Incoming Queries</p>
10136 The number of incoming queries for each RR type.
10142 <p>Outgoing Queries</p>
10146 The number of outgoing queries for each RR
10147 type sent from the internal resolver.
10148 Maintained per view.
10154 <p>Name Server Statistics</p>
10158 Statistics counters about incoming request processing.
10164 <p>Zone Maintenance Statistics</p>
10168 Statistics counters regarding zone maintenance
10169 operations such as zone transfers.
10175 <p>Resolver Statistics</p>
10179 Statistics counters about name resolution
10180 performed in the internal resolver.
10181 Maintained per view.
10187 <p>Cache DB RRsets</p>
10191 The number of RRsets per RR type and nonexistent
10192 names stored in the cache database.
10193 If the exclamation mark (!) is printed for a RR
10194 type, it means that particular type of RRset is
10195 known to be nonexistent (this is also known as
10197 Maintained per view.
10203 <p>Socket I/O Statistics</p>
10207 Statistics counters about network related events.
10214 A subset of Name Server Statistics is collected and shown
10215 per zone for which the server has the authority when
10216 <span><strong class="command">zone-statistics</strong></span> is set to
10217 <strong class="userinput"><code>yes</code></strong>.
10218 These statistics counters are shown with their zone and view
10220 In some cases the view names are omitted for the default view.
10223 There are currently two user interfaces to get access to the
10225 One is in the plain text format dumped to the file specified
10226 by the <span><strong class="command">statistics-file</strong></span> configuration option.
10227 The other is remotely accessible via a statistics channel
10228 when the <span><strong class="command">statistics-channels</strong></span> statement
10229 is specified in the configuration file
10230 (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
10232 <div class="sect3" lang="en">
10233 <div class="titlepage"><div><div><h4 class="title">
10234 <a name="statsfile"></a>The Statistics File</h4></div></div></div>
10236 The text format statistics dump begins with a line, like:
10239 <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
10242 The number in parentheses is a standard
10243 Unix-style timestamp, measured as seconds since January 1, 1970.
10246 that line is a set of statistics information, which is categorized
10247 as described above.
10248 Each section begins with a line, like:
10251 <span><strong class="command">++ Name Server Statistics ++</strong></span>
10254 Each section consists of lines, each containing the statistics
10255 counter value followed by its textual description.
10256 See below for available counters.
10257 For brevity, counters that have a value of 0 are not shown
10258 in the statistics file.
10261 The statistics dump ends with the line where the
10262 number is identical to the number in the beginning line; for example:
10265 <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
10268 <div class="sect2" lang="en">
10269 <div class="titlepage"><div><div><h3 class="title">
10270 <a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
10272 The following tables summarize statistics counters that
10273 <acronym class="acronym">BIND</acronym> 9 provides.
10274 For each row of the tables, the leftmost column is the
10275 abbreviated symbol name of that counter.
10276 These symbols are shown in the statistics information
10277 accessed via an HTTP statistics channel.
10278 The rightmost column gives the description of the counter,
10279 which is also shown in the statistics file
10280 (but, in this document, possibly with slight modification
10281 for better readability).
10282 Additional notes may also be provided in this column.
10283 When a middle column exists between these two columns,
10284 it gives the corresponding counter name of the
10285 <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
10287 <div class="sect3" lang="en">
10288 <div class="titlepage"><div><div><h4 class="title">
10289 <a name="id2600855"></a>Name Server Statistics Counters</h4></div></div></div>
