1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.97 2008/10/17 19:37:35 jreed Exp $ -->
22 <book xmlns:xi="http://www.w3.org/2001/XInclude">
23 <title>BIND 9 Administrator Reference Manual</title>
32 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
39 <holder>Internet Software Consortium.</holder>
43 <chapter id="Bv9ARM.ch01">
44 <title>Introduction</title>
46 The Internet Domain Name System (<acronym>DNS</acronym>)
47 consists of the syntax
48 to specify the names of entities in the Internet in a hierarchical
49 manner, the rules used for delegating authority over names, and the
50 system implementation that actually maps names to Internet
51 addresses. <acronym>DNS</acronym> data is maintained in a
53 hierarchical databases.
57 <title>Scope of Document</title>
60 The Berkeley Internet Name Domain
61 (<acronym>BIND</acronym>) implements a
62 domain name server for a number of operating systems. This
63 document provides basic information about the installation and
64 care of the Internet Systems Consortium (<acronym>ISC</acronym>)
65 <acronym>BIND</acronym> version 9 software package for
66 system administrators.
70 This version of the manual corresponds to BIND version 9.4.
75 <title>Organization of This Document</title>
77 In this document, <emphasis>Section 1</emphasis> introduces
78 the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
79 describes resource requirements for running <acronym>BIND</acronym> in various
80 environments. Information in <emphasis>Section 3</emphasis> is
81 <emphasis>task-oriented</emphasis> in its presentation and is
82 organized functionally, to aid in the process of installing the
83 <acronym>BIND</acronym> 9 software. The task-oriented
84 section is followed by
85 <emphasis>Section 4</emphasis>, which contains more advanced
86 concepts that the system administrator may need for implementing
87 certain options. <emphasis>Section 5</emphasis>
88 describes the <acronym>BIND</acronym> 9 lightweight
89 resolver. The contents of <emphasis>Section 6</emphasis> are
90 organized as in a reference manual to aid in the ongoing
91 maintenance of the software. <emphasis>Section 7</emphasis> addresses
92 security considerations, and
93 <emphasis>Section 8</emphasis> contains troubleshooting help. The
94 main body of the document is followed by several
95 <emphasis>appendices</emphasis> which contain useful reference
96 information, such as a <emphasis>bibliography</emphasis> and
97 historic information related to <acronym>BIND</acronym>
103 <title>Conventions Used in This Document</title>
106 In this document, we use the following general typographic
112 <colspec colname="1" colnum="1" colwidth="3.000in"/>
113 <colspec colname="2" colnum="2" colwidth="2.625in"/>
118 <emphasis>To describe:</emphasis>
123 <emphasis>We use the style:</emphasis>
130 a pathname, filename, URL, hostname,
131 mailing list name, or new term or concept
136 <filename>Fixed width</filename>
149 <userinput>Fixed Width Bold</userinput>
161 <computeroutput>Fixed Width</computeroutput>
170 The following conventions are used in descriptions of the
171 <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
172 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
173 <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
174 <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
177 <entry colname="1" colsep="1" rowsep="1">
179 <emphasis>To describe:</emphasis>
182 <entry colname="2" rowsep="1">
184 <emphasis>We use the style:</emphasis>
189 <entry colname="1" colsep="1" rowsep="1">
194 <entry colname="2" rowsep="1">
196 <literal>Fixed Width</literal>
201 <entry colname="1" colsep="1" rowsep="1">
206 <entry colname="2" rowsep="1">
208 <varname>Fixed Width</varname>
213 <entry colname="1" colsep="1">
220 <optional>Text is enclosed in square brackets</optional>
230 <title>The Domain Name System (<acronym>DNS</acronym>)</title>
232 The purpose of this document is to explain the installation
233 and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
234 Name Domain) software package, and we
235 begin by reviewing the fundamentals of the Domain Name System
236 (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
240 <title>DNS Fundamentals</title>
243 The Domain Name System (DNS) is a hierarchical, distributed
244 database. It stores information for mapping Internet host names to
246 addresses and vice versa, mail routing information, and other data
247 used by Internet applications.
251 Clients look up information in the DNS by calling a
252 <emphasis>resolver</emphasis> library, which sends queries to one or
253 more <emphasis>name servers</emphasis> and interprets the responses.
254 The <acronym>BIND</acronym> 9 software distribution
256 name server, <command>named</command>, and two resolver
257 libraries, <command>liblwres</command> and <command>libbind</command>.
261 <title>Domains and Domain Names</title>
264 The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
265 organizational or administrative boundaries. Each node of the tree,
266 called a <emphasis>domain</emphasis>, is given a label. The domain
268 node is the concatenation of all the labels on the path from the
269 node to the <emphasis>root</emphasis> node. This is represented
270 in written form as a string of labels listed from right to left and
271 separated by dots. A label need only be unique within its parent
276 For example, a domain name for a host at the
277 company <emphasis>Example, Inc.</emphasis> could be
278 <literal>ourhost.example.com</literal>,
279 where <literal>com</literal> is the
280 top level domain to which
281 <literal>ourhost.example.com</literal> belongs,
282 <literal>example</literal> is
283 a subdomain of <literal>com</literal>, and
284 <literal>ourhost</literal> is the
289 For administrative purposes, the name space is partitioned into
290 areas called <emphasis>zones</emphasis>, each starting at a node and
291 extending down to the leaf nodes or to nodes where other zones
293 The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
294 <emphasis>DNS protocol</emphasis>.
298 The data associated with each domain name is stored in the
299 form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
300 Some of the supported resource record types are described in
301 <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
305 For more detailed information about the design of the DNS and
306 the DNS protocol, please refer to the standards documents listed in
307 <xref linkend="rfcs"/>.
314 To properly operate a name server, it is important to understand
315 the difference between a <emphasis>zone</emphasis>
316 and a <emphasis>domain</emphasis>.
320 As stated previously, a zone is a point of delegation in
321 the <acronym>DNS</acronym> tree. A zone consists of
322 those contiguous parts of the domain
323 tree for which a name server has complete information and over which
324 it has authority. It contains all domain names from a certain point
325 downward in the domain tree except those which are delegated to
326 other zones. A delegation point is marked by one or more
327 <emphasis>NS records</emphasis> in the
328 parent zone, which should be matched by equivalent NS records at
329 the root of the delegated zone.
333 For instance, consider the <literal>example.com</literal>
334 domain which includes names
335 such as <literal>host.aaa.example.com</literal> and
336 <literal>host.bbb.example.com</literal> even though
337 the <literal>example.com</literal> zone includes
338 only delegations for the <literal>aaa.example.com</literal> and
339 <literal>bbb.example.com</literal> zones. A zone can
341 exactly to a single domain, but could also include only part of a
342 domain, the rest of which could be delegated to other
343 name servers. Every name in the <acronym>DNS</acronym>
345 <emphasis>domain</emphasis>, even if it is
346 <emphasis>terminal</emphasis>, that is, has no
347 <emphasis>subdomains</emphasis>. Every subdomain is a domain and
348 every domain except the root is also a subdomain. The terminology is
349 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
351 gain a complete understanding of this difficult and subtle
356 Though <acronym>BIND</acronym> is called a "domain name
358 it deals primarily in terms of zones. The master and slave
359 declarations in the <filename>named.conf</filename> file
361 zones, not domains. When you ask some other site if it is willing to
362 be a slave server for your <emphasis>domain</emphasis>, you are
363 actually asking for slave service for some collection of zones.
368 <title>Authoritative Name Servers</title>
371 Each zone is served by at least
372 one <emphasis>authoritative name server</emphasis>,
373 which contains the complete data for the zone.
374 To make the DNS tolerant of server and network failures,
375 most zones have two or more authoritative servers, on
380 Responses from authoritative servers have the "authoritative
381 answer" (AA) bit set in the response packets. This makes them
382 easy to identify when debugging DNS configurations using tools like
383 <command>dig</command> (<xref linkend="diagnostic_tools"/>).
387 <title>The Primary Master</title>
390 The authoritative server where the master copy of the zone
391 data is maintained is called the
392 <emphasis>primary master</emphasis> server, or simply the
393 <emphasis>primary</emphasis>. Typically it loads the zone
394 contents from some local file edited by humans or perhaps
395 generated mechanically from some other local file which is
396 edited by humans. This file is called the
397 <emphasis>zone file</emphasis> or
398 <emphasis>master file</emphasis>.
402 In some cases, however, the master file may not be edited
403 by humans at all, but may instead be the result of
404 <emphasis>dynamic update</emphasis> operations.
409 <title>Slave Servers</title>
411 The other authoritative servers, the <emphasis>slave</emphasis>
412 servers (also known as <emphasis>secondary</emphasis> servers)
414 the zone contents from another server using a replication process
415 known as a <emphasis>zone transfer</emphasis>. Typically the data
417 transferred directly from the primary master, but it is also
419 to transfer it from another slave. In other words, a slave server
420 may itself act as a master to a subordinate slave server.
425 <title>Stealth Servers</title>
428 Usually all of the zone's authoritative servers are listed in
429 NS records in the parent zone. These NS records constitute
430 a <emphasis>delegation</emphasis> of the zone from the parent.
431 The authoritative servers are also listed in the zone file itself,
432 at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
433 of the zone. You can list servers in the zone's top-level NS
434 records that are not in the parent's NS delegation, but you cannot
435 list servers in the parent's delegation that are not present at
436 the zone's top level.
440 A <emphasis>stealth server</emphasis> is a server that is
441 authoritative for a zone but is not listed in that zone's NS
442 records. Stealth servers can be used for keeping a local copy of
444 zone to speed up access to the zone's records or to make sure that
446 zone is available even if all the "official" servers for the zone
452 A configuration where the primary master server itself is a
453 stealth server is often referred to as a "hidden primary"
454 configuration. One use for this configuration is when the primary
456 is behind a firewall and therefore unable to communicate directly
457 with the outside world.
465 <title>Caching Name Servers</title>
468 - Terminology here is inconsistent. Probably ought to
469 - convert to using "recursive name server" everywhere
470 - with just a note about "caching" terminology.
474 The resolver libraries provided by most operating systems are
475 <emphasis>stub resolvers</emphasis>, meaning that they are not
477 performing the full DNS resolution process by themselves by talking
478 directly to the authoritative servers. Instead, they rely on a
480 name server to perform the resolution on their behalf. Such a
482 is called a <emphasis>recursive</emphasis> name server; it performs
483 <emphasis>recursive lookups</emphasis> for local clients.
487 To improve performance, recursive servers cache the results of
488 the lookups they perform. Since the processes of recursion and
489 caching are intimately connected, the terms
490 <emphasis>recursive server</emphasis> and
491 <emphasis>caching server</emphasis> are often used synonymously.
495 The length of time for which a record may be retained in
496 the cache of a caching name server is controlled by the
497 Time To Live (TTL) field associated with each resource record.
501 <title>Forwarding</title>
504 Even a caching name server does not necessarily perform
505 the complete recursive lookup itself. Instead, it can
506 <emphasis>forward</emphasis> some or all of the queries
507 that it cannot satisfy from its cache to another caching name
509 commonly referred to as a <emphasis>forwarder</emphasis>.
513 There may be one or more forwarders,
514 and they are queried in turn until the list is exhausted or an
516 is found. Forwarders are typically used when you do not
517 wish all the servers at a given site to interact directly with the
519 the Internet servers. A typical scenario would involve a number
520 of internal <acronym>DNS</acronym> servers and an
521 Internet firewall. Servers unable
522 to pass packets through the firewall would forward to the server
523 that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
524 on the internal server's behalf.
531 <title>Name Servers in Multiple Roles</title>
534 The <acronym>BIND</acronym> name server can
535 simultaneously act as
536 a master for some zones, a slave for other zones, and as a caching
537 (recursive) server for a set of local clients.
541 However, since the functions of authoritative name service
542 and caching/recursive name service are logically separate, it is
543 often advantageous to run them on separate server machines.
545 A server that only provides authoritative name service
546 (an <emphasis>authoritative-only</emphasis> server) can run with
547 recursion disabled, improving reliability and security.
549 A server that is not authoritative for any zones and only provides
550 recursive service to local
551 clients (a <emphasis>caching-only</emphasis> server)
552 does not need to be reachable from the Internet at large and can
553 be placed inside a firewall.
561 <chapter id="Bv9ARM.ch02">
562 <title><acronym>BIND</acronym> Resource Requirements</title>
565 <title>Hardware requirements</title>
568 <acronym>DNS</acronym> hardware requirements have
569 traditionally been quite modest.
570 For many installations, servers that have been pensioned off from
571 active duty have performed admirably as <acronym>DNS</acronym> servers.
574 The DNSSEC features of <acronym>BIND</acronym> 9
575 may prove to be quite
576 CPU intensive however, so organizations that make heavy use of these
577 features may wish to consider larger systems for these applications.
578 <acronym>BIND</acronym> 9 is fully multithreaded, allowing
580 multiprocessor systems for installations that need it.
584 <title>CPU Requirements</title>
586 CPU requirements for <acronym>BIND</acronym> 9 range from
588 for serving of static zones without caching, to enterprise-class
589 machines if you intend to process many dynamic updates and DNSSEC
590 signed zones, serving many thousands of queries per second.
595 <title>Memory Requirements</title>
597 The memory of the server has to be large enough to fit the
598 cache and zones loaded off disk. The <command>max-cache-size</command>
599 option can be used to limit the amount of memory used by the cache,
600 at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
602 Additionally, if additional section caching
603 (<xref linkend="acache"/>) is enabled,
604 the <command>max-acache-size</command> option can be used to
606 of memory used by the mechanism.
607 It is still good practice to have enough memory to load
608 all zone and cache data into memory — unfortunately, the best
610 to determine this for a given installation is to watch the name server
611 in operation. After a few weeks the server process should reach
612 a relatively stable size where entries are expiring from the cache as
613 fast as they are being inserted.
616 - Add something here about leaving overhead for attacks?
617 - How much overhead? Percentage?
622 <title>Name Server Intensive Environment Issues</title>
624 For name server intensive environments, there are two alternative
625 configurations that may be used. The first is where clients and
626 any second-level internal name servers query a main name server, which
627 has enough memory to build a large cache. This approach minimizes
628 the bandwidth used by external name lookups. The second alternative
629 is to set up second-level internal name servers to make queries
631 In this configuration, none of the individual machines needs to
632 have as much memory or CPU power as in the first alternative, but
633 this has the disadvantage of making many more external queries,
634 as none of the name servers share their cached data.
639 <title>Supported Operating Systems</title>
641 ISC <acronym>BIND</acronym> 9 compiles and runs on a large
642 number of Unix-like operating systems, and on some versions of
643 Microsoft Windows including Windows XP, Windows 2003, and
644 Windows 2008. For an up-to-date list of supported systems,
645 see the README file in the top level directory of the BIND 9
651 <chapter id="Bv9ARM.ch03">
652 <title>Name Server Configuration</title>
654 In this section we provide some suggested configurations along
655 with guidelines for their use. We suggest reasonable values for
656 certain option settings.
659 <sect1 id="sample_configuration">
660 <title>Sample Configurations</title>
662 <title>A Caching-only Name Server</title>
664 The following sample configuration is appropriate for a caching-only
665 name server for use by clients internal to a corporation. All
667 from outside clients are refused using the <command>allow-query</command>
668 option. Alternatively, the same effect could be achieved using
674 // Two corporate subnets we wish to allow queries from.
675 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
677 directory "/etc/namedb"; // Working directory
678 allow-query { corpnets; };
680 // Provide a reverse mapping for the loopback address 127.0.0.1
681 zone "0.0.127.in-addr.arpa" {
683 file "localhost.rev";
691 <title>An Authoritative-only Name Server</title>
693 This sample configuration is for an authoritative-only server
694 that is the master server for "<filename>example.com</filename>"
695 and a slave for the subdomain "<filename>eng.example.com</filename>".
700 directory "/etc/namedb"; // Working directory
701 allow-query-cache { none; }; // Do not allow access to cache
702 allow-query { any; }; // This is the default
703 recursion no; // Do not provide recursive service
706 // Provide a reverse mapping for the loopback address 127.0.0.1
707 zone "0.0.127.in-addr.arpa" {
709 file "localhost.rev";
712 // We are the master server for example.com
715 file "example.com.db";
716 // IP addresses of slave servers allowed to transfer example.com
722 // We are a slave server for eng.example.com
723 zone "eng.example.com" {
725 file "eng.example.com.bk";
726 // IP address of eng.example.com master server
727 masters { 192.168.4.12; };
735 <title>Load Balancing</title>
737 - Add explanation of why load balancing is fragile at best
738 - and completely pointless in the general case.
742 A primitive form of load balancing can be achieved in
743 the <acronym>DNS</acronym> by using multiple records
744 (such as multiple A records) for one name.
748 For example, if you have three WWW servers with network addresses
749 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
750 following means that clients will connect to each machine one third
754 <informaltable colsep="0" rowsep="0">
755 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
756 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
757 <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
758 <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
759 <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
760 <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
785 Resource Record (RR) Data
792 <literal>www</literal>
797 <literal>600</literal>
802 <literal>IN</literal>
812 <literal>10.0.0.1</literal>
822 <literal>600</literal>
827 <literal>IN</literal>
837 <literal>10.0.0.2</literal>
847 <literal>600</literal>
852 <literal>IN</literal>
862 <literal>10.0.0.3</literal>
870 When a resolver queries for these records, <acronym>BIND</acronym> will rotate
871 them and respond to the query with the records in a different
872 order. In the example above, clients will randomly receive
873 records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
874 will use the first record returned and discard the rest.
877 For more detail on ordering responses, check the
878 <command>rrset-order</command> substatement in the
879 <command>options</command> statement, see
880 <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
886 <title>Name Server Operations</title>
889 <title>Tools for Use With the Name Server Daemon</title>
891 This section describes several indispensable diagnostic,
892 administrative and monitoring tools available to the system
893 administrator for controlling and debugging the name server
896 <sect3 id="diagnostic_tools">
897 <title>Diagnostic Tools</title>
899 The <command>dig</command>, <command>host</command>, and
900 <command>nslookup</command> programs are all command
902 for manually querying name servers. They differ in style and
908 <term id="dig"><command>dig</command></term>
911 The domain information groper (<command>dig</command>)
912 is the most versatile and complete of these lookup tools.
913 It has two modes: simple interactive
914 mode for a single query, and batch mode which executes a
916 each in a list of several query lines. All query options are
918 from the command line.
920 <cmdsynopsis label="Usage">
921 <command>dig</command>
922 <arg>@<replaceable>server</replaceable></arg>
923 <arg choice="plain"><replaceable>domain</replaceable></arg>
924 <arg><replaceable>query-type</replaceable></arg>
925 <arg><replaceable>query-class</replaceable></arg>
926 <arg>+<replaceable>query-option</replaceable></arg>
927 <arg>-<replaceable>dig-option</replaceable></arg>
928 <arg>%<replaceable>comment</replaceable></arg>
931 The usual simple use of dig will take the form
934 <command>dig @server domain query-type query-class</command>
937 For more information and a list of available commands and
938 options, see the <command>dig</command> man
945 <term><command>host</command></term>
948 The <command>host</command> utility emphasizes
950 and ease of use. By default, it converts
951 between host names and Internet addresses, but its
953 can be extended with the use of options.
955 <cmdsynopsis label="Usage">
956 <command>host</command>
957 <arg>-aCdlnrsTwv</arg>
958 <arg>-c <replaceable>class</replaceable></arg>
959 <arg>-N <replaceable>ndots</replaceable></arg>
960 <arg>-t <replaceable>type</replaceable></arg>
961 <arg>-W <replaceable>timeout</replaceable></arg>
962 <arg>-R <replaceable>retries</replaceable></arg>
963 <arg>-m <replaceable>flag</replaceable></arg>
966 <arg choice="plain"><replaceable>hostname</replaceable></arg>
967 <arg><replaceable>server</replaceable></arg>
970 For more information and a list of available commands and
971 options, see the <command>host</command> man
978 <term><command>nslookup</command></term>
980 <para><command>nslookup</command>
981 has two modes: interactive and
982 non-interactive. Interactive mode allows the user to
983 query name servers for information about various
984 hosts and domains or to print a list of hosts in a
985 domain. Non-interactive mode is used to print just
986 the name and requested information for a host or
989 <cmdsynopsis label="Usage">
990 <command>nslookup</command>
991 <arg rep="repeat">-option</arg>
993 <arg><replaceable>host-to-find</replaceable></arg>
994 <arg>- <arg>server</arg></arg>
998 Interactive mode is entered when no arguments are given (the
999 default name server will be used) or when the first argument
1001 hyphen (`-') and the second argument is the host name or
1006 Non-interactive mode is used when the name or Internet
1008 of the host to be looked up is given as the first argument.
1010 optional second argument specifies the host name or address
1014 Due to its arcane user interface and frequently inconsistent
1015 behavior, we do not recommend the use of <command>nslookup</command>.
