 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.73.8.1 2008/05/27 22:07:34 each Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 6. BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
<th width="60%" align="center"> </th>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<p><b>Table of Contents</b></p>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573480">Comment Syntax</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574092"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574282"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574711"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574726"><span><strong class="command">include</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574749"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574771"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574930"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575056"><span><strong class="command">logging</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576406"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576480"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576544"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576587"><span><strong class="command">masters</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576602"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585361"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585410"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585490"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586798"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589080">Zone File</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591101">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591653">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591848">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592173"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
<acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
of configuration, such as views. <acronym class="acronym">BIND</acronym>
8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
9, although more complex configurations should be reviewed to check
if they can be more efficiently implemented using the new features
found in <acronym class="acronym">BIND</acronym> 9.
<acronym class="acronym">BIND</acronym> 4 configuration files can be
converted to the new format
using the shell script
<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
<div class="informaltable"><table border="1">
<code class="varname">acl_name</code>
The name of an <code class="varname">address_match_list</code> as
defined by the <span><strong class="command">acl</strong></span> statement.
<code class="varname">address_match_list</code>
A list of one or more
<code class="varname">ip_addr</code>,
<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
or <code class="varname">acl_name</code> elements, see
<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
<code class="varname">masters_list</code>
A named list of one or more <code class="varname">ip_addr</code>
with optional <code class="varname">key_id</code> and/or
<code class="varname">ip_port</code>.
A <code class="varname">masters_list</code> may include other
<code class="varname">masters_lists</code>.
<code class="varname">domain_name</code>
A quoted string which will be used as
a DNS name, for example "<code class="literal">my.test.domain</code>".
<code class="varname">dotted_decimal</code>
One to four integers valued 0 through
255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
<code class="varname">ip4_addr</code>
An IPv4 address with exactly four elements
in <code class="varname">dotted_decimal</code> notation.
<code class="varname">ip6_addr</code>
An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
IPv6 scoped addresses that have ambiguity on their scope
disambiguated by an appropriate zone ID with the percent
It is strongly recommended to use string zone names rather
numeric identifiers, in order to be robust against system
configuration changes.
However, since there is no standard mapping for such names
identifier values, currently only interface names as link
are supported, assuming one-to-one mapping between
interfaces and links.
For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
link attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
Note that on most systems link-local addresses always have
ambiguity, and need to be disambiguated.
<code class="varname">ip_addr</code>
An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
<code class="varname">ip_port</code>
An IP port <code class="varname">number</code>.
The <code class="varname">number</code> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
In some cases, an asterisk (`*') character can be used as a
select a random high-numbered port.
<code class="varname">ip_prefix</code>
An IP network specified as an <code class="varname">ip_addr</code>,
followed by a slash (`/') and then the number of bits in the
Trailing zeros in an <code class="varname">ip_addr</code>
For example, <span><strong class="command">127/8</strong></span> is the
network <span><strong class="command">127.0.0.0</strong></span> with
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
<code class="varname">key_id</code>
A <code class="varname">domain_name</code> representing
the name of a shared key, to be used for transaction
<code class="varname">key_list</code>
A list of one or more
<code class="varname">key_id</code>s,
separated by semicolons and ending with a semicolon.
<code class="varname">number</code>
A non-negative 32-bit integer
(i.e., a number between 0 and 4294967295, inclusive).
Its acceptable value might further
be limited by the context in which it is used.
<code class="varname">path_name</code>
A quoted string which will be used as
a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
<code class="varname">size_spec</code>
A number, the word <strong class="userinput"><code>unlimited</code></strong>,
or the word <strong class="userinput"><code>default</code></strong>.
An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
the limit that was in force when the server was started.
A <code class="varname">number</code> can optionally be
followed by a scaling factor:
<strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
<strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
which scale by 1024, 1024*1024, and 1024*1024*1024
The value must be representable as a 64-bit unsigned integer
(0 to 18446744073709551615, inclusive).
Using <code class="varname">unlimited</code> is the best
to safely set a really large number.
<code class="varname">yes_or_no</code>
Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
and <strong class="userinput"><code>0</code></strong>.
<code class="varname">dialup_option</code>
One of <strong class="userinput"><code>yes</code></strong>,
<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
<strong class="userinput"><code>passive</code></strong>.
When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
are restricted to slave and stub zones.
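<p>The <code class="varname">size_spec</code> rules from the table above (the K/M/G scaling factors, the words <code>unlimited</code> and <code>default</code>, and the 64-bit bound) worked through as a small parser. This is an added example, not code from the BIND 9 ARM or from ISC; the names <code>parse_size_spec</code>, <code>effective_limit</code> and <code>is_valid_size_spec</code> are this example's own, and applying the 64-bit bound to the value after scaling is this example's reading of the rule.</p>

```python
"""Parse a BIND 9 size_spec (added example, not ISC code).

A size_spec is a number with an optional K/M/G scaling factor, the word
'unlimited', or the word 'default'. The value must fit in a 64-bit
unsigned integer; the chapter's advice is to write 'unlimited' rather
than trying to spell out a very large number.
"""
import re

SCALE = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
UINT64_MAX = 18446744073709551615  # 2**64 - 1, the bound the table states
UNLIMITED = "unlimited"
DEFAULT = "default"


def parse_size_spec(text):
    """Return an int (bytes) for a number, or the string 'unlimited' or
    'default'. Anything else raises ValueError, as a config parser would."""
    spec = text.strip()
    if spec in (UNLIMITED, DEFAULT):
        return spec
    scale = 1
    if spec and spec[-1].lower() in SCALE:
        scale = SCALE[spec[-1].lower()]
        spec = spec[:-1]
    # Only a plain non-negative decimal number may precede the suffix;
    # '1.5M', '-1' and '1 M' are all rejected.
    if not re.fullmatch(r"[0-9]+", spec):
        raise ValueError("not a size_spec: %r" % text)
    value = int(spec) * scale
    if value > UINT64_MAX:
        # Assumption made in this example: the bound applies after scaling.
        raise ValueError("%r does not fit in 64 bits; use 'unlimited'" % text)
    return value


def is_valid_size_spec(text):
    """True when parse_size_spec accepts the text."""
    try:
        parse_size_spec(text)
    except ValueError:
        return False
    return True


def effective_limit(text, limit_at_startup):
    """Resolve a size_spec against the limit in force when the server
    started: 'default' keeps that limit, 'unlimited' is returned as None
    (no limit, or whatever maximum the system allows)."""
    parsed = parse_size_spec(text)
    if parsed == DEFAULT:
        return limit_at_startup
    if parsed == UNLIMITED:
        return None
    return parsed


if __name__ == "__main__":
    for sample in ("512k", "2M", "1g", "unlimited", "default", "1.5M"):
        if is_valid_size_spec(sample):
            print("%-10s -> %r" % (sample, effective_limit(sample, 8388608)))
        else:
            print("%-10s -> rejected" % sample)
```

<p>The check that matters operationally is the last one: a value that overflows is rejected outright instead of silently wrapping, which is why the table steers administrators to <code>unlimited</code> for "as large as possible".</p>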
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573277"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
key key_id | acl_name | { address_match_list } )
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573305"></a>Definition and Usage</h4></div></div></div>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
statements. The elements
which constitute an address match list can be any of the
<div class="itemizedlist"><ul type="disc">
<li>an IP address (IPv4 or IPv6)</li>
<li>an IP prefix (in `/' notation)</li>
a key ID, as defined by the <span><strong class="command">key</strong></span>
<li>the name of an address match list defined with
the <span><strong class="command">acl</strong></span> statement
<li>a nested address match list enclosed in braces</li>
Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
are predefined. More information on those names can be found in
the description of the acl statement.
The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
the term "address match list" is still used throughout the
When a given IP address or prefix is compared to an address
match list, the list is traversed in order until an element
The interpretation of a match depends on whether the list is being
for access control, defining listen-on ports, or in a sortlist,
and whether the element was negated.
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-query</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>, and
<span><strong class="command">blackhole</strong></span> all use address match
lists. Similarly, the listen-on option will cause the
server to not accept queries on any of the machine's
addresses which do not match the list.
Because of the first-match aspect of the algorithm, an element
that defines a subset of another element in the list should come
before the broader element, regardless of whether either is
<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
completely useless because the algorithm will match any lookup for
1.2.3.13 to the 1.2.3/24 element.
Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
that problem by having 1.2.3.13 blocked by the negation but all
other 1.2.3.* hosts fall through.
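<p>The first-match rule, negation, nested lists and the ordering pitfall described above, as a runnable evaluator that also accepts the short prefix forms (<code>127/8</code>, <code>1.2.3/24</code>) from the element table. This is an added example, not code from the BIND 9 ARM or from ISC; the functions <code>parse</code>, <code>match</code> and <code>allowed</code> are this example's own, the addresses behind <code>localhost</code> and <code>localnets</code> are constructed sample data, and treating a negated match inside a nested list or named ACL as "no match" at the outer level is a semantic choice made here rather than something the text spells out.</p>

```python
"""Evaluate an address_match_list with the first-match rule this section
describes. Added example, not code from the BIND 9 ARM or from ISC.

Elements: an address, a prefix (short forms such as 127/8 are padded with
trailing zeros), 'key key_id', a named ACL, or a nested list in braces;
a leading '!' negates. 'any' and 'none' are exact; the addresses behind
'localhost' and 'localnets' are constructed sample data.
"""
import ipaddress
import re

TOKEN_RE = re.compile(r"\{|\}|;|!|[^\s{};!]+")

def parse_prefix(text):
    """ip_addr or ip_prefix -> ip_network; '127/8' means 127.0.0.0/8."""
    addr, _, length = text.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        if not 1 <= len(octets) <= 4:
            raise ValueError("bad dotted_decimal: %r" % text)
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    if not length:
        return ipaddress.ip_network(addr)
    return ipaddress.ip_network("%s/%s" % (addr, length), strict=False)

def parse(text):
    """Parse 'element; element; ...' into (negated, kind, value) tuples."""
    tokens = TOKEN_RE.findall(text)
    elements, pos = _parse_list(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unexpected '}'")
    return elements

def _parse_list(tokens, pos):
    elements = []
    while pos < len(tokens) and tokens[pos] != "}":
        negated = tokens[pos] == "!"
        if negated:
            pos += 1
        tok = tokens[pos]                      # IndexError on a dangling '!'
        if tok == "{":                         # nested address_match_list
            inner, pos = _parse_list(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != "}":
                raise ValueError("unbalanced braces")
            elements.append((negated, "list", inner))
        elif tok == "key":                     # key key_id
            elements.append((negated, "key", tokens[pos + 1].strip('"')))
            pos += 1
        elif tok[0].isdigit() or ":" in tok:   # ip_addr or ip_prefix
            elements.append((negated, "net", parse_prefix(tok)))
        else:                                  # acl_name
            elements.append((negated, "acl", tok))
        pos += 1
        if pos >= len(tokens) or tokens[pos] != ";":
            raise ValueError("every element must end with ';'")
        pos += 1
    return elements, pos

# Built-in ACLs; 'localhost'/'localnets' hold constructed sample addresses.
BUILTIN_ACLS = {
    "any": parse("0.0.0.0/0; ::/0;"),
    "none": parse(""),
    "localhost": parse("127.0.0.1; ::1; 192.0.2.10;"),
    "localnets": parse("127/8; ::1; 192.0.2.0/24;"),
}

def match(elements, addr, acls, key_id=None):
    """True for a non-negated match, False for a negated one, None when
    nothing matches. A negated match inside a nested list or named ACL
    counts as no match here (this example's choice), so double negation
    never turns into a surprise positive match."""
    for negated, kind, value in elements:
        if kind == "net":
            hit = addr.version == value.version and addr in value
        elif kind == "key":
            hit = key_id is not None and key_id == value
        elif kind == "acl":                    # KeyError if never defined
            hit = match(acls[value], addr, acls, key_id) is True
        else:
            hit = match(value, addr, acls, key_id) is True
        if hit:
            return not negated
    return None

def allowed(list_text, addr_text, acls=None, key_id=None):
    """Access-control reading: a non-negated match allows, a negated match
    denies, no match denies. Extra ACLs are given as {name: list text}."""
    table = dict(BUILTIN_ACLS)
    for name, body in (acls or {}).items():
        table[name] = parse(body)
    addr = ipaddress.ip_address(addr_text)
    return match(parse(list_text), addr, table, key_id) is True

if __name__ == "__main__":
    # The ordering pitfall from the text: the subset must come first.
    for text in ("1.2.3/24; !1.2.3.13;", "!1.2.3.13; 1.2.3/24;"):
        print("%-22s 1.2.3.13 -> %-5s 1.2.3.7 -> %s" % (
            text, allowed(text, "1.2.3.13"), allowed(text, "1.2.3.7")))
```

<p>Run as a script, the two lists from the text give different answers for 1.2.3.13: with the prefix first the host is allowed, with the negated host first it is denied, while 1.2.3.7 is allowed either way. The same <code>allowed</code> call serves an <code>allow-query</code> style check and a <code>controls</code> <code>allow</code> list alike; for the latter, pass no <code>key_id</code>, since the controls section says key elements in that list are ignored.</p>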
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573480"></a>Comment Syntax</h3></div></div></div>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
file. To appeal to programmers of all kinds, they can be written
in the C, C++, or shell/perl style.
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573495"></a>Syntax</h4></div></div></div>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2573525"></a>Definition and Usage</h4></div></div></div>
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
C-style comments start with the two characters /* (slash,
star) and end with */ (star, slash). Because they are completely
delimited with these characters, they can be used to comment only
a portion of a line or to span multiple lines.
C-style comments cannot be nested. For example, the following
is not valid because the entire comment ends with the first */:
<pre class="programlisting">/* This is the start of a comment.
This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
This is no longer in any comment. */
C++-style comments start with the two characters // (slash,
slash) and continue to the end of the physical line. They cannot
be continued across multiple physical lines; to have one logical
comment span multiple lines, each line must use the // pair.
<pre class="programlisting">// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
Shell-style (or perl-style, if you prefer) comments start
with the character <code class="literal">#</code> (number sign)
and continue to the end of the
physical line, as in C++ comments.
<pre class="programlisting"># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
You cannot use the semicolon (`;') character
to start a comment such as you would in a zone file. The
semicolon indicates the end of a configuration
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
A <acronym class="acronym">BIND</acronym> 9 configuration consists of
statements and comments.
Statements end with a semicolon. Statements and comments are the
only elements that can appear without enclosing braces. Many
statements contain a block of sub-statements, which are also
terminated with a semicolon.
The following statements are supported:
<div class="informaltable"><table border="1">
<p><span><strong class="command">acl</strong></span></p>
defines a named IP address
matching list, for access control and other uses.
<p><span><strong class="command">controls</strong></span></p>
declares control channels to be used
by the <span><strong class="command">rndc</strong></span> utility.
<p><span><strong class="command">include</strong></span></p>
<p><span><strong class="command">key</strong></span></p>
specifies key information for use in
authentication and authorization using TSIG.
<p><span><strong class="command">logging</strong></span></p>
specifies what the server logs, and where
the log messages are sent.
<p><span><strong class="command">lwres</strong></span></p>
configures <span><strong class="command">named</strong></span> to
also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
<p><span><strong class="command">masters</strong></span></p>
defines a named masters list for
inclusion in stub and slave zone masters clauses.
<p><span><strong class="command">options</strong></span></p>
controls global server configuration
options and sets defaults for other statements.
<p><span><strong class="command">server</strong></span></p>
sets certain configuration options on
<p><span><strong class="command">trusted-keys</strong></span></p>
defines trusted DNSSEC keys.
<p><span><strong class="command">view</strong></span></p>
<p><span><strong class="command">zone</strong></span></p>
The <span><strong class="command">logging</strong></span> and
<span><strong class="command">options</strong></span> statements may only occur once
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574092"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
Usage</h3></div></div></div>
The <span><strong class="command">acl</strong></span> statement assigns a symbolic
name to an address match list. It gets its name from a primary
use of address match lists: Access Control Lists (ACLs).
Note that an address match list's name must be defined
with <span><strong class="command">acl</strong></span> before it can be used
forward references are allowed.
The following ACLs are built-in:
<div class="informaltable"><table border="1">
<p><span><strong class="command">any</strong></span></p>
<p><span><strong class="command">none</strong></span></p>
<p><span><strong class="command">localhost</strong></span></p>
Matches the IPv4 and IPv6 addresses of all network
interfaces on the system.
<p><span><strong class="command">localnets</strong></span></p>
Matches any host on an IPv4 or IPv6 network
for which the system has an interface.
Some systems do not provide a way to determine the prefix
local IPv6 addresses.
In such a case, <span><strong class="command">localnets</strong></span>
only matches the local
IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574282"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
<pre class="programlisting"><span><strong class="command">controls</strong></span> {
[ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
keys { <em class="replaceable"><code>key_list</code></em> }; ]
[ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ]
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
Usage</h3></div></div></div>
The <span><strong class="command">controls</strong></span> statement declares control
channels to be used by system administrators to control the
operation of the name server. These control channels are
used by the <span><strong class="command">rndc</strong></span> utility to send
commands to and retrieve non-DNS results from a name server.
An <span><strong class="command">inet</strong></span> control channel is a TCP socket
listening at the specified <span><strong class="command">ip_port</strong></span> on the
specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
interpreted as the IPv4 wildcard address; connections will be
accepted on any of the system's IPv4 addresses.
To listen on the IPv6 wildcard address,
use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
If you will only use <span><strong class="command">rndc</strong></span> on the local host,
using the loopback address (<code class="literal">127.0.0.1</code>
or <code class="literal">::1</code>) is recommended for maximum security.
If no port is specified, port 953 is used. The asterisk
"<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
The ability to issue commands over the control channel is
restricted by the <span><strong class="command">allow</strong></span> and
<span><strong class="command">keys</strong></span> clauses.
Connections to the control channel are permitted based on the
<span><strong class="command">address_match_list</strong></span>. This is for simple
IP address based filtering only; any <span><strong class="command">key_id</strong></span>
elements of the <span><strong class="command">address_match_list</strong></span>
A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
socket listening at the specified path in the file system.
Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
<span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
Note that on some platforms (SunOS and Solaris) the permissions
(<span><strong class="command">perm</strong></span>) are applied to the parent directory,
as the permissions on the socket itself are ignored.
The primary authorization mechanism of the command
channel is the <span><strong class="command">key_list</strong></span>, which
contains a list of <span><strong class="command">key_id</strong></span>s.
Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
is authorized to execute commands over the control channel.
See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
for information about configuring keys in <span><strong class="command">rndc</strong></span>.
If no <span><strong class="command">controls</strong></span> statement is present,
<span><strong class="command">named</strong></span> will set up a default
control channel listening on the loopback address 127.0.0.1
and its IPv6 counterpart ::1.
In this case, and also when the <span><strong class="command">controls</strong></span> statement
is present but does not have a <span><strong class="command">keys</strong></span> clause,
<span><strong class="command">named</strong></span> will attempt to load the command channel key
from the file <code class="filename">rndc.key</code> in
<code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
was specified as when <acronym class="acronym">BIND</acronym> was built).
To create a <code class="filename">rndc.key</code> file, run
<strong class="userinput"><code>rndc-confgen -a</code></strong>.
The <code class="filename">rndc.key</code> feature was created to
ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
which did not have digital signatures on its command channel
messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
and still have <span><strong class="command">rndc</strong></span> work the same way
<span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
Since the <code class="filename">rndc.key</code> feature
is only intended to allow the backward-compatible usage of
<acronym class="acronym">BIND</acronym> 8 configuration files, this
have a high degree of configurability. You cannot easily change
the key name or the size of the secret, so you should make a
<code class="filename">rndc.conf</code> with your own key if you
those things. The <code class="filename">rndc.key</code> file
permissions set such that only the owner of the file (the user that
<span><strong class="command">named</strong></span> is running as) can access it.
desire greater flexibility in allowing other users to access
<span><strong class="command">rndc</strong></span> commands, then you need to create
<code class="filename">rndc.conf</code> file and make it group
that contains the users who should have access.
To disable the command channel, use an empty
<span><strong class="command">controls</strong></span> statement:
<span><strong class="command">controls { };</strong></span>.
980 <div class="sect2" lang="en">
981 <div class="titlepage"><div><div><h3 class="title">
982 <a name="id2574711"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
983 <pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
985 <div class="sect2" lang="en">
986 <div class="titlepage"><div><div><h3 class="title">
987 <a name="id2574726"></a><span><strong class="command">include</strong></span> Statement Definition and
988 Usage</h3></div></div></div>
990 The <span><strong class="command">include</strong></span> statement inserts the
991 specified file at the point where the <span><strong class="command">include</strong></span>
992 statement is encountered. The <span><strong class="command">include</strong></span>
993 statement facilitates the administration of configuration
995 by permitting the reading or writing of some things but not
996 others. For example, the statement could include private keys
997 that are readable only by the name server.
1000 <div class="sect2" lang="en">
1001 <div class="titlepage"><div><div><h3 class="title">
1002 <a name="id2574749"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
1003 <pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
1004 algorithm <em class="replaceable"><code>string</code></em>;
1005 secret <em class="replaceable"><code>string</code></em>;
1009 <div class="sect2" lang="en">
1010 <div class="titlepage"><div><div><h3 class="title">
1011 <a name="id2574771"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
1013 The <span><strong class="command">key</strong></span> statement defines a shared
1014 secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
1015 or the command channel
1016 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
1017 Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
1021 The <span><strong class="command">key</strong></span> statement can occur at the
1023 of the configuration file or inside a <span><strong class="command">view</strong></span>
1024 statement. Keys defined in top-level <span><strong class="command">key</strong></span>
1025 statements can be used in all views. Keys intended for use in
1026 a <span><strong class="command">controls</strong></span> statement
1027 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
1028 Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
1030 must be defined at the top level.
1033 The <em class="replaceable"><code>key_id</code></em>, also known as the
1034 key name, is a domain name uniquely identifying the key. It can
1035 be used in a <span><strong class="command">server</strong></span>
1036 statement to cause requests sent to that
1037 server to be signed with this key, or in address match lists to
1038 verify that incoming requests have been signed with a key
1039 matching this name, algorithm, and secret.
1042 The <em class="replaceable"><code>algorithm_id</code></em> is a string
1043 that specifies a security/authentication algorithm. Named
1044 supports <code class="literal">hmac-md5</code>,
1045 <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
1046 <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
1047 and <code class="literal">hmac-sha512</code> TSIG authentication.
1048 Truncated hashes are supported by appending the minimum
1049 number of required bits preceded by a dash, e.g.
1050 <code class="literal">hmac-sha1-80</code>. The
1051 <em class="replaceable"><code>secret_string</code></em> is the secret
1052 to be used by the algorithm, and is treated as a base-64
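<p>As an added example (not part of the ARM or of BIND's own code), the following Python parses a key statement in the grammar above, applies the algorithm and truncation rules just described, and verifies a truncated HMAC with a constant-time comparison. The key statement and secret are constructed for this example, the truncation floor (a multiple of 8 bits, at least half the digest and never below 80 bits) follows RFC 4635, and the MAC here covers only the caller-supplied bytes, not the full TSIG signing data.</p>

```python
import base64
import hashlib
import hmac
import re

# The algorithm names the key statement accepts, mapped to hashlib constructors.
ALGORITHMS = {
    "hmac-md5": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}

# Constructed sample in the key statement grammar; the secret is a throwaway
# value for this example ("secretsecret" in base-64), not a real key.
SAMPLE_KEY_STATEMENT = '''
key "example-key" {
    algorithm hmac-sha256-128;
    secret "c2VjcmV0c2VjcmV0";
};
'''

_KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{'
    r'\s*algorithm\s+(?P<alg>[A-Za-z0-9-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]*)"\s*;'
    r'\s*\}\s*;'
)


def parse_algorithm(alg_id):
    """Split an algorithm id such as 'hmac-sha1-80' into (hash constructor,
    MAC length in bits). Without a '-bits' suffix the full digest is used.
    Truncation floor (RFC 4635): a multiple of 8 bits, at least half the
    digest length and never below 80 bits."""
    alg_id = alg_id.lower()
    base, bits = alg_id, None
    m = re.fullmatch(r"(hmac-[a-z0-9]+)-(\d+)", alg_id)
    if m:
        base, bits = m.group(1), int(m.group(2))
    if base not in ALGORITHMS:
        raise ValueError("unsupported algorithm: %s" % alg_id)
    ctor = ALGORITHMS[base]
    full_bits = ctor().digest_size * 8
    if bits is None:
        bits = full_bits
    if bits % 8 or bits > full_bits or bits < max(80, full_bits // 2):
        raise ValueError("invalid MAC truncation for %s: %d bits" % (base, bits))
    return ctor, bits


def parse_key_statement(text):
    """Parse one key statement into a dict; rejects unknown algorithms and
    secrets that are not valid base-64 (the secret is base-64 encoded)."""
    m = _KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    ctor, bits = parse_algorithm(m.group("alg"))
    try:
        secret = base64.b64decode(m.group("secret"), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("secret is not valid base-64") from exc
    return {
        "name": m.group("name").rstrip(".").lower(),  # key names are domain names
        "hash": ctor,
        "mac_bits": bits,
        "secret": secret,
    }


def compute_mac(key, data):
    """HMAC over `data`, truncated to the key's MAC length. A real TSIG MAC
    covers the DNS message plus the TSIG variables (key name, algorithm,
    time signed, fudge, ...); here `data` is whatever bytes the caller passes."""
    full = hmac.new(key["secret"], data, key["hash"]).digest()
    return full[: key["mac_bits"] // 8]


def verify_mac(key, data, received):
    """Verify a received MAC: the length must match the configured truncation
    exactly, and the comparison is constant-time."""
    if len(received) != key["mac_bits"] // 8:
        return False
    return hmac.compare_digest(compute_mac(key, data), received)
```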
1056 <div class="sect2" lang="en">
1057 <div class="titlepage"><div><div><h3 class="title">
1058 <a name="id2574930"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
1059 <pre class="programlisting"><span><strong class="command">logging</strong></span> {
1060 [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
1061 ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
1062 [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
1063 [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
1064 | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
1065 | <span><strong class="command">stderr</strong></span>
1066 | <span><strong class="command">null</strong></span> );
1067 [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
1068 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
1069 [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
1070 [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
1071 [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
1073 [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
1074 <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
1080 <div class="sect2" lang="en">
1081 <div class="titlepage"><div><div><h3 class="title">
1082 <a name="id2575056"></a><span><strong class="command">logging</strong></span> Statement Definition and
1083 Usage</h3></div></div></div>
1085 The <span><strong class="command">logging</strong></span> statement configures a
1087 variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
1088 associates output methods, format options and severity levels with
1089 a name that can then be used with the <span><strong class="command">category</strong></span> phrase
1090 to select how various classes of messages are logged.
1093 Only one <span><strong class="command">logging</strong></span> statement is used to
1095 as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
1096 the logging configuration will be:
1098 <pre class="programlisting">logging {
1099 category default { default_syslog; default_debug; };
1100 category unmatched { null; };
1104 In <acronym class="acronym">BIND</acronym> 9, the logging configuration
1105 is only established when
1106 the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
1107 established as soon as the <span><strong class="command">logging</strong></span>
1109 was parsed. When the server is starting up, all logging messages
1110 regarding syntax errors in the configuration file go to the default
1111 channels, or to standard error if the "<code class="option">-g</code>" option
1114 <div class="sect3" lang="en">
1115 <div class="titlepage"><div><div><h4 class="title">
1116 <a name="id2575108"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
1118 All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
1119 you can make as many of them as you want.
1122 Every channel definition must include a destination clause that
1123 says whether messages selected for the channel go to a file, to a
1124 particular syslog facility, to the standard error stream, or are
1125 discarded. It can optionally also limit the message severity level
1126 that will be accepted by the channel (the default is
1127 <span><strong class="command">info</strong></span>), and whether to include a
1128 <span><strong class="command">named</strong></span>-generated time stamp, the
1130 and/or severity level (the default is not to include any).
1133 The <span><strong class="command">null</strong></span> destination clause
1134 causes all messages sent to the channel to be discarded;
1135 in that case, other options for the channel are meaningless.
1138 The <span><strong class="command">file</strong></span> destination clause directs
1140 to a disk file. It can include limitations
1141 both on how large the file is allowed to become, and how many
1143 of the file will be saved each time the file is opened.
1146 If you use the <span><strong class="command">versions</strong></span> log file
1148 <span><strong class="command">named</strong></span> will retain that many backup
1149 versions of the file by
1150 renaming them when opening. For example, if you choose to keep
1152 of the file <code class="filename">lamers.log</code>, then just
1154 <code class="filename">lamers.log.1</code> is renamed to
1155 <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
1156 to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
1157 renamed to <code class="filename">lamers.log.0</code>.
1158 You can say <span><strong class="command">versions unlimited</strong></span> to
1160 the number of versions.
1161 If a <span><strong class="command">size</strong></span> option is associated with
1163 then renaming is only done when the file being opened exceeds the
1164 indicated size. No backup versions are kept by default; any
1166 log file is simply appended.
1169 The <span><strong class="command">size</strong></span> option for files is used
1171 growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
1172 stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
1173 associated with it. If backup versions are kept, the files are
1175 described above and a new one begun. If there is no
1176 <span><strong class="command">versions</strong></span> option, no more data will
1177 be written to the log
1178 until some out-of-band mechanism removes or truncates the log to
1180 maximum size. The default behavior is not to limit the size of
1185 Example usage of the <span><strong class="command">size</strong></span> and
1186 <span><strong class="command">versions</strong></span> options:
1188 <pre class="programlisting">channel an_example_channel {
1189 file "example.log" versions 3 size 20m;
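<p>To make the rotation rules concrete, here is an added Python model (not BIND code) of what <span><strong class="command">named</strong></span> does when it opens a <span><strong class="command">file</strong></span> channel with the <span><strong class="command">versions</strong></span> and <span><strong class="command">size</strong></span> options described above. The directory snapshot and file names are constructed; <code class="literal">parse_size</code> accepts the k/m/g suffixes used in size specs such as <code class="literal">20m</code>.</p>

```python
import re

# Size specs such as "20m": a number with an optional k, m or g suffix
# (powers of 1024), as in named.conf.
_SIZE_RE = re.compile(r"^(\d+)([kmgKMG]?)$")
_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(spec):
    m = _SIZE_RE.match(spec.strip())
    if not m:
        raise ValueError("bad size spec: %r" % spec)
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def rotation_plan(existing, path, versions=None, size_limit=None, current_size=0):
    """Model what named does when it opens the log file `path`.

    existing:     names present in the log directory (a constructed snapshot)
    versions:     None (no versions option), a positive int, or "unlimited"
    size_limit:   bytes, or None when the channel has no size option
    current_size: size of `path` in bytes at open time

    Returns (renames, writable): the ordered list of (old, new) renames that
    are performed, and whether named will write to `path` afterwards.
    """
    if isinstance(versions, int) and versions < 1:
        raise ValueError("versions must be a positive number or 'unlimited'")
    over_limit = size_limit is not None and current_size > size_limit
    if versions is None:
        # No backups are kept: the file is appended to, unless a size limit
        # exists and is exceeded, in which case named stops writing to it.
        return [], not over_limit
    if size_limit is not None and not over_limit:
        # With a size option, renaming only happens once the file is over the limit.
        return [], True
    if path not in existing:
        return [], True
    # Count the backups already present: path.0, path.1, ...
    n = 0
    while "%s.%d" % (path, n) in existing:
        n += 1
    if versions == "unlimited":
        top = n - 1                 # every backup moves up one slot
    else:
        top = min(n, versions) - 2  # slot versions-1 is the oldest kept; it is overwritten
    renames = [("%s.%d" % (path, i), "%s.%d" % (path, i + 1))
               for i in range(top, -1, -1)]
    renames.append((path, path + ".0"))
    return renames, True


def apply_plan(existing, renames):
    """Apply the renames to the snapshot; an overwritten target simply disappears."""
    files = set(existing)
    for old, new in renames:
        files.discard(old)
        files.add(new)
    return files
```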
1195 The <span><strong class="command">syslog</strong></span> destination clause
1197 channel to the system log. Its argument is a
1198 syslog facility as described in the <span><strong class="command">syslog</strong></span> man
1199 page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
1200 <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
1201 <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
1202 <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
1203 <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
1204 <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
1205 <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
1206 <span><strong class="command">local7</strong></span>, however not all facilities
1208 all operating systems.
1209 How <span><strong class="command">syslog</strong></span> will handle messages
1211 this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
1212 page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
1213 only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
1214 then this clause is silently ignored.
1217 The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
1218 "priorities", except that they can also be used if you are writing
1219 straight to a file rather than using <span><strong class="command">syslog</strong></span>.
1220 Messages which are not at least of the severity level given will
1221 not be selected for the channel; messages of higher severity
1226 If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
1227 will also determine what eventually passes through. For example,
1228 defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
1229 only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
1230 cause messages of severity <span><strong class="command">info</strong></span> and
1231 <span><strong class="command">notice</strong></span> to
1232 be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
1233 messages of only <span><strong class="command">warning</strong></span> or higher,
1234 then <span><strong class="command">syslogd</strong></span> would
1235 print all messages it received from the channel.
1238 The <span><strong class="command">stderr</strong></span> destination clause
1240 channel to the server's standard error stream. This is intended
1242 use when the server is running as a foreground process, for
1244 when debugging a configuration.
1247 The server can supply extensive debugging information when
1248 it is in debugging mode. If the server's global debug level is
1250 than zero, then debugging mode will be active. The global debug
1251 level is set either by starting the <span><strong class="command">named</strong></span> server
1252 with the <code class="option">-d</code> flag followed by a positive integer,
1253 or by running <span><strong class="command">rndc trace</strong></span>.
1254 The global debug level
1255 can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
1256 notrace</strong></span>. All debugging messages in the server have a debug
1257 level, and higher debug levels give more detailed output. Channels
1258 that specify a specific debug severity, for example:
1260 <pre class="programlisting">channel specific_debug_level {
1266 will get debugging output of level 3 or less any time the
1267 server is in debugging mode, regardless of the global debugging
1268 level. Channels with <span><strong class="command">dynamic</strong></span>
1270 server's global debug level to determine what messages to print.
1273 If <span><strong class="command">print-time</strong></span> has been turned on,
1275 the date and time will be logged. <span><strong class="command">print-time</strong></span> may
1276 be specified for a <span><strong class="command">syslog</strong></span> channel,
1278 pointless since <span><strong class="command">syslog</strong></span> also prints
1280 time. If <span><strong class="command">print-category</strong></span> is
1282 category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
1283 on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
1284 be used in any combination, and will always be printed in the
1286 order: time, category, severity. Here is an example where all
1287 three <span><strong class="command">print-</strong></span> options
1291 <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
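<p>The following added Python (not part of the ARM or of BIND) models the two selection stages described above, the channel's <span><strong class="command">severity</strong></span> clause and then the <span><strong class="command">syslog.conf</strong></span> priority, together with the fixed time, category, severity order of the <span><strong class="command">print-</strong></span> options. The message is constructed from the example line above; a bare <code class="literal">debug</code> severity is assumed to mean debug level 1, and the rendering of debug severities as <code class="literal">debug N</code> is an assumption as well.</p>

```python
# Severity names from the channel grammar, most to least severe.
LEVELS = {"critical": 0, "error": 1, "warning": 2, "notice": 3, "info": 4, "debug": 5}

# Constructed sample message matching the print- example.
SAMPLE_MESSAGE = {
    "time": "28-Feb-2000 15:05:32.863",
    "category": "general",
    "severity": "notice",
    "text": "running",
}


def _normalize(severity):
    """A severity is a LEVELS name or ("debug", n). Plain "debug" is taken
    as debug level 1 (assumed default when no level is given)."""
    if severity == "debug":
        return ("debug", 1)
    if isinstance(severity, tuple) or severity in LEVELS:
        return severity
    raise ValueError("unknown severity: %r" % (severity,))


def channel_accepts(channel_severity, msg_severity, global_debug_level=0):
    """Does a channel with 'severity <channel_severity>' select this message?
    channel_severity may also be "dynamic". The default threshold is info."""
    msg = _normalize(msg_severity)
    if isinstance(msg, tuple):
        # Debugging messages exist only while the server is in debugging mode.
        if global_debug_level <= 0:
            return False
        if channel_severity == "dynamic":
            return msg[1] <= global_debug_level  # follows the global level
        chan = _normalize(channel_severity)
        # A fixed "debug N" channel takes level N or less regardless of the global level.
        return isinstance(chan, tuple) and msg[1] <= chan[1]
    # Non-debug message: accepted when at least as severe as the threshold;
    # a debug or dynamic threshold accepts every non-debug message.
    if channel_severity == "dynamic":
        return True
    chan = _normalize(channel_severity)
    threshold = LEVELS["debug"] if isinstance(chan, tuple) else LEVELS[chan]
    return LEVELS[msg] <= threshold


def syslog_passes(conf_priority, msg_severity):
    """Second filter for syslog channels: a syslog.conf selector such as
    daemon.warning passes messages at that priority or more severe."""
    msg = _normalize(msg_severity)
    rank = LEVELS["debug"] if isinstance(msg, tuple) else LEVELS[msg]
    return rank <= LEVELS[conf_priority]


def format_line(msg, print_time=False, print_category=False, print_severity=False):
    """Render a message with the print- options; whichever are enabled always
    appear in the order time, category, severity."""
    sev = _normalize(msg["severity"])
    parts = []
    if print_time:
        parts.append(msg["time"])
    if print_category:
        parts.append(msg["category"] + ":")
    if print_severity:
        parts.append(("debug %d" % sev[1] if isinstance(sev, tuple) else sev) + ":")
    parts.append(msg["text"])
    return " ".join(parts)


def deliver_via_syslog(msg, channel_severity, conf_priority, global_debug_level=0, **print_opts):
    """Run a message through a syslog channel and then syslog.conf; returns
    the line syslogd would record, or None when either stage drops it."""
    if not channel_accepts(channel_severity, msg["severity"], global_debug_level):
        return None
    if not syslog_passes(conf_priority, msg["severity"]):
        return None
    return format_line(msg, **print_opts)
```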
1294 There are four predefined channels that are used for
1295 <span><strong class="command">named</strong></span>'s default logging as follows.
1297 used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
1299 <pre class="programlisting">channel default_syslog {
1300 syslog daemon; // send to syslog's daemon
1302 severity info; // only send priority info
1306 channel default_debug {
1307 file "named.run"; // write to named.run in
1308 // the working directory
1309 // Note: stderr is used instead
1311 // if the server is started
1312 // with the '-f' option.
1313 severity dynamic; // log at the server's
1314 // current debug level
1317 channel default_stderr {
1318 stderr; // writes to stderr
1319 severity info; // only send priority info
1324 null; // toss anything sent to
1329 The <span><strong class="command">default_debug</strong></span> channel has the
1331 property that it only produces output when the server's debug
1333 nonzero. It normally writes to a file called <code class="filename">named.run</code>
1334 in the server's working directory.
1337 For security reasons, when the "<code class="option">-u</code>"
1338 command line option is used, the <code class="filename">named.run</code> file
1339 is created only after <span><strong class="command">named</strong></span> has
1341 new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
1342 starting up and still running as root is discarded. If you need
1343 to capture this output, you must run the server with the "<code class="option">-g</code>"
1344 option and redirect standard error to a file.
1347 Once a channel is defined, it cannot be redefined. Thus you
1348 cannot alter the built-in channels directly, but you can modify
1349 the default logging by pointing categories at channels you have
1353 <div class="sect3" lang="en">
1354 <div class="titlepage"><div><div><h4 class="title">
1355 <a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
1357 There are many categories, so you can send the logs you want
1358 to see wherever you want, without seeing logs you don't want. If
1359 you don't specify a list of channels for a category, then log
1361 in that category will be sent to the <span><strong class="command">default</strong></span> category
1362 instead. If you don't specify a default category, the following
1363 "default default" is used:
1365 <pre class="programlisting">category default { default_syslog; default_debug; };
1368 As an example, let's say you want to log security events to
1369 a file, but you also want to keep the default logging behavior. You'd
1370 specify the following:
1372 <pre class="programlisting">channel my_security_channel {
1373 file "my_security_file";
1377 my_security_channel;
1382 To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
1384 <pre class="programlisting">category xfer-out { null; };
1385 category notify { null; };
1388 Following are the available categories and brief descriptions
1389 of the types of log information they contain. More
1390 categories may be added in future <acronym class="acronym">BIND</acronym> releases.
1392 <div class="informaltable"><table border="1">
1400 <p><span><strong class="command">default</strong></span></p>
1404 The default category defines the logging
1405 options for those categories where no specific
1406 configuration has been
1413 <p><span><strong class="command">general</strong></span></p>
1417 The catch-all. Many things still aren't
1418 classified into categories, and they all end up here.
1424 <p><span><strong class="command">database</strong></span></p>
1428 Messages relating to the databases used
1429 internally by the name server to store zone and cache
1436 <p><span><strong class="command">security</strong></span></p>
1440 Approval and denial of requests.
1446 <p><span><strong class="command">config</strong></span></p>
1450 Configuration file parsing and processing.
1456 <p><span><strong class="command">resolver</strong></span></p>
1460 DNS resolution, such as the recursive
1461 lookups performed on behalf of clients by a caching name
1468 <p><span><strong class="command">xfer-in</strong></span></p>
1472 Zone transfers the server is receiving.
1478 <p><span><strong class="command">xfer-out</strong></span></p>
1482 Zone transfers the server is sending.
1488 <p><span><strong class="command">notify</strong></span></p>
1492 The NOTIFY protocol.
1498 <p><span><strong class="command">client</strong></span></p>
1502 Processing of client requests.
1508 <p><span><strong class="command">unmatched</strong></span></p>
1512 Messages that named was unable to determine the
1513 class of, or for which there was no matching <span><strong class="command">view</strong></span>.
1514 A one-line summary is also logged to the <span><strong class="command">client</strong></span> category.
1515 This category is best sent to a file or stderr; by
1516 default it is sent to
1517 the <span><strong class="command">null</strong></span> channel.
1523 <p><span><strong class="command">network</strong></span></p>
1533 <p><span><strong class="command">update</strong></span></p>
1543 <p><span><strong class="command">update-security</strong></span></p>
1547 Approval and denial of update requests.
1553 <p><span><strong class="command">queries</strong></span></p>
1557 Specifies where queries should be logged.
1560 At startup, specifying the category <span><strong class="command">queries</strong></span> will also
1561 enable query logging unless the <span><strong class="command">querylog</strong></span> option has been
1565 The query log entry reports the client's IP address and
1566 port number, and the
1567 query name, class and type. It also reports whether the
1569 flag was set (+ if set, - if not set), EDNS was in use
1571 query was signed (S).
1574 <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
1577 <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
1583 <p><span><strong class="command">dispatch</strong></span></p>
1587 Dispatching of incoming packets to the
1588 server modules where they are to be processed.
1594 <p><span><strong class="command">dnssec</strong></span></p>
1598 DNSSEC and TSIG protocol processing.
1604 <p><span><strong class="command">lame-servers</strong></span></p>
1608 Lame servers. These are misconfigurations
1609 in remote servers, discovered by BIND 9 when trying to
1611 those servers during resolution.
1617 <p><span><strong class="command">delegation-only</strong></span></p>
1621 Delegation only. Logs queries that have
1622 been forced to NXDOMAIN as the result of a
1623 delegation-only zone or
1624 a <span><strong class="command">delegation-only</strong></span> in a
1625 hint or stub zone declaration.
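<p>As an added example (not part of the ARM or of BIND), the following Python parses entries in the <span><strong class="command">queries</strong></span> category format shown above (client address and port, query name, class and type, and the +/-, E and S flags) and tallies them, which is the usual first step when reviewing a query log. The sample entries are constructed; the first two are the ones quoted above.</p>

```python
import ipaddress
import re
from collections import Counter

# Query log entry shape:
#   client <address>#<port>: query: <name> <class> <type> <flags>
# flags: '+' or '-' for the RD flag, then 'E' if EDNS was used, 'S' if signed.
QUERY_RE = re.compile(
    r"^client (?P<addr>[^#\s]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-][A-Z]*)$"
)

# Constructed sample entries (the first two are the ones quoted in the text).
SAMPLE_LOG = """\
client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
client ::1#62537: query: www.example.net IN AAAA -SE
client 192.0.2.10#5353: query: example.org IN A +
client 192.0.2.10#5353: query: _ldap._tcp.example.org IN SRV +E
client 2001:db8::7#40001: query: host.example.com IN A +E
this line is not a query log entry
"""


def parse_query_line(line):
    """Return a dict for one query log entry, or None for anything else."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None
    flags = m.group("flags")
    letters = flags[1:]
    return {
        "client": str(addr),
        "port": int(m.group("port")),
        "qname": m.group("qname").rstrip(".").lower(),
        "qclass": m.group("qclass"),
        "qtype": m.group("qtype"),
        "recursion_desired": flags[0] == "+",
        "edns": "E" in letters,
        "signed": "S" in letters,
        # Any other letters (newer named versions add more) are kept, not interpreted.
        "other_flags": "".join(c for c in letters if c not in "ES"),
    }


def summarize(log_text):
    """Tally a query log: per-type and per-client counts, plus how many
    recursive queries arrived without a TSIG signature."""
    records, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_query_line(line)
        if rec is None:
            skipped += 1
            continue
        records.append(rec)
    return {
        "total": len(records),
        "skipped": skipped,
        "by_qtype": Counter(r["qtype"] for r in records),
        "by_client": Counter(r["client"] for r in records),
        "unsigned_recursive": sum(
            1 for r in records if r["recursion_desired"] and not r["signed"]),
    }
```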
1633 <div class="sect2" lang="en">
1634 <div class="titlepage"><div><div><h3 class="title">
1635 <a name="id2576406"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
1637 This is the grammar of the <span><strong class="command">lwres</strong></span>
1638 statement in the <code class="filename">named.conf</code> file:
1640 <pre class="programlisting"><span><strong class="command">lwres</strong></span> {
1641 [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
1642 [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
1643 [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
1644 [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
1648 <div class="sect2" lang="en">
1649 <div class="titlepage"><div><div><h3 class="title">
1650 <a name="id2576480"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
1652 The <span><strong class="command">lwres</strong></span> statement configures the
1654 server to also act as a lightweight resolver server. (See
1655 <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
1656 <span><strong class="command">lwres</strong></span> statements configuring
1657 lightweight resolver servers with different properties.
1660 The <span><strong class="command">listen-on</strong></span> statement specifies a
1662 addresses (and ports) that this instance of a lightweight resolver
1664 should accept requests on. If no port is specified, port 921 is
1666 If this statement is omitted, requests will be accepted on
1671 The <span><strong class="command">view</strong></span> statement binds this
1673 lightweight resolver daemon to a view in the DNS namespace, so that
1675 response will be constructed in the same manner as a normal DNS
1677 matching this view. If this statement is omitted, the default view
1679 used, and if there is no default view, an error is triggered.
1682 The <span><strong class="command">search</strong></span> statement is equivalent to
1684 <span><strong class="command">search</strong></span> statement in
1685 <code class="filename">/etc/resolv.conf</code>. It provides a
1687 which are appended to relative names in queries.
1690 The <span><strong class="command">ndots</strong></span> statement is equivalent to
1692 <span><strong class="command">ndots</strong></span> statement in
1693 <code class="filename">/etc/resolv.conf</code>. It indicates the
1695 number of dots in a relative domain name that should result in an
1696 exact match lookup before search path elements are appended.
1699 <div class="sect2" lang="en">
1700 <div class="titlepage"><div><div><h3 class="title">
1701 <a name="id2576544"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
1702 <pre class="programlisting">
1703 <span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
1706 <div class="sect2" lang="en">
1707 <div class="titlepage"><div><div><h3 class="title">
1708 <a name="id2576587"></a><span><strong class="command">masters</strong></span> Statement Definition and
1709 Usage</h3></div></div></div>
1710 <p><span><strong class="command">masters</strong></span>
1711 lists allow for a common set of masters to be easily used by
1712 multiple stub and slave zones.
1715 <div class="sect2" lang="en">
1716 <div class="titlepage"><div><div><h3 class="title">
1717 <a name="id2576602"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
1719 This is the grammar of the <span><strong class="command">options</strong></span>
1720 statement in the <code class="filename">named.conf</code> file:
1722 <pre class="programlisting">options {
1723 [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
1724 [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
1725 [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
1726 [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
[<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
[<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
[<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
[<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
[<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
[<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
[<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
[<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
<em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
[<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
[<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
[<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
[<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
[<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
[<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
[<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
[<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
[<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
[<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
[<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
[<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
[<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
[<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
[<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
[<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
[<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
[<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
[<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
[<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
[<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
[<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
[<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
[<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
[<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
[<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
[<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
[<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
Usage</h3></div></div></div>
The <span><strong class="command">options</strong></span> statement sets up global
to be used by <acronym class="acronym">BIND</acronym>. This statement
once in a configuration file. If there is no <span><strong class="command">options</strong></span>
statement, an options block with each option set to its default will
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
The working directory of the server.
Any non-absolute pathnames in the configuration file will be
as relative to this directory. The default location for most
output files (e.g. <code class="filename">named.run</code>)
If a directory is not specified, the working directory
defaults to `<code class="filename">.</code>', the directory from
was started. The directory specified should be an absolute
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
When performing dynamic update of secure zones, the
directory where the public and private key files should be
if different than the current working directory. The
must be an absolute path.
<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
<span class="emphasis"><em>This option is obsolete.</em></span>
It was used in <acronym class="acronym">BIND</acronym> 8 to
specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
needed; its functionality is built into the name server.
<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
The domain appended to the names of all
shared keys generated with
<span><strong class="command">TKEY</strong></span>. When a client
requests a <span><strong class="command">TKEY</strong></span> exchange, it
may or may not specify
the desired name for the key. If present, the name of the
key will be "<code class="varname">client specified part</code>" +
"<code class="varname">tkey-domain</code>".
Otherwise, the name of the shared key will be "<code class="varname">random hex
digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
the <span><strong class="command">domainname</strong></span> should be the
<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
The Diffie-Hellman key used by the server
to generate shared keys with clients using the Diffie-Hellman
of <span><strong class="command">TKEY</strong></span>. The server must be
public and private keys from files in the working directory.
most cases, the keyname should be the server's host name.
<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
This is for testing only. Do not use.
<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
The pathname of the file the server dumps
the database to when instructed to do so with
<span><strong class="command">rndc dumpdb</strong></span>.
If not specified, the default is <code class="filename">named_dump.db</code>.
<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
The pathname of the file the server writes memory
usage statistics to on exit. If specified the
statistics will be written to the file on exit.
In <acronym class="acronym">BIND</acronym> 9.5 and later this will
default to <code class="filename">named.memstats</code>.
<acronym class="acronym">BIND</acronym> 9.5 will also introduce
<span><strong class="command">memstatistics</strong></span> to control the
<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
The pathname of the file the server writes its process ID
in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
The pid-file is used by programs that want to send signals to
name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
use of a PID file — no file will be written and any
existing one will be removed. Note that <span><strong class="command">none</strong></span>
is a keyword, not a filename, and therefore is not enclosed
<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
The pathname of the file the server dumps
the queries that are currently recursing when instructed
to do so with <span><strong class="command">rndc recursing</strong></span>.
If not specified, the default is <code class="filename">named.recursing</code>.
<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
The pathname of the file the server appends statistics
to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
If not specified, the default is <code class="filename">named.stats</code> in the
server's current directory. The format of the file is
in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
The UDP/TCP port number the server uses for
receiving and sending DNS protocol traffic.
The default is 53. This option is mainly intended for server
a server using a port other than 53 will not be able to
<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
The source of entropy to be used by the server. Entropy is
for DNSSEC operations, such as TKEY transactions and dynamic
zones. This option specifies the device (or file) from which
entropy. If this is a file, operations requiring entropy will
file has been exhausted. If not specified, the default value
<code class="filename">/dev/random</code>
(or equivalent) when present, and none otherwise. The
<span><strong class="command">random-device</strong></span> option takes
the initial configuration load at server startup time and
is ignored on subsequent reloads.
<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
If specified, the listed type (A or AAAA) will be emitted
in the additional section of a query response.
The default is not to prefer any type (NONE).
<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
<pre class="programlisting">
root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
Disable the specified DNSSEC algorithms at and below the
Multiple <span><strong class="command">disable-algorithms</strong></span>
statements are allowed.
Only the most specific will be applied.
<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
When set, <span><strong class="command">dnssec-lookaside</strong></span>
validator with an alternate method to validate DNSKEY records
top of a zone. When a DNSKEY is at or below a domain
deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
the normal dnssec validation
has left the key untrusted, the trust-anchor will be appended to
name and a DLV record will be looked up to see if it can
key. If the DLV record validates a DNSKEY (similarly to the
record does) the DNSKEY RRset is deemed to be trusted.
<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
Specify hierarchies which must be or may not be secure (signed and
If <strong class="userinput"><code>yes</code></strong>, then named will only accept
If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation
allowing for insecure answers to be accepted.
The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
<span><strong class="command">dnssec-lookaside</strong></span> must be
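<p>As an added example (not part of this manual and not BIND's own code), the following Python parses an <code>options</code> block written in the syntax given at the start of this section, reports the value the server will actually use for each option whose default this section states, and flags options the text marks obsolete or ignored, including the boolean options of the next subsection. The sample configuration is constructed for illustration.</p>

```python
"""Parse a named.conf options block and review it against this section.

Added example, not BIND's own code: a tokenizer and recursive-descent parser
for the options syntax (statements end with ';', sub-blocks use '{ }', values
may be quoted, comments may be '//', '#' or '/* */'), plus a review that
reports effective values and flags options this section calls obsolete."""
import re

# Options this section marks obsolete, ignored or "testing only".
OBSOLETE = {
    "named-xfer": "BIND 9 needs no separate named-xfer program",
    "cache-file": "for testing only, do not use",
    "deallocate-on-exit": "ignored by BIND 9",
    "fake-iquery": "ignored; BIND 9 never simulates IQUERY",
    "fetch-glue": "ignored; BIND 9 never fetches glue",
    "has-old-clients": "ignored; use 'auth-nxdomain yes' and 'rfc2308-type1 no'",
    "host-statistics": "not implemented in BIND 9",
    "maintain-ixfr-base": "obsolete; to disable IXFR use 'provide-ixfr no'",
    "multiple-cnames": "ignored; BIND 9.2 onwards enforces the CNAME rules",
}

# Defaults this section states, used when the option is absent.
DEFAULTS = {
    "directory": ".",
    "dump-file": "named_dump.db",
    "pid-file": "/var/run/named.pid",
    "recursing-file": "named.recursing",
    "statistics-file": "named.stats",
    "port": "53",
    "preferred-glue": "NONE",
    "auth-nxdomain": "no",
    "flush-zones-on-shutdown": "no",
    "minimal-responses": "no",
    "notify": "yes",
    "recursion": "yes",
}

# A token is a quoted string, one of the structural characters, or a bare word.
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def strip_comments(text):
    """Drop /* */ block comments and // or # line comments."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)

def parse_block(tokens):
    """Consume tokens up to the matching '}' (or the end of input) and return
    a list of (name, args, sub_block); sub_block is None or a nested list."""
    stmts, cur, sub = [], [], None
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok == "{":
            sub = parse_block(tokens)
        elif tok == ";":
            if cur:
                stmts.append((cur[0], cur[1:], sub))
            cur, sub = [], None
        else:
            cur.append(tok.strip('"'))
    return stmts

def parse_options(conf):
    """Return {option: (args, sub_block)} for the top-level options block."""
    for name, args, sub in parse_block(TOKEN.findall(strip_comments(conf))):
        if name == "options" and sub is not None:
            return {n: (a, s) for n, a, s in sub}
    raise ValueError("no options block found")

def review(conf):
    """Return (effective values for options with stated defaults,
    list of (option, advice) for obsolete options still configured)."""
    opts = parse_options(conf)
    effective = {}
    for name, default in DEFAULTS.items():
        effective[name] = " ".join(opts[name][0]) if name in opts else default
    # 'pid-file none' is a keyword meaning no PID file at all, not a path.
    if effective["pid-file"] == "none":
        effective["pid-file"] = None
    obsolete = [(n, OBSOLETE[n]) for n in opts if n in OBSOLETE]
    return effective, obsolete

# Constructed sample: a keyword value, an obsolete option and a sub-block.
SAMPLE = """
options {
    directory "/var/named";   // relative paths resolve here
    pid-file none;            # keyword, not a filename
    port 5353;
    recursion no;
    has-old-clients yes;      /* ignored by BIND 9 */
    root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
    dnssec-must-be-secure "example.net" yes;
};
"""
```

Calling <code>review(SAMPLE)</code> returns the effective values (with <code>pid-file</code> reported as <code>None</code> because <code>none</code> is a keyword) and the single obsolete finding for <code>has-old-clients</code>.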
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
<div class="variablelist"><dl>
<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
is always set on NXDOMAIN responses, even if the server is
authoritative. The default is <strong class="userinput"><code>no</code></strong>;
a change from <acronym class="acronym">BIND</acronym> 8. If you
are using very old DNS software, you
may need to set it to <strong class="userinput"><code>yes</code></strong>.
<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
This option was used in <acronym class="acronym">BIND</acronym>
8 to enable checking
for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then the
server treats all zones as if they are doing zone transfers
a dial-on-demand dialup link, which can be brought up by
originating from this server. This has different effects
to zone type and concentrates the zone maintenance so that
happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
hopefully during the one call. It also suppresses some of
zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
The <span><strong class="command">dialup</strong></span> option
may also be specified in the <span><strong class="command">view</strong></span> and
<span><strong class="command">zone</strong></span> statements,
in which case it overrides the global <span><strong class="command">dialup</strong></span>
If the zone is a master zone, then the server will send out a
request to all the slaves (default). This should trigger the
number check in the slave (providing it supports NOTIFY)
to verify the zone while the connection is active.
The set of servers to which NOTIFY is sent can be controlled
<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
zone is a slave or stub zone, then the server will suppress
"zone up to date" (refresh) queries and only perform them
<span><strong class="command">heartbeat-interval</strong></span> expires in
Finer control can be achieved by using
<strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
<strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
which suppresses normal refresh processing and sends refresh
when the <span><strong class="command">heartbeat-interval</strong></span>
<strong class="userinput"><code>passive</code></strong> which just disables normal
<div class="informaltable"><table border="1">
<p><span><strong class="command">no</strong></span> (default)</p>
<p><span><strong class="command">yes</strong></span></p>
<p><span><strong class="command">notify</strong></span></p>
<p><span><strong class="command">refresh</strong></span></p>
<p><span><strong class="command">passive</strong></span></p>
<p><span><strong class="command">notify-passive</strong></span></p>
Note that normal NOTIFY processing is not affected by
<span><strong class="command">dialup</strong></span>.
<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
In <acronym class="acronym">BIND</acronym> 8, this option
enabled simulating the obsolete DNS query type
IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
This option is obsolete.
In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
caused the server to attempt to fetch glue resource records
didn't have when constructing the additional
data section of a response. This is now considered a bad
and BIND 9 never does it.
<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
When the nameserver exits due to receiving SIGTERM,
flush or do not flush any pending zone writes. The default
<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
This option was incorrectly implemented
in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
To achieve the intended effect
<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
In BIND 8, this enables keeping of
statistics for every host that the name server interacts
Not implemented in BIND 9.
<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
<span class="emphasis"><em>This option is obsolete</em></span>.
It was used in <acronym class="acronym">BIND</acronym> 8 to
determine whether a transaction log was
kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
log whenever possible. If you need to disable outgoing
transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, then when generating
responses the server will only add records to the authority
and additional data sections when they are required (e.g.
delegations, negative responses). This may improve the
performance of the server.
The default is <strong class="userinput"><code>no</code></strong>.
<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
a domain name to have multiple CNAME records in violation of
the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
always strictly enforces the CNAME rules both in master
files and dynamic updates.
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong> (the default),
DNS NOTIFY messages are sent when a zone the server is
changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
servers listed in the zone's NS records (except the master
in the SOA MNAME field), and to any servers listed in the
<span><strong class="command">also-notify</strong></span> option.
If <strong class="userinput"><code>master-only</code></strong>, notifies are only
If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
The <span><strong class="command">notify</strong></span> option may also be
specified in the <span><strong class="command">zone</strong></span>
in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
It would only be necessary to turn off this option if it
<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
If <strong class="userinput"><code>yes</code></strong>, and a
DNS query requests recursion, then the server will attempt
all the work required to answer the query. If recursion is
and the server does not already know the answer, it will
referral response. The default is
<strong class="userinput"><code>yes</code></strong>.
Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
clients from getting data from the server's cache; it only
2447 prevents new data from being cached as an effect of client
Caching may still occur as an effect of the server's internal
operation, such as NOTIFY address lookups.
2451 See also <span><strong class="command">fetch-glue</strong></span> above.
2453 <dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
2456 Setting this to <strong class="userinput"><code>yes</code></strong> will
2457 cause the server to send NS records along with the SOA
2459 answers. The default is <strong class="userinput"><code>no</code></strong>.
2461 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
2462 <h3 class="title">Note</h3>
2464 Not yet implemented in <acronym class="acronym">BIND</acronym>
2469 <dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
2471 <span class="emphasis"><em>This option is obsolete</em></span>.
2472 <acronym class="acronym">BIND</acronym> 9 always allocates query
2475 <dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
2477 If <strong class="userinput"><code>yes</code></strong>, the server will collect
2478 statistical data on all zones (unless specifically turned
2480 on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
2481 in the <span><strong class="command">zone</strong></span> statement).
2482 These statistics may be accessed
2483 using <span><strong class="command">rndc stats</strong></span>, which will
2484 dump them to the file listed
2485 in the <span><strong class="command">statistics-file</strong></span>. See
2486 also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
2488 <dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
2490 <span class="emphasis"><em>This option is obsolete</em></span>.
2491 If you need to disable IXFR to a particular server or
2493 the information on the <span><strong class="command">provide-ixfr</strong></span> option
2494 in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
2495 Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
2498 <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
2500 <dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
2502 See the description of
2503 <span><strong class="command">provide-ixfr</strong></span> in
2504 <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
2505 Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
2508 <dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
2510 See the description of
2511 <span><strong class="command">request-ixfr</strong></span> in
2512 <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
2513 Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
2516 <dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
2518 This option was used in <acronym class="acronym">BIND</acronym>
2520 the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
2521 as a space or tab character,
2522 to facilitate loading of zone files on a UNIX system that
2524 on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
2525 and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
2526 are always accepted,
2527 and the option is ignored.
2530 <span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
2534 These options control the behavior of an authoritative
2536 answering queries which have additional data, or when
2541 When both of these options are set to <strong class="userinput"><code>yes</code></strong>
2543 query is being answered from authoritative data (a zone
2544 configured into the server), the additional data section of
2546 reply will be filled in using data from other authoritative
2548 and from the cache. In some situations this is undesirable,
2550 as when there is concern over the correctness of the cache,
2552 in servers where slave zones may be added and modified by
2553 untrusted third parties. Also, avoiding
2554 the search for this additional data will speed up server
2556 at the possible expense of additional queries to resolve
2558 otherwise be provided in the additional section.
2561 For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
2562 and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
2563 records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
2564 if known, even though they are not in the example.com zone.
2565 Setting these options to <span><strong class="command">no</strong></span>
2566 disables this behavior and makes
2567 the server only search for additional data in the zone it
2571 These options are intended for use in authoritative-only
2572 servers, or in authoritative-only views. Attempts to set
2573 them to <span><strong class="command">no</strong></span> without also
2575 <span><strong class="command">recursion no</strong></span> will cause the
2577 ignore the options and log a warning message.
2580 Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
2581 disables the use of the cache not only for additional data
2583 but also when looking up the answer. This is usually the
2585 behavior in an authoritative-only server where the
2587 the cached data is an issue.
2590 When a name server is non-recursively queried for a name
2592 below the apex of any served zone, it normally answers with
2594 "upwards referral" to the root servers or the servers of
2596 known parent of the query name. Since the data in an
2598 comes from the cache, the server will not be able to provide
2600 referrals when <span><strong class="command">additional-from-cache no</strong></span>
2601 has been specified. Instead, it will respond to such
2603 with REFUSED. This should not cause any problems since
2604 upwards referrals are not required for the resolution
2608 <dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
2610 If <strong class="userinput"><code>yes</code></strong>, then an
2611 IPv4-mapped IPv6 address will match any address match
2612 list entries that match the corresponding IPv4 address.
2613 Enabling this option is sometimes useful on IPv6-enabled
2615 systems, to work around a kernel quirk that causes IPv4
2616 TCP connections such as zone transfers to be accepted
2617 on an IPv6 socket using mapped addresses, causing
2618 address match lists designed for IPv4 to fail to match.
2619 The use of this option for any other purpose is discouraged.
2621 <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
2624 When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
2625 zone from its zone file or receives a new version of a slave
2626 file by a non-incremental zone transfer, it will compare
2627 the new version to the previous one and calculate a set
2628 of differences. The differences are then logged in the
2629 zone's journal file such that the changes can be transmitted
2630 to downstream slaves as an incremental zone transfer.
2633 By allowing incremental zone transfers to be used for
2634 non-dynamic zones, this option saves bandwidth at the
2635 expense of increased CPU and memory consumption at the
2637 In particular, if the new version of a zone is completely
2638 different from the previous one, the set of differences
2639 will be of a size comparable to the combined size of the
2640 old and new zone version, and the server will need to
2641 temporarily allocate memory to hold this complete
2644 <p><span><strong class="command">ixfr-from-differences</strong></span>
2645 also accepts <span><strong class="command">master</strong></span> and
2646 <span><strong class="command">slave</strong></span> at the view and options
2648 <span><strong class="command">ixfr-from-differences</strong></span> to apply to
2649 all <span><strong class="command">master</strong></span> or
2650 <span><strong class="command">slave</strong></span> zones respectively.
2653 <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
2655 This should be set when you have multiple masters for a zone
2657 addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will
2659 when the serial number on the master is less than what named
2661 has. The default is <strong class="userinput"><code>no</code></strong>.
2663 <dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
2665 Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>,
2666 named behaves as if it does not support DNSSEC.
2667 The default is <strong class="userinput"><code>yes</code></strong>.
2669 <dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
Enable DNSSEC validation in named.
Note that <span><strong class="command">dnssec-enable</strong></span> also needs to be
set to <strong class="userinput"><code>yes</code></strong> for this to be effective.
The default is <strong class="userinput"><code>no</code></strong>.
2676 <dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
2678 Accept expired signatures when verifying DNSSEC signatures.
2679 The default is <strong class="userinput"><code>no</code></strong>.
2680 Setting this option to "yes" leaves named vulnerable to replay attacks.
2682 <dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
2684 Specify whether query logging should be started when named
2686 If <span><strong class="command">querylog</strong></span> is not specified,
2687 then the query logging
2688 is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
2690 <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
2693 This option is used to restrict the character set and syntax
2695 certain domain names in master files and/or DNS responses
2697 from the network. The default varies according to usage
2699 <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
2700 For <span><strong class="command">slave</strong></span> zones the default
2701 is <span><strong class="command">warn</strong></span>.
2702 For answers received from the network (<span><strong class="command">response</strong></span>)
2703 the default is <span><strong class="command">ignore</strong></span>.
2706 The rules for legal hostnames and mail domains are derived
2707 from RFC 952 and RFC 821 as modified by RFC 1123.
<p><span><strong class="command">check-names</strong></span>
applies to the owner names of A, AAAA and MX records.
It also applies to the domain names in the RDATA of NS, SOA
It also applies to the RDATA of PTR records where the owner
name indicates that it is a reverse lookup of a hostname
(the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
2718 <dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
Check whether the MX record appears to refer to an IP address.
2721 The default is to <span><strong class="command">warn</strong></span>. Other possible
2722 values are <span><strong class="command">fail</strong></span> and
2723 <span><strong class="command">ignore</strong></span>.
2725 <dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
2727 This option is used to check for non-terminal wildcards.
2728 The use of non-terminal wildcards is almost always as a
2730 to understand the wildcard matching algorithm (RFC 1034).
2732 affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
2733 for non-terminal wildcards and issue a warning.
2735 <dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
2737 Perform post load zone integrity checks on master
2738 zones. This checks that MX and SRV records refer
2739 to address (A or AAAA) records and that glue
2740 address records exist for delegated zones. For
2741 MX and SRV records only in-zone hostnames are
2742 checked (for out-of-zone hostnames use named-checkzone).
2743 For NS records only names below top of zone are
2744 checked (for out-of-zone names and glue consistency
2745 checks use named-checkzone). The default is
2746 <span><strong class="command">yes</strong></span>.
2748 <dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
If <span><strong class="command">check-integrity</strong></span> is set then
fail, warn or ignore MX records that refer
to CNAMEs. The default is to <span><strong class="command">warn</strong></span>.
2754 <dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
If <span><strong class="command">check-integrity</strong></span> is set then
fail, warn or ignore SRV records that refer
to CNAMEs. The default is to <span><strong class="command">warn</strong></span>.
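<p>As an added example (not text from the ARM and not BIND's own code), the following Python applies the rules of <span><strong class="command">check-names</strong></span>, <span><strong class="command">check-mx</strong></span>, <span><strong class="command">check-integrity</strong></span>, <span><strong class="command">check-mx-cname</strong></span> and <span><strong class="command">check-srv-cname</strong></span> described above to a constructed zone, with the per-zone-type default severities the text gives. Records are plain (owner, type, rdata) tuples with dot-terminated names; TTLs and classes are omitted, and only in-zone targets are checked, as the text says out-of-zone names are left to named-checkzone.</p>

```python
import ipaddress
import re

# Added example, not BIND's own code: a small post-load zone checker mirroring the
# check-names, check-mx, check-integrity, check-mx-cname and check-srv-cname rules.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
REVERSE_SUFFIXES = ("in-addr.arpa.", "ip6.arpa.", "ip6.int.")
# Default severities as the reference states them.
CHECK_NAMES_DEFAULT = {"master": "fail", "slave": "warn", "response": "ignore"}
DEFAULT_OPTS = {"check-mx": "warn", "check-integrity": "yes",
                "check-mx-cname": "warn", "check-srv-cname": "warn"}


def is_hostname(name):
    """RFC 952/821 hostname syntax as relaxed by RFC 1123 (a label may start with a
    digit). A leading wildcard label is accepted (assumption); underscores are not."""
    labels = name.rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(LABEL_RE.match(lab) for lab in labels)


def looks_like_ip(name):
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def in_zone(name, apex):
    return name == apex or name.endswith("." + apex)


def check_zone(records, apex, zone_type="master", opts=None):
    """Return (severity, message) findings; severity is 'fail' or 'warn'.
    A zone with any 'fail' finding would be rejected at load time."""
    o = {**DEFAULT_OPTS, **(opts or {})}
    names_level = o.get("check-names", CHECK_NAMES_DEFAULT[zone_type])
    findings = []

    def report(level, msg):
        if level != "ignore":
            findings.append((level, msg))

    have_addr = {owner for owner, t, _ in records if t in ("A", "AAAA")}
    cnames = {owner for owner, t, _ in records if t == "CNAME"}

    for owner, rtype, rdata in records:
        # check-names: owner names of A, AAAA and MX; names in NS and SOA RDATA;
        # PTR targets when the owner lies under a reverse-lookup domain.
        if rtype in ("A", "AAAA", "MX") and not is_hostname(owner):
            report(names_level, f"{owner} {rtype}: owner is not a valid hostname")
        if rtype == "NS" and not is_hostname(rdata):
            report(names_level, f"{owner} NS: {rdata} is not a valid hostname")
        if rtype == "SOA":
            mname, rname = rdata.split()[:2]
            mail_domain = rname.partition(".")[2] or rname
            for field, value in (("MNAME", mname), ("RNAME domain", mail_domain)):
                if not is_hostname(value):
                    report(names_level, f"{owner} SOA: {field} {value} is not valid")
        if rtype == "PTR" and owner.lower().endswith(REVERSE_SUFFIXES) and not is_hostname(rdata):
            report(names_level, f"{owner} PTR: {rdata} is not a valid hostname")

        # check-mx: an MX exchange that is really an IP address.
        if rtype == "MX" and looks_like_ip(rdata.split()[1]):
            report(o["check-mx"], f"{owner} MX: {rdata.split()[1]} is an IP address")

        # check-integrity (master zones only): MX/SRV targets and in-zone NS glue.
        if o["check-integrity"] == "yes" and zone_type == "master":
            if rtype in ("MX", "SRV"):
                target = rdata.split()[-1]
                cname_opt = "check-mx-cname" if rtype == "MX" else "check-srv-cname"
                if target in cnames:
                    report(o[cname_opt], f"{owner} {rtype}: {target} is a CNAME")
                elif in_zone(target, apex) and target not in have_addr:
                    report("fail", f"{owner} {rtype}: no A/AAAA for in-zone target {target}")
            if (rtype == "NS" and in_zone(rdata, apex) and rdata != apex
                    and rdata not in have_addr):
                report("fail", f"{owner} NS: no address records for in-zone server {rdata}")
    return findings


# Constructed sample zone exercising each check once.
SAMPLE_APEX = "example.com."
SAMPLE_ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("example.com.", "MX", "10 mail.example.com."),          # MX -> CNAME (check-mx-cname)
    ("mail.example.com.", "CNAME", "host.example.com."),
    ("host.example.com.", "A", "192.0.2.2"),
    ("bad_host.example.com.", "A", "192.0.2.3"),             # underscore (check-names)
    ("example.com.", "MX", "20 192.0.2.4"),                  # IP as exchange (check-mx)
    ("_sip._tcp.example.com.", "SRV", "0 5 5060 sip.example.com."),  # no target address
    ("sub.example.com.", "NS", "ns.sub.example.com."),       # delegation without glue
]

if __name__ == "__main__":
    for level, msg in check_zone(SAMPLE_ZONE, SAMPLE_APEX):
        print(level, msg)
```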
2760 <dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
2762 When performing integrity checks, also check that
2763 sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
2765 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
When returning authoritative negative responses to
SOA queries, set the TTL of the SOA record returned in
the authority section to zero.
2770 The default is <span><strong class="command">yes</strong></span>.
2772 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
When caching a negative response to an SOA query,
set the TTL to zero.
2776 The default is <span><strong class="command">no</strong></span>.
2778 <dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
When regenerating the RRSIGs following an UPDATE
2781 request to a secure zone, check the KSK flag on
2782 the DNSKEY RR to determine if this key should be
2783 used to generate the RRSIG. This flag is ignored
2784 if there are not DNSKEY RRs both with and without
2786 The default is <span><strong class="command">yes</strong></span>.
2790 <div class="sect3" lang="en">
2791 <div class="titlepage"><div><div><h4 class="title">
2792 <a name="id2580536"></a>Forwarding</h4></div></div></div>
2794 The forwarding facility can be used to create a large site-wide
2795 cache on a few servers, reducing traffic over links to external
2796 name servers. It can also be used to allow queries by servers that
2797 do not have direct access to the Internet, but wish to look up
2799 names anyway. Forwarding occurs only on those queries for which
2800 the server is not authoritative and does not have the answer in
2803 <div class="variablelist"><dl>
2804 <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
2806 This option is only meaningful if the
2807 forwarders list is not empty. A value of <code class="varname">first</code>,
2808 the default, causes the server to query the forwarders
2810 if that doesn't answer the question, the server will then
2812 the answer itself. If <code class="varname">only</code> is
2814 server will only query the forwarders.
2816 <dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
2818 Specifies the IP addresses to be used
2819 for forwarding. The default is the empty list (no
2824 Forwarding can also be configured on a per-domain basis, allowing
2825 for the global forwarding options to be overridden in a variety
2826 of ways. You can set particular domains to use different
2828 or have a different <span><strong class="command">forward only/first</strong></span> behavior,
2829 or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
2830 Statement Grammar">the section called “<span><strong class="command">zone</strong></span>
2831 Statement Grammar”</a>.
2834 <div class="sect3" lang="en">
2835 <div class="titlepage"><div><div><h4 class="title">
2836 <a name="id2580595"></a>Dual-stack Servers</h4></div></div></div>
2838 Dual-stack servers are used as servers of last resort to work
problems in reachability due to the lack of support for either IPv4
2842 on the host machine.
2844 <div class="variablelist"><dl>
2845 <dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
2847 Specifies host names or addresses of machines with access to
2848 both IPv4 and IPv6 transports. If a hostname is used, the
2850 to resolve the name using only the transport it has. If the
2852 stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
2853 access to a transport has been disabled on the command line
2854 (e.g. <span><strong class="command">named -4</strong></span>).
2858 <div class="sect3" lang="en">
2859 <div class="titlepage"><div><div><h4 class="title">
2860 <a name="access_control"></a>Access Control</h4></div></div></div>
2862 Access to the server can be restricted based on the IP address
2863 of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
2864 details on how to specify IP address lists.
2866 <div class="variablelist"><dl>
2867 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
2869 Specifies which hosts are allowed to
2870 notify this server, a slave, of zone changes in addition
2871 to the zone masters.
2872 <span><strong class="command">allow-notify</strong></span> may also be
2874 <span><strong class="command">zone</strong></span> statement, in which case
2876 <span><strong class="command">options allow-notify</strong></span>
2877 statement. It is only meaningful
2878 for a slave zone. If not specified, the default is to
2879 process notify messages
2880 only from a zone's master.
2882 <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
2885 Specifies which hosts are allowed to ask ordinary
2886 DNS questions. <span><strong class="command">allow-query</strong></span> may
2887 also be specified in the <span><strong class="command">zone</strong></span>
2888 statement, in which case it overrides the
2889 <span><strong class="command">options allow-query</strong></span> statement.
2890 If not specified, the default is to allow queries
2893 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
2894 <h3 class="title">Note</h3>
2896 <span><strong class="command">allow-query-cache</strong></span> is now
2897 used to specify access to the cache.
2901 <dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
2903 Specifies which hosts are allowed to get answers
2904 from the cache. If <span><strong class="command">allow-query-cache</strong></span>
2905 is not set then <span><strong class="command">allow-recursion</strong></span>
2906 is used if set, otherwise <span><strong class="command">allow-query</strong></span>
2907 is used if set, otherwise the default
2908 (<span><strong class="command">localnets;</strong></span>
2909 <span><strong class="command">localhost;</strong></span>) is used.
2911 <dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
2913 Specifies which hosts are allowed to make recursive
2914 queries through this server. If
2915 <span><strong class="command">allow-recursion</strong></span> is not set
2916 then <span><strong class="command">allow-query-cache</strong></span> is
2917 used if set, otherwise <span><strong class="command">allow-query</strong></span>
2918 is used if set, otherwise the default
2919 (<span><strong class="command">localnets;</strong></span>
2920 <span><strong class="command">localhost;</strong></span>) is used.
2922 <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
2924 Specifies which hosts are allowed to
2925 submit Dynamic DNS updates for master zones. The default is
2927 updates from all hosts. Note that allowing updates based
2928 on the requestor's IP address is insecure; see
2929 <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
2931 <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
2934 Specifies which hosts are allowed to
2935 submit Dynamic DNS updates to slave zones to be forwarded to
2937 master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
2939 means that no update forwarding will be performed. To
2941 update forwarding, specify
2942 <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
2943 Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
2944 <strong class="userinput"><code>{ any; }</code></strong> is usually
2945 counterproductive, since
2946 the responsibility for update access control should rest
2948 master server, not the slaves.
2951 Note that enabling the update forwarding feature on a slave
2953 may expose master servers relying on insecure IP address
2955 access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
2959 <dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
2961 This option was introduced for the smooth transition from
2963 to A6 and from "nibble labels" to binary labels.
2964 However, since both A6 and binary labels were then
2966 this option was also deprecated.
2967 It is now ignored with some warning messages.
2969 <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
2971 Specifies which hosts are allowed to
2972 receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
2973 also be specified in the <span><strong class="command">zone</strong></span>
2975 case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
2976 If not specified, the default is to allow transfers to all
2979 <dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
2981 Specifies a list of addresses that the
2982 server will not accept queries from or use to resolve a
2984 from these addresses will not be responded to. The default
2985 is <strong class="userinput"><code>none</code></strong>.
2989 <div class="sect3" lang="en">
2990 <div class="titlepage"><div><div><h4 class="title">
2991 <a name="id2581153"></a>Interfaces</h4></div></div></div>
2993 The interfaces and ports that the server will answer queries
2994 from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
2995 an optional port, and an <code class="varname">address_match_list</code>.
2996 The server will listen on all interfaces allowed by the address
2997 match list. If a port is not specified, port 53 will be used.
3000 Multiple <span><strong class="command">listen-on</strong></span> statements are
<pre class="programlisting">listen-on { 5.6.7.8; };
listen-on port 1234 { !1.2.3.4; 1.2/16; };
</pre>
3008 will enable the name server on port 53 for the IP address
3009 5.6.7.8, and on port 1234 of an address on the machine in net
3010 1.2 that is not 1.2.3.4.
3013 If no <span><strong class="command">listen-on</strong></span> is specified, the
3014 server will listen on port 53 on all interfaces.
3017 The <span><strong class="command">listen-on-v6</strong></span> option is used to
3018 specify the interfaces and the ports on which the server will
3020 for incoming queries sent using IPv6.
3024 <pre class="programlisting">{ any; }</pre>
3027 as the <code class="varname">address_match_list</code> for the
3028 <span><strong class="command">listen-on-v6</strong></span> option,
3029 the server does not bind a separate socket to each IPv6 interface
3030 address as it does for IPv4 if the operating system has enough API
3031 support for IPv6 (specifically if it conforms to RFC 3493 and RFC
3033 Instead, it listens on the IPv6 wildcard address.
3034 If the system only has incomplete API support for IPv6, however,
3035 the behavior is the same as that for IPv4.
3038 A list of particular IPv6 addresses can also be specified, in
3040 the server listens on a separate socket for each specified
3042 regardless of whether the desired API is supported by the system.
3045 Multiple <span><strong class="command">listen-on-v6</strong></span> options can
<pre class="programlisting">listen-on-v6 { any; };
listen-on-v6 port 1234 { !2001:db8::/32; any; };
</pre>
will enable the name server on port 53 for any IPv6 addresses
(with a single wildcard socket),
and on port 1234 of IPv6 addresses that are not in the prefix
2001:db8::/32 (with a separate socket for each matched address).
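<p>As an added example (not text from the ARM and not BIND's own code), the following Python evaluates an <code class="varname">address_match_list</code> the way the <span><strong class="command">listen-on</strong></span> examples above rely on: entries are tried in order, the first match decides, a leading <code class="literal">!</code> rejects, and the short prefix form <code class="literal">1.2/16</code> is accepted. It also covers the <span><strong class="command">match-mapped-addresses</strong></span> case from earlier in this section. The local addresses are constructed samples; <code class="literal">localhost</code> and <code class="literal">localnets</code> are not resolved, and the single wildcard socket used for <code class="literal">listen-on-v6 { any; }</code> is not modelled.</p>

```python
import ipaddress
import re

# Added example, not BIND's own code: first-match evaluation of address_match_lists,
# applied to listen-on statements and to IPv4-mapped IPv6 addresses.
STATEMENT_RE = re.compile(r"^(listen-on(?:-v6)?)\s*(?:port\s+(\d+))?\s*\{(.*)\}\s*;?\s*$")


def parse_match_list(body):
    """Parse 'a; !b; c/16;' into ordered (network, negated) pairs.
    'any' and 'none' are expanded; localhost/localnets are not handled (assumption)."""
    entries = []
    for raw in body.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        if item in ("any", "none"):
            # 'none' behaves like '!any': it covers every address and rejects it.
            neg = negated != (item == "none")
            entries.append((ipaddress.ip_network("0.0.0.0/0"), neg))
            entries.append((ipaddress.ip_network("::/0"), neg))
            continue
        if "/" in item:
            addr, plen = item.split("/", 1)
            if ":" not in addr:
                # BIND's short IPv4 prefix form: 1.2/16 means 1.2.0.0/16
                addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
            entries.append((ipaddress.ip_network(f"{addr}/{plen}", strict=False), negated))
        else:
            entries.append((ipaddress.ip_network(item), negated))
    return entries


def matches(entries, address, match_mapped=False):
    """True if the list accepts the address. The first entry covering the address
    decides, and a negated entry rejects. With match_mapped, an IPv4-mapped IPv6
    address (::ffff:a.b.c.d) is also tried against IPv4 entries, which is what
    match-mapped-addresses yes does for IPv4 connections arriving on an IPv6 socket."""
    addr = ipaddress.ip_address(address)
    candidates = [addr]
    if match_mapped and addr.version == 6 and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    for network, negated in entries:
        if any(c.version == network.version and c in network for c in candidates):
            return not negated
    return False


def bound_sockets(statements, local_addresses, match_mapped=False):
    """Given listen-on / listen-on-v6 statements and the host's addresses, return the
    set of (address, port) pairs the server would bind. The port defaults to 53."""
    sockets = set()
    for stmt in statements:
        m = STATEMENT_RE.match(stmt.strip())
        if not m:
            raise ValueError(f"unparsable statement: {stmt!r}")
        keyword, port, body = m.group(1), int(m.group(2) or 53), m.group(3)
        want_v6 = keyword.endswith("-v6")
        entries = parse_match_list(body)
        for local in local_addresses:
            if (ipaddress.ip_address(local).version == 6) != want_v6:
                continue
            if matches(entries, local, match_mapped):
                sockets.add((local, port))
    return sockets


# The two statements from the text, against a constructed set of local addresses.
EXAMPLE_STATEMENTS = ["listen-on { 5.6.7.8; };",
                      "listen-on port 1234 { !1.2.3.4; 1.2/16; };"]
EXAMPLE_LOCAL = ["5.6.7.8", "1.2.3.4", "1.2.9.9", "10.0.0.1"]

if __name__ == "__main__":
    print(sorted(bound_sockets(EXAMPLE_STATEMENTS, EXAMPLE_LOCAL)))
```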
3059 To make the server not listen on any IPv6 address, use
<pre class="programlisting">listen-on-v6 { none; };
</pre>
3064 If no <span><strong class="command">listen-on-v6</strong></span> option is
3066 the server will not listen on any IPv6 address.
3069 <div class="sect3" lang="en">
3070 <div class="titlepage"><div><div><h4 class="title">
3071 <a name="id2581241"></a>Query Address</h4></div></div></div>
3073 If the server doesn't know the answer to a question, it will
3074 query other name servers. <span><strong class="command">query-source</strong></span> specifies
3075 the address and port used for such queries. For queries sent over
3076 IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
3077 If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
3078 a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
a random unprivileged port number is picked and used
for each query.
Specifying a particular port for the
<span><strong class="command">query-source</strong></span> or
<span><strong class="command">query-source-v6</strong></span>
options is strongly discouraged; it implicitly disables the use of randomized port numbers
and leads to insecure operation.
3089 The <span><strong class="command">avoid-v4-udp-ports</strong></span>
3090 and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used
3092 from selecting certain ports. The defaults are:
<pre class="programlisting">query-source address * port *;
query-source-v6 address * port *;
</pre>
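<p>As an added example (not text from the ARM and not BIND's own code), the following Python audits a set of <span><strong class="command">options</strong></span> values for the two issues raised in the Access Control section above and here: it resolves the <span><strong class="command">allow-query-cache</strong></span> / <span><strong class="command">allow-recursion</strong></span> fallback chain as the text describes it, and it flags a <span><strong class="command">query-source</strong></span> with a fixed port. The options are given as a plain dict of constructed sample values; only the <code class="literal">any</code> and <code class="literal">none</code> keywords are interpreted, not addresses or <code class="literal">localnets</code>.</p>

```python
import re

# Added example, not BIND's own code: resolves the cache/recursion ACL fallback
# described in the reference and checks query-source for a pinned port.
DEFAULT_ACL = ["localnets", "localhost"]
FALLBACK = {
    "allow-query-cache": ["allow-query-cache", "allow-recursion", "allow-query"],
    "allow-recursion": ["allow-recursion", "allow-query-cache", "allow-query"],
}
QUERY_SOURCE_RE = re.compile(r"^(?:address\s+(\S+))?\s*(?:port\s+(\S+))?$")


def parse_acl(body):
    """'{ a; !b; }' -> ['a', '!b']; entries are kept as text."""
    return [e.strip() for e in body.strip().strip("{}").split(";") if e.strip()]


def effective_acl(options, which):
    """Return (source option, entries): the first option in the fallback chain that is
    set, otherwise the built-in default { localnets; localhost; }."""
    for name in FALLBACK[which]:
        if name in options:
            return name, parse_acl(options[name])
    return "built-in default", list(DEFAULT_ACL)


def grants_any(acl):
    """Address match lists use first-match semantics: 'any' admits everyone unless
    'none' comes first; a negated entry before it only carves out an exception."""
    for entry in acl:
        if entry == "none":
            return False
        if entry == "any":
            return True
    return False


def parse_query_source(value):
    """'address * port *' -> ('*', '*'); omitted parts default to '*'."""
    m = QUERY_SOURCE_RE.match(value.strip().rstrip(";").strip())
    if not m:
        raise ValueError(f"cannot parse query-source value {value!r}")
    return m.group(1) or "*", m.group(2) or "*"


def audit_options(options):
    findings = []
    if options.get("recursion", "yes") == "yes":
        source, acl = effective_acl(options, "allow-recursion")
        if grants_any(acl):
            findings.append(f"open recursion: allow-recursion taken from {source} admits any")
    # Even with recursion off, clients matching this list can read cached data.
    source, acl = effective_acl(options, "allow-query-cache")
    if grants_any(acl):
        findings.append(f"cache readable by any (allow-query-cache taken from {source})")
    for opt in ("query-source", "query-source-v6"):
        if opt in options:
            _, port = parse_query_source(options[opt])
            if port != "*":
                findings.append(f"{opt} pins UDP source port {port}: port randomization disabled")
    return findings


# Constructed sample configurations.
SAMPLE_CONFIGS = {
    "open-by-fallback": {"allow-query": "{ any; }"},
    "hardened": {"allow-query": "{ any; }",
                 "allow-recursion": "{ localnets; localhost; }",
                 "query-source": "address * port *"},
    "pinned-port": {"query-source": "address 192.0.2.53 port 53"},
    "authoritative-only": {"recursion": "no", "allow-query": "{ any; }"},
}

if __name__ == "__main__":
    for name, opts in SAMPLE_CONFIGS.items():
        print(name, audit_options(opts) or ["ok"])
```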
3097 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3098 <h3 class="title">Note</h3>
3100 The address specified in the <span><strong class="command">query-source</strong></span> option
3101 is used for both UDP and TCP queries, but the port applies only
3103 UDP queries. TCP queries always use a random
3107 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3108 <h3 class="title">Note</h3>
Solaris 2.5.1 and earlier do not support setting the source
address for TCP sockets.
3114 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3115 <h3 class="title">Note</h3>
3117 See also <span><strong class="command">transfer-source</strong></span> and
3118 <span><strong class="command">notify-source</strong></span>.
3122 <div class="sect3" lang="en">
3123 <div class="titlepage"><div><div><h4 class="title">
3124 <a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
3126 <acronym class="acronym">BIND</acronym> has mechanisms in place to
3127 facilitate zone transfers
3128 and set limits on the amount of load that transfers place on the
3129 system. The following options apply to zone transfers.
3131 <div class="variablelist"><dl>
3132 <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
3134 Defines a global list of IP addresses of name servers
3135 that are also sent NOTIFY messages whenever a fresh copy of
3137 zone is loaded, in addition to the servers listed in the
3139 This helps to ensure that copies of the zones will
3140 quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
3141 is given in a <span><strong class="command">zone</strong></span> statement,
3143 the <span><strong class="command">options also-notify</strong></span>
3144 statement. When a <span><strong class="command">zone notify</strong></span>
3146 is set to <span><strong class="command">no</strong></span>, the IP
3147 addresses in the global <span><strong class="command">also-notify</strong></span> list will
3148 not be sent NOTIFY messages for that zone. The default is
3150 list (no global notification list).
3152 <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
3154 Inbound zone transfers running longer than
3155 this many minutes will be terminated. The default is 120
3157 (2 hours). The maximum value is 28 days (40320 minutes).
3159 <dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
3161 Inbound zone transfers making no progress
3162 in this many minutes will be terminated. The default is 60
3164 (1 hour). The maximum value is 28 days (40320 minutes).
3166 <dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
3168 Outbound zone transfers running longer than
3169 this many minutes will be terminated. The default is 120
3171 (2 hours). The maximum value is 28 days (40320 minutes).
3173 <dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
3175 Outbound zone transfers making no progress
3176 in this many minutes will be terminated. The default is 60
3178 hour). The maximum value is 28 days (40320 minutes).
3180 <dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
3182 Slave servers will periodically query master servers
3183 to find out if zone serial numbers have changed. Each such
3185 a minute amount of the slave server's network bandwidth. To
3187 amount of bandwidth used, BIND 9 limits the rate at which
3189 sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option,
3190 an integer, is the maximum number of queries sent per
3194 <dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
3196 In BIND 8, the <span><strong class="command">serial-queries</strong></span>
3198 set the maximum number of concurrent serial number queries
3199 allowed to be outstanding at any given time.
3200 BIND 9 does not limit the number of outstanding
3201 serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
3202 Instead, it limits the rate at which the queries are sent
3203 as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
3205 <dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
3207 Zone transfers can be sent using two different formats,
3208 <span><strong class="command">one-answer</strong></span> and
3209 <span><strong class="command">many-answers</strong></span>.
3210 The <span><strong class="command">transfer-format</strong></span> option is used
3211 on the master server to determine which format it sends.
3212 <span><strong class="command">one-answer</strong></span> uses one DNS message per
3213 resource record transferred.
3214 <span><strong class="command">many-answers</strong></span> packs as many resource
3215 records as possible into a message.
3216 <span><strong class="command">many-answers</strong></span> is more efficient, but is
3217 only supported by relatively new slave servers,
3218 such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
3219 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
3220 The <span><strong class="command">many-answers</strong></span> format is also supported by
3221 recent Microsoft Windows nameservers.
3222 The default is <span><strong class="command">many-answers</strong></span>.
3223 <span><strong class="command">transfer-format</strong></span> may be overridden on a
3224 per-server basis by using the <span><strong class="command">server</strong></span>
3227 <dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
3229 The maximum number of inbound zone transfers
3230 that can be running concurrently. The default value is <code class="literal">10</code>.
3231 Increasing <span><strong class="command">transfers-in</strong></span> may
3232 speed up the convergence
3233 of slave zones, but it also may increase the load on the
3236 <dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
3238 The maximum number of outbound zone transfers
3239 that can be running concurrently. Zone transfer requests in
3241 of the limit will be refused. The default value is <code class="literal">10</code>.
3243 <dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
3245 The maximum number of inbound zone transfers
3246 that can be concurrently transferring from a given remote
3248 The default value is <code class="literal">2</code>.
3249 Increasing <span><strong class="command">transfers-per-ns</strong></span>
3251 speed up the convergence of slave zones, but it also may
3253 the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
3254 be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
3255 of the <span><strong class="command">server</strong></span> statement.
3257 <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
3259 <p><span><strong class="command">transfer-source</strong></span>
3260 determines which local address will be bound to IPv4
3261 TCP connections used to fetch zones transferred
3262 inbound by the server. It also determines the
3263 source IPv4 address, and optionally the UDP port,
3264 used for the refresh queries and forwarded dynamic
3265 updates. If not set, it defaults to a system
3266 controlled value which will usually be the address
3267 of the interface "closest to" the remote end. This
3268 address must appear in the remote end's
3269 <span><strong class="command">allow-transfer</strong></span> option for the
3270 zone being transferred, if one is specified. This
3272 <span><strong class="command">transfer-source</strong></span> for all zones,
3273 but can be overridden on a per-view or per-zone
3274 basis by including a
3275 <span><strong class="command">transfer-source</strong></span> statement within
3276 the <span><strong class="command">view</strong></span> or
3277 <span><strong class="command">zone</strong></span> block in the configuration
3280 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3281 <h3 class="title">Note</h3>
3283 Solaris 2.5.1 and earlier does not support setting the
3284 source address for TCP sockets.
3288 <dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
3290 The same as <span><strong class="command">transfer-source</strong></span>,
3291 except zone transfers are performed using IPv6.
3293 <dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
3296 An alternate transfer source if the one listed in
3297 <span><strong class="command">transfer-source</strong></span> fails and
3298 <span><strong class="command">use-alt-transfer-source</strong></span> is
3301 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3302 <h3 class="title">Note</h3>
3303 If you do not wish the alternate transfer source
3304 to be used, you should set
3305 <span><strong class="command">use-alt-transfer-source</strong></span>
3306 appropriately and you should not depend upon
3307 getting an answer back to the first refresh
3311 <dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
3313 An alternate transfer source if the one listed in
3314 <span><strong class="command">transfer-source-v6</strong></span> fails and
3315 <span><strong class="command">use-alt-transfer-source</strong></span> is
3318 <dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
3320 Use the alternate transfer sources or not. If views are
3321 specified, this defaults to <span><strong class="command">no</strong></span>;
3322 otherwise it defaults to
3323 <span><strong class="command">yes</strong></span> (for BIND 8
3326 <dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
3328 <p><span><strong class="command">notify-source</strong></span>
3329 determines which local source address, and
3330 optionally UDP port, will be used to send NOTIFY
3331 messages. This address must appear in the slave
3332 server's <span><strong class="command">masters</strong></span> zone clause or
3333 in an <span><strong class="command">allow-notify</strong></span> clause. This
3334 statement sets the <span><strong class="command">notify-source</strong></span>
3335 for all zones, but can be overridden on a per-zone or
3336 per-view basis by including a
3337 <span><strong class="command">notify-source</strong></span> statement within
3338 the <span><strong class="command">zone</strong></span> or
3339 <span><strong class="command">view</strong></span> block in the configuration
3342 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3343 <h3 class="title">Note</h3>
3345 Solaris 2.5.1 and earlier does not support setting the
3346 source address for TCP sockets.
3350 <dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
3352 Like <span><strong class="command">notify-source</strong></span>,
3353 but applies to notify messages sent to IPv6 addresses.
3357 <div class="sect3" lang="en">
3358 <div class="titlepage"><div><div><h4 class="title">
3359 <a name="id2581988"></a>Bad UDP Port Lists</h4></div></div></div>
3360 <p><span><strong class="command">avoid-v4-udp-ports</strong></span>
3361 and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list
3362 of IPv4 and IPv6 UDP ports that will not be used as system
3363 assigned source ports for UDP sockets. These lists
3364 prevent named from choosing as its random source port a
3365 port that is blocked by your firewall. If a query went
3366 out with such a source port, the answer would not get by
3367 the firewall and the name server would have to query
3371 <div class="sect3" lang="en">
3372 <div class="titlepage"><div><div><h4 class="title">
3373 <a name="id2582003"></a>Operating System Resource Limits</h4></div></div></div>
3375 The server's usage of many system resources can be limited.
3376 Scaled values are allowed when specifying resource limits. For
3377 example, <span><strong class="command">1G</strong></span> can be used instead of
3378 <span><strong class="command">1073741824</strong></span> to specify a limit of
3380 gigabyte. <span><strong class="command">unlimited</strong></span> requests
3381 unlimited use, or the
3382 maximum available amount. <span><strong class="command">default</strong></span>
3384 that was in force when the server was started. See the description
3385 of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
3388 The following options set operating system resource limits for
3389 the name server process. Some operating systems don't support
3391 any of the limits. On such systems, a warning will be issued if
3393 unsupported limit is used.
3395 <div class="variablelist"><dl>
3396 <dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
3398 The maximum size of a core dump. The default
3399 is <code class="literal">default</code>.
3401 <dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
3403 The maximum amount of data memory the server
3404 may use. The default is <code class="literal">default</code>.
3405 This is a hard limit on server memory usage.
3406 If the server attempts to allocate memory in excess of this
3407 limit, the allocation will fail, which may in turn leave
3408 the server unable to perform DNS service. Therefore,
3409 this option is rarely useful as a way of limiting the
3410 amount of memory used by the server, but it can be used
3411 to raise an operating system data size limit that is
3412 too small by default. If you wish to limit the amount
3413 of memory used by the server, use the
3414 <span><strong class="command">max-cache-size</strong></span> and
3415 <span><strong class="command">recursive-clients</strong></span>
3418 <dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
3420 The maximum number of files the server
3421 may have open concurrently. The default is <code class="literal">unlimited</code>.
3423 <dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
3425 The maximum amount of stack memory the server
3426 may use. The default is <code class="literal">default</code>.
3430 <div class="sect3" lang="en">
3431 <div class="titlepage"><div><div><h4 class="title">
3432 <a name="id2582186"></a>Server Resource Limits</h4></div></div></div>
3434 The following options set limits on the server's
3435 resource consumption that are enforced internally by the
3436 server rather than the operating system.
3438 <div class="variablelist"><dl>
3439 <dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
3441 This option is obsolete; it is accepted
3442 and ignored for BIND 8 compatibility. The option
3443 <span><strong class="command">max-journal-size</strong></span> performs a
3444 similar function in BIND 9.
3446 <dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
3448 Sets a maximum size for each journal file
3449 (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
3451 the specified size, some of the oldest transactions in the
3453 will be automatically removed. The default is
3454 <code class="literal">unlimited</code>.
3456 <dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
3458 In BIND 8, specifies the maximum number of host statistics
3460 Not implemented in BIND 9.
3462 <dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
3464 The maximum number of simultaneous recursive lookups
3465 the server will perform on behalf of clients. The default
3467 <code class="literal">1000</code>. Because each recursing
3469 bit of memory, on the order of 20 kilobytes, the value of
3471 <span><strong class="command">recursive-clients</strong></span> option may
3472 have to be decreased
3473 on hosts with limited memory.
3475 <dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
3477 The maximum number of simultaneous client TCP
3478 connections that the server will accept.
3479 The default is <code class="literal">100</code>.
3481 <dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
3483 The maximum amount of memory to use for the
3484 server's cache, in bytes. When the amount of data in the
3486 reaches this limit, the server will cause records to expire
3487 prematurely so that the limit is not exceeded. In a server
3489 multiple views, the limit applies separately to the cache of
3491 view. The default is <code class="literal">unlimited</code>, meaning that
3492 records are purged from the cache only when their TTLs
3495 <dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
3497 The listen queue depth. The default and minimum is 3.
3498 If the kernel supports the accept filter "dataready" this
3500 many TCP connections that will be queued in kernel space
3502 some data before being passed to accept. Values less than 3
3508 <div class="sect3" lang="en">
3509 <div class="titlepage"><div><div><h4 class="title">
3510 <a name="id2582320"></a>Periodic Task Intervals</h4></div></div></div>
3511 <div class="variablelist"><dl>
3512 <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
3514 The server will remove expired resource records
3515 from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
3516 The default is 60 minutes. The maximum value is 28 days
3518 If set to 0, no periodic cleaning will occur.
3520 <dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
3522 The server will perform zone maintenance tasks
3523 for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
3524 interval expires. The default is 60 minutes. Reasonable
3526 to 1 day (1440 minutes). The maximum value is 28 days
3528 If set to 0, no zone maintenance for these zones will occur.
3530 <dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
3532 The server will scan the network interface list
3533 every <span><strong class="command">interface-interval</strong></span>
3534 minutes. The default
3535 is 60 minutes. The maximum value is 28 days (40320 minutes).
3536 If set to 0, interface scanning will only occur when
3537 the configuration file is loaded. After the scan, the
3539 begin listening for queries on any newly discovered
3540 interfaces (provided they are allowed by the
3541 <span><strong class="command">listen-on</strong></span> configuration), and
3543 stop listening on interfaces that have gone away.
3545 <dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
3548 Name server statistics will be logged
3549 every <span><strong class="command">statistics-interval</strong></span>
3550 minutes. The default is
3551 60. The maximum value is 28 days (40320 minutes).
3552 If set to 0, no statistics will be logged.
3554 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3555 <h3 class="title">Note</h3>
3557 Not yet implemented in
3558 <acronym class="acronym">BIND</acronym> 9.
3564 <div class="sect3" lang="en">
3565 <div class="titlepage"><div><div><h4 class="title">
3566 <a name="topology"></a>Topology</h4></div></div></div>
3568 All other things being equal, when the server chooses a name
3570 to query from a list of name servers, it prefers the one that is
3571 topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
3572 takes an <span><strong class="command">address_match_list</strong></span> and
3574 in a special way. Each top-level list element is assigned a
3576 Non-negated elements get a distance based on their position in the
3577 list, where the closer the match is to the start of the list, the
3578 shorter the distance is between it and the server. A negated match
3579 will be assigned the maximum distance from the server. If there
3580 is no match, the address will get a distance which is further than
3581 any non-negated list element, and closer than any negated element.
3584 <pre class="programlisting">topology {
3590 will prefer servers on network 10 the most, followed by hosts
3591 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
3592 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
3593 is preferred least of all.
3596 The default topology is
3598 <pre class="programlisting"> topology { localhost; localnets; };
3600 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3601 <h3 class="title">Note</h3>
3603 The <span><strong class="command">topology</strong></span> option
3604 is not implemented in <acronym class="acronym">BIND</acronym> 9.
3608 <div class="sect3" lang="en">
3609 <div class="titlepage"><div><div><h4 class="title">
3610 <a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
3612 The response to a DNS query may consist of multiple resource
3613 records (RRs) forming a resource records set (RRset).
3614 The name server will normally return the
3615 RRs within the RRset in an indeterminate order
3616 (but see the <span><strong class="command">rrset-order</strong></span>
3617 statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
3618 The client resolver code should rearrange the RRs as appropriate,
3619 that is, using any addresses on the local net in preference to
3621 However, not all resolvers can do this or are correctly
3623 When a client is using a local server, the sorting can be performed
3624 in the server, based on the client's address. This only requires
3625 configuring the name servers, not all the clients.
3628 The <span><strong class="command">sortlist</strong></span> statement (see below)
3630 an <span><strong class="command">address_match_list</strong></span> and
3632 more specifically than the <span><strong class="command">topology</strong></span>
3634 does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
3635 Each top level statement in the <span><strong class="command">sortlist</strong></span> must
3636 itself be an explicit <span><strong class="command">address_match_list</strong></span> with
3637 one or two elements. The first element (which may be an IP
3639 an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
3640 of each top level list is checked against the source address of
3641 the query until a match is found.
3644 Once the source address of the query has been matched, if
3645 the top level statement contains only one element, the actual
3647 element that matched the source address is used to select the
3649 in the response to move to the beginning of the response. If the
3650 statement is a list of two elements, then the second element is
3651 treated the same as the <span><strong class="command">address_match_list</strong></span> in
3652 a <span><strong class="command">topology</strong></span> statement. Each top
3654 is assigned a distance and the address in the response with the
3656 distance is moved to the beginning of the response.
3659 In the following example, any queries received from any of
3660 the addresses of the host itself will get responses preferring
3662 on any of the locally connected networks. Next most preferred are
3664 on the 192.168.1/24 network, and after that either the
3667 192.168.3/24 network with no preference shown between these two
3668 networks. Queries received from a host on the 192.168.1/24 network
3669 will prefer other addresses on that network to the 192.168.2/24
3671 192.168.3/24 networks. Queries received from a host on the
3673 or the 192.168.5/24 network will only prefer other addresses on
3674 their directly connected networks.
3676 <pre class="programlisting">sortlist {
3677 { localhost; // IF the local host
3678 { localnets; // THEN first fit on the
3679 192.168.1/24; // following nets
3680 { 192.168.2/24; 192.168.3/24; }; }; };
3681 { 192.168.1/24; // IF on class C 192.168.1
3682 { 192.168.1/24; // THEN use .1, or .2 or .3
3683 { 192.168.2/24; 192.168.3/24; }; }; };
3684 { 192.168.2/24; // IF on class C 192.168.2
3685 { 192.168.2/24; // THEN use .2, or .1 or .3
3686 { 192.168.1/24; 192.168.3/24; }; }; };
3687 { 192.168.3/24; // IF on class C 192.168.3
3688 { 192.168.3/24; // THEN use .3, or .1 or .2
3689 { 192.168.1/24; 192.168.2/24; }; }; };
3690 { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
3694 The following example will give reasonable behavior for the
3695 local host and hosts on directly connected networks. It is similar
3696 to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
3697 to queries from the local host will favor any of the directly
3699 networks. Responses sent to queries from any other hosts on a
3701 connected network will prefer addresses on that same network.
3703 to other queries will not be sorted.
3705 <pre class="programlisting">sortlist {
3706 { localhost; localnets; };
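<p>The distance rules of the Topology section and the two-element <span><strong class="command">sortlist</strong></span> statements above are easier to follow when the matching is carried out step by step. The following simulation is an added example, not BIND code: nested Python lists stand in for nested <span><strong class="command">address_match_list</strong></span>s, prefixes are written in full CIDR form (192.168.1.0/24 for BIND's 192.168.1/24), negation is supported on string elements only, and the server's own addresses and directly connected networks (the meaning of <span><strong class="command">localhost</strong></span> and <span><strong class="command">localnets</strong></span>) are assumed values. The <code class="literal">TOPOLOGY</code> list is reconstructed from the prose description in the Topology section, since the page's own listing is cut off; the first sortlist above is transcribed as <code class="literal">SORTLIST</code>.</p>

```python
"""Simulate the sortlist and topology rules described above.  Added example,
not BIND code.  Nested Python lists stand in for nested address_match_lists,
prefixes are written in full CIDR form (192.168.1.0/24 for BIND's 192.168.1/24)
and negation ("!10.0.0.0/8") is supported on string elements only."""
import ipaddress

# Constructed environment: the server's own addresses ("localhost") and the
# networks of its interfaces ("localnets").  Assumption for the demonstration.
ENV = {
    "localhost": {ipaddress.ip_address("127.0.0.1"),
                  ipaddress.ip_address("192.168.4.1")},
    "localnets": [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("192.168.4.0/24")],
}

# The first sortlist example from the text, transcribed.
SORTLIST = [
    ["localhost", ["localnets", "192.168.1.0/24",
                   ["192.168.2.0/24", "192.168.3.0/24"]]],
    ["192.168.1.0/24", ["192.168.1.0/24", ["192.168.2.0/24", "192.168.3.0/24"]]],
    ["192.168.2.0/24", ["192.168.2.0/24", ["192.168.1.0/24", "192.168.3.0/24"]]],
    ["192.168.3.0/24", ["192.168.3.0/24", ["192.168.1.0/24", "192.168.2.0/24"]]],
    [["192.168.4.0/24", "192.168.5.0/24"]],
]

# Topology list reconstructed from the prose of the Topology section (the
# page's listing is cut off): network 10 first, 1.2.0.0/16 and 3.0.0.0/8 next,
# hosts on 1.2.3.0/24 last of all.  The negated element has to precede the
# list that would otherwise match those hosts.
TOPOLOGY = ["10.0.0.0/8", "!1.2.3.0/24", ["1.2.0.0/16", "3.0.0.0/8"]]


def _split_negation(elem):
    if isinstance(elem, str) and elem.startswith("!"):
        return True, elem[1:]
    return False, elem


def element_matches(elem, addr, env=ENV):
    """Positive match of one element: nested list, named ACL or prefix."""
    if isinstance(elem, list):
        return list_matches(elem, addr, env)
    if elem == "localhost":
        return addr in env["localhost"]
    if elem == "localnets":
        return any(addr in net for net in env["localnets"])
    return addr in ipaddress.ip_network(elem, strict=False)


def list_matches(lst, addr, env=ENV):
    """address_match_list semantics: the first element that matches decides,
    and a matching negated element makes the whole list not match."""
    for elem in lst:
        negated, core = _split_negation(elem)
        if element_matches(core, addr, env):
            return not negated
    return False


def topology_distance(toplist, addr, env=ENV):
    """Distance rules of the Topology section: list position for a non-negated
    match, the maximum for a negated match, and for no match a value beyond
    every non-negated element but below any negated one."""
    addr = ipaddress.ip_address(str(addr))
    for i, elem in enumerate(toplist):
        negated, core = _split_negation(elem)
        if element_matches(core, addr, env):
            return len(toplist) + 1 if negated else i
    return len(toplist)


def sortlist_order(sortlist, client, answers, env=ENV):
    """Reorder the addresses in `answers` for a query received from `client`,
    using the first sortlist statement whose first element matches the client."""
    client = ipaddress.ip_address(client)
    addrs = [ipaddress.ip_address(a) for a in answers]
    for stmt in sortlist:
        if not element_matches(stmt[0], client, env):
            continue
        if len(stmt) == 1:
            # One element: answers matching the element that matched the client
            # move to the front; their relative order is otherwise kept.
            key = lambda a: 0 if element_matches(stmt[0], a, env) else 1
        else:
            # Two elements: the second is scored like a topology list.
            key = lambda a: topology_distance(stmt[1], a, env)
        return [str(a) for a in sorted(addrs, key=key)]   # sorted() is stable
    return list(answers)   # nothing matched: the answer is not sorted


if __name__ == "__main__":
    rrset = ["10.9.8.7", "192.168.3.5", "192.168.4.7", "192.168.1.9", "192.168.2.4"]
    for client in ("192.168.4.1", "192.168.1.50", "192.168.5.3", "203.0.113.9"):
        print(client, "->", sortlist_order(SORTLIST, client, rrset))
```

<p>Running the block with the constructed RRset shows the effect described in the text: the server itself gets the <span><strong class="command">localnets</strong></span> address first, a client on 192.168.1/24 gets the 192.168.1 address first with the 192.168.2 and 192.168.3 addresses next in their original relative order, a client on 192.168.5/24 gets only the 192.168.4 address promoted, and a client that matches no statement gets the answer unchanged.</p>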
3711 <div class="sect3" lang="en">
3712 <div class="titlepage"><div><div><h4 class="title">
3713 <a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
3715 When multiple records are returned in an answer it may be
3716 useful to configure the order of the records placed into the
3718 The <span><strong class="command">rrset-order</strong></span> statement permits
3720 of the ordering of the records in a multiple record response.
3721 See also the <span><strong class="command">sortlist</strong></span> statement,
3722 <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
3725 An <span><strong class="command">order_spec</strong></span> is defined as
3729 [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
3730 [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
3731 [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
3732 order <em class="replaceable"><code>ordering</code></em>
3735 If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
3736 If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
3737 If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
3740 The legal values for <span><strong class="command">ordering</strong></span> are:
3742 <div class="informaltable"><table border="1">
3750 <p><span><strong class="command">fixed</strong></span></p>
3754 Records are returned in the order they
3755 are defined in the zone file.
3761 <p><span><strong class="command">random</strong></span></p>
3765 Records are returned in some random order.
3771 <p><span><strong class="command">cyclic</strong></span></p>
3775 Records are returned in a round-robin
3785 <pre class="programlisting">rrset-order {
3786 class IN type A name "host.example.com" order random;
3791 will cause any responses for type A records in class IN that
3792 have "<code class="literal">host.example.com</code>" as a
3793 suffix, to always be returned
3794 in random order. All other records are returned in cyclic order.
3797 If multiple <span><strong class="command">rrset-order</strong></span> statements
3799 they are not combined — the last one applies.
3801 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3802 <h3 class="title">Note</h3>
3804 The <span><strong class="command">rrset-order</strong></span> statement
3805 is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
3806 BIND 9 currently does not fully support "fixed" ordering.
3810 <div class="sect3" lang="en">
3811 <div class="titlepage"><div><div><h4 class="title">
3812 <a name="tuning"></a>Tuning</h4></div></div></div>
3813 <div class="variablelist"><dl>
3814 <dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
3816 Sets the number of seconds to cache a
3817 lame server indication. 0 disables caching. (This is
3818 <span class="bold"><strong>NOT</strong></span> recommended.)
3819 The default is <code class="literal">600</code> (10 minutes) and the
3821 <code class="literal">1800</code> (30 minutes).
3823 <dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
3825 To reduce network traffic and increase performance,
3826 the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
3827 used to set a maximum retention time for these answers in
3829 in seconds. The default
3830 <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
3831 <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
3833 be silently truncated to 7 days if set to a greater value.
3835 <dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
3837 Sets the maximum time for which the server will
3838 cache ordinary (positive) answers. The default is
3841 <dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
3844 The minimum number of root servers that
3845 is required for a request for the root servers to be
3846 accepted. The default
3847 is <strong class="userinput"><code>2</code></strong>.
3849 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
3850 <h3 class="title">Note</h3>
3852 Not implemented in <acronym class="acronym">BIND</acronym> 9.
3856 <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
3858 Specifies the number of days into the
3859 future when DNSSEC signatures automatically generated as a
3861 of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>)
3862 will expire. The default is <code class="literal">30</code> days.
3863 The maximum value is 10 years (3660 days). The signature
3864 inception time is unconditionally set to one hour before the
3866 to allow for a limited amount of clock skew.
3869 <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
3873 These options control the server's behavior on refreshing a
3875 (querying for SOA changes) or retrying failed transfers.
3876 Usually the SOA values for the zone are used, but these
3878 are set by the master, giving slave server administrators
3880 control over their contents.
3883 These options allow the administrator to set a minimum and
3885 refresh and retry time either per-zone, per-view, or
3887 These options are valid for slave and stub zones,
3888 and clamp the SOA refresh and retry times to the specified
3892 <dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
3894 Sets the advertised EDNS UDP buffer size in bytes. Valid
3895 values are 512 to 4096 (values outside this range
3896 will be silently adjusted). The default value is
3897 4096. The usual reason for setting edns-udp-size to
3898 a non-default value is to get UDP answers to pass
3899 through broken firewalls that block fragmented
3900 packets and/or block UDP packets that are greater
3903 <dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
3905 Sets the maximum EDNS UDP message size named will
3906 send in bytes. Valid values are 512 to 4096 (values outside
3907 this range will be silently adjusted). The default
3908 value is 4096. The usual reason for setting
3909 max-udp-size to a non-default value is to get UDP
3910 answers to pass through broken firewalls that
3911 block fragmented packets and/or block UDP packets
3912 that are greater than 512 bytes.
3913 This is independent of the advertised receive
3914 buffer (<span><strong class="command">edns-udp-size</strong></span>).
3916 <dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
3918 the file format of zone files (see
3919 <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
3920 The default value is <code class="constant">text</code>, which is the
3921 standard textual representation. Files in other formats
3922 than <code class="constant">text</code> are typically expected
3923 to be generated by the <span><strong class="command">named-compilezone</strong></span> tool.
3924 Note that when a zone file in a different format than
3925 <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
3926 may omit some of the checks which would be performed for a
3927 file in the <code class="constant">text</code> format. In particular,
3928 <span><strong class="command">check-names</strong></span> checks do not apply
3929 for the <code class="constant">raw</code> format. This means
3930 a zone file in the <code class="constant">raw</code> format
3931 must be generated with the same check level as that
3932 specified in the <span><strong class="command">named</strong></span> configuration
3933 file. This statement sets the
3934 <span><strong class="command">masterfile-format</strong></span> for all zones,
3935 but can be overridden on a per-zone or per-view basis
3936 by including a <span><strong class="command">masterfile-format</strong></span>
3937 statement within the <span><strong class="command">zone</strong></span> or
3938 <span><strong class="command">view</strong></span> block in the configuration
3942 <span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
3946 initial value (minimum) and maximum number of recursive
3947 simultaneous clients for any given query
3948 (&lt;qname,qtype,qclass&gt;) that the server will accept
3949 before dropping additional clients. named will attempt to
3950 self-tune this value and changes will be logged. The
3951 default values are 10 and 100.
3954 This value should reflect how many queries come in for
3955 a given name in the time it takes to resolve that name.
3956 If the number of queries exceeds this value, named will
3957 assume that it is dealing with a non-responsive zone
3958 and will drop additional queries. If it gets a response
3959 after dropping queries, it will raise the estimate. The
3960 estimate will then be lowered in 20 minutes if it has
3964 If <span><strong class="command">clients-per-query</strong></span> is set to zero,
3965 then there is no limit on the number of clients per query
3966 and no queries will be dropped.
3969 If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
3970 then there is no upper bound other than that imposed by
3971 <span><strong class="command">recursive-clients</strong></span>.
3974 <dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
3976 The delay, in seconds, between sending sets of notify
3977 messages for a zone. The default is zero.
3981 <div class="sect3" lang="en">
3982 <div class="titlepage"><div><div><h4 class="title">
3983 <a name="builtin"></a>Built-in server information zones</h4></div></div></div>
3985 The server provides some helpful diagnostic information
3986 through a number of built-in zones under the
3987 pseudo-top-level-domain <code class="literal">bind</code> in the
3988 <span><strong class="command">CHAOS</strong></span> class. These zones are part
3990 built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
3992 <span><strong class="command">CHAOS</strong></span> which is separate from the
3994 class <span><strong class="command">IN</strong></span>; therefore, any global
3996 such as <span><strong class="command">allow-query</strong></span> do not apply
3998 If you feel the need to disable these zones, use the options
3999 below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
4001 defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
4002 that matches all clients.
4004 <div class="variablelist"><dl>
4005 <dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
4007 The version the server should report
4008 via a query of the name <code class="literal">version.bind</code>
4009 with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
4010 The default is the real version number of this server.
4011 Specifying <span><strong class="command">version none</strong></span>
4012 disables processing of the queries.
4014 <dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
4016 The hostname the server should report via a query of
4017 the name <code class="filename">hostname.bind</code>
4018 with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
4019 This defaults to the hostname of the machine hosting the
4021 found by the gethostname() function. The primary purpose of such queries
4023 identify which of a group of anycast servers is actually
4024 answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
4025 disables processing of the queries.
4027 <dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
4029 The ID the server should report via a query of
4030 the name <code class="filename">ID.SERVER</code>
4031 with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
4032 The primary purpose of such queries is to
4033 identify which of a group of anycast servers is actually
4034 answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
4035 disables processing of the queries.
4036 Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
4037 use the hostname as found by the gethostname() function.
4038 The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
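A way to check what a server you operate actually discloses through these zones, as an added example that is not part of the ARM or of BIND: it builds a CHAOS-class TXT query for <code>version.bind</code> (or <code>hostname.bind</code>, <code>ID.SERVER</code>) in raw RFC 1035 wire format and decodes the TXT answer. The response bytes used for the stand-alone run are constructed by <code>build_chaos_txt_response</code>, not captured from named, and the server address mentioned for <code>query_server</code> is a placeholder.

```python
"""Query the built-in CHAOS-class information zones in raw DNS wire format.

Added example, not code from the BIND 9 ARM or from named.  It lets an
operator confirm that 'version none;', 'hostname none;' or 'server-id none;'
really hides the data.  Only RFC 1035 header, name and TXT encodings are used;
the response bytes in the stand-alone run are constructed here, not captured
from a real server.
"""
import socket
import struct

CLASS_CHAOS = 3   # class CH
TYPE_TXT = 16


def encode_name(name):
    """Encode an owner name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_chaos_txt_query(name, txid=0x1234):
    """A query for <name> TXT CH, e.g. version.bind, hostname.bind, ID.SERVER."""
    # id, flags (no RD: the built-in zones are answered authoritatively),
    # qdcount=1, ancount=nscount=arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CHAOS)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_chaos_txt_response(msg):
    """Return (rcode, list of TXT strings) from a reply to the query above."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip qtype and qclass
    texts = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CHAOS:
            i = 0
            while i < len(rdata):            # TXT rdata: <len><chars> repeated
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return rcode, texts


def build_chaos_txt_response(query, txt=None, rcode=0):
    """Constructed reply used for the offline run: echoes the question and
    adds one TXT answer when txt is given, otherwise just the rcode."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8400 | rcode                  # QR and AA set
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if txt is not None else 0, 0, 0)
    msg += question
    if txt is not None:
        raw = txt.encode("ascii")
        rdata = bytes([len(raw)]) + raw
        msg += b"\xc0\x0c"                   # pointer to the question name
        msg += struct.pack("!HHIH", TYPE_TXT, CLASS_CHAOS, 0, len(rdata)) + rdata
    return msg


def query_server(server, name, timeout=2.0):
    """Send the query over UDP to a server you operate and parse its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_txt_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_chaos_txt_response(data)


if __name__ == "__main__":
    # Offline run against constructed bytes; to test a live server use e.g.
    # query_server("192.0.2.53", "version.bind") with your own server address.
    q = build_chaos_txt_query("version.bind")
    print(parse_chaos_txt_response(build_chaos_txt_response(q, "9.4.x (constructed)")))
    print(parse_chaos_txt_response(build_chaos_txt_response(q, None, rcode=5)))
```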
4042 <div class="sect3" lang="en">
4043 <div class="titlepage"><div><div><h4 class="title">
4044 <a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
4046 Named has some built-in empty zones (SOA and NS records only).
4047 These are for zones that should normally be answered locally
4048 and for which queries should not be sent to the Internet's root
4049 servers. The official servers which cover these namespaces
4050 return NXDOMAIN responses to these queries. In particular,
4051 these cover the reverse namespace for addresses from RFC 1918 and
4052 RFC 3330. They also include the reverse namespace for IPv6 local
4053 addresses (locally assigned), IPv6 link-local addresses, the IPv6
4054 loopback address and the IPv6 unknown address.
4057 Named will attempt to determine if a built-in zone already exists
4058 or is active (covered by a forward-only forwarding declaration)
4059 and will not create an empty zone in that case.
4062 The current list of empty zones is:
4064 <div class="itemizedlist"><ul type="disc">
4065 <li>10.IN-ADDR.ARPA</li>
4066 <li>127.IN-ADDR.ARPA</li>
4067 <li>254.169.IN-ADDR.ARPA</li>
4068 <li>16.172.IN-ADDR.ARPA</li>
4069 <li>17.172.IN-ADDR.ARPA</li>
4070 <li>18.172.IN-ADDR.ARPA</li>
4071 <li>19.172.IN-ADDR.ARPA</li>
4072 <li>20.172.IN-ADDR.ARPA</li>
4073 <li>21.172.IN-ADDR.ARPA</li>
4074 <li>22.172.IN-ADDR.ARPA</li>
4075 <li>23.172.IN-ADDR.ARPA</li>
4076 <li>24.172.IN-ADDR.ARPA</li>
4077 <li>25.172.IN-ADDR.ARPA</li>
4078 <li>26.172.IN-ADDR.ARPA</li>
4079 <li>27.172.IN-ADDR.ARPA</li>
4080 <li>28.172.IN-ADDR.ARPA</li>
4081 <li>29.172.IN-ADDR.ARPA</li>
4082 <li>30.172.IN-ADDR.ARPA</li>
4083 <li>31.172.IN-ADDR.ARPA</li>
4084 <li>168.192.IN-ADDR.ARPA</li>
4085 <li>2.0.192.IN-ADDR.ARPA</li>
4086 <li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
4087 <li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
4088 <li>D.F.IP6.ARPA</li>
4089 <li>8.E.F.IP6.ARPA</li>
4090 <li>9.E.F.IP6.ARPA</li>
4091 <li>A.E.F.IP6.ARPA</li>
4092 <li>B.E.F.IP6.ARPA</li>
4097 Empty zones are settable at the view level and only apply to
4098 views of class IN. Disabled empty zones are only inherited
4099 from options if there are no disabled empty zones specified
4100 at the view level. To override the options list of disabled
4101 zones, you can disable the root zone at the view level, for example:
4103 <pre class="programlisting">
4104 disable-empty-zone ".";
4109 If you are using the address ranges covered here, you should
4110 already have reverse zones covering the addresses you use.
4111 In practice this appears not to be the case, with many queries
4112 being made to the infrastructure servers for names in these
4113 spaces. So many, in fact, that sacrificial servers had to be
4114 deployed to channel the query load away from the
4115 infrastructure servers.
4117 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
4118 <h3 class="title">Note</h3>
4119 The real parent servers for these zones should disable all
4120 empty zones under the parent zone they serve. For the real
4121 root servers, this is all built-in empty zones. This will
4122 enable them to return referrals to deeper in the tree.
4124 <div class="variablelist"><dl>
4125 <dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
4127 Specify what server name will appear in the returned
4128 SOA record for empty zones. If none is specified, then
4129 the zone's name will be used.
4131 <dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
4133 Specify what contact name will appear in the returned
4134 SOA record for empty zones. If none is specified, then
4137 <dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
4139 Enable or disable all empty zones. By default they
4142 <dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
4144 Disable individual empty zones. By default none are
4145 disabled. This option can be specified multiple times.
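The rules in this section (the built-in list, <code>empty-zones-enable</code>, <code>disable-empty-zone</code>, the class IN restriction and the view-level inheritance rule) worked through in code, as an added example that is not part of the ARM or of named. It maps an address to its reverse name and reports which built-in empty zone, if any, would answer it; the option values in the stand-alone run are constructed.

```python
"""Decide whether a reverse query would be answered by a built-in empty zone.

Added example, not code from the BIND 9 ARM or from named.  It applies the
rules given above: the built-in zone list, empty-zones-enable, the repeatable
disable-empty-zone option, the fact that empty zones exist only in class IN
views, and the inheritance rule (a view's own disable-empty-zone list replaces
the options list, which is why disabling "." at the view level re-enables
everything).  The option values below are constructed.
"""
import ipaddress

# The built-in empty zones listed above; the two full-length IP6.ARPA names
# (:: and ::1) are generated rather than typed out.
BUILTIN_EMPTY_ZONES = [
    "10.in-addr.arpa", "127.in-addr.arpa", "254.169.in-addr.arpa",
    *("%d.172.in-addr.arpa" % n for n in range(16, 32)),
    "168.192.in-addr.arpa", "2.0.192.in-addr.arpa",
    ipaddress.ip_address("::").reverse_pointer,
    ipaddress.ip_address("::1").reverse_pointer,
    "d.f.ip6.arpa", "8.e.f.ip6.arpa", "9.e.f.ip6.arpa",
    "a.e.f.ip6.arpa", "b.e.f.ip6.arpa",
]


def normalize(name):
    """Lower case, no trailing dot; '.' stands for the root."""
    name = name.strip().lower().rstrip(".")
    return name or "."


def in_zone(name, zone):
    """True if name is zone itself or lies below it."""
    return name == zone or name.endswith("." + zone)


def effective_disabled(options_disabled, view_disabled):
    """disable-empty-zone entries in force for a view: the view's own list
    if it has one, otherwise the list inherited from options."""
    chosen = view_disabled if view_disabled else options_disabled
    return {normalize(z) for z in chosen}


def reverse_name(address):
    """PTR owner name of an address, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def empty_zone_for(qname, options_disabled=(), view_disabled=(),
                   empty_zones_enable=True, view_class="IN"):
    """Return the built-in empty zone that answers qname locally, or None
    when the query would leave the server (or hit a real zone instead)."""
    if not empty_zones_enable or view_class.upper() != "IN":
        return None
    name = normalize(qname)
    disabled = effective_disabled(options_disabled, view_disabled)
    for zone in BUILTIN_EMPTY_ZONES:
        if in_zone(name, zone):
            # disable-empty-zone names a zone exactly; "." matches none of
            # the built-ins, so a view-level "." only cancels inheritance.
            return None if zone in disabled else zone
    return None


if __name__ == "__main__":
    opts = ["10.IN-ADDR.ARPA"]   # options { disable-empty-zone "10.IN-ADDR.ARPA"; }
    for addr in ("10.1.2.3", "172.20.1.1", "192.0.2.1", "fe80::1", "8.8.8.8"):
        q = reverse_name(addr)
        print(addr, "->", empty_zone_for(q, opts), "| view override:",
              empty_zone_for(q, opts, view_disabled=["."]))
```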
4149 <div class="sect3" lang="en">
4150 <div class="titlepage"><div><div><h4 class="title">
4151 <a name="statsfile"></a>The Statistics File</h4></div></div></div>
4153 The statistics file generated by <acronym class="acronym">BIND</acronym> 9
4154 is similar, but not identical, to that
4155 generated by <acronym class="acronym">BIND</acronym> 8.
4158 The statistics dump begins with a line, like:
4161 <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
4164 The number in parentheses is a standard
4165 Unix-style timestamp, measured as seconds since January 1, 1970.
4167 that line are a series of lines containing a counter type, the
4169 counter, optionally a zone name, and optionally a view name.
4170 The lines without view and zone listed are global statistics for
4172 Lines with a zone and view name for the given view and zone (the
4174 omitted for the default view).
4177 The statistics dump ends with the line where the
4178 number is identical to the number in the beginning line; for example:
4181 <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
4184 The following statistics counters are maintained:
4186 <div class="informaltable"><table border="1">
4194 <p><span><strong class="command">success</strong></span></p>
4199 successful queries made to the server or zone. A
4201 is defined as a query which returns a NOERROR response
4209 <p><span><strong class="command">referral</strong></span></p>
4213 The number of queries which resulted
4214 in referral responses.
4220 <p><span><strong class="command">nxrrset</strong></span></p>
4224 The number of queries which resulted in
4225 NOERROR responses with no data.
4231 <p><span><strong class="command">nxdomain</strong></span></p>
4236 of queries which resulted in NXDOMAIN responses.
4242 <p><span><strong class="command">failure</strong></span></p>
4246 The number of queries which resulted in a
4247 failure response other than those above.
4253 <p><span><strong class="command">recursion</strong></span></p>
4257 The number of queries which caused the server
4258 to perform recursion in order to find the final answer.
4264 <p><span><strong class="command">duplicate</strong></span></p>
4268 The number of queries which the server attempted to
4269 recurse but discovered an existing query with the same
4270 IP address, port, query id, name, type and class
4271 already being processed.
4277 <p><span><strong class="command">dropped</strong></span></p>
4281 The number of queries for which the server
4282 discovered an excessive number of existing
4283 recursive queries for the same name, type and
4284 class and were subsequently dropped.
4291 Each query received by the server will cause exactly one of
4292 <span><strong class="command">success</strong></span>,
4293 <span><strong class="command">referral</strong></span>,
4294 <span><strong class="command">nxrrset</strong></span>,
4295 <span><strong class="command">nxdomain</strong></span>, or
4296 <span><strong class="command">failure</strong></span>
4297 to be incremented, and may additionally cause the
4298 <span><strong class="command">recursion</strong></span> counter to be
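A parser for the dump format described in this section, as an added example that is not part of the ARM or of BIND. It checks that the closing timestamp matches the opening one, groups counters by zone and view, sums the five mutually exclusive outcome counters, and reports the share of <code>dropped</code> queries, the counter that reflects the <code>clients-per-query</code> limit described earlier. The dump text is constructed to match the documented layout, not captured from a running server.

```python
"""Parse a BIND 9 statistics dump in the layout documented above.

Added example, not code from the BIND 9 ARM or from named.  SAMPLE_DUMP is
constructed: an opening '+++ Statistics Dump +++ (timestamp)' line, one line
per counter with an optional zone and optional view name, and a closing
'--- Statistics Dump --- (timestamp)' line repeating the timestamp.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Exactly one of these is incremented per query received (see above).
OUTCOME_COUNTERS = ("success", "referral", "nxrrset", "nxdomain", "failure")
KNOWN_COUNTERS = OUTCOME_COUNTERS + ("recursion", "duplicate", "dropped")

SAMPLE_DUMP = """\
+++ Statistics Dump +++ (973798949)
success 12345
referral 27
nxrrset 402
nxdomain 1030
recursion 9876
failure 15
duplicate 8
dropped 350
success 100 example.com
nxdomain 5 example.com
success 50 example.com internal
dropped 349 example.com internal
--- Statistics Dump --- (973798949)
"""

_HEADER = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
_FOOTER = re.compile(r"^--- Statistics Dump --- \((\d+)\)$")


def parse_statistics_dump(text):
    """Return (timestamp, counters) for one dump.

    counters maps (zone, view) -> {counter_name: value}.  Global statistics
    use the key (None, None); a zone line without a view name (the default
    view) uses (zone, None).  Raises ValueError on a malformed dump or when
    the footer timestamp differs from the header timestamp.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty dump")
    m = _HEADER.match(lines[0])
    if not m:
        raise ValueError("missing statistics dump header")
    start_ts = int(m.group(1))
    m = _FOOTER.match(lines[-1])
    if not m:
        raise ValueError("missing statistics dump footer")
    if int(m.group(1)) != start_ts:
        raise ValueError("footer timestamp %s != header %d" % (m.group(1), start_ts))

    counters = defaultdict(dict)
    for ln in lines[1:-1]:
        fields = ln.split()
        if len(fields) < 2 or len(fields) > 4:
            raise ValueError("unexpected line: %r" % ln)
        name, value = fields[0], int(fields[1])
        if name not in KNOWN_COUNTERS:
            raise ValueError("unknown counter %r" % name)
        zone = fields[2] if len(fields) >= 3 else None
        view = fields[3] if len(fields) == 4 else None
        counters[(zone, view)][name] = value
    return start_ts, dict(counters)


def total_queries(stats):
    """Sum of the five mutually exclusive outcome counters of one scope."""
    return sum(stats.get(c, 0) for c in OUTCOME_COUNTERS)


def drop_ratio(stats):
    """Share of queries dropped under the clients-per-query limit."""
    total = total_queries(stats)
    return stats.get("dropped", 0) / total if total else 0.0


if __name__ == "__main__":
    ts, counters = parse_statistics_dump(SAMPLE_DUMP)
    print("dump taken at", datetime.fromtimestamp(ts, timezone.utc).isoformat())
    for (zone, view), stats in counters.items():
        scope = "global" if zone is None else zone + (" / " + view if view else "")
        print("%-24s queries=%6d dropped=%.1f%%"
              % (scope, total_queries(stats), 100 * drop_ratio(stats)))
```

A dropped share that is large relative to the query total for one zone is the signal the text above describes: many simultaneous queries for names that are not being answered.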
4302 <div class="sect3" lang="en">
4303 <div class="titlepage"><div><div><h4 class="title">
4304 <a name="acache"></a>Additional Section Caching</h4></div></div></div>
4306 The additional section cache, also called <span><strong class="command">acache</strong></span>,
4307 is an internal cache to improve the response performance of BIND 9.
4308 When additional section caching is enabled, BIND 9 will
4309 cache an internal short-cut to the additional section content for
4311 Note that <span><strong class="command">acache</strong></span> is an internal caching
4312 mechanism of BIND 9, and is not related to the DNS caching
4316 Additional section caching does not change the
4317 response content (except the RRsets ordering of the additional
4318 section, see below), but can improve the response performance
4320 It is particularly effective when BIND 9 acts as an authoritative
4321 server for a zone that has many delegations with many glue RRs.
4324 In order to obtain the maximum performance improvement
4325 from additional section caching, setting
4326 <span><strong class="command">additional-from-cache</strong></span>
4327 to <span><strong class="command">no</strong></span> is recommended, since the current
4328 implementation of <span><strong class="command">acache</strong></span>
4329 does not short-cut additional section information from the
4333 One obvious disadvantage of <span><strong class="command">acache</strong></span> is
4334 that it requires much more
4335 memory for the internal cached data.
4336 Thus, if the response performance does not matter and memory
4337 consumption is much more critical, the
4338 <span><strong class="command">acache</strong></span> mechanism can be
4339 disabled by setting <span><strong class="command">acache-enable</strong></span> to
4340 <span><strong class="command">no</strong></span>.
4341 It is also possible to specify the upper limit of memory
4343 for acache by using <span><strong class="command">max-acache-size</strong></span>.
4346 Additional section caching also has a minor effect on the
4347 RRset ordering in the additional section.
4348 Without <span><strong class="command">acache</strong></span>,
4349 <span><strong class="command">cyclic</strong></span> order is effective for the additional
4350 section as well as the answer and authority sections.
4351 However, additional section caching fixes the ordering when it
4352 first caches an RRset for the additional section, and the same
4353 ordering will be kept in succeeding responses, regardless of the
4354 setting of <span><strong class="command">rrset-order</strong></span>.
4355 The effect of this should be minor, however, since an
4356 RRset in the additional section
4357 typically only contains a small number of RRs (and in many cases
4358 it only contains a single RR), in which case the
4359 ordering does not matter much.
4362 The following is a summary of options related to
4363 <span><strong class="command">acache</strong></span>.
4365 <div class="variablelist"><dl>
4366 <dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
4368 If <span><strong class="command">yes</strong></span>, additional section caching is
4369 enabled. The default value is <span><strong class="command">no</strong></span>.
4371 <dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
4373 The server will remove stale cache entries, based on an LRU
4375 algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
4376 The default is 60 minutes.
4377 If set to 0, no periodic cleaning will occur.
4379 <dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
4381 The maximum amount of memory in bytes to use for the server's acache.
4382 When the amount of data in the acache reaches this limit,
4384 will clean more aggressively so that the limit is not
4386 In a server with multiple views, the limit applies
4388 acache of each view.
4389 The default is <code class="literal">unlimited</code>,
4391 entries are purged from the acache only at the
4392 periodic cleaning time.
4397 <div class="sect2" lang="en">
4398 <div class="titlepage"><div><div><h3 class="title">
4399 <a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
4400 <pre class="programlisting">server <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
4401 [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4402 [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4403 [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4404 [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4405 [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
4406 [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
4407 [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
4408 [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; </span>]
4409 [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
4410 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4411 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4412 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4413 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4414 [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
4415 [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
4419 <div class="sect2" lang="en">
4420 <div class="titlepage"><div><div><h3 class="title">
4421 <a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
4422 Usage</h3></div></div></div>
4424 The <span><strong class="command">server</strong></span> statement defines
4426 to be associated with a remote name server. If a prefix length is
4427 specified, then a range of servers is covered. Only the most
4429 server clause applies regardless of the order in
4430 <code class="filename">named.conf</code>.
4433 The <span><strong class="command">server</strong></span> statement can occur at
4434 the top level of the
4435 configuration file or inside a <span><strong class="command">view</strong></span>
4437 If a <span><strong class="command">view</strong></span> statement contains
4438 one or more <span><strong class="command">server</strong></span> statements, only
4440 apply to the view and any top-level ones are ignored.
4441 If a view contains no <span><strong class="command">server</strong></span>
4443 any top-level <span><strong class="command">server</strong></span> statements are
4448 If you discover that a remote server is giving out bad data,
4449 marking it as bogus will prevent further queries to it. The
4451 value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
4454 The <span><strong class="command">provide-ixfr</strong></span> clause determines
4456 the local server, acting as master, will respond with an
4458 zone transfer when the given remote server, a slave, requests it.
4459 If set to <span><strong class="command">yes</strong></span>, incremental transfer
4461 whenever possible. If set to <span><strong class="command">no</strong></span>,
4463 to the remote server will be non-incremental. If not set, the
4465 of the <span><strong class="command">provide-ixfr</strong></span> option in the
4467 global options block is used as a default.
4470 The <span><strong class="command">request-ixfr</strong></span> clause determines
4472 the local server, acting as a slave, will request incremental zone
4473 transfers from the given remote server, a master. If not set, the
4474 value of the <span><strong class="command">request-ixfr</strong></span> option in
4476 global options block is used as a default.
4479 IXFR requests to servers that do not support IXFR will
4481 fall back to AXFR. Therefore, there is no need to manually list
4482 which servers support IXFR and which ones do not; the global
4484 of <span><strong class="command">yes</strong></span> should always work.
4485 The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
4486 <span><strong class="command">request-ixfr</strong></span> clauses is
4487 to make it possible to disable the use of IXFR even when both
4489 and slave claim to support it, for example if one of the servers
4490 is buggy and crashes or corrupts data when IXFR is used.
4493 The <span><strong class="command">edns</strong></span> clause determines whether
4494 the local server will attempt to use EDNS when communicating
4495 with the remote server. The default is <span><strong class="command">yes</strong></span>.
4498 The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
4499 that is advertised by named when querying the remote server.
4500 Valid values are 512 to 4096 bytes (values outside this range will be
4501 silently adjusted). This option is useful when you wish to
4502 advertise a different value to this server than the value you
4503 advertise globally, for example, when there is a firewall at the
4504 remote site that is blocking large replies.
4507 The <span><strong class="command">max-udp-size</strong></span> option sets the
4508 maximum EDNS UDP message size named will send. Valid
4509 values are 512 to 4096 bytes (values outside this range will
4510 be silently adjusted). This option is useful when you
4511 know that there is a firewall that is blocking large
4515 The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
4516 uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
4517 as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
4518 more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
4519 8.x, and patched versions of <acronym class="acronym">BIND</acronym>
4520 4.9.5. You can specify which method
4521 to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
4522 If <span><strong class="command">transfer-format</strong></span> is not
4523 specified, the <span><strong class="command">transfer-format</strong></span>
4525 by the <span><strong class="command">options</strong></span> statement will be
4528 <p><span><strong class="command">transfers</strong></span>
4529 is used to limit the number of concurrent inbound zone
4530 transfers from the specified server. If no
4531 <span><strong class="command">transfers</strong></span> clause is specified, the
4532 limit is set according to the
4533 <span><strong class="command">transfers-per-ns</strong></span> option.
4536 The <span><strong class="command">keys</strong></span> clause identifies a
4537 <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
4538 to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
4539 when talking to the remote server.
4540 When a request is sent to the remote server, a request signature
4541 will be generated using the key specified here and appended to the
4542 message. A request originating from the remote server is not
4544 to be signed by this key.
4547 Although the grammar of the <span><strong class="command">keys</strong></span>
4549 allows for multiple keys, only a single key per server is
4554 The <span><strong class="command">transfer-source</strong></span> and
4555 <span><strong class="command">transfer-source-v6</strong></span> clauses specify
4556 the IPv4 and IPv6 source
4557 address to be used for zone transfer with the remote server,
4559 For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
4561 Similarly, for an IPv6 remote server, only
4562 <span><strong class="command">transfer-source-v6</strong></span> can be
4564 For more details, see the description of
4565 <span><strong class="command">transfer-source</strong></span> and
4566 <span><strong class="command">transfer-source-v6</strong></span> in
4567 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
4570 The <span><strong class="command">notify-source</strong></span> and
4571 <span><strong class="command">notify-source-v6</strong></span> clauses specify the
4572 IPv4 and IPv6 source address to be used for notify
4573 messages sent to remote servers, respectively. For an
4574 IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
4575 can be specified. Similarly, for an IPv6 remote server,
4576 only <span><strong class="command">notify-source-v6</strong></span> can be specified.
4579 The <span><strong class="command">query-source</strong></span> and
4580 <span><strong class="command">query-source-v6</strong></span> clauses specify the
4581 IPv4 and IPv6 source address to be used for queries
4582 sent to remote servers, respectively. For an IPv4
4583 remote server, only <span><strong class="command">query-source</strong></span> can
4584 be specified. Similarly, for an IPv6 remote server,
4585 only <span><strong class="command">query-source-v6</strong></span> can be specified.
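The selection rules of this section worked through in code, as an added example that is not part of the ARM or of named: a prefix length covers a range of servers, the most specific statement wins regardless of its order in <code>named.conf</code>, statements inside a view replace the top-level ones, and <code>edns-udp-size</code> / <code>max-udp-size</code> are silently adjusted into 512..4096. The server statements in the stand-alone run are constructed.

```python
"""Resolve which server statement governs a given remote name server.

Added example, not code from the BIND 9 ARM or from named.  It implements the
rules given above: an ip_addr[/prefixlen] covers a range of servers, the most
specific clause wins regardless of its position in named.conf, server
statements inside a view replace the top-level ones rather than adding to
them, and edns-udp-size / max-udp-size are silently adjusted into 512..4096.
The statements below are constructed.
"""
import ipaddress

UDP_SIZE_MIN, UDP_SIZE_MAX = 512, 4096
UDP_SIZE_CLAUSES = ("edns-udp-size", "max-udp-size")


def clamp_udp_size(value):
    """The documented silent adjustment of out-of-range UDP sizes."""
    return max(UDP_SIZE_MIN, min(UDP_SIZE_MAX, int(value)))


def server_stmt(spec, clauses):
    """One 'server ip_addr[/prefixlen] { ... };' entry as a dict."""
    fixed = dict(clauses)
    for k in UDP_SIZE_CLAUSES:
        if k in fixed:
            fixed[k] = clamp_udp_size(fixed[k])
    return {"net": ipaddress.ip_network(spec, strict=False), "clauses": fixed}


def applicable_clauses(remote, top_level, view_level=None):
    """Clauses of the most specific server statement matching remote.

    view_level is the list of server statements inside the view handling the
    traffic; if it is empty or None the top-level statements apply instead.
    """
    candidates = view_level if view_level else top_level
    addr = ipaddress.ip_address(remote)
    best = None
    for stmt in candidates:
        net = stmt["net"]
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best["net"].prefixlen:
                best = stmt
    return dict(best["clauses"]) if best else {}


# Constructed named.conf equivalent:
#   server 10.0.0.0/8 { bogus yes; transfer-format one-answer; };
#   server 10.1.2.3   { bogus no; edns-udp-size 9000; };   # clamped to 4096
TOP_LEVEL = [
    server_stmt("10.0.0.0/8", {"bogus": True, "transfer-format": "one-answer"}),
    server_stmt("10.1.2.3", {"bogus": False, "edns-udp-size": 9000}),
]
# Inside a view:  server 10.0.0.0/8 { max-udp-size 100; };   # clamped to 512
VIEW_LEVEL = [server_stmt("10.0.0.0/8", {"max-udp-size": 100})]

if __name__ == "__main__":
    print(applicable_clauses("10.1.2.3", TOP_LEVEL))              # the /32 wins
    print(applicable_clauses("10.9.9.9", TOP_LEVEL))              # the /8 applies
    print(applicable_clauses("10.1.2.3", TOP_LEVEL, VIEW_LEVEL))  # view statements only
    print(applicable_clauses("192.0.2.1", TOP_LEVEL))             # no statement: {}
```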
4588 <div class="sect2" lang="en">
4589 <div class="titlepage"><div><div><h3 class="title">
4590 <a name="id2585361"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
4591 <pre class="programlisting">trusted-keys {
4592 <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
4593 [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
4597 <div class="sect2" lang="en">
4598 <div class="titlepage"><div><div><h3 class="title">
4599 <a name="id2585410"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
4600 and Usage</h3></div></div></div>
4602 The <span><strong class="command">trusted-keys</strong></span> statement defines
4603 DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
4604 public key for a non-authoritative zone is known, but
4605 cannot be securely obtained through DNS, either because
4606 it is the DNS root zone or because its parent zone is
4607 unsigned. Once a key has been configured as a trusted
4608 key, it is treated as if it had been validated and
4609 proven secure. The resolver attempts DNSSEC validation
4610 on all DNS data in subdomains of a security root.
4613 All keys (and corresponding zones) listed in
4614 <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
4615 of what parent zones say. Similarly, for all keys listed in
4616 <span><strong class="command">trusted-keys</strong></span>, only those keys are
4617 used to validate the DNSKEY RRset. The parent's DS RRset
4621 The <span><strong class="command">trusted-keys</strong></span> statement can contain
4622 multiple key entries, each consisting of the key's
4623 domain name, flags, protocol, algorithm, and the Base-64
4624 representation of the key data.
4627 <div class="sect2" lang="en">
4628 <div class="titlepage"><div><div><h3 class="title">
4629 <a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
4630 <pre class="programlisting">view <em class="replaceable"><code>view_name</code></em>
4631 [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
4632 match-clients { <em class="replaceable"><code>address_match_list</code></em> };
4633 match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
4634 match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
4635 [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
4636 [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
4640 <div class="sect2" lang="en">
4641 <div class="titlepage"><div><div><h3 class="title">
4642 <a name="id2585490"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
4644 The <span><strong class="command">view</strong></span> statement is a powerful
4646 of <acronym class="acronym">BIND</acronym> 9 that lets a name server
4647 answer a DNS query differently
4648 depending on who is asking. It is particularly useful for
4650 split DNS setups without having to run multiple servers.
4653 Each <span><strong class="command">view</strong></span> statement defines a view
4655 DNS namespace that will be seen by a subset of clients. A client
4657 a view if its source IP address matches the
4658 <code class="varname">address_match_list</code> of the view's
4659 <span><strong class="command">match-clients</strong></span> clause and its
4660 destination IP address matches
4661 the <code class="varname">address_match_list</code> of the
4663 <span><strong class="command">match-destinations</strong></span> clause. If not
4665 <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
4666 default to matching all addresses. In addition to checking IP
4668 <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
4669 can also take <span><strong class="command">keys</strong></span> which provide an
4671 client to select the view. A view can also be specified
4672 as <span><strong class="command">match-recursive-only</strong></span>, which
4673 means that only recursive
4674 requests from matching clients will match that view.
4675 The order of the <span><strong class="command">view</strong></span> statements is
4677 a client request will be resolved in the context of the first
4678 <span><strong class="command">view</strong></span> that it matches.
4681 Zones defined within a <span><strong class="command">view</strong></span>
4683 be accessible only to clients that match the <span><strong class="command">view</strong></span>.
4684 By defining a zone of the same name in multiple views, different
4685 zone data can be given to different clients, for example,
4687 and "external" clients in a split DNS setup.
4690 Many of the options given in the <span><strong class="command">options</strong></span> statement
4691 can also be used within a <span><strong class="command">view</strong></span>
4693 apply only when resolving queries with that view. When no
4695 value is given, the value in the <span><strong class="command">options</strong></span> statement
4696 is used as a default. Also, zone options can have default values
4698 in the <span><strong class="command">view</strong></span> statement; these
4699 view-specific defaults
4700 take precedence over those in the <span><strong class="command">options</strong></span> statement.
4703 Views are class specific. If no class is given, class IN
4704 is assumed. Note that all non-IN views must contain a hint zone,
4705 since only the IN class has compiled-in default hints.
4708 If there are no <span><strong class="command">view</strong></span> statements in
4710 file, a default view that matches any client is automatically
4712 in class IN. Any <span><strong class="command">zone</strong></span> statements
4714 the top level of the configuration file are considered to be part
4716 this default view, and the <span><strong class="command">options</strong></span>
4718 apply to the default view. If any explicit <span><strong class="command">view</strong></span>
4719 statements are present, all <span><strong class="command">zone</strong></span>
4721 occur inside <span><strong class="command">view</strong></span> statements.
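<p>The following is an added example, not part of the ARM, showing view selection by TSIG key as well as by source address, so that a query cannot reach the internal view merely by arriving from (or spoofing) an internal address; the key names, secret placeholders, addresses and file names are assumptions.</p>

```conf
// Added example (not from the ARM). Key names, secrets, addresses and
// file names are assumptions for illustration only.

key "internal-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

key "external-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a real key
};

view "internal" {
    // Address match list elements are tried in order and the first match
    // decides, so traffic signed with the external key is rejected before
    // the internal key or the internal address range can accept it.
    match-clients { !key external-key; key internal-key; 10.0.0.0/8; };

    // Only recursive queries from matching clients land in this view; a
    // non-recursive query from 10.0.0.0/8 falls through to "external".
    match-recursive-only yes;
    recursion yes;

    zone "example.com" {
        type master;
        file "example-internal.db";
        // Internal zone data may only be transferred by signed requests.
        allow-transfer { key internal-key; };
    };
};

// Views are tried in the order written and the first match wins, so the
// catch-all view must come last: a view with "match-clients { any; };"
// placed earlier would shadow every view after it.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "example-external.db";
        allow-transfer { none; };
    };
};
```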
4724 Here is an example of a typical split DNS setup implemented
4725 using <span><strong class="command">view</strong></span> statements:
<pre class="programlisting">view "internal" {
      // This should match our internal networks.
      match-clients { 10.0.0.0/8; };

      // Provide recursive service to internal clients only.
      recursion yes;

      // Provide a complete view of the example.com zone
      // including addresses of internal hosts.
      zone "example.com" {
            type master;
            file "example-internal.db";
      };
};

view "external" {
      // Match all clients not matched by the previous view.
      match-clients { any; };

      // Refuse recursive service to external clients.
      recursion no;

      // Provide a restricted view of the example.com zone
      // containing only publicly accessible hosts.
      zone "example.com" {
            type master;
            file "example-external.db";
      };
};</pre>
4758 <div class="sect2" lang="en">
4759 <div class="titlepage"><div><div><h3 class="title">
4760 <a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
4761 Statement Grammar</h3></div></div></div>
4762 <pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
4764 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4765 [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4766 [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4767 [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
4768 [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
4769 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
4770 [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
4771 [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4772 [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4773 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
4774 [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
4775 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
4776 [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
4777 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
4778 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
4779 [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
4780 [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
4781 [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4782 [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
4783 [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
4784 [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
4785 [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
4786 [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
4787 [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
4788 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4789 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4790 [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4791 [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
4792 [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
4793 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
4794 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
4795 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
4796 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
4797 [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
4798 [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4801 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
4803 [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4804 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4805 [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4806 [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4807 [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4808 [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
4809 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
4810 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
4811 [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
4812 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
4813 [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
4814 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
4815 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
4816 [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
4817 [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
4818 [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4819 [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
4820 [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
4821 [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
4822 [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
4823 [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
4824 [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
4825 [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
4826 [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
4827 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4828 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4829 [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4830 [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4831 [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4832 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4833 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4834 [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4835 [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
4836 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
4837 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
4838 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
4839 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
4840 [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4841 [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4844 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
4846 file <em class="replaceable"><code>string</code></em> ;
4847 [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4848 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>]
4851 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
4853 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
4854 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
4855 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
4856 [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4857 [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
4858 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
4859 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
4860 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
4861 [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
4862 [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
4863 [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
4864 [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
4865 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4866 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4867 [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4868 [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
4869 [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
4870 [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4871 [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
4872 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
4873 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
4874 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
4875 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
4876 [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4879 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
4881 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
4882 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
4883 [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
4886 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
4887 type delegation-only;
4892 <div class="sect2" lang="en">
4893 <div class="titlepage"><div><div><h3 class="title">
4894 <a name="id2586798"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
4895 <div class="sect3" lang="en">
4896 <div class="titlepage"><div><div><h4 class="title">
4897 <a name="id2586806"></a>Zone Types</h4></div></div></div>
4898 <div class="informaltable"><table border="1">
4907 <code class="varname">master</code>
4912 The server has a master copy of the data
4913 for the zone and will be able to provide authoritative
4922 <code class="varname">slave</code>
4927 A slave zone is a replica of a master
4928 zone. The <span><strong class="command">masters</strong></span> list
4929 specifies one or more IP addresses
4930 of master servers that the slave contacts to update
4931 its copy of the zone.
4932 Masters list elements can also be names of other
4934 By default, transfers are made from port 53 on the
4936 be changed for all servers by specifying a port number
4938 list of IP addresses, or on a per-server basis after
4940 Authentication to the master can also be done with
4941 per-server TSIG keys.
4942 If a file is specified, then the
4943 replica will be written to this file whenever the zone
4945 and reloaded from this file on a server restart. Use
4947 recommended, since it often speeds server startup and
4949 a needless waste of bandwidth. Note that for large
4951 tens or hundreds of thousands) of zones per server, it
4953 use a two-level naming scheme for zone filenames. For
4955 a slave server for the zone <code class="literal">example.com</code> might place
4956 the zone contents into a file called
4957 <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
4958 just the first two letters of the zone name. (Most
4960 behave very slowly if you put 100 000 files into
4961 a single directory.)
4968 <code class="varname">stub</code>
4973 A stub zone is similar to a slave zone,
4974 except that it replicates only the NS records of a
4976 of the entire zone. Stub zones are not a standard part
4978 they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
4982 Stub zones can be used to eliminate the need for glue
4984 in a parent zone at the expense of maintaining a stub
4986 a set of name server addresses in <code class="filename">named.conf</code>.
4987 This usage is not recommended for new configurations,
4989 supports it only in a limited way.
4990 In <acronym class="acronym">BIND</acronym> 4/8, zone
4991 transfers of a parent zone
4992 included the NS records from stub children of that
4994 that, in some cases, users could get away with
4995 configuring child stubs
4996 only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
4997 9 never mixes together zone data from different zones
4999 way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
5000 zone has child stub zones configured, all the slave
5002 parent zone also need to have the same child stub
5008 Stub zones can also be used as a way of forcing the
5010 of a given domain to use a particular set of
5011 authoritative servers.
5012 For example, the caching name servers on a private
5014 RFC1918 addressing may be configured with stub zones
5016 <code class="literal">10.in-addr.arpa</code>
5017 to use a set of internal name servers as the
5019 servers for that domain.
5026 <code class="varname">forward</code>
5031 A "forward zone" is a way to configure
5032 forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
5033 of type <span><strong class="command">forward</strong></span> can
5034 contain a <span><strong class="command">forward</strong></span>
5035 and/or <span><strong class="command">forwarders</strong></span>
5037 which will apply to queries within the domain given by
5039 name. If no <span><strong class="command">forwarders</strong></span>
5040 statement is present or
5041 an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
5042 forwarding will be done for the domain, canceling the
5044 any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
5045 if you want to use this type of zone to change the
5047 global <span><strong class="command">forward</strong></span> option
5048 (that is, "forward first"
5049 to, then "forward only", or vice versa, but want to
5051 servers as set globally) you need to re-specify the
5059 <code class="varname">hint</code>
5064 The initial set of root name servers is
5065 specified using a "hint zone". When the server starts
5067 the root hints to find a root name server and get the
5069 list of root name servers. If no hint zone is
5071 IN, the server uses a compiled-in default set of root
5073 Classes other than IN have no built-in default hints.
5080 <code class="varname">delegation-only</code>
5085 This is used to enforce the delegation-only
5086 status of infrastructure zones (e.g. COM, NET, ORG).
5088 is received without an explicit or implicit delegation
5090 section will be treated as NXDOMAIN. This does not
5092 apex. This should not be applied to leaf zones.
5095 <code class="varname">delegation-only</code> has no
5096 effect on answers received
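<p>The following is an added example, not part of the ARM, putting the slave and forward zone types described above into one configuration: a slave zone whose transfers are authenticated with a per-server TSIG key and stored under the two-level file naming scheme, a per-domain forward zone, and a forward zone whose empty forwarders list cancels the global forwarders for that domain; addresses, ports, key name, directory and zone names are assumptions.</p>

```conf
// Added example (not from the ARM). Addresses, ports, key name, directory
// and zone names are assumptions for illustration only.

options {
    directory "/var/named";                 // assumed zone file directory
    // Global forwarding: try these first, fall back to normal resolution.
    forwarders { 192.0.2.1; 192.0.2.2; };
    forward first;
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";    // placeholder, not a real key
};

// Slave zone: transfers are requested from port 5353 on the first master
// and from the default port 53 on the second, each authenticated with the
// per-server TSIG key. The file uses the two-level naming scheme ("ex/")
// so that a server with very many zones does not fill one directory.
zone "example.com" {
    type slave;
    masters { 192.0.2.10 port 5353 key xfer-key; 192.0.2.11 key xfer-key; };
    file "ex/example.com";
    allow-transfer { none; };               // this replica does not re-serve AXFR
};

// Per-domain forwarding: names under corp.example go only to the internal
// resolvers, never to the global forwarders or to the public Internet.
zone "corp.example" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; 10.0.1.53; };
};

// An empty forwarders list cancels the global forwarders for this domain,
// so names under example.net are resolved directly.
zone "example.net" {
    type forward;
    forwarders { };
};

// Changing only the forward mode for a domain still requires restating the
// global forwarders here: a forward zone with no forwarders list of its own
// would cancel forwarding for example.org instead of making it "only".
zone "example.org" {
    type forward;
    forward only;
    forwarders { 192.0.2.1; 192.0.2.2; };
};
```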
5104 <div class="sect3" lang="en">
5105 <div class="titlepage"><div><div><h4 class="title">
5106 <a name="id2587362"></a>Class</h4></div></div></div>
5108 The zone's name may optionally be followed by a class. If
5109 a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>)
5110 is assumed. This is correct for the vast majority of cases.
5113 The <code class="literal">hesiod</code> class is
5114 named for an information service from MIT's Project Athena. It
5116 used to share information about various systems databases, such
5117 as users, groups, printers and so on. The keyword
5118 <code class="literal">HS</code> is
5119 a synonym for hesiod.
5122 Another MIT development is Chaosnet, a LAN protocol created
5123 in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
5126 <div class="sect3" lang="en">
5127 <div class="titlepage"><div><div><h4 class="title">
5128 <a name="id2587395"></a>Zone Options</h4></div></div></div>
5129 <div class="variablelist"><dl>
5130 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
5132 See the description of
5133 <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
5135 <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
5137 See the description of
5138 <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
5140 <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
5142 See the description of <span><strong class="command">allow-transfer</strong></span>
5143 in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
5145 <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
5147 See the description of <span><strong class="command">allow-update</strong></span>
5148 in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
5150 <dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
5152 Specifies a "Simple Secure Update" policy. See
5153 <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
5155 <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
5157 See the description of <span><strong class="command">allow-update-forwarding</strong></span>
5158 in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
5160 <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
5162 Only meaningful if <span><strong class="command">notify</strong></span>
5164 active for this zone. The set of machines that will
5166 <code class="literal">DNS NOTIFY</code> message
5167 for this zone is made up of all the listed name servers
5169 the primary master) for the zone plus any IP addresses
5171 with <span><strong class="command">also-notify</strong></span>. A port
5173 with each <span><strong class="command">also-notify</strong></span>
5174 address to send the notify
5175 messages to a port other than the default of 53.
5176 <span><strong class="command">also-notify</strong></span> is not
5177 meaningful for stub zones.
5178 The default is the empty list.
5180 <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
5182 This option is used to restrict the character set and
5184 certain domain names in master files and/or DNS responses
5186 network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
5187 zones the default is <span><strong class="command">warn</strong></span>.
5189 <dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
5191 See the description of
5192 <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
5194 <dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
5196 See the description of
5197 <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
5199 <dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
5201 See the description of
5202 <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
5204 <dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
5206 See the description of
5207 <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
5209 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
5211 See the description of
5212 <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
5214 <dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
5216 See the description of
5217 <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
<dd>
<p>
Specify the type of database to be used for storing the
zone data. The string following the <span><strong class="command">database</strong></span> keyword
is interpreted as a list of whitespace-delimited words. The first word
identifies the database type, and any subsequent words are passed
as arguments to the database to be interpreted in a way specific
to the database type.
</p>
<p>
The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
native in-memory red-black-tree database. This database does not take
arguments.
</p>
<p>
Other values are possible if additional database drivers
have been linked into the server. Some sample drivers are included
with the distribution but none are linked in by default.
</p>
</dd>
<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
<dd><p>
The flag only applies to hint and stub zones. If set
to <strong class="userinput"><code>yes</code></strong>, then the zone will also be
treated as if it is also a delegation-only type zone.
</p></dd>
<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
<dd><p>
Only meaningful if the zone has a forwarders
list. The <span><strong class="command">only</strong></span> value causes
the lookup to fail after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
allow a normal lookup to be tried.
</p></dd>
<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
<dd><p>
Used to override the list of global forwarders.
If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
no forwarding is done for the zone and the global options are
not used.
</p></dd>
<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
<dd><p>
Was used in <acronym class="acronym">BIND</acronym> 8 to
specify the name of the transaction log (journal) file for dynamic update
and IXFR. <acronym class="acronym">BIND</acronym> 9 ignores the option
and constructs the name of the journal
file by appending "<code class="filename">.jnl</code>"
to the name of the zone file.
</p></dd>
<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
<dd><p>
Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
Ignored in <acronym class="acronym">BIND</acronym> 9.
</p></dd>
<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
<dd><p>
Allow the default journal's filename to be overridden.
The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
</p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
<dd><p>
In <acronym class="acronym">BIND</acronym> 8, this option was
intended for specifying
a public zone key for verification of signatures in DNSSEC signed
zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
on load and ignores the option.
</p></dd>
<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
<dd><p>
If <strong class="userinput"><code>yes</code></strong>, the server will keep
statistical information for this zone, which can be dumped to the
<span><strong class="command">statistics-file</strong></span> defined in
the server options.
</p></dd>
<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
</p></dd>
<dt>
<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
</dt>
<dd><p>
See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
<dd><p>
See the description of
<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and Usage”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">multi-master</strong></span> in
<a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
</p></dd>
<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
<dd><p>
See the description of <span><strong class="command">masterfile-format</strong></span>
in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
</p></dd>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
<p>
<acronym class="acronym">BIND</acronym> 9 supports two alternative
methods of granting clients
the right to perform dynamic updates to a zone,
configured by the <span><strong class="command">allow-update</strong></span>
and <span><strong class="command">update-policy</strong></span> option,
respectively.
</p>
<p>
The <span><strong class="command">allow-update</strong></span> clause works the
same way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
permission to update any record of any name in the zone.
</p>
<p>
The <span><strong class="command">update-policy</strong></span> clause is new
in <acronym class="acronym">BIND</acronym>
9 and allows more fine-grained control over what updates are
allowed. A set of rules is specified, where each rule either grants or
denies permissions for one or more names to be updated by one or more
identities. If the dynamic update request message is signed (that is, it
includes either a TSIG or SIG(0) record), the identity of the signer can
be determined.
</p>
<p>
Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
to be present. The <span><strong class="command">update-policy</strong></span> statement only
examines the signer of a message; the source address is not
relevant.
</p>
<p>
This is how a rule definition looks:
</p>
<pre class="programlisting">
( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
</pre>
<p>
Each rule grants or denies privileges. Once a message has
successfully matched a rule, the operation is immediately
granted or denied and no further rules are examined. A rule is matched
when the signer matches the identity field, the name matches the
name field in accordance with the nametype field, and the type
matches the types specified in the type field.
</p>
<p>
The identity field specifies a name or a wildcard name.
Normally, this is the name of the TSIG or SIG(0) key used to sign the update
request. When a TKEY exchange has been used to create a shared secret, the
identity of the shared secret is the same as the identity of the key used to
authenticate the TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
contain a fully-qualified domain name.
</p>
<p>
The <em class="replaceable"><code>nametype</code></em> field has 6
values:
<code class="varname">name</code>, <code class="varname">subdomain</code>,
<code class="varname">wildcard</code>, <code class="varname">self</code>,
<code class="varname">selfsub</code>, and <code class="varname">selfwild</code>.
</p>
<div class="informaltable"><table border="1">
<colgroup><col><col></colgroup>
<tbody>
<tr>
<td><p><code class="varname">name</code></p></td>
<td><p>
Exact-match semantics. This rule matches
when the name being updated is identical
to the contents of the
<em class="replaceable"><code>name</code></em> field.
</p></td>
</tr>
<tr>
<td><p><code class="varname">subdomain</code></p></td>
<td><p>
This rule matches when the name being updated
is a subdomain of, or identical to, the
contents of the <em class="replaceable"><code>name</code></em>
field.
</p></td>
</tr>
<tr>
<td><p><code class="varname">wildcard</code></p></td>
<td><p>
The <em class="replaceable"><code>name</code></em> field
is subject to DNS wildcard expansion, and
this rule matches when the name being updated
is a valid expansion of the wildcard.
</p></td>
</tr>
<tr>
<td><p><code class="varname">self</code></p></td>
<td><p>
This rule matches when the name being updated
matches the contents of the
<em class="replaceable"><code>identity</code></em> field.
The <em class="replaceable"><code>name</code></em> field
is ignored, but should be the same as the
<em class="replaceable"><code>identity</code></em> field.
The <code class="varname">self</code> nametype is
most useful when allowing one key per
name to update, where the key has the same
name as the name to be updated. The
<em class="replaceable"><code>identity</code></em> would
be specified as <code class="constant">*</code> (an asterisk) in
this case.
</p></td>
</tr>
<tr>
<td><p><code class="varname">selfsub</code></p></td>
<td><p>
This rule is similar to <code class="varname">self</code>
except that subdomains of <code class="varname">self</code>
can also be updated.
</p></td>
</tr>
<tr>
<td><p><code class="varname">selfwild</code></p></td>
<td><p>
This rule is similar to <code class="varname">self</code>
except that only subdomains of
<code class="varname">self</code> can be updated.
</p></td>
</tr>
</tbody>
</table></div>
<p>
In all cases, the <em class="replaceable"><code>name</code></em>
field must specify a fully-qualified domain name.
</p>
<p>
If no types are explicitly specified, this rule matches all
types except RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
"ANY" (ANY matches all types except NSEC, which can never be
updated). Note that when an attempt is made to delete all records
associated with a name, the rules are checked for each existing record type.
</p>
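<p>
The rule matching described above, worked through in code. This is an added example, not part of the ARM and not BIND's own code: the policy rules, key names and zone names in it are constructed for a hypothetical <code class="literal">example.com.</code> zone, and an update that no rule grants is treated as refused.
</p>

```python
"""Evaluate BIND 9 update-policy rules against one update request.

Added example, not BIND's code.  Rules are tried in order; the first rule
whose identity, nametype/name and types all match decides, and no further
rules are examined.  Names are fully-qualified and compared without regard
to case.  When no rule matches, the update is not granted.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Types a rule with no explicit type list never matches (per the ARM text).
DEFAULT_EXCLUDED = {"RRSIG", "NS", "SOA", "NSEC"}


def _labels(name: str) -> List[str]:
    """Labels of a fully-qualified name, lowercased, root label dropped."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def subdomain_or_equal(parent: str, name: str) -> bool:
    p, n = _labels(parent), _labels(name)
    return len(n) >= len(p) and n[len(n) - len(p):] == p


def wildcard_match(pattern: str, name: str) -> bool:
    """DNS wildcard expansion: '*.example.com.' covers 'a.example.com.' and
    'b.a.example.com.' but not 'example.com.' itself; a bare '*' covers every
    non-root name.  A pattern without a leading '*' is an exact match."""
    p, n = _labels(pattern), _labels(name)
    if not p or p[0] != "*":
        return p == n
    suffix = p[1:]
    return len(n) > len(suffix) and n[len(n) - len(suffix):] == suffix


@dataclass
class Rule:
    action: str                # "grant" or "deny"
    identity: str              # key name, or a wildcard name
    nametype: str              # name, subdomain, wildcard, self, selfsub, selfwild
    name: str                  # name field (ignored for self*, but required)
    types: Optional[Set[str]]  # None when the rule lists no types

    @classmethod
    def parse(cls, text: str) -> "Rule":
        """Parse '( grant | deny ) identity nametype name [ types ]'."""
        words = text.split()
        if len(words) < 4 or words[0] not in ("grant", "deny"):
            raise ValueError("bad rule: " + text)
        return cls(words[0], words[1], words[2], words[3],
                   {t.upper() for t in words[4:]} or None)

    def name_matches(self, signer: str, name: str) -> bool:
        # For the self* nametypes the signer's own name is compared, not the name field.
        target = signer if self.nametype.startswith("self") else self.name
        if self.nametype in ("name", "self"):
            return _labels(target) == _labels(name)
        if self.nametype in ("subdomain", "selfsub"):
            return subdomain_or_equal(target, name)
        if self.nametype == "wildcard":
            return wildcard_match(target, name)
        # selfwild: only names below the signer's own name, never that name itself
        return subdomain_or_equal(target, name) and _labels(target) != _labels(name)

    def type_matches(self, rtype: str) -> bool:
        rtype = rtype.upper()
        if self.types is None:
            return rtype not in DEFAULT_EXCLUDED
        if "ANY" in self.types:
            return rtype != "NSEC"  # NSEC can never be updated
        return rtype in self.types

    def matches(self, signer: str, name: str, rtype: str) -> bool:
        return (wildcard_match(self.identity, signer)
                and self.name_matches(signer, name)
                and self.type_matches(rtype))


def decide(policy: List[Rule], signer: str, name: str, rtype: str) -> Optional[str]:
    """Action of the first matching rule, or None when no rule matches."""
    for rule in policy:
        if rule.matches(signer, name, rtype):
            return rule.action
    return None


# Constructed policy for a hypothetical zone example.com., in the order the
# rules would appear inside update-policy { ... }.
POLICY = [Rule.parse(r) for r in (
    "grant key-web.example.com. name www.example.com. A AAAA",
    "deny  * name ns1.example.com.",
    "grant * self * A AAAA",
    "grant dhcp.example.com. subdomain dyn.example.com. A PTR TXT",
    "grant admin.example.com. subdomain example.com. ANY",
)]

if __name__ == "__main__":
    for signer, name, rtype in [("key-web.example.com.", "www.example.com.", "A"),
                                ("ns1.example.com.", "ns1.example.com.", "A")]:
        print(signer, name, rtype, "->", decide(POLICY, signer, name, rtype))
```

The second rule shows why order matters: the <code class="literal">deny</code> for <code class="literal">ns1.example.com.</code> is reached before the <code class="literal">self</code> grant that would otherwise let a key named <code class="literal">ns1.example.com.</code> rewrite that name.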
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2589080"></a>Zone File</h2></div></div></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
<p>
This section, largely borrowed from RFC 1034, describes the
concept of a Resource Record (RR) and explains when each is used.
Since the publication of RFC 1034, several new RRs have been
identified and implemented in the DNS. These are also included.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2589098"></a>Resource Records</h4></div></div></div>
<p>
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
information associated with a particular name is composed of
separate RRs. The order of RRs in a set is not significant and
need not be preserved by name servers, resolvers, or other
parts of the DNS. However, sorting of multiple RRs is
permitted for optimization purposes, for example, to specify
that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
</p>
<p>
The components of a Resource Record are:
</p>
<div class="informaltable"><table border="1">
<colgroup><col><col></colgroup>
<tbody>
<tr>
<td><p>owner name</p></td>
<td><p>The domain name where the RR is found.</p></td>
</tr>
<tr>
<td><p>type</p></td>
<td><p>An encoded 16-bit value that specifies
the type of the resource record.</p></td>
</tr>
<tr>
<td><p>TTL</p></td>
<td><p>The time-to-live of the RR. This field
is a 32-bit integer in units of seconds, and is primarily used by
resolvers when they cache RRs. The TTL describes how long a RR can
be cached before it should be discarded.</p></td>
</tr>
<tr>
<td><p>class</p></td>
<td><p>An encoded 16-bit value that identifies
a protocol family or instance of a protocol.</p></td>
</tr>
<tr>
<td><p>RDATA</p></td>
<td><p>The resource data. The format of the
data is type (and sometimes class) specific.</p></td>
</tr>
</tbody>
</table></div>
<p>
The following are <span class="emphasis"><em>types</em></span> of valid RRs:
</p>
<div class="informaltable"><table border="1">
<colgroup><col><col></colgroup>
<tbody>
<tr>
<td><p><code class="literal">A</code></p></td>
<td><p>A host address. In the IN class, this is a
32-bit IP address. Described in RFC 1035.</p></td>
</tr>
<tr>
<td><p><code class="literal">AAAA</code></p></td>
<td><p>IPv6 address. Described in RFC 1886.</p></td>
</tr>
<tr>
<td><p><code class="literal">A6</code></p></td>
<td><p>IPv6 address. This can be a partial
address (a suffix) and an indirection to the name
where the rest of the
address (the prefix) can be found. Experimental.
Described in RFC 2874.</p></td>
</tr>
<tr>
<td><p><code class="literal">AFSDB</code></p></td>
<td><p>Location of AFS database servers.
Experimental. Described in RFC 1183.</p></td>
</tr>
<tr>
<td><p><code class="literal">APL</code></p></td>
<td><p>Address prefix list. Experimental.
Described in RFC 3123.</p></td>
</tr>
<tr>
<td><p><code class="literal">CERT</code></p></td>
<td><p>Holds a digital certificate.
Described in RFC 2538.</p></td>
</tr>
<tr>
<td><p><code class="literal">CNAME</code></p></td>
<td><p>Identifies the canonical name of an alias.
Described in RFC 1035.</p></td>
</tr>
<tr>
<td><p><code class="literal">DNAME</code></p></td>
<td><p>Replaces the domain name specified with
another name to be looked up, effectively aliasing an entire
subtree of the domain name space rather than a single record
as in the case of the CNAME RR.
Described in RFC 2672.</p></td>
</tr>
<tr>
<td><p><code class="literal">DNSKEY</code></p></td>
<td><p>Stores a public key associated with a signed
DNS zone. Described in RFC 4034.</p></td>
</tr>
<tr>
<td><p><code class="literal">DS</code></p></td>
<td><p>Stores the hash of a public key associated with a
signed DNS zone. Described in RFC 4034.</p></td>
</tr>
<tr>
<td><p><code class="literal">GPOS</code></p></td>
<td><p>Specifies the global position. Superseded by LOC.</p></td>
</tr>
<tr>
<td><p><code class="literal">HINFO</code></p></td>
<td><p>Identifies the CPU and OS used by a host.
Described in RFC 1035.</p></td>
</tr>
<tr>
<td><p><code class="literal">ISDN</code></p></td>
<td><p>Representation of ISDN addresses.
Experimental. Described in RFC 1183.</p></td>
</tr>
<tr>
<td><p><code class="literal">KEY</code></p></td>
<td><p>Stores a public key associated with a
DNS name. Used in original DNSSEC; replaced
by DNSKEY in DNSSECbis, but still used with
SIG(0). Described in RFCs 2535 and 2931.</p></td>
</tr>
<tr>
<td><p><code class="literal">KX</code></p></td>
<td><p>Identifies a key exchanger for this
DNS name. Described in RFC 2230.</p></td>
</tr>
<tr>
<td><p><code class="literal">LOC</code></p></td>
<td><p>For storing GPS info. Described in RFC 1876.</p></td>
</tr>
<tr>
<td><p><code class="literal">MX</code></p></td>
<td><p>Identifies a mail exchange for the domain with
a 16-bit preference value (lower is better)
followed by the host name of the mail exchange.
Described in RFC 974, RFC 1035.</p></td>
</tr>
<tr>
<td><p><code class="literal">NAPTR</code></p></td>
<td><p>Name authority pointer. Described in RFC 2915.</p></td>
</tr>
<tr>
<td><p><code class="literal">NSAP</code></p></td>
<td><p>A network service access point.
Described in RFC 1706.</p></td>
</tr>
<tr>
<td><p><code class="literal">NS</code></p></td>
<td><p>The authoritative name server for the
domain. Described in RFC 1035.</p></td>
</tr>
<tr>
<td><p><code class="literal">NSEC</code></p></td>
<td><p>Used in DNSSECbis to securely indicate that
RRs with an owner name in a certain name interval do
not exist in a zone and indicate what RR types are present for an
existing name.
Described in RFC 4034.</p></td>
</tr>
<tr>
<td><p><code class="literal">NXT</code></p></td>
<td><p>Used in DNSSEC to securely indicate that
RRs with an owner name in a certain name interval do
not exist in a zone and indicate what RR types are present for an
existing name. Used in original DNSSEC; replaced by NSEC in
DNSSECbis. Described in RFC 2535.</p></td>
</tr>
<tr>
<td><p><code class="literal">PTR</code></p></td>
<td><p>A pointer to another part of the domain
name space. Described in RFC 1035.</p></td>
</tr>
<tr>
<td><p><code class="literal">PX</code></p></td>
<td><p>Provides mappings between RFC 822 and X.400
addresses. Described in RFC 2163.</p></td>
</tr>
<tr>
<td><p><code class="literal">RP</code></p></td>
<td><p>Information on persons responsible
for the domain. Experimental. Described in RFC 1183.</p></td>
</tr>
<tr>
<td><p><code class="literal">RRSIG</code></p></td>
<td><p>Contains DNSSECbis signature data. Described
in RFC 4034.</p></td>
</tr>
<tr>
<td><p><code class="literal">RT</code></p></td>
<td><p>Route-through binding for hosts that
do not have their own direct wide area network
addresses. Experimental. Described in RFC 1183.</p></td>
</tr>
<tr>
<td><p><code class="literal">SIG</code></p></td>
<td><p>Contains DNSSEC signature data. Used in
original DNSSEC; replaced by RRSIG in
DNSSECbis, but still used for SIG(0).
Described in RFCs 2535 and 2931.</p></td>
</tr>
<tr>
<td><p><code class="literal">SOA</code></p></td>
<td><p>Identifies the start of a zone of authority.
Described in RFC 1035.</p></td>
</tr>
<tr>
<td><p><code class="literal">SRV</code></p></td>
<td><p>Information about well known network
services (replaces WKS). Described in RFC 2782.</p></td>
</tr>
<tr>
<td><p><code class="literal">TXT</code></p></td>
<td><p>Text records. Described in RFC 1035.</p></td>
</tr>
<tr>
<td><p><code class="literal">WKS</code></p></td>
<td><p>Information about which well known
network services, such as SMTP, that a domain
supports. Historical.</p></td>
</tr>
<tr>
<td><p><code class="literal">X25</code></p></td>
<td><p>Representation of X.25 network addresses.
Experimental. Described in RFC 1183.</p></td>
</tr>
</tbody>
</table></div>
<p>
The following <span class="emphasis"><em>classes</em></span> of resource records
are currently valid in the DNS:
</p>
<div class="informaltable"><table border="1">
<colgroup><col><col></colgroup>
<tbody>
<tr>
<td><p><code class="literal">IN</code></p></td>
<td><p>The Internet.</p></td>
</tr>
<tr>
<td><p><code class="literal">CH</code></p></td>
<td><p>Chaosnet, a LAN protocol created at MIT in the
mid-1970s. Rarely used for its historical purpose, but reused for
BIND's built-in server information zones, e.g.,
<code class="literal">version.bind</code>.</p></td>
</tr>
<tr>
<td><p><code class="literal">HS</code></p></td>
<td><p>Hesiod, an information service
developed by MIT's Project Athena. It is used to share information
about various systems databases, such as users,
groups, printers and so on.</p></td>
</tr>
</tbody>
</table></div>
<p>
The owner name is often implicit, rather than forming an integral
part of the RR. For example, many name servers internally form tree
or hash structures for the name space, and chain RRs off nodes.
The remaining RR parts are the fixed header (type, class, TTL)
which is consistent for all RRs, and a variable part (RDATA) that
fits the needs of the resource being described.
</p>
<p>
The meaning of the TTL field is a time limit on how long an
RR can be kept in a cache. This limit does not apply to authoritative
data in zones; it is also timed out, but by the refreshing policies
for the zone. The TTL is assigned by the administrator for the
zone where the data originates. While short TTLs can be used to
minimize caching, and a zero TTL prohibits caching, the realities
of Internet performance suggest that these times should be on the
order of days for the typical host. If a change can be anticipated,
the TTL can be reduced prior to the change to minimize inconsistency
during the change, and then increased back to its former value
following the change.
</p>
<p>
The data in the RDATA section of RRs is carried as a combination
of binary strings and domain names. The domain names are frequently
used as "pointers" to other data in the DNS.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2590513"></a>Textual expression of RRs</h4></div></div></div>
<p>
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form when
stored in a name server or resolver. In the examples provided in
RFC 1034, a style similar to that used in master files was employed
in order to show the contents of RRs. In this format, most RRs
are shown on a single line, although continuation lines are
possible using parentheses.
</p>
<p>
The start of the line gives the owner of the RR. If a line
begins with a blank, then the owner is assumed to be the same as
that of the previous RR. Blank lines are often included for
readability.
</p>
<p>
Following the owner, we list the TTL, type, and class of the
RR. Class and type use the mnemonics defined above, and TTL is
an integer before the type field. In order to avoid ambiguity in
parsing, type and class mnemonics are disjoint, TTLs are integers,
and the type mnemonic is always last. The IN class and TTL values
are often omitted from examples in the interests of clarity.
</p>
<p>
The resource data or RDATA section of the RR are given using
knowledge of the typical representation for the data.
</p>
<p>
For example, we might show the RRs carried in a message as:
</p>
<div class="informaltable"><table border="1">
<colgroup><col><col><col></colgroup>
<tbody>
<tr>
<td><p><code class="literal">ISI.EDU.</code></p></td>
<td><p><code class="literal">MX</code></p></td>
<td><p><code class="literal">10 VENERA.ISI.EDU.</code></p></td>
</tr>
<tr>
<td><p> </p></td>
<td><p><code class="literal">MX</code></p></td>
<td><p><code class="literal">10 VAXA.ISI.EDU</code></p></td>
</tr>
<tr>
<td><p><code class="literal">VENERA.ISI.EDU</code></p></td>
<td><p><code class="literal">A</code></p></td>
<td><p><code class="literal">128.9.0.32</code></p></td>
</tr>
<tr>
<td><p> </p></td>
<td><p><code class="literal">A</code></p></td>
<td><p><code class="literal">10.1.0.52</code></p></td>
</tr>
<tr>
<td><p><code class="literal">VAXA.ISI.EDU</code></p></td>
<td><p><code class="literal">A</code></p></td>
<td><p><code class="literal">10.2.0.27</code></p></td>
</tr>
<tr>
<td><p> </p></td>
<td><p><code class="literal">A</code></p></td>
<td><p><code class="literal">128.9.0.33</code></p></td>
</tr>
</tbody>
</table></div>
<p>
The MX RRs have an RDATA section which consists of a 16-bit
number followed by a domain name. The address RRs use a standard
IP address format to contain a 32-bit internet address.
</p>
<p>
The above example shows six RRs, with two RRs at each of three
domain names.
</p>
<p>
Similarly we might see:
</p>
<div class="informaltable"><table border="1">
<colgroup><col><col><col></colgroup>
<tbody>
<tr>
<td><p><code class="literal">XX.LCS.MIT.EDU.</code></p></td>
<td><p><code class="literal">IN A</code></p></td>
<td><p><code class="literal">10.0.0.44</code></p></td>
</tr>
<tr>
<td><p> </p></td>
<td><p><code class="literal">CH A</code></p></td>
<td><p><code class="literal">MIT.EDU. 2420</code></p></td>
</tr>
</tbody>
</table></div>
<p>
This example shows two addresses for
<code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2591101"></a>Discussion of MX Records</h3></div></div></div>
<p>
As described above, domain servers store information as a
series of resource records, each of which contains a particular
piece of information about a given domain name (which is usually,
but not always, a host). The simplest way to think of a RR is as
a typed pair of data, a domain name matched with a relevant datum,
and stored with some additional type information to help systems
determine when the RR is relevant.
</p>
<p>
MX records are used to control delivery of email. The data
specified in the record is a priority and a domain name. The priority
controls the order in which email delivery is attempted, with the
lowest number first. If two priorities are the same, a server is
chosen randomly. If no servers at a given priority are responding,
the mail transport agent will fall back to the next largest
priority.
Priority numbers do not have any absolute meaning — they are relevant
only respective to other MX records for that domain name. The domain
name given is the machine to which the mail will be delivered.
It <span class="emphasis"><em>must</em></span> have an associated address record
(A or AAAA) — CNAME is not sufficient.
</p>
<p>
For a given domain, if there is both a CNAME record and an
MX record, the MX record is in error, and will be ignored. Instead,
the mail will be delivered to the server specified in the MX record
pointed to by the CNAME.
For example:
</p>
<div class="informaltable"><table border="1">
<colgroup><col><col><col><col><col></colgroup>
<tbody>
<tr>
<td><p><code class="literal">example.com.</code></p></td>
<td><p><code class="literal">IN</code></p></td>
<td><p><code class="literal">MX</code></p></td>
<td><p><code class="literal">10</code></p></td>
<td><p><code class="literal">mail.example.com.</code></p></td>
</tr>
<tr>
<td><p> </p></td>
<td><p><code class="literal">IN</code></p></td>
<td><p><code class="literal">MX</code></p></td>
<td><p><code class="literal">10</code></p></td>
<td><p><code class="literal">mail2.example.com.</code></p></td>
</tr>
<tr>
<td><p> </p></td>
<td><p><code class="literal">IN</code></p></td>
<td><p><code class="literal">MX</code></p></td>
<td><p><code class="literal">20</code></p></td>
<td><p><code class="literal">mail.backup.org.</code></p></td>
</tr>
<tr>
<td><p><code class="literal">mail.example.com.</code></p></td>
<td><p><code class="literal">IN</code></p></td>
<td><p><code class="literal">A</code></p></td>
<td><p><code class="literal">10.0.0.1</code></p></td>
<td><p> </p></td>
</tr>
<tr>
<td><p><code class="literal">mail2.example.com.</code></p></td>
<td><p><code class="literal">IN</code></p></td>
<td><p><code class="literal">A</code></p></td>
<td><p><code class="literal">10.0.0.2</code></p></td>
<td><p> </p></td>
</tr>
</tbody>
</table></div>
<p>
Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
<code class="literal">mail2.example.com</code> (in
any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
be attempted.
</p>
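<p>
The MX rules stated in this section, applied as a check over a zone's records. This is an added example and not BIND's code: it takes the records from the table above plus some constructed records that break the rules (a CNAME target, a target with no address record, an MX beside a CNAME). The tuple layout, the owner names and the function names are assumptions of the example.
</p>

```python
"""MX sanity checks over a zone's records.

Added example, not BIND's code.  It applies the rules stated above: an MX
target must have an A or AAAA record (a CNAME is not sufficient), an owner
that has a CNAME must not also have MX (that MX is in error and ignored),
and delivery is tried in ascending preference, equal preferences in any order.
Records are constructed (owner, type, rdata) tuples with qualified names.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]


def _norm(name: str) -> str:
    """Lowercase and make sure the name ends with the root dot."""
    n = name.lower()
    return n if n.endswith(".") else n + "."


def in_zone(name: str, origin: str) -> bool:
    n, o = _norm(name), _norm(origin)
    return n == o or n.endswith("." + o)


def index(records: List[Record]) -> Dict[str, Dict[str, List[str]]]:
    """owner -> RR type -> list of rdata strings."""
    idx: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        idx[_norm(owner)][rtype.upper()].append(rdata)
    return idx


def parse_mx(rdata: str) -> Tuple[int, str]:
    pref, target = rdata.split()
    return int(pref), _norm(target)


def mx_problems(records: List[Record], origin: str) -> List[str]:
    """Human-readable findings; an empty list means the MX data is consistent."""
    idx = index(records)
    problems = []
    for owner, rrsets in idx.items():
        if "MX" not in rrsets:
            continue
        if "CNAME" in rrsets:
            problems.append(f"{owner}: has a CNAME, so its MX records are in error and ignored")
            continue
        for rdata in rrsets["MX"]:
            pref, target = parse_mx(rdata)
            if not in_zone(target, origin):
                continue  # external target: cannot be verified from this zone's data
            tsets = idx.get(target, {})
            if "CNAME" in tsets:
                problems.append(f"{owner}: MX {pref} target {target} is a CNAME, which is not sufficient")
            elif "A" not in tsets and "AAAA" not in tsets:
                problems.append(f"{owner}: MX {pref} target {target} has no A or AAAA record")
    return problems


def delivery_order(records: List[Record], owner: str) -> List[List[str]]:
    """MX targets grouped by preference, lowest first.  Hosts inside one group
    are tried in any order; the next group only if none of them responds."""
    rrsets = index(records).get(_norm(owner), {})
    if "CNAME" in rrsets:  # any MX here is ignored; the mail follows the CNAME
        return delivery_order(records, rrsets["CNAME"][0])
    tiers: Dict[int, List[str]] = defaultdict(list)
    for rdata in rrsets.get("MX", []):
        pref, target = parse_mx(rdata)
        tiers[pref].append(target)
    return [sorted(tiers[p]) for p in sorted(tiers)]


# The records from the table above, plus constructed mistakes to be flagged.
ZONE: List[Record] = [
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "MX", "10 mail2.example.com."),
    ("example.com.", "MX", "20 mail.backup.org."),
    ("mail.example.com.", "A", "10.0.0.1"),
    ("mail2.example.com.", "A", "10.0.0.2"),
    ("smtp.example.com.", "CNAME", "mail.example.com."),     # constructed
    ("shop.example.com.", "MX", "10 smtp.example.com."),     # target is a CNAME
    ("shop.example.com.", "MX", "20 nowhere.example.com."),  # no address record
    ("alias.example.com.", "CNAME", "example.com."),
    ("alias.example.com.", "MX", "10 mail.example.com."),    # MX beside a CNAME
]

if __name__ == "__main__":
    for p in mx_problems(ZONE, "example.com."):
        print("problem:", p)
    print("delivery order for example.com.:", delivery_order(ZONE, "example.com."))
```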
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
<p>
The time-to-live of the RR field is a 32-bit integer represented
in units of seconds, and is primarily used by resolvers when they
cache RRs. The TTL describes how long a RR can be cached before it
should be discarded. The following three types of TTL are currently
used in a zone file.
</p>
<div class="informaltable"><table border="1">
<colgroup><col><col></colgroup>
<tbody>
<tr>
<td><p>SOA</p></td>
<td><p>
The last field in the SOA is the negative
caching TTL. This controls how long other servers will
cache no-such-domain
(NXDOMAIN) responses from you.
</p>
<p>
The maximum time for
negative caching is 3 hours (3h).
</p></td>
</tr>
<tr>
<td><p>$TTL</p></td>
<td><p>
The $TTL directive at the top of the
zone file (before the SOA) gives a default TTL for every
RR without a specific TTL set.
</p></td>
</tr>
<tr>
<td><p>RR TTLs</p></td>
<td><p>
Each RR can have a TTL as the second
field in the RR, which will control how long other
servers can cache it.
</p></td>
</tr>
</tbody>
</table></div>
<p>
All of these TTLs default to units of seconds, though units
can be explicitly specified, for example, <code class="literal">1h30m</code>.
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2591653"></a>Inverse Mapping in IPv4</h3></div></div></div>
<p>
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
and PTR records. Entries in the in-addr.arpa domain are made in
least-to-most significant order, read left to right. This is the
opposite order to the way IP addresses are usually written. Thus,
a machine with an IP address of 10.1.2.3 would have a corresponding
in-addr.arpa name of
3.2.1.10.in-addr.arpa. This name should have a PTR resource record
whose data field is the name of the machine or, optionally, multiple
PTR records if the machine has more than one name. For example,
in the [<span class="optional">example.com</span>] domain:
</p>
<div class="informaltable"><table border="1">
<colgroup><col><col></colgroup>
<tbody>
<tr>
<td><p><code class="literal">$ORIGIN</code></p></td>
<td><p><code class="literal">2.1.10.in-addr.arpa</code></p></td>
</tr>
<tr>
<td><p><code class="literal">3</code></p></td>
<td><p><code class="literal">IN PTR foo.example.com.</code></p></td>
</tr>
</tbody>
</table></div>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
are for providing context to the examples only — they do not
necessarily appear in the actual usage. They are only used here to indicate
that the example is relative to the listed origin.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2591848"></a>Other Zone File Directives</h3></div></div></div>
<p>
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
is class independent all records in a Master File must be of the
same class.
</p>
<p>
Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
and <span><strong class="command">$TTL.</strong></span>
</p>
6815 <div class="sect3" lang="en">
6816 <div class="titlepage"><div><div><h4 class="title">
6817 <a name="id2591870"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
6819 Syntax: <span><strong class="command">$ORIGIN</strong></span>
6820 <em class="replaceable"><code>domain-name</code></em>
6821 [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
6823 <p><span><strong class="command">$ORIGIN</strong></span>
6824 sets the domain name that will be appended to any
6825 unqualified records. When a zone is first read in there
6826 is an implicit <span><strong class="command">$ORIGIN</strong></span>
6827 <<code class="varname">zone-name</code>><span><strong class="command">.</strong></span>
6828 The current <span><strong class="command">$ORIGIN</strong></span> is appended to
6829 the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
6830 argument if it is not absolute.
<pre class="programlisting">
$ORIGIN example.com.
WWW CNAME MAIN-SERVER
</pre>
<p>is equivalent to</p>
<pre class="programlisting">
WWW.example.com. CNAME MAIN-SERVER.example.com.
</pre>
6843 <div class="sect3" lang="en">
6844 <div class="titlepage"><div><div><h4 class="title">
6845 <a name="id2592000"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
6847 Syntax: <span><strong class="command">$INCLUDE</strong></span>
6848 <em class="replaceable"><code>filename</code></em>
6849 [<span class="optional">
6850 <em class="replaceable"><code>origin</code></em> </span>]
6851 [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
Read and process the file <code class="filename">filename</code> as
if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
used.
The origin and the current domain name
revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
the file has been read.
6865 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
6866 <h3 class="title">Note</h3>
RFC 1035 specifies that the current origin should be restored
after an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
on whether the current
domain name should also be restored. BIND 9 restores both of
them.
This could be construed as a deviation from RFC 1035, a
feature, or both.
6879 <div class="sect3" lang="en">
6880 <div class="titlepage"><div><div><h4 class="title">
6881 <a name="id2592069"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
6883 Syntax: <span><strong class="command">$TTL</strong></span>
6884 <em class="replaceable"><code>default-ttl</code></em>
6885 [<span class="optional">
6886 <em class="replaceable"><code>comment</code></em> </span>]
Set the default Time To Live (TTL) for subsequent records
with undefined TTLs. Valid TTLs are of the range 0-2147483647
seconds.
<p><span><strong class="command">$TTL</strong></span>
is defined in RFC 2308.
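<p>
The three directives above interact: <span><strong class="command">$ORIGIN</strong></span> decides what is appended to unqualified names, <span><strong class="command">$INCLUDE</strong></span> may change the origin for one file and then restores both the origin and the current domain name, and <span><strong class="command">$TTL</strong></span> supplies the TTL for records that omit one. The following added example (not ISC's master-file parser, and not from the ARM) is a minimal reader that applies exactly those rules and returns fully qualified records. The zone file and the included file are constructed in-memory strings with made-up names and addresses, so it runs offline; quoted strings, parentheses and most record types are deliberately not handled, and a record with no TTL and no <span><strong class="command">$TTL</strong></span> in effect is rejected rather than defaulted.
</p>

```python
MAX_TTL = 2147483647                           # upper end of the valid $TTL range
NAME_TYPES = {'CNAME', 'NS', 'PTR', 'DNAME'}   # rdata is a single domain name

def qualify(name, origin):
    """Append the current origin to a name unless it is already absolute."""
    if name == '@':
        return origin
    return name if name.endswith('.') else name + '.' + origin

class MasterFileReader:
    def __init__(self, files, zone_name):
        self.files = files                     # filename -> contents (in-memory for the example)
        self.origin = zone_name if zone_name.endswith('.') else zone_name + '.'   # implicit $ORIGIN
        self.current = self.origin             # "current domain name": owner of the last record
        self.default_ttl = None                # set by $TTL
        self.records = []

    def load(self, filename):
        """Read filename, recursing into $INCLUDEs, and return the records collected so far."""
        for raw in self.files[filename].splitlines():
            line = raw.split(';', 1)[0].rstrip()      # drop comments and trailing blanks
            if not line.strip():
                continue
            tokens = line.split()
            if tokens[0] == '$ORIGIN':
                self.origin = qualify(tokens[1], self.origin)   # relative argument gets origin appended
            elif tokens[0] == '$TTL':
                ttl = int(tokens[1])
                if not 0 <= ttl <= MAX_TTL:
                    raise ValueError('$TTL out of range 0-%d: %d' % (MAX_TTL, ttl))
                self.default_ttl = ttl
            elif tokens[0] == '$INCLUDE':
                saved = (self.origin, self.current)
                if len(tokens) > 2:                           # optional origin for the included file
                    self.origin = qualify(tokens[2], self.origin)
                self.load(tokens[1])
                self.origin, self.current = saved             # BIND 9 restores both (see the Note)
            else:
                self.records.append(self._record(line, tokens))
        return self.records

    def _record(self, line, tokens):
        if line[0] in ' \t':                                  # blank owner: reuse the current name
            owner = self.current
        else:
            owner = qualify(tokens.pop(0), self.origin)
            self.current = owner
        ttl, cls = self.default_ttl, 'IN'
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ('IN', 'CH', 'HS')):
            field = tokens.pop(0)                             # ttl and class, either order
            if field.isdigit():
                ttl = int(field)
            else:
                cls = field.upper()
        if ttl is None:
            raise ValueError('no TTL for %s and no $TTL in effect' % owner)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_TYPES:
            rdata = [qualify(rdata[0], self.origin)]
        elif rtype == 'SOA':                                  # mname and rname are names too
            rdata = [qualify(rdata[0], self.origin), qualify(rdata[1], self.origin)] + rdata[2:]
        return (owner, ttl, cls, rtype, ' '.join(rdata))

# Constructed sample zone and include file (made-up names and addresses).
FILES = {
    'example.com.zone': """\
$TTL 3600
$ORIGIN example.com.
@            IN SOA ns1.sub hostmaster 2008052701 7200 900 1209600 3600
WWW          CNAME MAIN-SERVER
MAIN-SERVER  600 IN A 192.0.2.1
$INCLUDE hosts.inc sub
             IN AAAA 2001:db8::1   ; owner is MAIN-SERVER again, not ns1
$ORIGIN sub
box          IN A 192.0.2.20
""",
    'hosts.inc': """\
ns1          IN A 192.0.2.53        ; read with $ORIGIN sub.example.com.
""",
}

def load_sample():
    return MasterFileReader(FILES, 'example.com').load('example.com.zone')

if __name__ == '__main__':
    for rec in load_sample():
        print(*rec)
```

<p>
The AAAA record after the <span><strong class="command">$INCLUDE</strong></span> is the point of the sample: its owner is <code class="literal">MAIN-SERVER.example.com.</code>, because the current domain name set inside the included file (<code class="literal">ns1.sub.example.com.</code>) is discarded when the include ends, as is the origin the include was read with.
</p>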
6898 <div class="sect2" lang="en">
6899 <div class="titlepage"><div><div><h3 class="title">
6900 <a name="id2592173"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
6902 Syntax: <span><strong class="command">$GENERATE</strong></span>
6903 <em class="replaceable"><code>range</code></em>
6904 <em class="replaceable"><code>lhs</code></em>
6905 [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
6906 [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
6907 <em class="replaceable"><code>type</code></em>
6908 <em class="replaceable"><code>rhs</code></em>
6909 [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
6911 <p><span><strong class="command">$GENERATE</strong></span>
6912 is used to create a series of resource records that only
6913 differ from each other by an
6914 iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
6915 easily generate the sets of records required to support
6916 sub /24 reverse delegations described in RFC 2317:
6917 Classless IN-ADDR.ARPA delegation.
<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0</pre>
<p>is equivalent to</p>
<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.</pre>
<div class="informaltable"><table border="1">
<tr>
<td><p><span><strong class="command">range</strong></span></p></td>
<td><p>
This can be one of two forms: start-stop
or start-stop/step. If the first form is used, then step
is set to 1. All of start, stop and step must be positive.
</p></td>
</tr>
<tr>
<td><p><span><strong class="command">lhs</strong></span></p></td>
<td><p>
<span><strong class="command">lhs</strong></span> describes the owner name of the resource records
to be created. Any single <span><strong class="command">$</strong></span>
symbols within the <span><strong class="command">lhs</strong></span> side
are replaced by the iterator value.
To get a $ in the output, you need to escape the
<span><strong class="command">$</strong></span> using a backslash
<span><strong class="command">\</strong></span>,
e.g. <span><strong class="command">\$</strong></span>. The
<span><strong class="command">$</strong></span> may optionally be followed
by modifiers which change the offset from the
iterator, field width and base.
Modifiers are introduced by a
<span><strong class="command">{</strong></span> (left brace) immediately following the
<span><strong class="command">$</strong></span> as
<span><strong class="command">${offset[,width[,base]]}</strong></span>.
For example, <span><strong class="command">${-20,3,d}</strong></span>
subtracts 20 from the current value, prints the
result as a decimal in a zero-padded field of
width 3.
Available output forms are decimal
(<span><strong class="command">d</strong></span>), octal
(<span><strong class="command">o</strong></span>) and hexadecimal
(<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
for uppercase). The default modifier is
<span><strong class="command">${0,0,d}</strong></span>. If the
<span><strong class="command">lhs</strong></span> is not absolute, the
current <span><strong class="command">$ORIGIN</strong></span> is appended
to the name.
</p><p>
For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still
recognized as indicating a literal $ in the output.
</p></td>
</tr>
<tr>
<td><p><span><strong class="command">ttl</strong></span></p></td>
<td><p>
Specifies the time-to-live of the generated records. If
not specified this will be inherited using the
normal ttl inheritance rules.
</p><p><span><strong class="command">class</strong></span>
and <span><strong class="command">ttl</strong></span> can be
entered in either order.
</p></td>
</tr>
<tr>
<td><p><span><strong class="command">class</strong></span></p></td>
<td><p>
Specifies the class of the generated records.
This must match the zone class if it is
specified.
</p><p><span><strong class="command">class</strong></span>
and <span><strong class="command">ttl</strong></span> can be
entered in either order.
</p></td>
</tr>
<tr>
<td><p><span><strong class="command">type</strong></span></p></td>
<td><p>
At present the only supported types are
PTR, CNAME, DNAME, A, AAAA and NS.
</p></td>
</tr>
<tr>
<td><p><span><strong class="command">rhs</strong></span></p></td>
<td><p>
<span><strong class="command">rhs</strong></span> is a domain name. It is processed
similarly to <span><strong class="command">lhs</strong></span>.
</p></td>
</tr>
</table></div>
7053 The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
7054 and not part of the standard zone file format.
7057 BIND 8 does not support the optional TTL and CLASS fields.
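<p>
To make the substitution rules concrete, the following added example (it is not BIND's implementation and not from the ARM) expands a <span><strong class="command">$GENERATE</strong></span> line into the records it stands for: both range forms, <span><strong class="command">$</strong></span> with the <span><strong class="command">${offset,width,base}</strong></span> modifiers, the <span><strong class="command">\$</strong></span> and <span><strong class="command">$$</strong></span> escapes, <span><strong class="command">ttl</strong></span> and <span><strong class="command">class</strong></span> in either order, and the type restriction in the table. One choice is this example's own: for A and AAAA the <span><strong class="command">rhs</strong></span> is treated as an address and the origin is not appended, while for the name types it is qualified like <span><strong class="command">lhs</strong></span>. The sample input is the RFC 2317 example from this section.
</p>

```python
import re

SUPPORTED_TYPES = {'PTR', 'CNAME', 'DNAME', 'A', 'AAAA', 'NS'}
NAME_TYPES = {'PTR', 'CNAME', 'DNAME', 'NS'}   # rhs is a domain name for these (example's choice)

# $$ and \$ -> literal $; $ or ${offset[,width[,base]]} -> iterator value
_ITER = re.compile(r'\$\$|\\\$|\$(?:\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\})?')

def substitute(template, i):
    """Replace every iterator reference in template with its value for iteration i."""
    def repl(m):
        if m.group(0) in ('$$', '\\$'):
            return '$'
        offset = int(m.group(1) or 0)
        width = int(m.group(2) or 0)
        base = m.group(3) or 'd'                      # default modifier is ${0,0,d}
        spec = ('0%d' % width if width else '') + base   # zero-padded field, like printf %0*d
        return format(i + offset, spec)
    return _ITER.sub(repl, template)

def parse_range(text):
    """'start-stop' or 'start-stop/step'; start, stop and step must all be positive."""
    span, _, step = text.partition('/')
    start, stop = (int(x) for x in span.split('-', 1))
    step = int(step) if step else 1
    if min(start, stop, step) <= 0:
        raise ValueError('start, stop and step must be positive: %r' % text)
    return range(start, stop + 1, step)

def qualify(name, origin):
    """Append the current origin unless the name is already absolute."""
    return name if name.endswith('.') else name + '.' + origin

def expand_generate(line, origin, default_ttl=None):
    """Return [(owner, ttl, class, type, rdata), ...] for one $GENERATE line."""
    tokens = line.split()
    if tokens[0] != '$GENERATE' or len(tokens) < 5:
        raise ValueError('not a $GENERATE directive: %r' % line)
    rng, lhs, rhs, rtype = parse_range(tokens[1]), tokens[2], tokens[-1], tokens[-2].upper()
    if rtype not in SUPPORTED_TYPES:
        raise ValueError('unsupported type in $GENERATE: %s' % rtype)
    ttl, cls = default_ttl, 'IN'
    for opt in tokens[3:-2]:                          # optional ttl and class, either order
        if opt.isdigit():
            ttl = int(opt)
        elif opt.upper() in ('IN', 'CH', 'HS'):
            cls = opt.upper()
        else:
            raise ValueError('unexpected field %r' % opt)
    records = []
    for i in rng:
        owner = qualify(substitute(lhs, i), origin)
        rdata = substitute(rhs, i)
        if rtype in NAME_TYPES:
            rdata = qualify(rdata, origin)            # A/AAAA rdata is an address, left alone
        records.append((owner, ttl, cls, rtype, rdata))
    return records

# Constructed input: the RFC 2317 example from this section.
ORIGIN = '0.0.192.IN-ADDR.ARPA.'
EXAMPLE = [
    '$GENERATE 1-2 0 NS SERVER$.EXAMPLE.',
    '$GENERATE 1-127 $ CNAME $.0',
]

if __name__ == '__main__':
    for directive in EXAMPLE:
        for owner, ttl, cls, rtype, rdata in expand_generate(directive, ORIGIN, 3600):
            print(owner, ttl, cls, rtype, rdata)
```

<p>
Running it prints the two NS records and the 127 CNAME records listed above. The <code class="literal">${-20,3,d}</code> case from the table gives <code class="literal">005</code> for an iterator value of 25, and <code class="literal">\$$</code> yields a literal dollar sign followed by the iterator.
</p>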
7060 <div class="sect2" lang="en">
7061 <div class="titlepage"><div><div><h3 class="title">
7062 <a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
In addition to the standard textual format, BIND 9
supports the ability to read or dump to zone files in
other formats. The <code class="constant">raw</code> format is
currently available as an additional format. It is a
binary format representing BIND 9's internal data
structure directly, thereby remarkably improving the
load time.
7073 For a primary server, a zone file in the
7074 <code class="constant">raw</code> format is expected to be
7075 generated from a textual zone file by the
7076 <span><strong class="command">named-compilezone</strong></span> command. For a
7077 secondary server or for a dynamic zone, it is automatically
7078 generated (if this format is specified by the
7079 <span><strong class="command">masterfile-format</strong></span> option) when
7080 <span><strong class="command">named</strong></span> dumps the zone contents after
7081 zone transfer or when applying prior updates.
7084 If a zone file in a binary format needs manual modification,
7085 it first must be converted to a textual form by the
7086 <span><strong class="command">named-compilezone</strong></span> command. All
7087 necessary modification should go to the text file, which
7088 should then be converted to the binary form by the
7089 <span><strong class="command">named-compilezone</strong></span> command again.
Although the <code class="constant">raw</code> format uses
network byte order and avoids architecture-dependent
data alignment so that it is as portable as
possible, it is primarily expected to be used inside
7096 the same single system. In order to export a zone
7097 file in the <code class="constant">raw</code> format or make a
7098 portable backup of the file, it is recommended to
7099 convert the file to the standard textual representation.
7104 <div class="navfooter">
7106 <table width="100%" summary="Navigation footer">
7108 <td width="40%" align="left">
7109 <a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
7110 <td width="20%" align="center"> </td>
7111 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
7115 <td width="40%" align="left" valign="top">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver </td>
7116 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
7117 <td width="40%" align="right" valign="top"> Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td>