10290 <div class="informaltable"><table border="1">
10300 <span class="emphasis"><em>Symbol</em></span>
10305 <span class="emphasis"><em>BIND8 Symbol</em></span>
10310 <span class="emphasis"><em>Description</em></span>
10316 <p><span><strong class="command">Requestv4</strong></span></p>
10319 <p><span><strong class="command">RQ</strong></span></p>
10323 IPv4 requests received.
10324 Note: this also counts non query requests.
10330 <p><span><strong class="command">Requestv6</strong></span></p>
10333 <p><span><strong class="command">RQ</strong></span></p>
10337 IPv6 requests received.
10338 Note: this also counts non query requests.
10344 <p><span><strong class="command">ReqEdns0</strong></span></p>
10347 <p><span><strong class="command"></strong></span></p>
10351 Requests with EDNS(0) received.
10357 <p><span><strong class="command">ReqBadEDNSVer</strong></span></p>
10360 <p><span><strong class="command"></strong></span></p>
10364 Requests with unsupported EDNS version received.
10370 <p><span><strong class="command">ReqTSIG</strong></span></p>
10373 <p><span><strong class="command"></strong></span></p>
10377 Requests with TSIG received.
10383 <p><span><strong class="command">ReqSIG0</strong></span></p>
10386 <p><span><strong class="command"></strong></span></p>
10390 Requests with SIG(0) received.
10396 <p><span><strong class="command">ReqBadSIG</strong></span></p>
10399 <p><span><strong class="command"></strong></span></p>
10403 Requests with invalid (TSIG or SIG(0)) signature.
10409 <p><span><strong class="command">ReqTCP</strong></span></p>
10412 <p><span><strong class="command">RTCP</strong></span></p>
10416 TCP requests received.
10422 <p><span><strong class="command">AuthQryRej</strong></span></p>
10425 <p><span><strong class="command">RUQ</strong></span></p>
10429 Authoritative (non recursive) queries rejected.
10435 <p><span><strong class="command">RecQryRej</strong></span></p>
10438 <p><span><strong class="command">RURQ</strong></span></p>
10442 Recursive queries rejected.
10448 <p><span><strong class="command">XfrRej</strong></span></p>
10451 <p><span><strong class="command">RUXFR</strong></span></p>
10455 Zone transfer requests rejected.
10461 <p><span><strong class="command">UpdateRej</strong></span></p>
10464 <p><span><strong class="command">RUUpd</strong></span></p>
10468 Dynamic update requests rejected.
10474 <p><span><strong class="command">Response</strong></span></p>
10477 <p><span><strong class="command">SAns</strong></span></p>
10487 <p><span><strong class="command">RespTruncated</strong></span></p>
10490 <p><span><strong class="command"></strong></span></p>
10494 Truncated responses sent.
10500 <p><span><strong class="command">RespEDNS0</strong></span></p>
10503 <p><span><strong class="command"></strong></span></p>
10507 Responses with EDNS(0) sent.
10513 <p><span><strong class="command">RespTSIG</strong></span></p>
10516 <p><span><strong class="command"></strong></span></p>
10520 Responses with TSIG sent.
10526 <p><span><strong class="command">RespSIG0</strong></span></p>
10529 <p><span><strong class="command"></strong></span></p>
10533 Responses with SIG(0) sent.
10539 <p><span><strong class="command">QrySuccess</strong></span></p>
10542 <p><span><strong class="command"></strong></span></p>
10546 Queries resulted in a successful answer.
10547 This means the query which returns a NOERROR response
10548 with at least one answer RR.
10549 This corresponds to the
10550 <span><strong class="command">success</strong></span> counter
10551 of previous versions of
10552 <acronym class="acronym">BIND</acronym> 9.
10558 <p><span><strong class="command">QryAuthAns</strong></span></p>
10561 <p><span><strong class="command"></strong></span></p>
10565 Queries resulted in authoritative answer.
10571 <p><span><strong class="command">QryNoauthAns</strong></span></p>
10574 <p><span><strong class="command">SNaAns</strong></span></p>
10578 Queries resulted in non authoritative answer.
10584 <p><span><strong class="command">QryReferral</strong></span></p>
10587 <p><span><strong class="command"></strong></span></p>
10591 Queries resulted in referral answer.
10592 This corresponds to the
10593 <span><strong class="command">referral</strong></span> counter
10594 of previous versions of
10595 <acronym class="acronym">BIND</acronym> 9.
10601 <p><span><strong class="command">QryNxrrset</strong></span></p>
10604 <p><span><strong class="command"></strong></span></p>
10608 Queries resulted in NOERROR responses with no data.
10609 This corresponds to the
10610 <span><strong class="command">nxrrset</strong></span> counter
10611 of previous versions of
10612 <acronym class="acronym">BIND</acronym> 9.