1016 Use <command>dig</command> instead.
1024 <sect3 id="admin_tools">
1025 <title>Administrative Tools</title>
1027 Administrative tools play an integral part in the management
1031 <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
1033 <term><command>named-checkconf</command></term>
1036 The <command>named-checkconf</command> program
1037 checks the syntax of a <filename>named.conf</filename> file.
1039 <cmdsynopsis label="Usage">
1040 <command>named-checkconf</command>
1042 <arg>-t <replaceable>directory</replaceable></arg>
1043 <arg><replaceable>filename</replaceable></arg>
1047 <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
1049 <term><command>named-checkzone</command></term>
1052 The <command>named-checkzone</command> program
1053 checks a master file for
1054 syntax and consistency.
1056 <cmdsynopsis label="Usage">
1057 <command>named-checkzone</command>
1059 <arg>-c <replaceable>class</replaceable></arg>
1060 <arg>-o <replaceable>output</replaceable></arg>
1061 <arg>-t <replaceable>directory</replaceable></arg>
1062 <arg>-w <replaceable>directory</replaceable></arg>
1063 <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
1064 <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
1065 <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
1066 <arg choice="plain"><replaceable>zone</replaceable></arg>
1067 <arg><replaceable>filename</replaceable></arg>
1071 <varlistentry id="named-compilezone" xreflabel="Zone Compilation aplication">
1072 <term><command>named-compilezone</command></term>
1075 Similar to <command>named-checkzone,</command> but
1076 it always dumps the zone content to a specified file
1077 (typically in a different format).
1081 <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
1083 <term><command>rndc</command></term>
1086 The remote name daemon control
1087 (<command>rndc</command>) program allows the
1089 administrator to control the operation of a name server.
1090 Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
1091 supports all the commands of the BIND 8 <command>ndc</command>
1092 utility except <command>ndc start</command> and
1093 <command>ndc restart</command>, which were also
1094 not supported in <command>ndc</command>'s
1096 If you run <command>rndc</command> without any
1098 it will display a usage message as follows:
1100 <cmdsynopsis label="Usage">
1101 <command>rndc</command>
1102 <arg>-c <replaceable>config</replaceable></arg>
1103 <arg>-s <replaceable>server</replaceable></arg>
1104 <arg>-p <replaceable>port</replaceable></arg>
1105 <arg>-y <replaceable>key</replaceable></arg>
1106 <arg choice="plain"><replaceable>command</replaceable></arg>
1107 <arg rep="repeat"><replaceable>command</replaceable></arg>
1109 <para>The <command>command</command>
1110 is one of the following:
1116 <term><userinput>reload</userinput></term>
1119 Reload configuration file and zones.
1125 <term><userinput>reload <replaceable>zone</replaceable>
1126 <optional><replaceable>class</replaceable>
1127 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1130 Reload the given zone.
1136 <term><userinput>refresh <replaceable>zone</replaceable>
1137 <optional><replaceable>class</replaceable>
1138 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1141 Schedule zone maintenance for the given zone.
1147 <term><userinput>retransfer <replaceable>zone</replaceable>
1149 <optional><replaceable>class</replaceable>
1150 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1153 Retransfer the given zone from the master.
1160 <term><userinput>freeze
1161 <optional><replaceable>zone</replaceable>
1162 <optional><replaceable>class</replaceable>
1163 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1166 Suspend updates to a dynamic zone. If no zone is
1168 then all zones are suspended. This allows manual
1169 edits to be made to a zone normally updated by dynamic
1171 also causes changes in the journal file to be synced
1173 and the journal file to be removed. All dynamic
1174 update attempts will
1175 be refused while the zone is frozen.
1181 <term><userinput>thaw
1182 <optional><replaceable>zone</replaceable>
1183 <optional><replaceable>class</replaceable>
1184 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1187 Enable updates to a frozen dynamic zone. If no zone
1189 specified, then all frozen zones are enabled. This
1191 the server to reload the zone from disk, and
1192 re-enables dynamic updates
1193 after the load has completed. After a zone is thawed,
1195 will no longer be refused.
1201 <term><userinput>notify <replaceable>zone</replaceable>
1202 <optional><replaceable>class</replaceable>
1203 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1206 Resend NOTIFY messages for the zone.
1212 <term><userinput>reconfig</userinput></term>
1215 Reload the configuration file and load new zones,
1216 but do not reload existing zone files even if they
1218 This is faster than a full <command>reload</command> when there
1219 is a large number of zones because it avoids the need
1221 modification times of the zones files.
1227 <term><userinput>stats</userinput></term>
1230 Write server statistics to the statistics file.
1236 <term><userinput>querylog</userinput></term>
1239 Toggle query logging. Query logging can also be enabled
1240 by explicitly directing the <command>queries</command>
1241 <command>category</command> to a
1242 <command>channel</command> in the
1243 <command>logging</command> section of
1244 <filename>named.conf</filename> or by specifying
1245 <command>querylog yes;</command> in the
1246 <command>options</command> section of
1247 <filename>named.conf</filename>.
1253 <term><userinput>dumpdb
1254 <optional>-all|-cache|-zone</optional>
1255 <optional><replaceable>view ...</replaceable></optional></userinput></term>
1258 Dump the server's caches (default) and/or zones to
1260 dump file for the specified views. If no view is
1268 <term><userinput>stop <optional>-p</optional></userinput></term>
1271 Stop the server, making sure any recent changes
1272 made through dynamic update or IXFR are first saved to
1273 the master files of the updated zones.
1274 If -p is specified named's process id is returned.
1275 This allows an external process to determine when named
1276 had completed stopping.
1282 <term><userinput>halt <optional>-p</optional></userinput></term>
1285 Stop the server immediately. Recent changes
1286 made through dynamic update or IXFR are not saved to
1287 the master files, but will be rolled forward from the
1288 journal files when the server is restarted.
1289 If -p is specified named's process id is returned.
1290 This allows an external process to determine when named
1291 had completed halting.
1297 <term><userinput>trace</userinput></term>
1300 Increment the servers debugging level by one.
1306 <term><userinput>trace <replaceable>level</replaceable></userinput></term>
1309 Sets the server's debugging level to an explicit
1316 <term><userinput>notrace</userinput></term>
1319 Sets the server's debugging level to 0.
1325 <term><userinput>flush</userinput></term>
1328 Flushes the server's cache.
1334 <term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
1337 Flushes the given name from the server's cache.
1343 <term><userinput>status</userinput></term>
1346 Display status of the server.
1347 Note that the number of zones includes the internal <command>bind/CH</command> zone
1348 and the default <command>./IN</command>
1349 hint zone if there is not an
1350 explicit root zone configured.
1356 <term><userinput>recursing</userinput></term>
1359 Dump the list of queries named is currently recursing
1368 A configuration file is required, since all
1369 communication with the server is authenticated with
1370 digital signatures that rely on a shared secret, and
1371 there is no way to provide that secret other than with a
1372 configuration file. The default location for the
1373 <command>rndc</command> configuration file is
1374 <filename>/etc/rndc.conf</filename>, but an
1376 location can be specified with the <option>-c</option>
1377 option. If the configuration file is not found,
1378 <command>rndc</command> will also look in
1379 <filename>/etc/rndc.key</filename> (or whatever
1380 <varname>sysconfdir</varname> was defined when
1381 the <acronym>BIND</acronym> build was
1383 The <filename>rndc.key</filename> file is
1385 running <command>rndc-confgen -a</command> as
1387 <xref linkend="controls_statement_definition_and_usage"/>.
1391 The format of the configuration file is similar to
1392 that of <filename>named.conf</filename>, but
1394 only four statements, the <command>options</command>,
1395 <command>key</command>, <command>server</command> and
1396 <command>include</command>
1397 statements. These statements are what associate the
1398 secret keys to the servers with which they are meant to
1399 be shared. The order of statements is not
1404 The <command>options</command> statement has
1406 <command>default-server</command>, <command>default-key</command>,
1407 and <command>default-port</command>.
1408 <command>default-server</command> takes a
1409 host name or address argument and represents the server
1411 be contacted if no <option>-s</option>
1412 option is provided on the command line.
1413 <command>default-key</command> takes
1414 the name of a key as its argument, as defined by a <command>key</command> statement.
1415 <command>default-port</command> specifies the
1417 <command>rndc</command> should connect if no
1418 port is given on the command line or in a
1419 <command>server</command> statement.
1423 The <command>key</command> statement defines a
1425 by <command>rndc</command> when authenticating
1427 <command>named</command>. Its syntax is
1429 <command>key</command> statement in named.conf.
1430 The keyword <userinput>key</userinput> is
1431 followed by a key name, which must be a valid
1432 domain name, though it need not actually be hierarchical;
1434 a string like "<userinput>rndc_key</userinput>" is a valid
1436 The <command>key</command> statement has two
1438 <command>algorithm</command> and <command>secret</command>.
1439 While the configuration parser will accept any string as the
1441 to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
1442 has any meaning. The secret is a base-64 encoded string
1443 as specified in RFC 3548.
1447 The <command>server</command> statement
1449 defined using the <command>key</command>
1450 statement with a server.
1451 The keyword <userinput>server</userinput> is followed by a
1452 host name or address. The <command>server</command> statement
1453 has two clauses: <command>key</command> and <command>port</command>.
1454 The <command>key</command> clause specifies the
1456 to be used when communicating with this server, and the
1457 <command>port</command> clause can be used to
1458 specify the port <command>rndc</command> should
1464 A sample minimal configuration file is as follows:
1469 algorithm "hmac-md5";
1470 secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
1473 default-server 127.0.0.1;
1474 default-key rndc_key;
1479 This file, if installed as <filename>/etc/rndc.conf</filename>,
1480 would allow the command:
1484 <prompt>$ </prompt><userinput>rndc reload</userinput>
1488 to connect to 127.0.0.1 port 953 and cause the name server
1489 to reload, if a name server on the local machine were
1491 following controls statements:
1496 inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
1501 and it had an identical key statement for
1502 <literal>rndc_key</literal>.
1506 Running the <command>rndc-confgen</command>
1508 conveniently create a <filename>rndc.conf</filename>
1509 file for you, and also display the
1510 corresponding <command>controls</command>
1511 statement that you need to
1512 add to <filename>named.conf</filename>.
1514 you can run <command>rndc-confgen -a</command>
1516 a <filename>rndc.key</filename> file and not
1518 <filename>named.conf</filename> at all.
1529 <title>Signals</title>
1531 Certain UNIX signals cause the name server to take specific
1532 actions, as described in the following table. These signals can
1533 be sent using the <command>kill</command> command.
1535 <informaltable frame="all">
1537 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
1538 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
1542 <para><command>SIGHUP</command></para>
1546 Causes the server to read <filename>named.conf</filename> and
1547 reload the database.
1553 <para><command>SIGTERM</command></para>
1557 Causes the server to clean up and exit.
1563 <para><command>SIGINT</command></para>
1567 Causes the server to clean up and exit.
1578 <chapter id="Bv9ARM.ch04">
1579 <title>Advanced DNS Features</title>
1583 <title>Notify</title>
1585 <acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1586 servers to notify their slave servers of changes to a zone's data. In
1587 response to a <command>NOTIFY</command> from a master server, the
1588 slave will check to see that its version of the zone is the
1589 current version and, if not, initiate a zone transfer.
1593 For more information about <acronym>DNS</acronym>
1594 <command>NOTIFY</command>, see the description of the
1595 <command>notify</command> option in <xref linkend="boolean_options"/> and
1596 the description of the zone option <command>also-notify</command> in
1597 <xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1598 protocol is specified in RFC 1996.
1602 As a slave zone can also be a master to other slaves, named,
1603 by default, sends <command>NOTIFY</command> messages for every zone
1604 it loads. Specifying <command>notify master-only;</command> will
1605 cause named to only send <command>NOTIFY</command> for master
1606 zones that it loads.
1611 <sect1 id="dynamic_update">
1612 <title>Dynamic Update</title>
1615 Dynamic Update is a method for adding, replacing or deleting
1616 records in a master server by sending it a special form of DNS
1617 messages. The format and meaning of these messages is specified
1622 Dynamic update is enabled by
1623 including an <command>allow-update</command> or
1624 <command>update-policy</command> clause in the
1625 <command>zone</command> statement.
1629 Updating of secure zones (zones using DNSSEC) follows
1630 RFC 3007: RRSIG and NSEC records affected by updates are automatically
1631 regenerated by the server using an online zone key.
1632 Update authorization is based
1633 on transaction signatures and an explicit server policy.
1636 <sect2 id="journal">
1637 <title>The journal file</title>
1640 All changes made to a zone using dynamic update are stored
1641 in the zone's journal file. This file is automatically created
1642 by the server when the first dynamic update takes place.
1643 The name of the journal file is formed by appending the extension
1644 <filename>.jnl</filename> to the name of the
1646 file unless specifically overridden. The journal file is in a
1647 binary format and should not be edited manually.
1651 The server will also occasionally write ("dump")
1652 the complete contents of the updated zone to its zone file.
1653 This is not done immediately after
1654 each dynamic update, because that would be too slow when a large
1655 zone is updated frequently. Instead, the dump is delayed by
1656 up to 15 minutes, allowing additional updates to take place.
1660 When a server is restarted after a shutdown or crash, it will replay
1661 the journal file to incorporate into the zone any updates that
1663 place after the last zone dump.
1667 Changes that result from incoming incremental zone transfers are
1669 journalled in a similar way.
1673 The zone files of dynamic zones cannot normally be edited by
1674 hand because they are not guaranteed to contain the most recent
1675 dynamic changes — those are only in the journal file.
1676 The only way to ensure that the zone file of a dynamic zone
1677 is up to date is to run <command>rndc stop</command>.
1681 If you have to make changes to a dynamic zone
1682 manually, the following procedure will work: Disable dynamic updates
1684 <command>rndc freeze <replaceable>zone</replaceable></command>.
1685 This will also remove the zone's <filename>.jnl</filename> file
1686 and update the master file. Edit the zone file. Run
1687 <command>rndc thaw <replaceable>zone</replaceable></command>
1688 to reload the changed zone and re-enable dynamic updates.
1695 <sect1 id="incremental_zone_transfers">
1696 <title>Incremental Zone Transfers (IXFR)</title>
1699 The incremental zone transfer (IXFR) protocol is a way for
1700 slave servers to transfer only changed data, instead of having to
1701 transfer the entire zone. The IXFR protocol is specified in RFC
1702 1995. See <xref linkend="proposed_standards"/>.
1706 When acting as a master, <acronym>BIND</acronym> 9
1707 supports IXFR for those zones
1708 where the necessary change history information is available. These
1709 include master zones maintained by dynamic update and slave zones
1710 whose data was obtained by IXFR. For manually maintained master
1711 zones, and for slave zones obtained by performing a full zone
1712 transfer (AXFR), IXFR is supported only if the option
1713 <command>ixfr-from-differences</command> is set
1714 to <userinput>yes</userinput>.
1718 When acting as a slave, <acronym>BIND</acronym> 9 will
1719 attempt to use IXFR unless
1720 it is explicitly disabled. For more information about disabling
1721 IXFR, see the description of the <command>request-ixfr</command> clause
1722 of the <command>server</command> statement.
1727 <title>Split DNS</title>
1729 Setting up different views, or visibility, of the DNS space to
1730 internal and external resolvers is usually referred to as a
1731 <emphasis>Split DNS</emphasis> setup. There are several
1732 reasons an organization would want to set up its DNS this way.
1735 One common reason for setting up a DNS system this way is
1736 to hide "internal" DNS information from "external" clients on the
1737 Internet. There is some debate as to whether or not this is actually
1739 Internal DNS information leaks out in many ways (via email headers,
1740 for example) and most savvy "attackers" can find the information
1741 they need using other means.
1742 However, since listing addresses of internal servers that
1743 external clients cannot possibly reach can result in
1744 connection delays and other annoyances, an organization may
1745 choose to use a Split DNS to present a consistent view of itself
1746 to the outside world.
1749 Another common reason for setting up a Split DNS system is
1750 to allow internal networks that are behind filters or in RFC 1918
1751 space (reserved IP space, as documented in RFC 1918) to resolve DNS
1752 on the Internet. Split DNS can also be used to allow mail from outside
1753 back in to the internal network.
1756 <title>Example split DNS setup</title>
1758 Let's say a company named <emphasis>Example, Inc.</emphasis>
1759 (<literal>example.com</literal>)
1760 has several corporate sites that have an internal network with
1762 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1763 or "outside" section of a network, that is available to the public.
1766 <emphasis>Example, Inc.</emphasis> wants its internal clients
1767 to be able to resolve external hostnames and to exchange mail with
1768 people on the outside. The company also wants its internal resolvers
1769 to have access to certain internal-only zones that are not available
1770 at all outside of the internal network.
1773 In order to accomplish this, the company will set up two sets
1774 of name servers. One set will be on the inside network (in the
1776 IP space) and the other set will be on bastion hosts, which are
1778 hosts that can talk to both sides of its network, in the DMZ.
1781 The internal servers will be configured to forward all queries,
1782 except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1783 and <filename>site2.example.com</filename>, to the servers
1785 DMZ. These internal servers will have complete sets of information
1786 for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
1787 and <filename>site2.internal</filename>.
1790 To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1791 the internal name servers must be configured to disallow all queries
1792 to these domains from any external hosts, including the bastion
1796 The external servers, which are on the bastion hosts, will
1797 be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1798 This could include things such as the host records for public servers
1799 (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1800 and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
1803 In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1804 should have special MX records that contain wildcard (`*') records
1805 pointing to the bastion hosts. This is needed because external mail
1806 servers do not have any other way of looking up how to deliver mail
1807 to those internal hosts. With the wildcard records, the mail will
1808 be delivered to the bastion host, which can then forward it on to
1812 Here's an example of a wildcard MX record:
1814 <programlisting>* IN MX 10 external1.example.com.</programlisting>
1816 Now that they accept mail on behalf of anything in the internal
1817 network, the bastion hosts will need to know how to deliver mail
1818 to internal hosts. In order for this to work properly, the resolvers
1820 the bastion hosts will need to be configured to point to the internal
1821 name servers for DNS resolution.
1824 Queries for internal hostnames will be answered by the internal
1825 servers, and queries for external hostnames will be forwarded back
1826 out to the DNS servers on the bastion hosts.
1829 In order for all this to work properly, internal clients will
1830 need to be configured to query <emphasis>only</emphasis> the internal
1831 name servers for DNS queries. This could also be enforced via
1833 filtering on the network.
1836 If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1837 internal clients will now be able to:
1842 Look up any hostnames in the <literal>site1</literal>
1844 <literal>site2.example.com</literal> zones.
1849 Look up any hostnames in the <literal>site1.internal</literal> and
1850 <literal>site2.internal</literal> domains.
1854 <simpara>Look up any hostnames on the Internet.</simpara>
1857 <simpara>Exchange mail with both internal and external people.</simpara>
1861 Hosts on the Internet will be able to:
1866 Look up any hostnames in the <literal>site1</literal>
1868 <literal>site2.example.com</literal> zones.
1873 Exchange mail with anyone in the <literal>site1</literal> and
1874 <literal>site2.example.com</literal> zones.
1880 Here is an example configuration for the setup we just
1881 described above. Note that this is only configuration information;
1882 for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
1886 Internal DNS server config:
1891 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1893 acl externals { <varname>bastion-ips-go-here</varname>; };
1899 forwarders { // forward to external servers
1900 <varname>bastion-ips-go-here</varname>;
1902 allow-transfer { none; }; // sample allow-transfer (no one)
1903 allow-query { internals; externals; }; // restrict query access
1904 allow-recursion { internals; }; // restrict recursion
1909 zone "site1.example.com" { // sample master zone
1911 file "m/site1.example.com";
1912 forwarders { }; // do normal iterative
1913 // resolution (do not forward)
1914 allow-query { internals; externals; };
1915 allow-transfer { internals; };
1918 zone "site2.example.com" { // sample slave zone
1920 file "s/site2.example.com";
1921 masters { 172.16.72.3; };
1923 allow-query { internals; externals; };
1924 allow-transfer { internals; };
1927 zone "site1.internal" {
1929 file "m/site1.internal";
1931 allow-query { internals; };
1932 allow-transfer { internals; }
1935 zone "site2.internal" {
1937 file "s/site2.internal";
1938 masters { 172.16.72.3; };
1940 allow-query { internals };
1941 allow-transfer { internals; }
1946 External (bastion host) DNS server config:
1950 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1952 acl externals { bastion-ips-go-here; };
1957 allow-transfer { none; }; // sample allow-transfer (no one)
1958 allow-query { any; }; // default query access
1959 allow-query-cache { internals; externals; }; // restrict cache access
1960 allow-recursion { internals; externals; }; // restrict recursion
1965 zone "site1.example.com" { // sample slave zone
1967 file "m/site1.foo.com";
1968 allow-transfer { internals; externals; };
1971 zone "site2.example.com" {
1973 file "s/site2.foo.com";
1974 masters { another_bastion_host_maybe; };
1975 allow-transfer { internals; externals; }
1980 In the <filename>resolv.conf</filename> (or equivalent) on
1981 the bastion host(s):
1986 nameserver 172.16.72.2
1987 nameserver 172.16.72.3
1988 nameserver 172.16.72.4
1996 This is a short guide to setting up Transaction SIGnatures
1997 (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
1998 to the configuration file as well as what changes are required for
1999 different features, including the process of creating transaction
2000 keys and using transaction signatures with <acronym>BIND</acronym>.
2003 <acronym>BIND</acronym> primarily supports TSIG for server
2004 to server communication.
2005 This includes zone transfer, notify, and recursive query messages.
2006 Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
2011 TSIG can also be useful for dynamic update. A primary
2012 server for a dynamic zone should control access to the dynamic
2013 update service, but IP-based access control is insufficient.
2014 The cryptographic access control provided by TSIG
2015 is far superior. The <command>nsupdate</command>
2016 program supports TSIG via the <option>-k</option> and
2017 <option>-y</option> command line options or inline by use
2018 of the <command>key</command>.
2022 <title>Generate Shared Keys for Each Pair of Hosts</title>
2024 A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
2025 An arbitrary key name is chosen: "host1-host2.". The key name must
2026 be the same on both hosts.
2029 <title>Automatic Generation</title>
2031 The following command will generate a 128-bit (16 byte) HMAC-MD5
2032 key as described above. Longer keys are better, but shorter keys
2033 are easier to read. Note that the maximum key length is 512 bits;
2034 keys longer than that will be digested with MD5 to produce a
2038 <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
2041 The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
2042 Nothing directly uses this file, but the base-64 encoded string
2043 following "<literal>Key:</literal>"
2044 can be extracted from the file and used as a shared secret:
2046 <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
2048 The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
2049 be used as the shared secret.
2053 <title>Manual Generation</title>
2055 The shared secret is simply a random sequence of bits, encoded
2056 in base-64. Most ASCII strings are valid base-64 strings (assuming
2057 the length is a multiple of 4 and only valid characters are used),
2058 so the shared secret can be manually generated.
2061 Also, a known string can be run through <command>mmencode</command> or
2062 a similar program to generate base-64 encoded data.
2067 <title>Copying the Shared Secret to Both Machines</title>
2069 This is beyond the scope of DNS. A secure transport mechanism
2070 should be used. This could be secure FTP, ssh, telephone, etc.
2074 <title>Informing the Servers of the Key's Existence</title>
2076 Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
2078 both servers. The following is added to each server's <filename>named.conf</filename> file:
2084 secret "La/E5CjG9O+os1jq0a2jdA==";
2089 The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
2090 The secret is the one generated above. Since this is a secret, it
2091 is recommended that either <filename>named.conf</filename> be non-world
2092 readable, or the key directive be added to a non-world readable
2093 file that is included by
2094 <filename>named.conf</filename>.
2097 At this point, the key is recognized. This means that if the
2098 server receives a message signed by this key, it can verify the
2099 signature. If the signature is successfully verified, the
2100 response is signed by the same key.
2105 <title>Instructing the Server to Use the Key</title>
2107 Since keys are shared between two hosts only, the server must
2108 be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
2109 for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
2115 keys { host1-host2. ;};
2120 Multiple keys may be present, but only the first is used.
2121 This directive does not contain any secrets, so it may be in a
2126 If <emphasis>host1</emphasis> sends a message that is a request
2127 to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
2128 expect any responses to signed messages to be signed with the same
2132 A similar statement must be present in <emphasis>host2</emphasis>'s
2133 configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
2134 sign request messages to <emphasis>host1</emphasis>.
2138 <title>TSIG Key Based Access Control</title>
2140 <acronym>BIND</acronym> allows IP addresses and ranges
2141 to be specified in ACL
2143 <command>allow-{ query | transfer | update }</command>
2145 This has been extended to allow TSIG keys also. The above key would
2146 be denoted <command>key host1-host2.</command>
2149 An example of an allow-update directive would be:
2153 allow-update { key host1-host2. ;};
2157 This allows dynamic updates to succeed only if the request
2158 was signed by a key named
2159 "<command>host1-host2.</command>".
2162 You may want to read about the more
2163 powerful <command>update-policy</command> statement in <xref linkend="dynamic_update_policies"/>.
2168 <title>Errors</title>
2171 The processing of TSIG signed messages can result in
2172 several errors. If a signed message is sent to a non-TSIG aware
2173 server, a FORMERR (format error) will be returned, since the server will not
2174 understand the record. This is a result of misconfiguration,
2175 since the server must be explicitly configured to send a TSIG
2176 signed message to a specific server.
2180 If a TSIG aware server receives a message signed by an
2181 unknown key, the response will be unsigned with the TSIG
2182 extended error code set to BADKEY. If a TSIG aware server
2183 receives a message with a signature that does not validate, the
2184 response will be unsigned with the TSIG extended error code set
2185 to BADSIG. If a TSIG aware server receives a message with a time
2186 outside of the allowed range, the response will be signed with
2187 the TSIG extended error code set to BADTIME, and the time values
2188 will be adjusted so that the response can be successfully
2189 verified. In any of these cases, the message's rcode (response code) is set to
2190 NOTAUTH (not authenticated).
2198 <para><command>TKEY</command>
2199 is a mechanism for automatically generating a shared secret
2200 between two hosts. There are several "modes" of
2201 <command>TKEY</command> that specify how the key is generated
2202 or assigned. <acronym>BIND</acronym> 9 implements only one of
2203 these modes, the Diffie-Hellman key exchange. Both hosts are
2204 required to have a Diffie-Hellman KEY record (although this
2205 record is not required to be present in a zone). The
2206 <command>TKEY</command> process must use signed messages,
2207 signed either by TSIG or SIG(0). The result of
2208 <command>TKEY</command> is a shared secret that can be used to
2209 sign messages with TSIG. <command>TKEY</command> can also be
2210 used to delete shared secrets that it had previously
2215 The <command>TKEY</command> process is initiated by a
2217 or server by sending a signed <command>TKEY</command>
2219 (including any appropriate KEYs) to a TKEY-aware server. The
2220 server response, if it indicates success, will contain a
2221 <command>TKEY</command> record and any appropriate keys.
2223 this exchange, both participants have enough information to
2224 determine the shared secret; the exact process depends on the
2225 <command>TKEY</command> mode. When using the
2227 <command>TKEY</command> mode, Diffie-Hellman keys are
2229 and the shared secret is derived by both participants.
2234 <title>SIG(0)</title>
2237 <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
2238 transaction signatures as specified in RFC 2535 and RFC2931.
2240 uses public/private keys to authenticate messages. Access control
2241 is performed in the same manner as TSIG keys; privileges can be
2242 granted or denied based on the key name.
2246 When a SIG(0) signed message is received, it will only be
2247 verified if the key is known and trusted by the server; the server
2248 will not attempt to locate and/or validate the key.
2252 SIG(0) signing of multiple-message TCP streams is not
2257 The only tool shipped with <acronym>BIND</acronym> 9 that
2258 generates SIG(0) signed messages is <command>nsupdate</command>.
2263 <title>DNSSEC</title>
2266 Cryptographic authentication of DNS information is possible
2267 through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
2268 defined in RFC 4033, RFC 4034, and RFC 4035.
2269 This section describes the creation and use of DNSSEC signed zones.
2273 In order to set up a DNSSEC secure zone, there are a series
2274 of steps which must be followed. <acronym>BIND</acronym>
2277 that are used in this process, which are explained in more detail
2278 below. In all cases, the <option>-h</option> option prints a
2279 full list of parameters. Note that the DNSSEC tools require the
2280 keyset files to be in the working directory or the
2281 directory specified by the <option>-d</option> option, and
2282 that the tools shipped with BIND 9.2.x and earlier are not compatible
2283 with the current ones.
2287 There must also be communication with the administrators of
2288 the parent and/or child zone to transmit keys. A zone's security
2289 status must be indicated by the parent zone for a DNSSEC capable
2290 resolver to trust its data. This is done through the presence
2291 or absence of a <literal>DS</literal> record at the
2297 For other servers to trust data in this zone, they must
2298 either be statically configured with this zone's zone key or the
2299 zone key of another zone above this one in the DNS tree.
2303 <title>Generating Keys</title>
2306 The <command>dnssec-keygen</command> program is used to
2311 A secure zone must contain one or more zone keys. The
2312 zone keys will sign all other records in the zone, as well as
2313 the zone keys of any secure delegated zones. Zone keys must
2314 have the same name as the zone, a name type of
2315 <command>ZONE</command>, and must be usable for
2317 It is recommended that zone keys use a cryptographic algorithm
2318 designated as "mandatory to implement" by the IETF; currently
2319 the only one is RSASHA1.
2323 The following command will generate a 768-bit RSASHA1 key for
2324 the <filename>child.example</filename> zone:
2328 <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
2332 Two output files will be produced:
2333 <filename>Kchild.example.+005+12345.key</filename> and
2334 <filename>Kchild.example.+005+12345.private</filename>
2336 12345 is an example of a key tag). The key filenames contain
2337 the key name (<filename>child.example.</filename>),
2339 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
2341 The private key (in the <filename>.private</filename>
2343 used to generate signatures, and the public key (in the
2344 <filename>.key</filename> file) is used for signature
2349 To generate another key with the same properties (but with
2350 a different key tag), repeat the above command.
2354 The public keys should be inserted into the zone file by
2355 including the <filename>.key</filename> files using
2356 <command>$INCLUDE</command> statements.
2361 <title>Signing the Zone</title>
2364 The <command>dnssec-signzone</command> program is used
2370 Any <filename>keyset</filename> files corresponding
2371 to secure subzones should be present. The zone signer will
2372 generate <literal>NSEC</literal> and <literal>RRSIG</literal>
2373 records for the zone, as well as <literal>DS</literal>
2375 the child zones if <literal>'-d'</literal> is specified.
2376 If <literal>'-d'</literal> is not specified, then
2378 the secure child zones need to be added manually.
2382 The following command signs the zone, assuming it is in a
2383 file called <filename>zone.child.example</filename>. By
2384 default, all zone keys which have an available private key are
2385 used to generate signatures.
2389 <userinput>dnssec-signzone -o child.example zone.child.example</userinput>
2393 One output file is produced:
2394 <filename>zone.child.example.signed</filename>. This
2396 should be referenced by <filename>named.conf</filename>
2398 input file for the zone.
2401 <para><command>dnssec-signzone</command>
2402 will also produce a keyset and dsset files and optionally a
2403 dlvset file. These are used to provide the parent zone
2404 administrators with the <literal>DNSKEYs</literal> (or their
2405 corresponding <literal>DS</literal> records) that are the
2406 secure entry point to the zone.
2412 <title>Configuring Servers</title>
2415 To enable <command>named</command> to respond appropriately
2416 to DNS requests from DNSSEC aware clients,
2417 <command>dnssec-enable</command> must be set to yes.
2421 To enable <command>named</command> to validate answers from
2422 other servers both <command>dnssec-enable</command> and
2423 <command>dnssec-validation</command> must be set and some
2424 <command>trusted-keys</command> must be configured
2425 into <filename>named.conf</filename>.
2429 <command>trusted-keys</command> are copies of DNSKEY RRs
2430 for zones that are used to form the first link in the
2431 cryptographic chain of trust. All keys listed in
2432 <command>trusted-keys</command> (and corresponding zones)
2433 are deemed to exist and only the listed keys will be used
2434 to validated the DNSKEY RRset that they are from.
2438 <command>trusted-keys</command> are described in more detail
2439 later in this document.
2443 Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
2444 9 does not verify signatures on load, so zone keys for
2445 authoritative zones do not need to be specified in the
2450 After DNSSEC gets established, a typical DNSSEC configuration
2451 will look something like the following. It has a one or
2452 more public keys for the root. This allows answers from
2453 outside the organization to be validated. It will also
2454 have several keys for parts of the namespace the organization
2455 controls. These are here to ensure that named is immune
2456 to compromises in the DNSSEC components of the security
2464 "." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
2465 E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
2466 zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
2467 MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
2468 /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
2469 iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
2470 Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
2472 /* Key for our organization's forward zone */
2473 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
2474 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
2475 OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
2476 lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
2477 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
2478 iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
2479 SCThlHf3xiYleDbt/o1OTQ09A0=";
2481 /* Key for our reverse zone. */
2482 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
2483 VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
2484 tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
2485 yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
2486 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
2487 zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
2488 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
2489 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
2495 dnssec-validation yes;
2500 None of the keys listed in this example are valid. In particular,
2501 the root key is not valid.
2508 <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
2511 <acronym>BIND</acronym> 9 fully supports all currently
2512 defined forms of IPv6
2513 name to address and address to name lookups. It will also use
2514 IPv6 addresses to make queries when running on an IPv6 capable
2519 For forward lookups, <acronym>BIND</acronym> 9 supports
2520 only AAAA records. RFC 3363 deprecated the use of A6 records,
2521 and client-side support for A6 records was accordingly removed
2522 from <acronym>BIND</acronym> 9.
2523 However, authoritative <acronym>BIND</acronym> 9 name servers still
2524 load zone files containing A6 records correctly, answer queries
2525 for A6 records, and accept zone transfer for a zone containing A6
2530 For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
2531 the traditional "nibble" format used in the
2532 <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
2533 <emphasis>ip6.int</emphasis> domain.
2534 Older versions of <acronym>BIND</acronym> 9
2535 supported the "binary label" (also known as "bitstring") format,
2536 but support of binary labels has been completely removed per
2538 Many applications in <acronym>BIND</acronym> 9 do not understand
2539 the binary label format at all any more, and will return an
2541 In particular, an authoritative <acronym>BIND</acronym> 9
2542 name server will not load a zone file containing binary labels.
2546 For an overview of the format and structure of IPv6 addresses,
2547 see <xref linkend="ipv6addresses"/>.
2551 <title>Address Lookups Using AAAA Records</title>
2554 The IPv6 AAAA record is a parallel to the IPv4 A record,
2555 and, unlike the deprecated A6 record, specifies the entire
2556 IPv6 address in a single record. For example,
2560 $ORIGIN example.com.
2561 host 3600 IN AAAA 2001:db8::1
2565 Use of IPv4-in-IPv6 mapped addresses is not recommended.
2566 If a host has an IPv4 address, use an A record, not
2567 a AAAA, with <literal>::ffff:192.168.42.1</literal> as
2572 <title>Address to Name Lookups Using Nibble Format</title>
2575 When looking up an address in nibble format, the address
2576 components are simply reversed, just as in IPv4, and
2577 <literal>ip6.arpa.</literal> is appended to the
2579 For example, the following would provide reverse name lookup for
2581 <literal>2001:db8::1</literal>.
2585 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
2586 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
2593 <chapter id="Bv9ARM.ch05">
2594 <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
2596 <title>The Lightweight Resolver Library</title>
2598 Traditionally applications have been linked with a stub resolver
2599 library that sends recursive DNS queries to a local caching name
2603 IPv6 once introduced new complexity into the resolution process,
2604 such as following A6 chains and DNAME records, and simultaneous
2605 lookup of IPv4 and IPv6 addresses. Though most of the complexity was
2606 then removed, these are hard or impossible
2607 to implement in a traditional stub resolver.
2610 <acronym>BIND</acronym> 9 therefore can also provide resolution
2611 services to local clients
2612 using a combination of a lightweight resolver library and a resolver
2613 daemon process running on the local host. These communicate using
2614 a simple UDP-based protocol, the "lightweight resolver protocol"
2615 that is distinct from and simpler than the full DNS protocol.
2619 <title>Running a Resolver Daemon</title>
2622 To use the lightweight resolver interface, the system must
2623 run the resolver daemon <command>lwresd</command> or a
2625 name server configured with a <command>lwres</command>
2630 By default, applications using the lightweight resolver library will
2632 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
2634 address can be overridden by <command>lwserver</command>
2636 <filename>/etc/resolv.conf</filename>.
2640 The daemon currently only looks in the DNS, but in the future
2641 it may use other sources such as <filename>/etc/hosts</filename>,
2646 The <command>lwresd</command> daemon is essentially a
2647 caching-only name server that responds to requests using the
2649 resolver protocol rather than the DNS protocol. Because it needs
2650 to run on each host, it is designed to require no or minimal
2652 Unless configured otherwise, it uses the name servers listed on
2653 <command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
2654 as forwarders, but is also capable of doing the resolution
2659 The <command>lwresd</command> daemon may also be
2661 <filename>named.conf</filename> style configuration file,
2663 <filename>/etc/lwresd.conf</filename> by default. A name
2665 be configured to act as a lightweight resolver daemon using the
2666 <command>lwres</command> statement in <filename>named.conf</filename>.
2672 <chapter id="Bv9ARM.ch06">
2673 <title><acronym>BIND</acronym> 9 Configuration Reference</title>
2676 <acronym>BIND</acronym> 9 configuration is broadly similar
2677 to <acronym>BIND</acronym> 8; however, there are a few new
2679 of configuration, such as views. <acronym>BIND</acronym>
2680 8 configuration files should work with few alterations in <acronym>BIND</acronym>
2681 9, although more complex configurations should be reviewed to check
2682 if they can be more efficiently implemented using the new features
2683 found in <acronym>BIND</acronym> 9.
2687 <acronym>BIND</acronym> 4 configuration files can be
2688 converted to the new format
2689 using the shell script
2690 <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
2692 <sect1 id="configuration_file_elements">
2693 <title>Configuration File Elements</title>
2695 Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
2698 <informaltable colsep="0" rowsep="0">
2699 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
2700 <colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
2701 <colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
2706 <varname>acl_name</varname>
2711 The name of an <varname>address_match_list</varname> as
2712 defined by the <command>acl</command> statement.
2719 <varname>address_match_list</varname>
2724 A list of one or more
2725 <varname>ip_addr</varname>,
2726 <varname>ip_prefix</varname>, <varname>key_id</varname>,
2727 or <varname>acl_name</varname> elements, see
2728 <xref linkend="address_match_lists"/>.
2735 <varname>masters_list</varname>
2740 A named list of one or more <varname>ip_addr</varname>
2741 with optional <varname>key_id</varname> and/or
2742 <varname>ip_port</varname>.
2743 A <varname>masters_list</varname> may include other
2744 <varname>masters_lists</varname>.
2751 <varname>domain_name</varname>
2756 A quoted string which will be used as
2757 a DNS name, for example "<literal>my.test.domain</literal>".
2764 <varname>dotted_decimal</varname>
2769 One to four integers valued 0 through
2770 255 separated by dots (`.'), such as <command>123</command>,
2771 <command>45.67</command> or <command>89.123.45.67</command>.
2778 <varname>ip4_addr</varname>
2783 An IPv4 address with exactly four elements
2784 in <varname>dotted_decimal</varname> notation.
2791 <varname>ip6_addr</varname>
2796 An IPv6 address, such as <command>2001:db8::1234</command>.
2797 IPv6 scoped addresses that have ambiguity on their scope
2799 disambiguated by an appropriate zone ID with the percent
2802 It is strongly recommended to use string zone names rather
2804 numeric identifiers, in order to be robust against system
2805 configuration changes.
2806 However, since there is no standard mapping for such names
2808 identifier values, currently only interface names as link
2810 are supported, assuming one-to-one mapping between
2811 interfaces and links.
2812 For example, a link-local address <command>fe80::1</command> on the
2813 link attached to the interface <command>ne0</command>
2814 can be specified as <command>fe80::1%ne0</command>.
2815 Note that on most systems link-local addresses always have
2817 ambiguity, and need to be disambiguated.
2824 <varname>ip_addr</varname>
2829 An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
2836 <varname>ip_port</varname>
2841 An IP port <varname>number</varname>.
2842 The <varname>number</varname> is limited to 0
2843 through 65535, with values
2844 below 1024 typically restricted to use by processes running
2846 In some cases, an asterisk (`*') character can be used as a
2848 select a random high-numbered port.
2855 <varname>ip_prefix</varname>
2860 An IP network specified as an <varname>ip_addr</varname>,
2861 followed by a slash (`/') and then the number of bits in the
2863 Trailing zeros in a <varname>ip_addr</varname>
2865 For example, <command>127/8</command> is the
2866 network <command>127.0.0.0</command> with
2867 netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
2868 network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
2875 <varname>key_id</varname>
2880 A <varname>domain_name</varname> representing
2881 the name of a shared key, to be used for transaction
2889 <varname>key_list</varname>
2894 A list of one or more
2895 <varname>key_id</varname>s,
2896 separated by semicolons and ending with a semicolon.
2903 <varname>number</varname>
2908 A non-negative 32-bit integer
2909 (i.e., a number between 0 and 4294967295, inclusive).
2910 Its acceptable value might further
2911 be limited by the context in which it is used.
2918 <varname>path_name</varname>
2923 A quoted string which will be used as
2924 a pathname, such as <filename>zones/master/my.test.domain</filename>.