10618 <p><span><strong class="command">QrySERVFAIL</strong></span></p>
10621 <p><span><strong class="command">SFail</strong></span></p>
10625 Queries resulted in SERVFAIL.
10631 <p><span><strong class="command">QryFORMERR</strong></span></p>
10634 <p><span><strong class="command">SFErr</strong></span></p>
10638 Queries resulted in FORMERR.
10644 <p><span><strong class="command">QryNXDOMAIN</strong></span></p>
10647 <p><span><strong class="command">SNXD</strong></span></p>
10651 Queries resulted in NXDOMAIN.
10652 This corresponds to the
10653 <span><strong class="command">nxdomain</strong></span> counter
10654 of previous versions of
10655 <acronym class="acronym">BIND</acronym> 9.
10661 <p><span><strong class="command">QryRecursion</strong></span></p>
10664 <p><span><strong class="command">RFwdQ</strong></span></p>
10668 Queries which caused the server
10669 to perform recursion in order to find the final answer.
10670 This corresponds to the
10671 <span><strong class="command">recursion</strong></span> counter
10672 of previous versions of
10673 <acronym class="acronym">BIND</acronym> 9.
10679 <p><span><strong class="command">QryDuplicate</strong></span></p>
10682 <p><span><strong class="command">RDupQ</strong></span></p>
10686 Queries which the server attempted to
10687 recurse but discovered an existing query with the same
10688 IP address, port, query ID, name, type and class
10689 already being processed.
10690 This corresponds to the
10691 <span><strong class="command">duplicate</strong></span> counter
10692 of previous versions of
10693 <acronym class="acronym">BIND</acronym> 9.
10699 <p><span><strong class="command">QryDropped</strong></span></p>
10702 <p><span><strong class="command"></strong></span></p>
10706 Recursive queries for which the server
10707 discovered an excessive number of existing
10708 recursive queries for the same name, type and
10709 class and were subsequently dropped.
10710 This is the number of dropped queries due to
10711 the reason explained with the
10712 <span><strong class="command">clients-per-query</strong></span>
10714 <span><strong class="command">max-clients-per-query</strong></span>
10716 (see the description about
10717 <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
10718 This corresponds to the
10719 <span><strong class="command">dropped</strong></span> counter
10720 of previous versions of
10721 <acronym class="acronym">BIND</acronym> 9.
10727 <p><span><strong class="command">QryFailure</strong></span></p>
10730 <p><span><strong class="command"></strong></span></p>
10734 Other query failures.
10735 This corresponds to the
10736 <span><strong class="command">failure</strong></span> counter
10737 of previous versions of
10738 <acronym class="acronym">BIND</acronym> 9.
10739 Note: this counter is provided mainly for
10740 backward compatibility with the previous versions.
10741 Normally a more fine-grained counters such as
10742 <span><strong class="command">AuthQryRej</strong></span> and
10743 <span><strong class="command">RecQryRej</strong></span>
10744 that would also fall into this counter are provided,
10745 and so this counter would not be of much
10746 interest in practice.