2931 <varname>port_list</varname>
2936 A list of an <varname>ip_port</varname> or a port
2938 A port range is specified in the form of
2939 <userinput>range</userinput> followed by
2940 two <varname>ip_port</varname>s,
2941 <varname>port_low</varname> and
2942 <varname>port_high</varname>, which represents
2943 port numbers from <varname>port_low</varname> through
2944 <varname>port_high</varname>, inclusive.
2945 <varname>port_low</varname> must not be larger than
2946 <varname>port_high</varname>.
2948 <userinput>range 1024 65535</userinput> represents
2949 ports from 1024 through 65535.
2950 In either case an asterisk (`*') character is not
2951 allowed as a valid <varname>ip_port</varname>.
2958 <varname>size_spec</varname>
2963 A number, the word <userinput>unlimited</userinput>,
2964 or the word <userinput>default</userinput>.
2967 An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
2968 use, or the maximum available amount. A <varname>default size_spec</varname> uses
2969 the limit that was in force when the server was started.
2972 A <varname>number</varname> can optionally be
2973 followed by a scaling factor:
2974 <userinput>K</userinput> or <userinput>k</userinput>
2976 <userinput>M</userinput> or <userinput>m</userinput>
2978 <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
2979 which scale by 1024, 1024*1024, and 1024*1024*1024
2983 The value must be representable as a 64-bit unsigned integer
2984 (0 to 18446744073709551615, inclusive).
2985 Using <varname>unlimited</varname> is the best
2987 to safely set a really large number.
2994 <varname>yes_or_no</varname>
2999 Either <userinput>yes</userinput> or <userinput>no</userinput>.
3000 The words <userinput>true</userinput> and <userinput>false</userinput> are
3001 also accepted, as are the numbers <userinput>1</userinput>
3002 and <userinput>0</userinput>.
3009 <varname>dialup_option</varname>
3014 One of <userinput>yes</userinput>,
3015 <userinput>no</userinput>, <userinput>notify</userinput>,
3016 <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
3017 <userinput>passive</userinput>.
3018 When used in a zone, <userinput>notify-passive</userinput>,
3019 <userinput>refresh</userinput>, and <userinput>passive</userinput>
3020 are restricted to slave and stub zones.
3027 <sect2 id="address_match_lists">
3028 <title>Address Match Lists</title>
3030 <title>Syntax</title>
3032 <programlisting><varname>address_match_list</varname> = address_match_list_element ;
3033 <optional> address_match_list_element; ... </optional>
3034 <varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
3035 key key_id | acl_name | { address_match_list } )
3040 <title>Definition and Usage</title>
3042 Address match lists are primarily used to determine access
3043 control for various server operations. They are also used in
3044 the <command>listen-on</command> and <command>sortlist</command>
3045 statements. The elements
3046 which constitute an address match list can be any of the
3051 <simpara>an IP address (IPv4 or IPv6)</simpara>
3054 <simpara>an IP prefix (in `/' notation)</simpara>
3058 a key ID, as defined by the <command>key</command>
3063 <simpara>the name of an address match list defined with
3064 the <command>acl</command> statement
3068 <simpara>a nested address match list enclosed in braces</simpara>
3073 Elements can be negated with a leading exclamation mark (`!'),
3074 and the match list names "any", "none", "localhost", and
3076 are predefined. More information on those names can be found in
3077 the description of the acl statement.
3081 The addition of the key clause made the name of this syntactic
3082 element something of a misnomer, since security keys can be used
3083 to validate access without regard to a host or network address.
3085 the term "address match list" is still used throughout the
3090 When a given IP address or prefix is compared to an address
3091 match list, the list is traversed in order until an element
3093 The interpretation of a match depends on whether the list is being
3095 for access control, defining listen-on ports, or in a sortlist,
3096 and whether the element was negated.
3100 When used as an access control list, a non-negated match
3101 allows access and a negated match denies access. If
3102 there is no match, access is denied. The clauses
3103 <command>allow-notify</command>,
3104 <command>allow-query</command>,
3105 <command>allow-query-cache</command>,
3106 <command>allow-transfer</command>,
3107 <command>allow-update</command>,
3108 <command>allow-update-forwarding</command>, and
3109 <command>blackhole</command> all use address match
3110 lists. Similarly, the listen-on option will cause the
3111 server to not accept queries on any of the machine's
3112 addresses which do not match the list.
3116 Because of the first-match aspect of the algorithm, an element
3117 that defines a subset of another element in the list should come
3118 before the broader element, regardless of whether either is
3121 <command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13
3123 completely useless because the algorithm will match any lookup for
3124 1.2.3.13 to the 1.2.3/24 element.
3125 Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
3126 that problem by having 1.2.3.13 blocked by the negation but all
3127 other 1.2.3.* hosts fall through.
3133 <title>Comment Syntax</title>
3136 The <acronym>BIND</acronym> 9 comment syntax allows for
3138 anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
3139 file. To appeal to programmers of all kinds, they can be written
3140 in the C, C++, or shell/perl style.
3144 <title>Syntax</title>
3147 <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
3148 <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
3149 <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
3153 <title>Definition and Usage</title>
3155 Comments may appear anywhere that whitespace may appear in
3156 a <acronym>BIND</acronym> configuration file.
3159 C-style comments start with the two characters /* (slash,
3160 star) and end with */ (star, slash). Because they are completely
3161 delimited with these characters, they can be used to comment only
3162 a portion of a line or to span multiple lines.
3165 C-style comments cannot be nested. For example, the following
3166 is not valid because the entire comment ends with the first */:
3170 <programlisting>/* This is the start of a comment.
3171 This is still part of the comment.
3172 /* This is an incorrect attempt at nesting a comment. */
3173 This is no longer in any comment. */
3179 C++-style comments start with the two characters // (slash,
3180 slash) and continue to the end of the physical line. They cannot
3181 be continued across multiple physical lines; to have one logical
3182 comment span multiple lines, each line must use the // pair.
3189 <programlisting>// This is the start of a comment. The next line
3190 // is a new comment, even though it is logically
3191 // part of the previous comment.
3196 Shell-style (or perl-style, if you prefer) comments start
3197 with the character <literal>#</literal> (number sign)
3198 and continue to the end of the
3199 physical line, as in C++ comments.
3207 <programlisting># This is the start of a comment. The next line
3208 # is a new comment, even though it is logically
3209 # part of the previous comment.
3216 You cannot use the semicolon (`;') character
3217 to start a comment such as you would in a zone file. The
3218 semicolon indicates the end of a configuration
3226 <sect1 id="Configuration_File_Grammar">
3227 <title>Configuration File Grammar</title>
3230 A <acronym>BIND</acronym> 9 configuration consists of
3231 statements and comments.
3232 Statements end with a semicolon. Statements and comments are the
3233 only elements that can appear without enclosing braces. Many
3234 statements contain a block of sub-statements, which are also
3235 terminated with a semicolon.
3239 The following statements are supported:
3242 <informaltable colsep="0" rowsep="0">
3243 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
3244 <colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
3245 <colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
3249 <para><command>acl</command></para>
3253 defines a named IP address
3254 matching list, for access control and other uses.
3260 <para><command>controls</command></para>
3264 declares control channels to be used
3265 by the <command>rndc</command> utility.
3271 <para><command>include</command></para>
3281 <para><command>key</command></para>
3285 specifies key information for use in
3286 authentication and authorization using TSIG.
3292 <para><command>logging</command></para>
3296 specifies what the server logs, and where
3297 the log messages are sent.
3303 <para><command>lwres</command></para>
3307 configures <command>named</command> to
3308 also act as a light-weight resolver daemon (<command>lwresd</command>).
3314 <para><command>masters</command></para>
3318 defines a named masters list for
3319 inclusion in stub and slave zone masters clauses.
3325 <para><command>options</command></para>
3329 controls global server configuration
3330 options and sets defaults for other statements.
3336 <para><command>server</command></para>
3340 sets certain configuration options on
3347 <para><command>trusted-keys</command></para>
3351 defines trusted DNSSEC keys.
3357 <para><command>view</command></para>
3367 <para><command>zone</command></para>
3380 The <command>logging</command> and
3381 <command>options</command> statements may only occur once
3387 <title><command>acl</command> Statement Grammar</title>
3389 <programlisting><command>acl</command> acl-name {
3396 <title><command>acl</command> Statement Definition and
3400 The <command>acl</command> statement assigns a symbolic
3401 name to an address match list. It gets its name from a primary
3402 use of address match lists: Access Control Lists (ACLs).
3406 Note that an address match list's name must be defined
3407 with <command>acl</command> before it can be used
3409 forward references are allowed.
3413 The following ACLs are built-in:
3416 <informaltable colsep="0" rowsep="0">
3417 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
3418 <colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
3419 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
3423 <para><command>any</command></para>
3433 <para><command>none</command></para>
3443 <para><command>localhost</command></para>
3447 Matches the IPv4 and IPv6 addresses of all network
3448 interfaces on the system.
3454 <para><command>localnets</command></para>
3458 Matches any host on an IPv4 or IPv6 network
3459 for which the system has an interface.
3460 Some systems do not provide a way to determine the prefix
3462 local IPv6 addresses.
3463 In such a case, <command>localnets</command>
3464 only matches the local
3465 IPv6 addresses, just like <command>localhost</command>.
3475 <title><command>controls</command> Statement Grammar</title>
3477 <programlisting><command>controls</command> {
3478 [ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
3479 keys { <replaceable>key_list</replaceable> }; ]
3481 [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
3488 <sect2 id="controls_statement_definition_and_usage">
3489 <title><command>controls</command> Statement Definition and
3493 The <command>controls</command> statement declares control
3494 channels to be used by system administrators to control the
3495 operation of the name server. These control channels are
3496 used by the <command>rndc</command> utility to send
3497 commands to and retrieve non-DNS results from a name server.
3501 An <command>inet</command> control channel is a TCP socket
3502 listening at the specified <command>ip_port</command> on the
3503 specified <command>ip_addr</command>, which can be an IPv4 or IPv6
3504 address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
3505 interpreted as the IPv4 wildcard address; connections will be
3506 accepted on any of the system's IPv4 addresses.
3507 To listen on the IPv6 wildcard address,
3508 use an <command>ip_addr</command> of <literal>::</literal>.
3509 If you will only use <command>rndc</command> on the local host,
3510 using the loopback address (<literal>127.0.0.1</literal>
3511 or <literal>::1</literal>) is recommended for maximum security.
3515 If no port is specified, port 953 is used. The asterisk
3516 "<literal>*</literal>" cannot be used for <command>ip_port</command>.
3520 The ability to issue commands over the control channel is
3521 restricted by the <command>allow</command> and
3522 <command>keys</command> clauses.
3523 Connections to the control channel are permitted based on the
3524 <command>address_match_list</command>. This is for simple
3525 IP address based filtering only; any <command>key_id</command>
3526 elements of the <command>address_match_list</command>
3531 A <command>unix</command> control channel is a UNIX domain
3532 socket listening at the specified path in the file system.
3533 Access to the socket is specified by the <command>perm</command>,
3534 <command>owner</command> and <command>group</command> clauses.
3535 Note on some platforms (SunOS and Solaris) the permissions
3536 (<command>perm</command>) are applied to the parent directory
3537 as the permissions on the socket itself are ignored.
3541 The primary authorization mechanism of the command
3542 channel is the <command>key_list</command>, which
3543 contains a list of <command>key_id</command>s.
3544 Each <command>key_id</command> in the <command>key_list</command>
3545 is authorized to execute commands over the control channel.
3546 See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
3547 for information about configuring keys in <command>rndc</command>.
3551 If no <command>controls</command> statement is present,
3552 <command>named</command> will set up a default
3553 control channel listening on the loopback address 127.0.0.1
3554 and its IPv6 counterpart ::1.
3555 In this case, and also when the <command>controls</command> statement
3556 is present but does not have a <command>keys</command> clause,
3557 <command>named</command> will attempt to load the command channel key
3558 from the file <filename>rndc.key</filename> in
3559 <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
3560 was specified as when <acronym>BIND</acronym> was built).
3561 To create a <filename>rndc.key</filename> file, run
3562 <userinput>rndc-confgen -a</userinput>.
3566 The <filename>rndc.key</filename> feature was created to
3567 ease the transition of systems from <acronym>BIND</acronym> 8,
3568 which did not have digital signatures on its command channel
3569 messages and thus did not have a <command>keys</command> clause.
3571 It makes it possible to use an existing <acronym>BIND</acronym> 8
3572 configuration file in <acronym>BIND</acronym> 9 unchanged,
3573 and still have <command>rndc</command> work the same way
3574 <command>ndc</command> worked in BIND 8, simply by executing the
3575 command <userinput>rndc-confgen -a</userinput> after BIND 9 is
3580 Since the <filename>rndc.key</filename> feature
3581 is only intended to allow the backward-compatible usage of
3582 <acronym>BIND</acronym> 8 configuration files, this
3584 have a high degree of configurability. You cannot easily change
3585 the key name or the size of the secret, so you should make a
3586 <filename>rndc.conf</filename> with your own key if you
3588 those things. The <filename>rndc.key</filename> file
3590 permissions set such that only the owner of the file (the user that
3591 <command>named</command> is running as) can access it.
3593 desire greater flexibility in allowing other users to access
3594 <command>rndc</command> commands, then you need to create
3596 <filename>rndc.conf</filename> file and make it group
3598 that contains the users who should have access.
3602 To disable the command channel, use an empty
3603 <command>controls</command> statement:
3604 <command>controls { };</command>.
3609 <title><command>include</command> Statement Grammar</title>
3610 <programlisting><command>include</command> <replaceable>filename</replaceable>;</programlisting>
3613 <title><command>include</command> Statement Definition and
3617 The <command>include</command> statement inserts the
3618 specified file at the point where the <command>include</command>
3619 statement is encountered. The <command>include</command>
3620 statement facilitates the administration of configuration
3622 by permitting the reading or writing of some things but not
3623 others. For example, the statement could include private keys
3624 that are readable only by the name server.
3629 <title><command>key</command> Statement Grammar</title>
3631 <programlisting><command>key</command> <replaceable>key_id</replaceable> {
3632 algorithm <replaceable>string</replaceable>;
3633 secret <replaceable>string</replaceable>;
3640 <title><command>key</command> Statement Definition and Usage</title>
3643 The <command>key</command> statement defines a shared
3644 secret key for use with TSIG (see <xref linkend="tsig"/>)
3645 or the command channel
3646 (see <xref linkend="controls_statement_definition_and_usage"/>).
3650 The <command>key</command> statement can occur at the
3652 of the configuration file or inside a <command>view</command>
3653 statement. Keys defined in top-level <command>key</command>
3654 statements can be used in all views. Keys intended for use in
3655 a <command>controls</command> statement
3656 (see <xref linkend="controls_statement_definition_and_usage"/>)
3657 must be defined at the top level.
3661 The <replaceable>key_id</replaceable>, also known as the
3662 key name, is a domain name uniquely identifying the key. It can
3663 be used in a <command>server</command>
3664 statement to cause requests sent to that
3665 server to be signed with this key, or in address match lists to
3666 verify that incoming requests have been signed with a key
3667 matching this name, algorithm, and secret.
3671 The <replaceable>algorithm_id</replaceable> is a string
3672 that specifies a security/authentication algorithm. Named
3673 supports <literal>hmac-md5</literal>,
3674 <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
3675 <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
3676 and <literal>hmac-sha512</literal> TSIG authentication.
3677 Truncated hashes are supported by appending the minimum
3678 number of required bits preceded by a dash, e.g.
3679 <literal>hmac-sha1-80</literal>. The
3680 <replaceable>secret_string</replaceable> is the secret
3681 to be used by the algorithm, and is treated as a base-64
3687 <title><command>logging</command> Statement Grammar</title>
3689 <programlisting><command>logging</command> {
3690 [ <command>channel</command> <replaceable>channel_name</replaceable> {
3691 ( <command>file</command> <replaceable>path name</replaceable>
3692 [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
3693 [ <command>size</command> <replaceable>size spec</replaceable> ]
3694 | <command>syslog</command> <replaceable>syslog_facility</replaceable>
3695 | <command>stderr</command>
3696 | <command>null</command> );
3697 [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
3698 <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
3699 [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
3700 [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
3701 [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
3703 [ <command>category</command> <replaceable>category_name</replaceable> {
3704 <replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
3713 <title><command>logging</command> Statement Definition and
3717 The <command>logging</command> statement configures a
3719 variety of logging options for the name server. Its <command>channel</command> phrase
3720 associates output methods, format options and severity levels with
3721 a name that can then be used with the <command>category</command> phrase
3722 to select how various classes of messages are logged.
3725 Only one <command>logging</command> statement is used to
3727 as many channels and categories as are wanted. If there is no <command>logging</command> statement,
3728 the logging configuration will be:
3731 <programlisting>logging {
3732 category default { default_syslog; default_debug; };
3733 category unmatched { null; };
3738 In <acronym>BIND</acronym> 9, the logging configuration
3739 is only established when
3740 the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
3741 established as soon as the <command>logging</command>
3743 was parsed. When the server is starting up, all logging messages
3744 regarding syntax errors in the configuration file go to the default
3745 channels, or to standard error if the "<option>-g</option>" option
3750 <title>The <command>channel</command> Phrase</title>
3753 All log output goes to one or more <emphasis>channels</emphasis>;
3754 you can make as many of them as you want.
3758 Every channel definition must include a destination clause that
3759 says whether messages selected for the channel go to a file, to a
3760 particular syslog facility, to the standard error stream, or are
3761 discarded. It can optionally also limit the message severity level
3762 that will be accepted by the channel (the default is
3763 <command>info</command>), and whether to include a
3764 <command>named</command>-generated time stamp, the
3766 and/or severity level (the default is not to include any).
3770 The <command>null</command> destination clause
3771 causes all messages sent to the channel to be discarded;
3772 in that case, other options for the channel are meaningless.
3776 The <command>file</command> destination clause directs
3778 to a disk file. It can include limitations
3779 both on how large the file is allowed to become, and how many
3781 of the file will be saved each time the file is opened.
3785 If you use the <command>versions</command> log file
3787 <command>named</command> will retain that many backup
3788 versions of the file by
3789 renaming them when opening. For example, if you choose to keep
3791 of the file <filename>lamers.log</filename>, then just
3793 <filename>lamers.log.1</filename> is renamed to
3794 <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
3795 to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
3796 renamed to <filename>lamers.log.0</filename>.
3797 You can say <command>versions unlimited</command> to
3799 the number of versions.
3800 If a <command>size</command> option is associated with
3802 then renaming is only done when the file being opened exceeds the
3803 indicated size. No backup versions are kept by default; any
3805 log file is simply appended.
3809 The <command>size</command> option for files is used
3811 growth. If the file ever exceeds the size, then <command>named</command> will
3812 stop writing to the file unless it has a <command>versions</command> option
3813 associated with it. If backup versions are kept, the files are
3815 described above and a new one begun. If there is no
3816 <command>versions</command> option, no more data will
3817 be written to the log
3818 until some out-of-band mechanism removes or truncates the log to
3820 maximum size. The default behavior is not to limit the size of
3826 Example usage of the <command>size</command> and
3827 <command>versions</command> options:
3830 <programlisting>channel an_example_channel {
3831 file "example.log" versions 3 size 20m;
3838 The <command>syslog</command> destination clause
3840 channel to the system log. Its argument is a
3841 syslog facility as described in the <command>syslog</command> man
3842 page. Known facilities are <command>kern</command>, <command>user</command>,
3843 <command>mail</command>, <command>daemon</command>, <command>auth</command>,
3844 <command>syslog</command>, <command>lpr</command>, <command>news</command>,
3845 <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
3846 <command>ftp</command>, <command>local0</command>, <command>local1</command>,
3847 <command>local2</command>, <command>local3</command>, <command>local4</command>,
3848 <command>local5</command>, <command>local6</command> and
3849 <command>local7</command>, however not all facilities
3851 all operating systems.
3852 How <command>syslog</command> will handle messages
3854 this facility is described in the <command>syslog.conf</command> man
3855 page. If you have a system which uses a very old version of <command>syslog</command> that
3856 only uses two arguments to the <command>openlog()</command> function,
3857 then this clause is silently ignored.
3860 The <command>severity</command> clause works like <command>syslog</command>'s
3861 "priorities", except that they can also be used if you are writing
3862 straight to a file rather than using <command>syslog</command>.
3863 Messages which are not at least of the severity level given will
3864 not be selected for the channel; messages of higher severity
3869 If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
3870 will also determine what eventually passes through. For example,
3871 defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
3872 only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
3873 cause messages of severity <command>info</command> and
3874 <command>notice</command> to
3875 be dropped. If the situation were reversed, with <command>named</command> writing
3876 messages of only <command>warning</command> or higher,
3877 then <command>syslogd</command> would
3878 print all messages it received from the channel.
3882 The <command>stderr</command> destination clause
3884 channel to the server's standard error stream. This is intended
3886 use when the server is running as a foreground process, for
3888 when debugging a configuration.
3892 The server can supply extensive debugging information when
3893 it is in debugging mode. If the server's global debug level is
3895 than zero, then debugging mode will be active. The global debug
3896 level is set either by starting the <command>named</command> server
3897 with the <option>-d</option> flag followed by a positive integer,
3898 or by running <command>rndc trace</command>.
3899 The global debug level
3900 can be set to zero, and debugging mode turned off, by running <command>rndc
3901 notrace</command>. All debugging messages in the server have a debug
3902 level, and higher debug levels give more detailed output. Channels
3903 that specify a specific debug severity, for example:
3906 <programlisting>channel specific_debug_level {
3913 will get debugging output of level 3 or less any time the
3914 server is in debugging mode, regardless of the global debugging
3915 level. Channels with <command>dynamic</command>
3917 server's global debug level to determine what messages to print.
3920 If <command>print-time</command> has been turned on,
3922 the date and time will be logged. <command>print-time</command> may
3923 be specified for a <command>syslog</command> channel,
3925 pointless since <command>syslog</command> also prints
3927 time. If <command>print-category</command> is
3929 category of the message will be logged as well. Finally, if <command>print-severity</command> is
3930 on, then the severity level of the message will be logged. The <command>print-</command> options may
3931 be used in any combination, and will always be printed in the
3933 order: time, category, severity. Here is an example where all
3934 three <command>print-</command> options
3939 <computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
3943 There are four predefined channels that are used for
3944 <command>named</command>'s default logging as follows.
3946 used is described in <xref linkend="the_category_phrase"/>.
3949 <programlisting>channel default_syslog {
3950 syslog daemon; // send to syslog's daemon
3952 severity info; // only send priority info
3956 channel default_debug {
3957 file "named.run"; // write to named.run in
3958 // the working directory
3959 // Note: stderr is used instead
3961 // if the server is started
3962 // with the '-f' option.
3963 severity dynamic; // log at the server's
3964 // current debug level
3967 channel default_stderr {
3968 stderr; // writes to stderr
3969 severity info; // only send priority info
3974 null; // toss anything sent to
3980 The <command>default_debug</command> channel has the
3982 property that it only produces output when the server's debug
3984 nonzero. It normally writes to a file called <filename>named.run</filename>
3985 in the server's working directory.
3989 For security reasons, when the "<option>-u</option>"
3990 command line option is used, the <filename>named.run</filename> file
3991 is created only after <command>named</command> has
3993 new UID, and any debug output generated while <command>named</command> is
3994 starting up and still running as root is discarded. If you need
3995 to capture this output, you must run the server with the "<option>-g</option>"
3996 option and redirect standard error to a file.
4000 Once a channel is defined, it cannot be redefined. Thus you
4001 cannot alter the built-in channels directly, but you can modify
4002 the default logging by pointing categories at channels you have
4007 <sect3 id="the_category_phrase">
4008 <title>The <command>category</command> Phrase</title>
4011 There are many categories, so you can send the logs you want
4012 to see wherever you want, without seeing logs you don't want. If
4013 you don't specify a list of channels for a category, then log
4015 in that category will be sent to the <command>default</command> category
4016 instead. If you don't specify a default category, the following
4017 "default default" is used:
4020 <programlisting>category default { default_syslog; default_debug; };
4024 As an example, let's say you want to log security events to
4025 a file, but you also want keep the default logging behavior. You'd
4026 specify the following:
4029 <programlisting>channel my_security_channel {
4030 file "my_security_file";
4034 my_security_channel;
4040 To discard all messages in a category, specify the <command>null</command> channel:
4043 <programlisting>category xfer-out { null; };
4044 category notify { null; };
4048 Following are the available categories and brief descriptions
4049 of the types of log information they contain. More
4050 categories may be added in future <acronym>BIND</acronym> releases.
4052 <informaltable colsep="0" rowsep="0">
4053 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4054 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4055 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
4059 <para><command>default</command></para>
4063 The default category defines the logging
4064 options for those categories where no specific
4065 configuration has been
4072 <para><command>general</command></para>
4076 The catch-all. Many things still aren't
4077 classified into categories, and they all end up here.
4083 <para><command>database</command></para>
4087 Messages relating to the databases used
4088 internally by the name server to store zone and cache
4095 <para><command>security</command></para>
4099 Approval and denial of requests.
4105 <para><command>config</command></para>
4109 Configuration file parsing and processing.
4115 <para><command>resolver</command></para>
4119 DNS resolution, such as the recursive
4120 lookups performed on behalf of clients by a caching name
4127 <para><command>xfer-in</command></para>
4131 Zone transfers the server is receiving.
4137 <para><command>xfer-out</command></para>
4141 Zone transfers the server is sending.
4147 <para><command>notify</command></para>
4151 The NOTIFY protocol.
4157 <para><command>client</command></para>
4161 Processing of client requests.
4167 <para><command>unmatched</command></para>
4171 Messages that named was unable to determine the
4172 class of or for which there was no matching <command>view</command>.
4173 A one line summary is also logged to the <command>client</command> category.
4174 This category is best sent to a file or stderr, by
4175 default it is sent to
4176 the <command>null</command> channel.
4182 <para><command>network</command></para>
4192 <para><command>update</command></para>
4202 <para><command>update-security</command></para>
4206 Approval and denial of update requests.
4212 <para><command>queries</command></para>
4216 Specify where queries should be logged to.
4219 At startup, specifying the category <command>queries</command> will also
4220 enable query logging unless <command>querylog</command> option has been
4224 The query log entry reports the client's IP address and
4225 port number, and the
4226 query name, class and type. It also reports whether the
4228 flag was set (+ if set, - if not set), EDNS was in use
4230 query was signed (S).
4233 <computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
4236 <computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
4242 <para><command>dispatch</command></para>
4246 Dispatching of incoming packets to the
4247 server modules where they are to be processed.
4253 <para><command>dnssec</command></para>
4257 DNSSEC and TSIG protocol processing.
4263 <para><command>lame-servers</command></para>
4267 Lame servers. These are misconfigurations
4268 in remote servers, discovered by BIND 9 when trying to
4270 those servers during resolution.
4276 <para><command>delegation-only</command></para>
4280 Delegation only. Logs queries that have have
4281 been forced to NXDOMAIN as the result of a
4282 delegation-only zone or
4283 a <command>delegation-only</command> in a
4284 hint or stub zone declaration.
4295 <title><command>lwres</command> Statement Grammar</title>
4298 This is the grammar of the <command>lwres</command>
4299 statement in the <filename>named.conf</filename> file:
4302 <programlisting><command>lwres</command> {
4303 <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4304 <optional> view <replaceable>view_name</replaceable>; </optional>
4305 <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
4306 <optional> ndots <replaceable>number</replaceable>; </optional>
4312 <title><command>lwres</command> Statement Definition and Usage</title>
4315 The <command>lwres</command> statement configures the
4317 server to also act as a lightweight resolver server. (See
4318 <xref linkend="lwresd"/>.) There may be multiple
4319 <command>lwres</command> statements configuring
4320 lightweight resolver servers with different properties.
4324 The <command>listen-on</command> statement specifies a
4326 addresses (and ports) that this instance of a lightweight resolver
4328 should accept requests on. If no port is specified, port 921 is
4330 If this statement is omitted, requests will be accepted on
4336 The <command>view</command> statement binds this
4338 lightweight resolver daemon to a view in the DNS namespace, so that
4340 response will be constructed in the same manner as a normal DNS
4342 matching this view. If this statement is omitted, the default view
4344 used, and if there is no default view, an error is triggered.
4348 The <command>search</command> statement is equivalent to
4350 <command>search</command> statement in
4351 <filename>/etc/resolv.conf</filename>. It provides a
4353 which are appended to relative names in queries.
4357 The <command>ndots</command> statement is equivalent to
4359 <command>ndots</command> statement in
4360 <filename>/etc/resolv.conf</filename>. It indicates the
4362 number of dots in a relative domain name that should result in an
4363 exact match lookup before search path elements are appended.
4367 <title><command>masters</command> Statement Grammar</title>
4370 <command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
4376 <title><command>masters</command> Statement Definition and
4378 <para><command>masters</command>
4379 lists allow for a common set of masters to be easily used by
4380 multiple stub and slave zones.
4385 <title><command>options</command> Statement Grammar</title>
4388 This is the grammar of the <command>options</command>
4389 statement in the <filename>named.conf</filename> file:
4392 <programlisting><command>options</command> {
4393 <optional> version <replaceable>version_string</replaceable>; </optional>
4394 <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
4395 <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
4396 <optional> directory <replaceable>path_name</replaceable>; </optional>
4397 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
4398 <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
4399 <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
4400 <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
4401 <optional> cache-file <replaceable>path_name</replaceable>; </optional>
4402 <optional> dump-file <replaceable>path_name</replaceable>; </optional>
4403 <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
4404 <optional> pid-file <replaceable>path_name</replaceable>; </optional>
4405 <optional> recursing-file <replaceable>path_name</replaceable>; </optional>
4406 <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
4407 <optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
4408 <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
4409 <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
4410 <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
4411 <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
4412 <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
4413 <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
4414 <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
4415 <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
4416 <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
4417 <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
4418 <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
4419 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
4420 <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
4421 <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
4422 <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
4423 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
4424 <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
4425 <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
4426 <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
4427 <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
4428 <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
4429 <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
4430 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4431 <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
4432 ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
4433 <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
4435 <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
4436 ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4437 <optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4438 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
4439 <optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
4440 <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4441 <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4442 <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
4443 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
4444 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
4445 <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
4446 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
4447 <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
4448 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
4449 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
4450 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
4451 <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
4452 <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
4453 <optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4454 <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4455 <optional> use-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4456 <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4457 <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4458 <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4459 <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
4460 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4461 <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4462 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4463 <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
4464 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4465 <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4466 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4467 <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
4468 <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
4469 <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
4470 <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
4471 <optional> tcp-clients <replaceable>number</replaceable>; </optional>
4472 <optional> reserved-sockets <replaceable>number</replaceable>; </optional>
4473 <optional> recursive-clients <replaceable>number</replaceable>; </optional>
4474 <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
4475 <optional> serial-queries <replaceable>number</replaceable>; </optional>
4476 <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
4477 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
4478 <optional> transfers-in <replaceable>number</replaceable>; </optional>
4479 <optional> transfers-out <replaceable>number</replaceable>; </optional>
4480 <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
4481 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4482 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4483 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4484 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4485 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
4486 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
4487 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4488 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4489 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4490 <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
4491 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
4492 <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
4493 <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
4494 <optional> files <replaceable>size_spec</replaceable> ; </optional>
4495 <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
4496 <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
4497 <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
4498 <optional> interface-interval <replaceable>number</replaceable>; </optional>
4499 <optional> statistics-interval <replaceable>number</replaceable>; </optional>
4500 <optional> topology { <replaceable>address_match_list</replaceable> }</optional>;
4501 <optional> sortlist { <replaceable>address_match_list</replaceable> }</optional>;
4502 <optional> rrset-order { <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> };
4503 <optional> lame-ttl <replaceable>number</replaceable>; </optional>
4504 <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
4505 <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
4506 <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
4507 <optional> min-roots <replaceable>number</replaceable>; </optional>
4508 <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4509 <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4510 <optional> request-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4511 <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
4512 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
4513 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
4514 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
4515 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
4516 <optional> port <replaceable>ip_port</replaceable>; </optional>
4517 <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
4518 <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
4519 <optional> random-device <replaceable>path_name</replaceable> ; </optional>
4520 <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
4521 <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
4522 <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
4523 <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
4524 <optional> max-udp-size <replaceable>number</replaceable>; </optional>
4525 <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
4526 <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
4527 <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
4528 <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
4529 <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
4530 <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
4531 <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
4532 <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
4533 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
4534 <optional> empty-server <replaceable>name</replaceable> ; </optional>
4535 <optional> empty-contact <replaceable>name</replaceable> ; </optional>
4536 <optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
4537 <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
4538 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
4539 <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
4545 <sect2 id="options">
4546 <title><command>options</command> Statement Definition and
4550 The <command>options</command> statement sets up global
4552 to be used by <acronym>BIND</acronym>. This statement
4554 once in a configuration file. If there is no <command>options</command>
4555 statement, an options block with each option set to its default will
4562 <term><command>directory</command></term>
4565 The working directory of the server.
4566 Any non-absolute pathnames in the configuration file will be
4568 as relative to this directory. The default location for most
4570 output files (e.g. <filename>named.run</filename>)
4572 If a directory is not specified, the working directory
4573 defaults to `<filename>.</filename>', the directory from
4575 was started. The directory specified should be an absolute
4582 <term><command>key-directory</command></term>
4585 When performing dynamic update of secure zones, the
4586 directory where the public and private key files should be
4588 if different than the current working directory. The
4590 must be an absolute path.
4596 <term><command>named-xfer</command></term>
4599 <emphasis>This option is obsolete.</emphasis>
4600 It was used in <acronym>BIND</acronym> 8 to
4601 specify the pathname to the <command>named-xfer</command> program.
4602 In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
4603 needed; its functionality is built into the name server.
4610 <term><command>tkey-domain</command></term>
4613 The domain appended to the names of all
4614 shared keys generated with
4615 <command>TKEY</command>. When a client
4616 requests a <command>TKEY</command> exchange, it
4617 may or may not specify
4618 the desired name for the key. If present, the name of the
4620 key will be "<varname>client specified part</varname>" +
4621 "<varname>tkey-domain</varname>".
4622 Otherwise, the name of the shared key will be "<varname>random hex
4623 digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
4624 the <command>domainname</command> should be the
4632 <term><command>tkey-dhkey</command></term>
4635 The Diffie-Hellman key used by the server
4636 to generate shared keys with clients using the Diffie-Hellman
4638 of <command>TKEY</command>. The server must be
4640 public and private keys from files in the working directory.
4642 most cases, the keyname should be the server's host name.
4648 <term><command>cache-file</command></term>
4651 This is for testing only. Do not use.
4657 <term><command>dump-file</command></term>
4660 The pathname of the file the server dumps
4661 the database to when instructed to do so with
4662 <command>rndc dumpdb</command>.
4663 If not specified, the default is <filename>named_dump.db</filename>.
4669 <term><command>memstatistics-file</command></term>
4672 The pathname of the file the server writes memory
4673 usage statistics to on exit. If specified the
4674 statistics will be written to the file on exit.
4677 In <acronym>BIND</acronym> 9.5 and later this will
4678 default to <filename>named.memstats</filename>.
4679 <acronym>BIND</acronym> 9.5 will also introduce
4680 <command>memstatistics</command> to control the
4687 <term><command>pid-file</command></term>
4690 The pathname of the file the server writes its process ID
4691 in. If not specified, the default is <filename>/var/run/named.pid</filename>.
4692 The pid-file is used by programs that want to send signals to
4694 name server. Specifying <command>pid-file none</command> disables the
4695 use of a PID file — no file will be written and any
4696 existing one will be removed. Note that <command>none</command>
4697 is a keyword, not a filename, and therefore is not enclosed
4705 <term><command>recursing-file</command></term>
4708 The pathname of the file the server dumps
4709 the queries that are currently recursing when instructed
4710 to do so with <command>rndc recursing</command>.
4711 If not specified, the default is <filename>named.recursing</filename>.
4717 <term><command>statistics-file</command></term>
4720 The pathname of the file the server appends statistics
4721 to when instructed to do so using <command>rndc stats</command>.
4722 If not specified, the default is <filename>named.stats</filename> in the
4723 server's current directory. The format of the file is
4725 in <xref linkend="statsfile"/>.
4731 <term><command>port</command></term>
4734 The UDP/TCP port number the server uses for
4735 receiving and sending DNS protocol traffic.
4736 The default is 53. This option is mainly intended for server
4738 a server using a port other than 53 will not be able to
4746 <term><command>random-device</command></term>
4749 The source of entropy to be used by the server. Entropy is
4751 for DNSSEC operations, such as TKEY transactions and dynamic
4753 zones. This options specifies the device (or file) from which
4755 entropy. If this is a file, operations requiring entropy will
4757 file has been exhausted. If not specified, the default value
4759 <filename>/dev/random</filename>
4760 (or equivalent) when present, and none otherwise. The
4761 <command>random-device</command> option takes
4763 the initial configuration load at server startup time and
4764 is ignored on subsequent reloads.
4770 <term><command>preferred-glue</command></term>
4773 If specified, the listed type (A or AAAA) will be emitted
4775 in the additional section of a query response.
4776 The default is not to prefer any type (NONE).
4782 <term><command>root-delegation-only</command></term>
4785 Turn on enforcement of delegation-only in TLDs (top level domains) and root zones
4790 Note some TLDs are not delegation only (e.g. "DE", "LV", "US"
4796 root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
4804 <term><command>disable-algorithms</command></term>
4807 Disable the specified DNSSEC algorithms at and below the
4809 Multiple <command>disable-algorithms</command>
4810 statements are allowed.
4811 Only the most specific will be applied.
4817 <term><command>dnssec-lookaside</command></term>
4820 When set, <command>dnssec-lookaside</command>
4822 validator with an alternate method to validate DNSKEY records
4824 top of a zone. When a DNSKEY is at or below a domain
4826 deepest <command>dnssec-lookaside</command>, and
4827 the normal dnssec validation
4828 has left the key untrusted, the trust-anchor will be append to
4830 name and a DLV record will be looked up to see if it can
4832 key. If the DLV record validates a DNSKEY (similarly to the
4834 record does) the DNSKEY RRset is deemed to be trusted.
4840 <term><command>dnssec-must-be-secure</command></term>
4843 Specify hierarchies which must be or may not be secure (signed and
4845 If <userinput>yes</userinput>, then named will only accept
4848 If <userinput>no</userinput>, then normal dnssec validation
4850 allowing for insecure answers to be accepted.
4851 The specified domain must be under a <command>trusted-key</command> or
4852 <command>dnssec-lookaside</command> must be
4860 <sect3 id="boolean_options">
4861 <title>Boolean Options</title>
4866 <term><command>auth-nxdomain</command></term>
4869 If <userinput>yes</userinput>, then the <command>AA</command> bit
4870 is always set on NXDOMAIN responses, even if the server is
4872 authoritative. The default is <userinput>no</userinput>;
4874 a change from <acronym>BIND</acronym> 8. If you
4875 are using very old DNS software, you
4876 may need to set it to <userinput>yes</userinput>.
4882 <term><command>deallocate-on-exit</command></term>
4885 This option was used in <acronym>BIND</acronym>
4886 8 to enable checking
4887 for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
4894 <term><command>dialup</command></term>
4897 If <userinput>yes</userinput>, then the
4898 server treats all zones as if they are doing zone transfers
4900 a dial-on-demand dialup link, which can be brought up by
4902 originating from this server. This has different effects
4904 to zone type and concentrates the zone maintenance so that
4906 happens in a short interval, once every <command>heartbeat-interval</command> and
4907 hopefully during the one call. It also suppresses some of
4909 zone maintenance traffic. The default is <userinput>no</userinput>.
4912 The <command>dialup</command> option
4913 may also be specified in the <command>view</command> and
4914 <command>zone</command> statements,
4915 in which case it overrides the global <command>dialup</command>
4919 If the zone is a master zone, then the server will send out a
4921 request to all the slaves (default). This should trigger the
4923 number check in the slave (providing it supports NOTIFY)
4925 to verify the zone while the connection is active.
4926 The set of servers to which NOTIFY is sent can be controlled
4928 <command>notify</command> and <command>also-notify</command>.
4932 zone is a slave or stub zone, then the server will suppress
4934 "zone up to date" (refresh) queries and only perform them
4936 <command>heartbeat-interval</command> expires in
4941 Finer control can be achieved by using
4942 <userinput>notify</userinput> which only sends NOTIFY
4944 <userinput>notify-passive</userinput> which sends NOTIFY
4946 suppresses the normal refresh queries, <userinput>refresh</userinput>
4947 which suppresses normal refresh processing and sends refresh
4949 when the <command>heartbeat-interval</command>
4951 <userinput>passive</userinput> which just disables normal
4956 <informaltable colsep="0" rowsep="0">
4957 <tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4958 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4959 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
4960 <colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
4961 <colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
4987 <para><command>no</command> (default)</para>
5007 <para><command>yes</command></para>
5027 <para><command>notify</command></para>
5047 <para><command>refresh</command></para>
5067 <para><command>passive</command></para>
5087 <para><command>notify-passive</command></para>
5110 Note that normal NOTIFY processing is not affected by
5111 <command>dialup</command>.