10752 <p><span><strong class="command">XfrReqDone</strong></span></p>
10755 <p><span><strong class="command"></strong></span></p>
10759 Requested zone transfers completed.
10765 <p><span><strong class="command">UpdateReqFwd</strong></span></p>
10768 <p><span><strong class="command"></strong></span></p>
10772 Update requests forwarded.
10778 <p><span><strong class="command">UpdateRespFwd</strong></span></p>
10781 <p><span><strong class="command"></strong></span></p>
10785 Update responses forwarded.
10791 <p><span><strong class="command">UpdateFwdFail</strong></span></p>
10794 <p><span><strong class="command"></strong></span></p>
10798 Dynamic update forward failed.
10804 <p><span><strong class="command">UpdateDone</strong></span></p>
10807 <p><span><strong class="command"></strong></span></p>
10811 Dynamic updates completed.
10817 <p><span><strong class="command">UpdateFail</strong></span></p>
10820 <p><span><strong class="command"></strong></span></p>
10824 Dynamic updates failed.
10830 <p><span><strong class="command">UpdateBadPrereq</strong></span></p>
10833 <p><span><strong class="command"></strong></span></p>
10837 Dynamic updates rejected due to prerequisite failure.
10843 <p><span><strong class="command">RPZRewrites</strong></span></p>
10846 <p><span><strong class="command"></strong></span></p>
10850 Response policy zone rewrites.
10856 <p><span><strong class="command">RateDropped</strong></span></p>
10859 <p><span><strong class="command"></strong></span></p>
10863 Responses dropped by rate limits.
10869 <p><span><strong class="command">RateSlipped</strong></span></p>
10872 <p><span><strong class="command"></strong></span></p>
10876 Responses truncated by rate limits.
10883 <div class="sect3" lang="en">
10884 <div class="titlepage"><div><div><h4 class="title">
10885 <a name="id2602424"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
10886 <div class="informaltable"><table border="1">
10895 <span class="emphasis"><em>Symbol</em></span>
10900 <span class="emphasis"><em>Description</em></span>
10906 <p><span><strong class="command">NotifyOutv4</strong></span></p>
10910 IPv4 notifies sent.
10916 <p><span><strong class="command">NotifyOutv6</strong></span></p>
10920 IPv6 notifies sent.
10926 <p><span><strong class="command">NotifyInv4</strong></span></p>
10930 IPv4 notifies received.
10936 <p><span><strong class="command">NotifyInv6</strong></span></p>
10940 IPv6 notifies received.
10946 <p><span><strong class="command">NotifyRej</strong></span></p>
10950 Incoming notifies rejected.
10956 <p><span><strong class="command">SOAOutv4</strong></span></p>
10960 IPv4 SOA queries sent.
10966 <p><span><strong class="command">SOAOutv6</strong></span></p>
10970 IPv6 SOA queries sent.
10976 <p><span><strong class="command">AXFRReqv4</strong></span></p>
10980 IPv4 AXFR requested.
10986 <p><span><strong class="command">AXFRReqv6</strong></span></p>
10990 IPv6 AXFR requested.
10996 <p><span><strong class="command">IXFRReqv4</strong></span></p>
11000 IPv4 IXFR requested.
11006 <p><span><strong class="command">IXFRReqv6</strong></span></p>
11010 IPv6 IXFR requested.
11016 <p><span><strong class="command">XfrSuccess</strong></span></p>
11020 Zone transfer requests succeeded.
11026 <p><span><strong class="command">XfrFail</strong></span></p>
11030 Zone transfer requests failed.
11037 <div class="sect3" lang="en">
11038 <div class="titlepage"><div><div><h4 class="title">
11039 <a name="id2602875"></a>Resolver Statistics Counters</h4></div></div></div>
11040 <div class="informaltable"><table border="1">
11050 <span class="emphasis"><em>Symbol</em></span>
11055 <span class="emphasis"><em>BIND8 Symbol</em></span>
11060 <span class="emphasis"><em>Description</em></span>
11066 <p><span><strong class="command">Queryv4</strong></span></p>
11069 <p><span><strong class="command">SFwdQ</strong></span></p>
11079 <p><span><strong class="command">Queryv6</strong></span></p>
11082 <p><span><strong class="command">SFwdQ</strong></span></p>
11092 <p><span><strong class="command">Responsev4</strong></span></p>
11095 <p><span><strong class="command">RR</strong></span></p>
11099 IPv4 responses received.
11105 <p><span><strong class="command">Responsev6</strong></span></p>
11108 <p><span><strong class="command">RR</strong></span></p>
11112 IPv6 responses received.
11118 <p><span><strong class="command">NXDOMAIN</strong></span></p>
11121 <p><span><strong class="command">RNXD</strong></span></p>
11131 <p><span><strong class="command">SERVFAIL</strong></span></p>
11134 <p><span><strong class="command">RFail</strong></span></p>
11144 <p><span><strong class="command">FORMERR</strong></span></p>
11147 <p><span><strong class="command">RFErr</strong></span></p>
11157 <p><span><strong class="command">OtherError</strong></span></p>
11160 <p><span><strong class="command">RErr</strong></span></p>
11164 Other errors received.
11170 <p><span><strong class="command">EDNS0Fail</strong></span></p>
11173 <p><span><strong class="command"></strong></span></p>
11177 EDNS(0) query failures.
11183 <p><span><strong class="command">Mismatch</strong></span></p>
11186 <p><span><strong class="command">RDupR</strong></span></p>
11190 Mismatch responses received.
11191 The DNS ID, response's source address,
11192 and/or the response's source port does not
11193 match what was expected.