5118 <term><command>fake-iquery</command></term>
5121 In <acronym>BIND</acronym> 8, this option
5122 enabled simulating the obsolete DNS query type
5123 IQUERY. <acronym>BIND</acronym> 9 never does
5130 <term><command>fetch-glue</command></term>
5133 This option is obsolete.
5134 In BIND 8, <userinput>fetch-glue yes</userinput>
5135 caused the server to attempt to fetch glue resource records
5137 didn't have when constructing the additional
5138 data section of a response. This is now considered a bad
5140 and BIND 9 never does it.
5146 <term><command>flush-zones-on-shutdown</command></term>
5149 When the nameserver exits due receiving SIGTERM,
5150 flush or do not flush any pending zone writes. The default
5152 <command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
5158 <term><command>has-old-clients</command></term>
5161 This option was incorrectly implemented
5162 in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
5163 To achieve the intended effect
5165 <command>has-old-clients</command> <userinput>yes</userinput>, specify
5166 the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
5167 and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
5173 <term><command>host-statistics</command></term>
5176 In BIND 8, this enables keeping of
5177 statistics for every host that the name server interacts
5179 Not implemented in BIND 9.
5185 <term><command>maintain-ixfr-base</command></term>
5188 <emphasis>This option is obsolete</emphasis>.
5189 It was used in <acronym>BIND</acronym> 8 to
5190 determine whether a transaction log was
5191 kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
5192 log whenever possible. If you need to disable outgoing
5194 transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
5200 <term><command>minimal-responses</command></term>
5203 If <userinput>yes</userinput>, then when generating
5204 responses the server will only add records to the authority
5205 and additional data sections when they are required (e.g.
5206 delegations, negative responses). This may improve the
5207 performance of the server.
5208 The default is <userinput>no</userinput>.
5214 <term><command>multiple-cnames</command></term>
5217 This option was used in <acronym>BIND</acronym> 8 to allow
5218 a domain name to have multiple CNAME records in violation of
5219 the DNS standards. <acronym>BIND</acronym> 9.2 onwards
5220 always strictly enforces the CNAME rules both in master
5221 files and dynamic updates.
5227 <term><command>notify</command></term>
5230 If <userinput>yes</userinput> (the default),
5231 DNS NOTIFY messages are sent when a zone the server is
5233 changes, see <xref linkend="notify"/>. The messages are
5235 servers listed in the zone's NS records (except the master
5237 in the SOA MNAME field), and to any servers listed in the
5238 <command>also-notify</command> option.
5241 If <userinput>master-only</userinput>, notifies are only
5244 If <userinput>explicit</userinput>, notifies are sent only
5246 servers explicitly listed using <command>also-notify</command>.
5247 If <userinput>no</userinput>, no notifies are sent.
5250 The <command>notify</command> option may also be
5251 specified in the <command>zone</command>
5253 in which case it overrides the <command>options notify</command> statement.
5254 It would only be necessary to turn off this option if it
5262 <term><command>recursion</command></term>
5265 If <userinput>yes</userinput>, and a
5266 DNS query requests recursion, then the server will attempt
5268 all the work required to answer the query. If recursion is
5270 and the server does not already know the answer, it will
5272 referral response. The default is
5273 <userinput>yes</userinput>.
5274 Note that setting <command>recursion no</command> does not prevent
5275 clients from getting data from the server's cache; it only
5276 prevents new data from being cached as an effect of client
5278 Caching may still occur as an effect the server's internal
5279 operation, such as NOTIFY address lookups.
5280 See also <command>fetch-glue</command> above.
5286 <term><command>rfc2308-type1</command></term>
5289 Setting this to <userinput>yes</userinput> will
5290 cause the server to send NS records along with the SOA
5292 answers. The default is <userinput>no</userinput>.
5296 Not yet implemented in <acronym>BIND</acronym>
5304 <term><command>use-id-pool</command></term>
5307 <emphasis>This option is obsolete</emphasis>.
5308 <acronym>BIND</acronym> 9 always allocates query
5315 <term><command>zone-statistics</command></term>
5318 If <userinput>yes</userinput>, the server will collect
5319 statistical data on all zones (unless specifically turned
5321 on a per-zone basis by specifying <command>zone-statistics no</command>
5322 in the <command>zone</command> statement).
5323 These statistics may be accessed
5324 using <command>rndc stats</command>, which will
5325 dump them to the file listed
5326 in the <command>statistics-file</command>. See
5327 also <xref linkend="statsfile"/>.
5333 <term><command>use-ixfr</command></term>
5336 <emphasis>This option is obsolete</emphasis>.
5337 If you need to disable IXFR to a particular server or
5339 the information on the <command>provide-ixfr</command> option
5340 in <xref linkend="server_statement_definition_and_usage"/>.
5342 <xref linkend="incremental_zone_transfers"/>.
5348 <term><command>provide-ixfr</command></term>
5351 See the description of
5352 <command>provide-ixfr</command> in
5353 <xref linkend="server_statement_definition_and_usage"/>.
5359 <term><command>request-ixfr</command></term>
5362 See the description of
5363 <command>request-ixfr</command> in
5364 <xref linkend="server_statement_definition_and_usage"/>.
5370 <term><command>treat-cr-as-space</command></term>
5373 This option was used in <acronym>BIND</acronym>
5375 the server treat carriage return ("<command>\r</command>") characters the same way
5376 as a space or tab character,
5377 to facilitate loading of zone files on a UNIX system that
5379 on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
5380 and NT/DOS "<command>\r\n</command>" newlines
5381 are always accepted,
5382 and the option is ignored.
5388 <term><command>additional-from-auth</command></term>
5389 <term><command>additional-from-cache</command></term>
5393 These options control the behavior of an authoritative
5395 answering queries which have additional data, or when
5401 When both of these options are set to <userinput>yes</userinput>
5403 query is being answered from authoritative data (a zone
5404 configured into the server), the additional data section of
5406 reply will be filled in using data from other authoritative
5408 and from the cache. In some situations this is undesirable,
5410 as when there is concern over the correctness of the cache,
5412 in servers where slave zones may be added and modified by
5413 untrusted third parties. Also, avoiding
5414 the search for this additional data will speed up server
5416 at the possible expense of additional queries to resolve
5418 otherwise be provided in the additional section.
5422 For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
5423 and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
5424 records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
5425 if known, even though they are not in the example.com zone.
5426 Setting these options to <command>no</command>
5427 disables this behavior and makes
5428 the server only search for additional data in the zone it
5433 These options are intended for use in authoritative-only
5434 servers, or in authoritative-only views. Attempts to set
5435 them to <command>no</command> without also
5437 <command>recursion no</command> will cause the
5439 ignore the options and log a warning message.
5443 Specifying <command>additional-from-cache no</command> actually
5444 disables the use of the cache not only for additional data
5446 but also when looking up the answer. This is usually the
5448 behavior in an authoritative-only server where the
5450 the cached data is an issue.
5454 When a name server is non-recursively queried for a name
5456 below the apex of any served zone, it normally answers with
5458 "upwards referral" to the root servers or the servers of
5460 known parent of the query name. Since the data in an
5462 comes from the cache, the server will not be able to provide
5464 referrals when <command>additional-from-cache no</command>
5465 has been specified. Instead, it will respond to such
5467 with REFUSED. This should not cause any problems since
5468 upwards referrals are not required for the resolution
5476 <term><command>match-mapped-addresses</command></term>
5479 If <userinput>yes</userinput>, then an
5480 IPv4-mapped IPv6 address will match any address match
5481 list entries that match the corresponding IPv4 address.
5482 Enabling this option is sometimes useful on IPv6-enabled
5484 systems, to work around a kernel quirk that causes IPv4
5485 TCP connections such as zone transfers to be accepted
5486 on an IPv6 socket using mapped addresses, causing
5487 address match lists designed for IPv4 to fail to match.
5488 The use of this option for any other purpose is discouraged.
5494 <term><command>ixfr-from-differences</command></term>
5497 When <userinput>yes</userinput> and the server loads a new version of a master
5498 zone from its zone file or receives a new version of a slave
5499 file by a non-incremental zone transfer, it will compare
5500 the new version to the previous one and calculate a set
5501 of differences. The differences are then logged in the
5502 zone's journal file such that the changes can be transmitted
5503 to downstream slaves as an incremental zone transfer.
5506 By allowing incremental zone transfers to be used for
5507 non-dynamic zones, this option saves bandwidth at the
5508 expense of increased CPU and memory consumption at the
5510 In particular, if the new version of a zone is completely
5511 different from the previous one, the set of differences
5512 will be of a size comparable to the combined size of the
5513 old and new zone version, and the server will need to
5514 temporarily allocate memory to hold this complete
5517 <para><command>ixfr-from-differences</command>
5518 also accepts <command>master</command> and
5519 <command>slave</command> at the view and options
5521 <command>ixfr-from-differences</command> to apply to
5522 all <command>master</command> or
5523 <command>slave</command> zones respectively.
5529 <term><command>multi-master</command></term>
5532 This should be set when you have multiple masters for a zone
5534 addresses refer to different machines. If <userinput>yes</userinput>, named will
5536 when the serial number on the master is less than what named
5538 has. The default is <userinput>no</userinput>.
5544 <term><command>dnssec-enable</command></term>
5547 Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>,
5548 named behaves as if it does not support DNSSEC.
5549 The default is <userinput>yes</userinput>.
5555 <term><command>dnssec-validation</command></term>
5558 Enable DNSSEC validation in named.
5559 Note <command>dnssec-enable</command> also needs to be
5560 set to <userinput>yes</userinput> to be effective.
5561 The default is <userinput>no</userinput>.
5567 <term><command>dnssec-accept-expired</command></term>
5570 Accept expired signatures when verifying DNSSEC signatures.
5571 The default is <userinput>no</userinput>.
5572 Setting this option to "yes" leaves named vulnerable to replay attacks.
5578 <term><command>querylog</command></term>
5581 Specify whether query logging should be started when named
5583 If <command>querylog</command> is not specified,
5584 then the query logging
5585 is determined by the presence of the logging category <command>queries</command>.
5591 <term><command>check-names</command></term>
5594 This option is used to restrict the character set and syntax
5596 certain domain names in master files and/or DNS responses
5598 from the network. The default varies according to usage
5600 <command>master</command> zones the default is <command>fail</command>.
5601 For <command>slave</command> zones the default
5602 is <command>warn</command>.
5603 For answers received from the network (<command>response</command>)
5604 the default is <command>ignore</command>.
5607 The rules for legal hostnames and mail domains are derived
5608 from RFC 952 and RFC 821 as modified by RFC 1123.
5610 <para><command>check-names</command>
5611 applies to the owner names of A, AAA and MX records.
5612 It also applies to the domain names in the RDATA of NS, SOA
5614 It also applies to the RDATA of PTR records where the owner
5615 name indicated that it is a reverse lookup of a hostname
5616 (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
5622 <term><command>check-mx</command></term>
5625 Check whether the MX record appears to refer to a IP address.
5626 The default is to <command>warn</command>. Other possible
5627 values are <command>fail</command> and
5628 <command>ignore</command>.
5634 <term><command>check-wildcard</command></term>
5637 This option is used to check for non-terminal wildcards.
5638 The use of non-terminal wildcards is almost always as a
5640 to understand the wildcard matching algorithm (RFC 1034).
5642 affects master zones. The default (<command>yes</command>) is to check
5643 for non-terminal wildcards and issue a warning.
5649 <term><command>check-integrity</command></term>
5652 Perform post load zone integrity checks on master
5653 zones. This checks that MX and SRV records refer
5654 to address (A or AAAA) records and that glue
5655 address records exist for delegated zones. For
5656 MX and SRV records only in-zone hostnames are
5657 checked (for out-of-zone hostnames use
5658 <command>named-checkzone</command>).
5659 For NS records only names below top of zone are
5660 checked (for out-of-zone names and glue consistency
5661 checks use <command>named-checkzone</command>).
5662 The default is <command>yes</command>.
5668 <term><command>check-mx-cname</command></term>
5671 If <command>check-integrity</command> is set then
5672 fail, warn or ignore MX records that refer
5673 to CNAMES. The default is to <command>warn</command>.
5679 <term><command>check-srv-cname</command></term>
5682 If <command>check-integrity</command> is set then
5683 fail, warn or ignore SRV records that refer
5684 to CNAMES. The default is to <command>warn</command>.
5690 <term><command>check-sibling</command></term>
5693 When performing integrity checks, also check that
5694 sibling glue exists. The default is <command>yes</command>.
5700 <term><command>zero-no-soa-ttl</command></term>
5703 When returning authoritative negative responses to
5704 SOA queries set the TTL of the SOA recored returned in
5705 the authority section to zero.
5706 The default is <command>yes</command>.
5712 <term><command>zero-no-soa-ttl-cache</command></term>
5715 When caching a negative response to a SOA query
5716 set the TTL to zero.
5717 The default is <command>no</command>.
5723 <term><command>update-check-ksk</command></term>
5726 When regenerating the RRSIGs following a UPDATE
5727 request to a secure zone, check the KSK flag on
5728 the DNSKEY RR to determine if this key should be
5729 used to generate the RRSIG. This flag is ignored
5730 if there are not DNSKEY RRs both with and without
5732 The default is <command>yes</command>.
5742 <title>Forwarding</title>
5744 The forwarding facility can be used to create a large site-wide
5745 cache on a few servers, reducing traffic over links to external
5746 name servers. It can also be used to allow queries by servers that
5747 do not have direct access to the Internet, but wish to look up
5749 names anyway. Forwarding occurs only on those queries for which
5750 the server is not authoritative and does not have the answer in
5756 <term><command>forward</command></term>
5759 This option is only meaningful if the
5760 forwarders list is not empty. A value of <varname>first</varname>,
5761 the default, causes the server to query the forwarders
5763 if that doesn't answer the question, the server will then
5765 the answer itself. If <varname>only</varname> is
5767 server will only query the forwarders.
5773 <term><command>forwarders</command></term>
5776 Specifies the IP addresses to be used
5777 for forwarding. The default is the empty list (no
5786 Forwarding can also be configured on a per-domain basis, allowing
5787 for the global forwarding options to be overridden in a variety
5788 of ways. You can set particular domains to use different
5790 or have a different <command>forward only/first</command> behavior,
5791 or not forward at all, see <xref linkend="zone_statement_grammar"/>.
5796 <title>Dual-stack Servers</title>
5798 Dual-stack servers are used as servers of last resort to work
5800 problems in reachability due the lack of support for either IPv4
5802 on the host machine.
5807 <term><command>dual-stack-servers</command></term>
5810 Specifies host names or addresses of machines with access to
5811 both IPv4 and IPv6 transports. If a hostname is used, the
5813 to resolve the name using only the transport it has. If the
5815 stacked, then the <command>dual-stack-servers</command> have no effect unless
5816 access to a transport has been disabled on the command line
5817 (e.g. <command>named -4</command>).
5824 <sect3 id="access_control">
5825 <title>Access Control</title>
5828 Access to the server can be restricted based on the IP address
5829 of the requesting system. See <xref linkend="address_match_lists"/> for
5830 details on how to specify IP address lists.
5836 <term><command>allow-notify</command></term>
5839 Specifies which hosts are allowed to
5840 notify this server, a slave, of zone changes in addition
5841 to the zone masters.
5842 <command>allow-notify</command> may also be
5844 <command>zone</command> statement, in which case
5846 <command>options allow-notify</command>
5847 statement. It is only meaningful
5848 for a slave zone. If not specified, the default is to
5849 process notify messages
5850 only from a zone's master.
5856 <term><command>allow-query</command></term>
5859 Specifies which hosts are allowed to ask ordinary
5860 DNS questions. <command>allow-query</command> may
5861 also be specified in the <command>zone</command>
5862 statement, in which case it overrides the
5863 <command>options allow-query</command> statement.
5864 If not specified, the default is to allow queries
5869 <command>allow-query-cache</command> is now
5870 used to specify access to the cache.
5877 <term><command>allow-query-cache</command></term>
5880 Specifies which hosts are allowed to get answers
5881 from the cache. If <command>allow-query-cache</command>
5882 is not set then <command>allow-recursion</command>
5883 is used if set, otherwise <command>allow-query</command>
5884 is used if set, otherwise the default
5885 (<command>localnets;</command>
5886 <command>localhost;</command>) is used.
5892 <term><command>allow-recursion</command></term>
5895 Specifies which hosts are allowed to make recursive
5896 queries through this server. If
5897 <command>allow-recursion</command> is not set
5898 then <command>allow-query-cache</command> is
5899 used if set, otherwise <command>allow-query</command>
5900 is used if set, otherwise the default
5901 (<command>localnets;</command>
5902 <command>localhost;</command>) is used.
5908 <term><command>allow-update</command></term>
5911 Specifies which hosts are allowed to
5912 submit Dynamic DNS updates for master zones. The default is
5914 updates from all hosts. Note that allowing updates based
5915 on the requestor's IP address is insecure; see
5916 <xref linkend="dynamic_update_security"/> for details.
5922 <term><command>allow-update-forwarding</command></term>
5925 Specifies which hosts are allowed to
5926 submit Dynamic DNS updates to slave zones to be forwarded to
5928 master. The default is <userinput>{ none; }</userinput>,
5930 means that no update forwarding will be performed. To
5932 update forwarding, specify
5933 <userinput>allow-update-forwarding { any; };</userinput>.
5934 Specifying values other than <userinput>{ none; }</userinput> or
5935 <userinput>{ any; }</userinput> is usually
5936 counterproductive, since
5937 the responsibility for update access control should rest
5939 master server, not the slaves.
5942 Note that enabling the update forwarding feature on a slave
5944 may expose master servers relying on insecure IP address
5946 access control to attacks; see <xref linkend="dynamic_update_security"/>
5953 <term><command>allow-v6-synthesis</command></term>
5956 This option was introduced for the smooth transition from
5958 to A6 and from "nibble labels" to binary labels.
5959 However, since both A6 and binary labels were then
5961 this option was also deprecated.
5962 It is now ignored with some warning messages.
5968 <term><command>allow-transfer</command></term>
5971 Specifies which hosts are allowed to
5972 receive zone transfers from the server. <command>allow-transfer</command> may
5973 also be specified in the <command>zone</command>
5975 case it overrides the <command>options allow-transfer</command> statement.
5976 If not specified, the default is to allow transfers to all
5983 <term><command>blackhole</command></term>
5986 Specifies a list of addresses that the
5987 server will not accept queries from or use to resolve a
5989 from these addresses will not be responded to. The default
5990 is <userinput>none</userinput>.
6000 <title>Interfaces</title>
6002 The interfaces and ports that the server will answer queries
6003 from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
6004 an optional port, and an <varname>address_match_list</varname>.
6005 The server will listen on all interfaces allowed by the address
6006 match list. If a port is not specified, port 53 will be used.
6009 Multiple <command>listen-on</command> statements are
6014 <programlisting>listen-on { 5.6.7.8; };
6015 listen-on port 1234 { !1.2.3.4; 1.2/16; };
6019 will enable the name server on port 53 for the IP address
6020 5.6.7.8, and on port 1234 of an address on the machine in net
6021 1.2 that is not 1.2.3.4.
6025 If no <command>listen-on</command> is specified, the
6026 server will listen on port 53 on all interfaces.
6030 The <command>listen-on-v6</command> option is used to
6031 specify the interfaces and the ports on which the server will
6033 for incoming queries sent using IPv6.
6037 When <programlisting>{ any; }</programlisting> is
6039 as the <varname>address_match_list</varname> for the
6040 <command>listen-on-v6</command> option,
6041 the server does not bind a separate socket to each IPv6 interface
6042 address as it does for IPv4 if the operating system has enough API
6043 support for IPv6 (specifically if it conforms to RFC 3493 and RFC
6045 Instead, it listens on the IPv6 wildcard address.
6046 If the system only has incomplete API support for IPv6, however,
6047 the behavior is the same as that for IPv4.
6051 A list of particular IPv6 addresses can also be specified, in
6053 the server listens on a separate socket for each specified
6055 regardless of whether the desired API is supported by the system.
6059 Multiple <command>listen-on-v6</command> options can
6064 <programlisting>listen-on-v6 { any; };
6065 listen-on-v6 port 1234 { !2001:db8::/32; any; };
6069 will enable the name server on port 53 for any IPv6 addresses
6070 (with a single wildcard socket),
6071 and on port 1234 of IPv6 addresses that is not in the prefix
6072 2001:db8::/32 (with separate sockets for each matched address.)
6076 To make the server not listen on any IPv6 address, use
6079 <programlisting>listen-on-v6 { none; };
6083 If no <command>listen-on-v6</command> option is
6085 the server will not listen on any IPv6 address.
6089 <sect3 id="query_address">
6090 <title>Query Address</title>
6092 If the server doesn't know the answer to a question, it will
6093 query other name servers. <command>query-source</command> specifies
6094 the address and port used for such queries. For queries sent over
6095 IPv6, there is a separate <command>query-source-v6</command> option.
6096 If <command>address</command> is <command>*</command> (asterisk) or is omitted,
6097 a wildcard IP address (<command>INADDR_ANY</command>)
6102 If <command>port</command> is <command>*</command> or is omitted,
6103 a random port number from a pre-configured
6104 range is picked up and will be used for each query.