11194 (The port must be 53 or as defined by
11195 the <span><strong class="command">port</strong></span> option.)
11196 This may be an indication of a cache
11203 <p><span><strong class="command">Truncated</strong></span></p>
11206 <p><span><strong class="command"></strong></span></p>
11210 Truncated responses received.
11216 <p><span><strong class="command">Lame</strong></span></p>
11219 <p><span><strong class="command">RLame</strong></span></p>
11223 Lame delegations received.
11229 <p><span><strong class="command">Retry</strong></span></p>
11232 <p><span><strong class="command">SDupQ</strong></span></p>
11236 Query retries performed.
11242 <p><span><strong class="command">QueryAbort</strong></span></p>
11245 <p><span><strong class="command"></strong></span></p>
11249 Queries aborted due to quota control.
11255 <p><span><strong class="command">QuerySockFail</strong></span></p>
11258 <p><span><strong class="command"></strong></span></p>
11262 Failures in opening query sockets.
11263 One common reason for such failures is a
11264 failure of opening a new socket due to a
11265 limitation on file descriptors.
11271 <p><span><strong class="command">QueryTimeout</strong></span></p>
11274 <p><span><strong class="command"></strong></span></p>
11284 <p><span><strong class="command">GlueFetchv4</strong></span></p>
11287 <p><span><strong class="command">SSysQ</strong></span></p>
11291 IPv4 NS address fetches invoked.
11297 <p><span><strong class="command">GlueFetchv6</strong></span></p>
11300 <p><span><strong class="command">SSysQ</strong></span></p>
11304 IPv6 NS address fetches invoked.
11310 <p><span><strong class="command">GlueFetchv4Fail</strong></span></p>
11313 <p><span><strong class="command"></strong></span></p>
11317 IPv4 NS address fetch failed.
11323 <p><span><strong class="command">GlueFetchv6Fail</strong></span></p>
11326 <p><span><strong class="command"></strong></span></p>
11330 IPv6 NS address fetch failed.
11336 <p><span><strong class="command">ValAttempt</strong></span></p>
11339 <p><span><strong class="command"></strong></span></p>
11343 DNSSEC validation attempted.
11349 <p><span><strong class="command">ValOk</strong></span></p>
11352 <p><span><strong class="command"></strong></span></p>
11356 DNSSEC validation succeeded.
11362 <p><span><strong class="command">ValNegOk</strong></span></p>
11365 <p><span><strong class="command"></strong></span></p>
11369 DNSSEC validation on negative information succeeded.
11375 <p><span><strong class="command">ValFail</strong></span></p>
11378 <p><span><strong class="command"></strong></span></p>
11382 DNSSEC validation failed.
11388 <p><span><strong class="command">QryRTTnn</strong></span></p>
11391 <p><span><strong class="command"></strong></span></p>
11395 Frequency table on round trip times (RTTs) of
11397 Each <span><strong class="command">nn</strong></span> specifies the corresponding
11400 <span><strong class="command">nn_1</strong></span>,
11401 <span><strong class="command">nn_2</strong></span>,
11403 <span><strong class="command">nn_m</strong></span>,
11404 the value of <span><strong class="command">nn_i</strong></span> is the
11405 number of queries whose RTTs are between
11406 <span><strong class="command">nn_(i-1)</strong></span> (inclusive) and
11407 <span><strong class="command">nn_i</strong></span> (exclusive) milliseconds.
11408 For the sake of convenience we define
11409 <span><strong class="command">nn_0</strong></span> to be 0.
11410 The last entry should be represented as
11411 <span><strong class="command">nn_m+</strong></span>, which means the
11412 number of queries whose RTTs are equal to or over
11413 <span><strong class="command">nn_m</strong></span> milliseconds.
11420 <div class="sect3" lang="en">
11421 <div class="titlepage"><div><div><h4 class="title">
11422 <a name="id2603897"></a>Socket I/O Statistics Counters</h4></div></div></div>
11424 Socket I/O statistics counters are defined per socket
11426 <span><strong class="command">UDP4</strong></span> (UDP/IPv4),
11427 <span><strong class="command">UDP6</strong></span> (UDP/IPv6),
11428 <span><strong class="command">TCP4</strong></span> (TCP/IPv4),
11429 <span><strong class="command">TCP6</strong></span> (TCP/IPv6),
11430 <span><strong class="command">Unix</strong></span> (Unix Domain), and
11431 <span><strong class="command">FDwatch</strong></span> (sockets opened outside the
11433 In the following table <span><strong class="command"><TYPE></strong></span>
11434 represents a socket type.