6105 The port range(s) is that specified in
6106 the <command>use-v4-udp-ports</command> (for IPv4)
6107 and <command>use-v6-udp-ports</command> (for IPv6)
6108 options, excluding the ranges specified in
6109 the <command>avoid-v4-udp-ports</command>
6110 and <command>avoid-v6-udp-ports</command> options, respectively.
6114 The defaults of the <command>query-source</command> and
6115 <command>query-source-v6</command> options
6119 <programlisting>query-source address * port *;
6120 query-source-v6 address * port *;
6124 If <command>use-v4-udp-ports</command> or
6125 <command>use-v6-udp-ports</command> is unspecified,
6126 <command>named</command> will check if the operating
6127 system provides a programming interface to retrieve the
6128 system's default range for ephemeral ports.
6129 If such an interface is available,
6130 <command>named</command> will use the corresponding system
6131 default range; otherwise, it will use its own defaults:
6134 <programlisting>use-v4-udp-ports { range 1024 65535; };
6135 use-v6-udp-ports { range 1024 65535; };
6139 Note: make sure the ranges be sufficiently large for
6140 security. A desirable size depends on various parameters,
6141 but we generally recommend it contain at least 16384 ports
6142 (14 bits of entropy).
6143 Note also that the system's default range when used may be
6144 too small for this purpose, and that the range may even be
6145 changed while <command>named</command> is running; the new
6146 range will automatically be applied when <command>named</command>
6149 configure <command>use-v4-udp-ports</command> and
6150 <command>use-v6-udp-ports</command> explicitly so that the
6151 ranges are sufficiently large and are reasonably
6152 independent from the ranges used by other applications.
6156 Note: the operational configuration
6157 where <command>named</command> runs may prohibit the use
6158 of some ports. For example, UNIX systems will not allow
6159 <command>named</command> running without a root privilege
6160 to use ports less than 1024.
6161 If such ports are included in the specified (or detected)
6162 set of query ports, the corresponding query attempts will
6163 fail, resulting in resolution failures or delay.
6164 It is therefore important to configure the set of ports
6165 that can be safely used in the expected operational environment.
6169 The defaults of the <command>avoid-v4-udp-ports</command> and
6170 <command>avoid-v6-udp-ports</command> options
6174 <programlisting>avoid-v4-udp-ports {};
6175 avoid-v6-udp-ports {};
6179 Note: it is generally strongly discouraged to
6180 specify a particular port for the
6181 <command>query-source</command> or
6182 <command>query-source-v6</command> options;
6183 it implicitly disables the use of randomized port numbers
6184 and can be insecure.
6189 The address specified in the <command>query-source</command> option
6190 is used for both UDP and TCP queries, but the port applies only
6192 UDP queries. TCP queries always use a random
6198 Solaris 2.5.1 and earlier does not support setting the source
6199 address for TCP sockets.
6204 See also <command>transfer-source</command> and
6205 <command>notify-source</command>.
6210 <sect3 id="zone_transfers">
6211 <title>Zone Transfers</title>
6213 <acronym>BIND</acronym> has mechanisms in place to
6214 facilitate zone transfers
6215 and set limits on the amount of load that transfers place on the
6216 system. The following options apply to zone transfers.
6222 <term><command>also-notify</command></term>
6225 Defines a global list of IP addresses of name servers
6226 that are also sent NOTIFY messages whenever a fresh copy of
6228 zone is loaded, in addition to the servers listed in the
6230 This helps to ensure that copies of the zones will
6231 quickly converge on stealth servers. If an <command>also-notify</command> list
6232 is given in a <command>zone</command> statement,
6234 the <command>options also-notify</command>
6235 statement. When a <command>zone notify</command>
6237 is set to <command>no</command>, the IP
6238 addresses in the global <command>also-notify</command> list will
6239 not be sent NOTIFY messages for that zone. The default is
6241 list (no global notification list).
6247 <term><command>max-transfer-time-in</command></term>
6250 Inbound zone transfers running longer than
6251 this many minutes will be terminated. The default is 120
6253 (2 hours). The maximum value is 28 days (40320 minutes).
6259 <term><command>max-transfer-idle-in</command></term>
6262 Inbound zone transfers making no progress
6263 in this many minutes will be terminated. The default is 60
6265 (1 hour). The maximum value is 28 days (40320 minutes).
6271 <term><command>max-transfer-time-out</command></term>
6274 Outbound zone transfers running longer than
6275 this many minutes will be terminated. The default is 120
6277 (2 hours). The maximum value is 28 days (40320 minutes).
6283 <term><command>max-transfer-idle-out</command></term>
6286 Outbound zone transfers making no progress
6287 in this many minutes will be terminated. The default is 60
6289 hour). The maximum value is 28 days (40320 minutes).
6295 <term><command>serial-query-rate</command></term>
6298 Slave servers will periodically query master servers
6299 to find out if zone serial numbers have changed. Each such
6301 a minute amount of the slave server's network bandwidth. To
6303 amount of bandwidth used, BIND 9 limits the rate at which
6305 sent. The value of the <command>serial-query-rate</command> option,
6306 an integer, is the maximum number of queries sent per
6314 <term><command>serial-queries</command></term>
6317 In BIND 8, the <command>serial-queries</command>
6319 set the maximum number of concurrent serial number queries
6320 allowed to be outstanding at any given time.
6321 BIND 9 does not limit the number of outstanding
6322 serial queries and ignores the <command>serial-queries</command> option.
6323 Instead, it limits the rate at which the queries are sent
6324 as defined using the <command>serial-query-rate</command> option.
6330 <term><command>transfer-format</command></term>
6334 Zone transfers can be sent using two different formats,
6335 <command>one-answer</command> and
6336 <command>many-answers</command>.
6337 The <command>transfer-format</command> option is used
6338 on the master server to determine which format it sends.
6339 <command>one-answer</command> uses one DNS message per
6340 resource record transferred.
6341 <command>many-answers</command> packs as many resource
6342 records as possible into a message.
6343 <command>many-answers</command> is more efficient, but is
6344 only supported by relatively new slave servers,
6345 such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
6346 8.x and <acronym>BIND</acronym> 4.9.5 onwards.
6347 The <command>many-answers</command> format is also supported by
6348 recent Microsoft Windows nameservers.
6349 The default is <command>many-answers</command>.
6350 <command>transfer-format</command> may be overridden on a
6351 per-server basis by using the <command>server</command>
6359 <term><command>transfers-in</command></term>
6362 The maximum number of inbound zone transfers
6363 that can be running concurrently. The default value is <literal>10</literal>.
6364 Increasing <command>transfers-in</command> may
6365 speed up the convergence
6366 of slave zones, but it also may increase the load on the
6373 <term><command>transfers-out</command></term>
6376 The maximum number of outbound zone transfers
6377 that can be running concurrently. Zone transfer requests in
6379 of the limit will be refused. The default value is <literal>10</literal>.
6385 <term><command>transfers-per-ns</command></term>
6388 The maximum number of inbound zone transfers
6389 that can be concurrently transferring from a given remote
6391 The default value is <literal>2</literal>.
6392 Increasing <command>transfers-per-ns</command>
6394 speed up the convergence of slave zones, but it also may
6396 the load on the remote name server. <command>transfers-per-ns</command> may
6397 be overridden on a per-server basis by using the <command>transfers</command> phrase
6398 of the <command>server</command> statement.
6404 <term><command>transfer-source</command></term>
6406 <para><command>transfer-source</command>
6407 determines which local address will be bound to IPv4
6408 TCP connections used to fetch zones transferred
6409 inbound by the server. It also determines the
6410 source IPv4 address, and optionally the UDP port,
6411 used for the refresh queries and forwarded dynamic
6412 updates. If not set, it defaults to a system
6413 controlled value which will usually be the address
6414 of the interface "closest to" the remote end. This
6415 address must appear in the remote end's
6416 <command>allow-transfer</command> option for the
6417 zone being transferred, if one is specified. This
6419 <command>transfer-source</command> for all zones,
6420 but can be overridden on a per-view or per-zone
6421 basis by including a
6422 <command>transfer-source</command> statement within
6423 the <command>view</command> or
6424 <command>zone</command> block in the configuration
6429 Solaris 2.5.1 and earlier does not support setting the
6430 source address for TCP sockets.
6437 <term><command>transfer-source-v6</command></term>
6440 The same as <command>transfer-source</command>,
6441 except zone transfers are performed using IPv6.
6447 <term><command>alt-transfer-source</command></term>
6450 An alternate transfer source if the one listed in
6451 <command>transfer-source</command> fails and
6452 <command>use-alt-transfer-source</command> is
6456 If you do not wish the alternate transfer source
6457 to be used, you should set
6458 <command>use-alt-transfer-source</command>
6459 appropriately and you should not depend upon
6460 getting a answer back to the first refresh
6467 <term><command>alt-transfer-source-v6</command></term>
6470 An alternate transfer source if the one listed in
6471 <command>transfer-source-v6</command> fails and
6472 <command>use-alt-transfer-source</command> is
6479 <term><command>use-alt-transfer-source</command></term>
6482 Use the alternate transfer sources or not. If views are
6483 specified this defaults to <command>no</command>
6484 otherwise it defaults to
6485 <command>yes</command> (for BIND 8
6492 <term><command>notify-source</command></term>
6494 <para><command>notify-source</command>
6495 determines which local source address, and
6496 optionally UDP port, will be used to send NOTIFY
6497 messages. This address must appear in the slave
6498 server's <command>masters</command> zone clause or
6499 in an <command>allow-notify</command> clause. This
6500 statement sets the <command>notify-source</command>
6501 for all zones, but can be overridden on a per-zone or
6502 per-view basis by including a
6503 <command>notify-source</command> statement within
6504 the <command>zone</command> or
6505 <command>view</command> block in the configuration
6510 Solaris 2.5.1 and earlier does not support setting the
6511 source address for TCP sockets.
6518 <term><command>notify-source-v6</command></term>
6521 Like <command>notify-source</command>,
6522 but applies to notify messages sent to IPv6 addresses.
6532 <title>UDP Port Lists</title>
6534 <command>use-v4-udp-ports</command>,
6535 <command>avoid-v4-udp-ports</command>,
6536 <command>use-v6-udp-ports</command>, and
6537 <command>avoid-v6-udp-ports</command>
6538 specify a list of IPv4 and IPv6 UDP ports that will be
6539 used or not used as source ports for UDP messages.
6540 See <xref linkend="query_address"/> about how the
6541 available ports are determined.
6542 For example, with the following configuration
6546 use-v6-udp-ports { range 32768 65535; };
6547 avoid-v6-udp-ports { 40000; range 50000 60000; };
6551 UDP ports of IPv6 messages sent
6552 from <command>named</command> will be in one
6553 of the following ranges: 32768 to 39999, 40001 to 49999,
6558 <command>avoid-v4-udp-ports</command> and
6559 <command>avoid-v6-udp-ports</command> can be used
6560 to prevent <command>named</command> from choosing as its random source port a
6561 port that is blocked by your firewall or a port that is
6562 used by other applications;
6563 if a query went out with a source port blocked by a
6565 answer would not get by the firewall and the name server would
6566 have to query again.
6567 Note: the desired range can also be represented only with
6568 <command>use-v4-udp-ports</command> and
6569 <command>use-v6-udp-ports</command>, and the
6570 <command>avoid-</command> options are redundant in that
6571 sense; they are provided for backward compatibility and
6572 to possibly simplify the port specification.
6577 <title>Operating System Resource Limits</title>
6580 The server's usage of many system resources can be limited.
6581 Scaled values are allowed when specifying resource limits. For
6582 example, <command>1G</command> can be used instead of
6583 <command>1073741824</command> to specify a limit of
6585 gigabyte. <command>unlimited</command> requests
6586 unlimited use, or the
6587 maximum available amount. <command>default</command>
6589 that was in force when the server was started. See the description
6590 of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
6594 The following options set operating system resource limits for
6595 the name server process. Some operating systems don't support
6597 any of the limits. On such systems, a warning will be issued if
6599 unsupported limit is used.
6605 <term><command>coresize</command></term>
6608 The maximum size of a core dump. The default
6609 is <literal>default</literal>.
6615 <term><command>datasize</command></term>
6618 The maximum amount of data memory the server
6619 may use. The default is <literal>default</literal>.
6620 This is a hard limit on server memory usage.
6621 If the server attempts to allocate memory in excess of this
6622 limit, the allocation will fail, which may in turn leave
6623 the server unable to perform DNS service. Therefore,
6624 this option is rarely useful as a way of limiting the
6625 amount of memory used by the server, but it can be used
6626 to raise an operating system data size limit that is
6627 too small by default. If you wish to limit the amount
6628 of memory used by the server, use the
6629 <command>max-cache-size</command> and
6630 <command>recursive-clients</command>
6637 <term><command>files</command></term>
6640 The maximum number of files the server
6641 may have open concurrently. The default is <literal>unlimited</literal>.
6647 <term><command>stacksize</command></term>
6650 The maximum amount of stack memory the server
6651 may use. The default is <literal>default</literal>.
6661 <title>Server Resource Limits</title>
6664 The following options set limits on the server's
6665 resource consumption that are enforced internally by the
6666 server rather than the operating system.
6672 <term><command>max-ixfr-log-size</command></term>
6675 This option is obsolete; it is accepted
6676 and ignored for BIND 8 compatibility. The option
6677 <command>max-journal-size</command> performs a
6678 similar function in BIND 9.
6684 <term><command>max-journal-size</command></term>
6687 Sets a maximum size for each journal file
6688 (see <xref linkend="journal"/>). When the journal file
6690 the specified size, some of the oldest transactions in the
6692 will be automatically removed. The default is
6693 <literal>unlimited</literal>.
6699 <term><command>host-statistics-max</command></term>
6702 In BIND 8, specifies the maximum number of host statistics
6704 Not implemented in BIND 9.
6710 <term><command>recursive-clients</command></term>
6713 The maximum number of simultaneous recursive lookups
6714 the server will perform on behalf of clients. The default
6716 <literal>1000</literal>. Because each recursing
6718 bit of memory, on the order of 20 kilobytes, the value of
6720 <command>recursive-clients</command> option may
6721 have to be decreased
6722 on hosts with limited memory.
6728 <term><command>tcp-clients</command></term>
6731 The maximum number of simultaneous client TCP
6732 connections that the server will accept.
6733 The default is <literal>100</literal>.
6739 <term><command>reserved-sockets</command></term>
6742 The number of file descriptors reserved for TCP, stdio,
6743 etc. This needs to be big enough to cover the number of
6744 interfaces named listens on, tcp-clients as well as
6745 to provide room for outgoing TCP queries and incoming zone
6746 transfers. The default is <literal>512</literal>.
6747 The minimum value is <literal>128</literal> and the
6748 maximum value is <literal>128</literal> less than
6749 maxsockets (-S). This option may be removed in the future.
6752 This option has little effect on Windows.
6758 <term><command>max-cache-size</command></term>
6761 The maximum amount of memory to use for the
6762 server's cache, in bytes.
6763 When the amount of data in the cache
6764 reaches this limit, the server will cause records to expire
6765 prematurely so that the limit is not exceeded.
6766 A value of 0 is special, meaning that
6767 records are purged from the cache only when their
6769 Another special keyword <userinput>unlimited</userinput>
6770 means the maximum value of 32-bit unsigned integers
6771 (0xffffffff), which may not have the same effect as
6772 0 on machines that support more than 32 bits of
6774 Any positive values less than 2MB will be ignored reset
6776 In a server with multiple views, the limit applies
6777 separately to the cache of each view.
6784 <term><command>tcp-listen-queue</command></term>
6787 The listen queue depth. The default and minimum is 3.
6788 If the kernel supports the accept filter "dataready" this
6790 many TCP connections that will be queued in kernel space
6792 some data before being passed to accept. Values less than 3
6804 <title>Periodic Task Intervals</title>
6809 <term><command>cleaning-interval</command></term>
6812 The server will remove expired resource records
6813 from the cache every <command>cleaning-interval</command> minutes.
6814 The default is 60 minutes. The maximum value is 28 days
6816 If set to 0, no periodic cleaning will occur.
6822 <term><command>heartbeat-interval</command></term>
6825 The server will perform zone maintenance tasks
6826 for all zones marked as <command>dialup</command> whenever this
6827 interval expires. The default is 60 minutes. Reasonable
6829 to 1 day (1440 minutes). The maximum value is 28 days
6831 If set to 0, no zone maintenance for these zones will occur.
6837 <term><command>interface-interval</command></term>
6840 The server will scan the network interface list
6841 every <command>interface-interval</command>
6842 minutes. The default
6843 is 60 minutes. The maximum value is 28 days (40320 minutes).
6844 If set to 0, interface scanning will only occur when
6845 the configuration file is loaded. After the scan, the
6847 begin listening for queries on any newly discovered
6848 interfaces (provided they are allowed by the
6849 <command>listen-on</command> configuration), and
6851 stop listening on interfaces that have gone away.
6857 <term><command>statistics-interval</command></term>
6860 Name server statistics will be logged
6861 every <command>statistics-interval</command>
6862 minutes. The default is
6863 60. The maximum value is 28 days (40320 minutes).
6864 If set to 0, no statistics will be logged.
6867 Not yet implemented in
6868 <acronym>BIND</acronym> 9.
6878 <sect3 id="topology">
6879 <title>Topology</title>
6882 All other things being equal, when the server chooses a name
6884 to query from a list of name servers, it prefers the one that is
6885 topologically closest to itself. The <command>topology</command> statement
6886 takes an <command>address_match_list</command> and
6888 in a special way. Each top-level list element is assigned a
6890 Non-negated elements get a distance based on their position in the
6891 list, where the closer the match is to the start of the list, the
6892 shorter the distance is between it and the server. A negated match
6893 will be assigned the maximum distance from the server. If there
6894 is no match, the address will get a distance which is further than
6895 any non-negated list element, and closer than any negated element.
6899 <programlisting>topology {
6906 will prefer servers on network 10 the most, followed by hosts
6907 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
6908 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
6909 is preferred least of all.
6912 The default topology is
6915 <programlisting> topology { localhost; localnets; };
6920 The <command>topology</command> option
6921 is not implemented in <acronym>BIND</acronym> 9.
6926 <sect3 id="the_sortlist_statement">
6928 <title>The <command>sortlist</command> Statement</title>
6931 The response to a DNS query may consist of multiple resource
6932 records (RRs) forming a resource records set (RRset).
6933 The name server will normally return the
6934 RRs within the RRset in an indeterminate order
6935 (but see the <command>rrset-order</command>
6936 statement in <xref linkend="rrset_ordering"/>).
6937 The client resolver code should rearrange the RRs as appropriate,
6938 that is, using any addresses on the local net in preference to
6940 However, not all resolvers can do this or are correctly
6942 When a client is using a local server, the sorting can be performed
6943 in the server, based on the client's address. This only requires
6944 configuring the name servers, not all the clients.
6948 The <command>sortlist</command> statement (see below)
6950 an <command>address_match_list</command> and
6952 more specifically than the <command>topology</command>
6954 does (<xref linkend="topology"/>).
6955 Each top level statement in the <command>sortlist</command> must
6956 itself be an explicit <command>address_match_list</command> with
6957 one or two elements. The first element (which may be an IP
6959 an IP prefix, an ACL name or a nested <command>address_match_list</command>)
6960 of each top level list is checked against the source address of
6961 the query until a match is found.
6964 Once the source address of the query has been matched, if
6965 the top level statement contains only one element, the actual
6967 element that matched the source address is used to select the
6969 in the response to move to the beginning of the response. If the
6970 statement is a list of two elements, then the second element is
6971 treated the same as the <command>address_match_list</command> in
6972 a <command>topology</command> statement. Each top
6974 is assigned a distance and the address in the response with the
6976 distance is moved to the beginning of the response.
6979 In the following example, any queries received from any of
6980 the addresses of the host itself will get responses preferring
6982 on any of the locally connected networks. Next most preferred are
6984 on the 192.168.1/24 network, and after that either the
6987 192.168.3/24 network with no preference shown between these two
6988 networks. Queries received from a host on the 192.168.1/24 network
6989 will prefer other addresses on that network to the 192.168.2/24
6991 192.168.3/24 networks. Queries received from a host on the
6993 or the 192.168.5/24 network will only prefer other addresses on
6994 their directly connected networks.