11435 Not all counters are available for all socket types;
11436 exceptions are noted in the description field.
11438 <div class="informaltable"><table border="1">
11447 <span class="emphasis"><em>Symbol</em></span>
11452 <span class="emphasis"><em>Description</em></span>
11458 <p><span><strong class="command"><TYPE>Open</strong></span></p>
11462 Sockets opened successfully.
11463 This counter is not applicable to the
11464 <span><strong class="command">FDwatch</strong></span> type.
11470 <p><span><strong class="command"><TYPE>OpenFail</strong></span></p>
11474 Failures of opening sockets.
11475 This counter is not applicable to the
11476 <span><strong class="command">FDwatch</strong></span> type.
11482 <p><span><strong class="command"><TYPE>Close</strong></span></p>
11492 <p><span><strong class="command"><TYPE>BindFail</strong></span></p>
11496 Failures of binding sockets.
11502 <p><span><strong class="command"><TYPE>ConnFail</strong></span></p>
11506 Failures of connecting sockets.
11512 <p><span><strong class="command"><TYPE>Conn</strong></span></p>
11516 Connections established successfully.
11522 <p><span><strong class="command"><TYPE>AcceptFail</strong></span></p>
11526 Failures of accepting incoming connection requests.
11527 This counter is not applicable to the
11528 <span><strong class="command">UDP</strong></span> and
11529 <span><strong class="command">FDwatch</strong></span> types.
11535 <p><span><strong class="command"><TYPE>Accept</strong></span></p>
11539 Incoming connections successfully accepted.
11540 This counter is not applicable to the
11541 <span><strong class="command">UDP</strong></span> and
11542 <span><strong class="command">FDwatch</strong></span> types.
11548 <p><span><strong class="command"><TYPE>SendErr</strong></span></p>
11552 Errors in socket send operations.
11553 This counter corresponds
11554 to <span><strong class="command">SErr</strong></span> counter of
11555 <span><strong class="command">BIND</strong></span> 8.
11561 <p><span><strong class="command"><TYPE>RecvErr</strong></span></p>
11565 Errors in socket receive operations.
11566 This includes errors of send operations on a
11567 connected UDP socket notified by an ICMP error
11575 <div class="sect3" lang="en">
11576 <div class="titlepage"><div><div><h4 class="title">
11577 <a name="id2604339"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
11579 Most statistics counters that were available
11580 in <span><strong class="command">BIND</strong></span> 8 are also supported in
11581 <span><strong class="command">BIND</strong></span> 9 as shown in the above tables.
11582 Here are notes about other counters that do not appear
11585 <div class="variablelist"><dl>
11586 <dt><span class="term"><span><strong class="command">RFwdR,SFwdR</strong></span></span></dt>
11588 These counters are not supported
11589 because <span><strong class="command">BIND</strong></span> 9 does not adopt
11590 the notion of <span class="emphasis"><em>forwarding</em></span>
11591 as <span><strong class="command">BIND</strong></span> 8 did.
11593 <dt><span class="term"><span><strong class="command">RAXFR</strong></span></span></dt>
11595 This counter is accessible in the Incoming Queries section.
11597 <dt><span class="term"><span><strong class="command">RIQ</strong></span></span></dt>
11599 This counter is accessible in the Incoming Requests section.
11601 <dt><span class="term"><span><strong class="command">ROpts</strong></span></span></dt>
11603 This counter is not supported
11604 because <span><strong class="command">BIND</strong></span> 9 does not care
11605 about IP options in the first place.
11612 <div class="navfooter">
11614 <table width="100%" summary="Navigation footer">
11616 <td width="40%" align="left">
11617 <a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
11618 <td width="20%" align="center"> </td>
11619 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
11623 <td width="40%" align="left" valign="top">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver </td>
11624 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
11625 <td width="40%" align="right" valign="top"> Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td>
11629 <p style="text-align: center;">BIND Version 9.9</p>