6997 <programlisting>sortlist {
6998 { localhost; // IF the local host
6999 { localnets; // THEN first fit on the
7000 192.168.1/24; // following nets
7001 { 192.168.2/24; 192.168.3/24; }; }; };
7002 { 192.168.1/24; // IF on class C 192.168.1
7003 { 192.168.1/24; // THEN use .1, or .2 or .3
7004 { 192.168.2/24; 192.168.3/24; }; }; };
7005 { 192.168.2/24; // IF on class C 192.168.2
7006 { 192.168.2/24; // THEN use .2, or .1 or .3
7007 { 192.168.1/24; 192.168.3/24; }; }; };
7008 { 192.168.3/24; // IF on class C 192.168.3
7009 { 192.168.3/24; // THEN use .3, or .1 or .2
7010 { 192.168.1/24; 192.168.2/24; }; }; };
7011 { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
7016 The following example will give reasonable behavior for the
7017 local host and hosts on directly connected networks. It is similar
7018 to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
7019 to queries from the local host will favor any of the directly
7021 networks. Responses sent to queries from any other hosts on a
7023 connected network will prefer addresses on that same network.
7025 to other queries will not be sorted.
7028 <programlisting>sortlist {
7029 { localhost; localnets; };
7035 <sect3 id="rrset_ordering">
7036 <title id="rrset_ordering_title">RRset Ordering</title>
7038 When multiple records are returned in an answer it may be
7039 useful to configure the order of the records placed into the
7041 The <command>rrset-order</command> statement permits
7043 of the ordering of the records in a multiple record response.
7044 See also the <command>sortlist</command> statement,
7045 <xref linkend="the_sortlist_statement"/>.
7049 An <command>order_spec</command> is defined as
7053 <optional>class <replaceable>class_name</replaceable></optional>
7054 <optional>type <replaceable>type_name</replaceable></optional>
7055 <optional>name <replaceable>"domain_name"</replaceable></optional>
7056 order <replaceable>ordering</replaceable>
7059 If no class is specified, the default is <command>ANY</command>.
7060 If no type is specified, the default is <command>ANY</command>.
7061 If no name is specified, the default is "<command>*</command>" (asterisk).
7064 The legal values for <command>ordering</command> are:
7066 <informaltable colsep="0" rowsep="0">
7067 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
7068 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
7069 <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
7073 <para><command>fixed</command></para>
7077 Records are returned in the order they
7078 are defined in the zone file.
7084 <para><command>random</command></para>
7088 Records are returned in some random order.
7094 <para><command>cyclic</command></para>
7098 Records are returned in a round-robin
7110 <programlisting>rrset-order {
7111 class IN type A name "host.example.com" order random;
7117 will cause any responses for type A records in class IN that
7118 have "<literal>host.example.com</literal>" as a
7119 suffix, to always be returned
7120 in random order. All other records are returned in cyclic order.
7123 If multiple <command>rrset-order</command> statements
7125 they are not combined — the last one applies.
7130 The <command>rrset-order</command> statement
7131 is not yet fully implemented in <acronym>BIND</acronym> 9.
7132 BIND 9 currently does not fully support "fixed" ordering.
7138 <title>Tuning</title>
7143 <term><command>lame-ttl</command></term>
7146 Sets the number of seconds to cache a
7147 lame server indication. 0 disables caching. (This is
7148 <emphasis role="bold">NOT</emphasis> recommended.)
7149 The default is <literal>600</literal> (10 minutes) and the
7151 <literal>1800</literal> (30 minutes).
7158 <term><command>max-ncache-ttl</command></term>
7161 To reduce network traffic and increase performance,
7162 the server stores negative answers. <command>max-ncache-ttl</command> is
7163 used to set a maximum retention time for these answers in
7165 in seconds. The default
7166 <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
7167 <command>max-ncache-ttl</command> cannot exceed
7169 be silently truncated to 7 days if set to a greater value.
7175 <term><command>max-cache-ttl</command></term>
7178 Sets the maximum time for which the server will
7179 cache ordinary (positive) answers. The default is
7181 A value of zero may cause all queries to return
7182 SERVFAIL, because of lost caches of intermediate
7183 RRsets (such as NS and glue AAAA/A records) in the
7190 <term><command>min-roots</command></term>
7193 The minimum number of root servers that
7194 is required for a request for the root servers to be
7195 accepted. The default
7196 is <userinput>2</userinput>.
7200 Not implemented in <acronym>BIND</acronym> 9.
7207 <term><command>sig-validity-interval</command></term>
7210 Specifies the number of days into the
7211 future when DNSSEC signatures automatically generated as a
7213 of dynamic updates (<xref linkend="dynamic_update"/>)
7214 will expire. The default is <literal>30</literal> days.
7215 The maximum value is 10 years (3660 days). The signature
7216 inception time is unconditionally set to one hour before the
7218 to allow for a limited amount of clock skew.
7224 <term><command>min-refresh-time</command></term>
7225 <term><command>max-refresh-time</command></term>
7226 <term><command>min-retry-time</command></term>
7227 <term><command>max-retry-time</command></term>
7230 These options control the server's behavior on refreshing a
7232 (querying for SOA changes) or retrying failed transfers.
7233 Usually the SOA values for the zone are used, but these
7235 are set by the master, giving slave server administrators
7237 control over their contents.
7240 These options allow the administrator to set a minimum and
7242 refresh and retry time either per-zone, per-view, or
7244 These options are valid for slave and stub zones,
7245 and clamp the SOA refresh and retry times to the specified
7252 <term><command>edns-udp-size</command></term>
7255 Sets the advertised EDNS UDP buffer size in bytes. Valid
7256 values are 512 to 4096 (values outside this range
7257 will be silently adjusted). The default value is
7258 4096. The usual reason for setting edns-udp-size to
7259 a non-default value is to get UDP answers to pass
7260 through broken firewalls that block fragmented
7261 packets and/or block UDP packets that are greater
7268 <term><command>max-udp-size</command></term>
7271 Sets the maximum EDNS UDP message size named will
7272 send in bytes. Valid values are 512 to 4096 (values outside
7273 this range will be silently adjusted). The default
7274 value is 4096. The usual reason for setting
7275 max-udp-size to a non-default value is to get UDP
7276 answers to pass through broken firewalls that
7277 block fragmented packets and/or block UDP packets
7278 that are greater than 512 bytes.
7279 This is independent of the advertised receive
7280 buffer (<command>edns-udp-size</command>).
7286 <term><command>masterfile-format</command></term>
7289 the file format of zone files (see
7290 <xref linkend="zonefile_format"/>).
7291 The default value is <constant>text</constant>, which is the
7292 standard textual representation. Files in other formats
7293 than <constant>text</constant> are typically expected
7294 to be generated by the <command>named-compilezone</command> tool.
7295 Note that when a zone file in a different format than
7296 <constant>text</constant> is loaded, <command>named</command>
7297 may omit some of the checks which would be performed for a
7298 file in the <constant>text</constant> format. In particular,
7299 <command>check-names</command> checks do not apply
7300 for the <constant>raw</constant> format. This means
7301 a zone file in the <constant>raw</constant> format
7302 must be generated with the same check level as that
7303 specified in the <command>named</command> configuration
7304 file. This statement sets the
7305 <command>masterfile-format</command> for all zones,
7306 but can be overridden on a per-zone or per-view basis
7307 by including a <command>masterfile-format</command>
7308 statement within the <command>zone</command> or
7309 <command>view</command> block in the configuration
7316 <term><command>clients-per-query</command></term>
7317 <term><command>max-clients-per-query</command></term>
7320 initial value (minimum) and maximum number of recursive
7321 simultanious clients for any given query
7322 (<qname,qtype,qclass>) that the server will accept
7323 before dropping additional clients. named will attempt to
7324 self tune this value and changes will be logged. The
7325 default values are 10 and 100.
7328 This value should reflect how many queries come in for
7329 a given name in the time it takes to resolve that name.
7330 If the number of queries exceed this value, named will
7331 assume that it is dealing with a non-responsive zone
7332 and will drop additional queries. If it gets a response
7333 after dropping queries, it will raise the estimate. The
7334 estimate will then be lowered in 20 minutes if it has
7338 If <command>clients-per-query</command> is set to zero,
7339 then there is no limit on the number of clients per query
7340 and no queries will be dropped.
7343 If <command>max-clients-per-query</command> is set to zero,
7344 then there is no upper bound other than imposed by
7345 <command>recursive-clients</command>.
7351 <term><command>notify-delay</command></term>
7354 The delay, in seconds, between sending sets of notify
7355 messages for a zone. The default is zero.
7363 <sect3 id="builtin">
7364 <title>Built-in server information zones</title>
7367 The server provides some helpful diagnostic information
7368 through a number of built-in zones under the
7369 pseudo-top-level-domain <literal>bind</literal> in the
7370 <command>CHAOS</command> class. These zones are part
7372 built-in view (see <xref linkend="view_statement_grammar"/>) of
7374 <command>CHAOS</command> which is separate from the
7376 class <command>IN</command>; therefore, any global
7378 such as <command>allow-query</command> do not apply
7380 If you feel the need to disable these zones, use the options
7381 below, or hide the built-in <command>CHAOS</command>
7383 defining an explicit view of class <command>CHAOS</command>
7384 that matches all clients.
7390 <term><command>version</command></term>
7393 The version the server should report
7394 via a query of the name <literal>version.bind</literal>
7395 with type <command>TXT</command>, class <command>CHAOS</command>.
7396 The default is the real version number of this server.
7397 Specifying <command>version none</command>
7398 disables processing of the queries.
7404 <term><command>hostname</command></term>
7407 The hostname the server should report via a query of
7408 the name <filename>hostname.bind</filename>
7409 with type <command>TXT</command>, class <command>CHAOS</command>.
7410 This defaults to the hostname of the machine hosting the
7412 found by the gethostname() function. The primary purpose of such queries
7414 identify which of a group of anycast servers is actually
7415 answering your queries. Specifying <command>hostname none;</command>
7416 disables processing of the queries.
7422 <term><command>server-id</command></term>
7425 The ID of the server should report via a query of
7426 the name <filename>ID.SERVER</filename>
7427 with type <command>TXT</command>, class <command>CHAOS</command>.
7428 The primary purpose of such queries is to
7429 identify which of a group of anycast servers is actually
7430 answering your queries. Specifying <command>server-id none;</command>
7431 disables processing of the queries.
7432 Specifying <command>server-id hostname;</command> will cause named to
7433 use the hostname as found by the gethostname() function.
7434 The default <command>server-id</command> is <command>none</command>.
7444 <title>Built-in Empty Zones</title>
7446 Named has some built-in empty zones (SOA and NS records only).
7447 These are for zones that should normally be answered locally
7448 and which queries should not be sent to the Internet's root
7449 servers. The official servers which cover these namespaces
7450 return NXDOMAIN responses to these queries. In particular,
7451 these cover the reverse namespace for addresses from RFC 1918 and
7452 RFC 3330. They also include the reverse namespace for IPv6 local
7453 address (locally assigned), IPv6 link local addresses, the IPv6
7454 loopback address and the IPv6 unknown addresss.
7457 Named will attempt to determine if a built in zone already exists
7458 or is active (covered by a forward-only forwarding declaration)
7459 and will not not create a empty zone in that case.
7462 The current list of empty zones is:
7464 <!-- XXX: The RFC1918 addresses are #defined out in sources currently.
7465 <listitem>10.IN-ADDR.ARPA</listitem>
7466 <listitem>16.172.IN-ADDR.ARPA</listitem>
7467 <listitem>17.172.IN-ADDR.ARPA</listitem>
7468 <listitem>18.172.IN-ADDR.ARPA</listitem>
7469 <listitem>19.172.IN-ADDR.ARPA</listitem>
7470 <listitem>20.172.IN-ADDR.ARPA</listitem>
7471 <listitem>21.172.IN-ADDR.ARPA</listitem>
7472 <listitem>22.172.IN-ADDR.ARPA</listitem>
7473 <listitem>23.172.IN-ADDR.ARPA</listitem>
7474 <listitem>24.172.IN-ADDR.ARPA</listitem>
7475 <listitem>25.172.IN-ADDR.ARPA</listitem>
7476 <listitem>26.172.IN-ADDR.ARPA</listitem>
7477 <listitem>27.172.IN-ADDR.ARPA</listitem>
7478 <listitem>28.172.IN-ADDR.ARPA</listitem>
7479 <listitem>29.172.IN-ADDR.ARPA</listitem>
7480 <listitem>30.172.IN-ADDR.ARPA</listitem>
7481 <listitem>31.172.IN-ADDR.ARPA</listitem>
7482 <listitem>168.192.IN-ADDR.ARPA</listitem>
7483 XXX: end of RFC1918 addresses #defined out -->
7484 <listitem>0.IN-ADDR.ARPA</listitem>
7485 <listitem>127.IN-ADDR.ARPA</listitem>
7486 <listitem>254.169.IN-ADDR.ARPA</listitem>
7487 <listitem>2.0.192.IN-ADDR.ARPA</listitem>
7488 <listitem>255.255.255.255.IN-ADDR.ARPA</listitem>
7489 <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7490 <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
7491 <listitem>D.F.IP6.ARPA</listitem>
7492 <listitem>8.E.F.IP6.ARPA</listitem>
7493 <listitem>9.E.F.IP6.ARPA</listitem>
7494 <listitem>A.E.F.IP6.ARPA</listitem>
7495 <listitem>B.E.F.IP6.ARPA</listitem>
7499 Empty zones are settable at the view level and only apply to
7500 views of class IN. Disabled empty zones are only inherited
7501 from options if there are no disabled empty zones specified
7502 at the view level. To override the options list of disabled
7503 zones, you can disable the root zone at the view level, for example:
7505 disable-empty-zone ".";
7509 If you are using the address ranges covered here, you should
7510 already have reverse zones covering the addresses you use.
7511 In practice this appears to not be the case with many queries
7512 being made to the infrastructure servers for names in these
7513 spaces. So many in fact that sacrificial servers were needed
7514 to be deployed to channel the query load away from the
7515 infrastructure servers.
7518 The real parent servers for these zones should disable all
7519 empty zone under the parent zone they serve. For the real
7520 root servers, this is all built in empty zones. This will
7521 enable them to return referrals to deeper in the tree.
7525 <term><command>empty-server</command></term>
7528 Specify what server name will appear in the returned
7529 SOA record for empty zones. If none is specified, then
7530 the zone's name will be used.
7536 <term><command>empty-contact</command></term>
7539 Specify what contact name will appear in the returned
7540 SOA record for empty zones. If none is specified, then
7547 <term><command>empty-zones-enable</command></term>
7550 Enable or disable all empty zones. By default they
7557 <term><command>disable-empty-zone</command></term>
7560 Disable individual empty zones. By default none are
7561 disabled. This option can be specified multiple times.
7568 <sect3 id="statsfile">
7569 <title>The Statistics File</title>
7572 The statistics file generated by <acronym>BIND</acronym> 9
7573 is similar, but not identical, to that
7574 generated by <acronym>BIND</acronym> 8.
7577 The statistics dump begins with a line, like:
7580 <command>+++ Statistics Dump +++ (973798949)</command>
7583 The number in parentheses is a standard
7584 Unix-style timestamp, measured as seconds since January 1, 1970.
7586 that line are a series of lines containing a counter type, the
7588 counter, optionally a zone name, and optionally a view name.
7589 The lines without view and zone listed are global statistics for
7591 Lines with a zone and view name for the given view and zone (the
7593 omitted for the default view).
7596 The statistics dump ends with the line where the
7597 number is identical to the number in the beginning line; for example:
7600 <command>--- Statistics Dump --- (973798949)</command>
7603 The following statistics counters are maintained:
7605 <informaltable colsep="0" rowsep="0">
7606 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
7607 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
7608 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
7612 <para><command>success</command></para>
7617 successful queries made to the server or zone. A
7619 is defined as query which returns a NOERROR response
7627 <para><command>referral</command></para>
7631 The number of queries which resulted
7632 in referral responses.
7638 <para><command>nxrrset</command></para>
7642 The number of queries which resulted in
7643 NOERROR responses with no data.
7649 <para><command>nxdomain</command></para>
7654 of queries which resulted in NXDOMAIN responses.
7660 <para><command>failure</command></para>
7664 The number of queries which resulted in a
7665 failure response other than those above.
7671 <para><command>recursion</command></para>
7675 The number of queries which caused the server
7676 to perform recursion in order to find the final answer.
7682 <para><command>duplicate</command></para>
7686 The number of queries which the server attempted to
7687 recurse but discover a existing query with the same
7688 IP address, port, query id, name, type and class
7689 already being processed.
7695 <para><command>dropped</command></para>
7699 The number of queries for which the server
7700 discovered a excessive number of existing
7701 recursive queries for the same name, type and
7702 class and were subsequently dropped.
7711 Each query received by the server will cause exactly one of
7712 <command>success</command>,
7713 <command>referral</command>,
7714 <command>nxrrset</command>,
7715 <command>nxdomain</command>,
7716 <command>failure</command>,
7717 <command>duplicate</command>, or
7718 <command>dropped</command>
7719 to be incremented, and may additionally cause the
7720 <command>recursion</command> counter to be
7727 <title>Additional Section Caching</title>
7730 The additional section cache, also called <command>acache</command>,
7731 is an internal cache to improve the response performance of BIND 9.
7732 When additional section caching is enabled, BIND 9 will
7733 cache an internal short-cut to the additional section content for
7735 Note that <command>acache</command> is an internal caching
7736 mechanism of BIND 9, and is not related to the DNS caching
7741 Additional section caching does not change the
7742 response content (except the RRsets ordering of the additional
7743 section, see below), but can improve the response performance
7745 It is particularly effective when BIND 9 acts as an authoritative
7746 server for a zone that has many delegations with many glue RRs.
7750 In order to obtain the maximum performance improvement
7751 from additional section caching, setting
7752 <command>additional-from-cache</command>
7753 to <command>no</command> is recommended, since the current
7754 implementation of <command>acache</command>
7755 does not short-cut of additional section information from the
7760 One obvious disadvantage of <command>acache</command> is
7761 that it requires much more
7762 memory for the internal cached data.
7763 Thus, if the response performance does not matter and memory
7764 consumption is much more critical, the
7765 <command>acache</command> mechanism can be
7766 disabled by setting <command>acache-enable</command> to
7767 <command>no</command>.
7768 It is also possible to specify the upper limit of memory
7770 for acache by using <command>max-acache-size</command>.
7774 Additional section caching also has a minor effect on the
7775 RRset ordering in the additional section.
7776 Without <command>acache</command>,
7777 <command>cyclic</command> order is effective for the additional
7778 section as well as the answer and authority sections.
7779 However, additional section caching fixes the ordering when it
7780 first caches an RRset for the additional section, and the same
7781 ordering will be kept in succeeding responses, regardless of the
7782 setting of <command>rrset-order</command>.
7783 The effect of this should be minor, however, since an
7784 RRset in the additional section
7785 typically only contains a small number of RRs (and in many cases
7786 it only contains a single RR), in which case the
7787 ordering does not matter much.
7791 The following is a summary of options related to
7792 <command>acache</command>.
7798 <term><command>acache-enable</command></term>
7801 If <command>yes</command>, additional section caching is
7802 enabled. The default value is <command>no</command>.
7808 <term><command>acache-cleaning-interval</command></term>
7811 The server will remove stale cache entries, based on an LRU
7813 algorithm, every <command>acache-cleaning-interval</command> minutes.
7814 The default is 60 minutes.
7815 If set to 0, no periodic cleaning will occur.
7821 <term><command>max-acache-size</command></term>
7824 The maximum amount of memory in bytes to use for the server's acache.
7825 When the amount of data in the acache reaches this limit,
7827 will clean more aggressively so that the limit is not
7829 In a server with multiple views, the limit applies
7831 acache of each view.
7832 The default is <literal>unlimited</literal>,
7834 entries are purged from the acache only at the
7835 periodic cleaning time.
7846 <sect2 id="server_statement_grammar">
7847 <title><command>server</command> Statement Grammar</title>
7849 <programlisting><command>server</command> <replaceable>ip_addr[/prefixlen]</replaceable> {
7850 <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
7851 <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
7852 <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
7853 <optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
7854 <optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
7855 <optional> max-udp-size <replaceable>number</replaceable> ; </optional>
7856 <optional> transfers <replaceable>number</replaceable> ; </optional>
7857 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
7858 <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
7859 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7860 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7861 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7862 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
7863 <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7864 <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
7870 <sect2 id="server_statement_definition_and_usage">
7871 <title><command>server</command> Statement Definition and
7875 The <command>server</command> statement defines
7877 to be associated with a remote name server. If a prefix length is
7878 specified, then a range of servers is covered. Only the most
7880 server clause applies regardless of the order in
7881 <filename>named.conf</filename>.
7885 The <command>server</command> statement can occur at
7886 the top level of the
7887 configuration file or inside a <command>view</command>
7889 If a <command>view</command> statement contains
7890 one or more <command>server</command> statements, only
7892 apply to the view and any top-level ones are ignored.
7893 If a view contains no <command>server</command>
7895 any top-level <command>server</command> statements are
7901 If you discover that a remote server is giving out bad data,
7902 marking it as bogus will prevent further queries to it. The
7904 value of <command>bogus</command> is <command>no</command>.
7907 The <command>provide-ixfr</command> clause determines
7909 the local server, acting as master, will respond with an
7911 zone transfer when the given remote server, a slave, requests it.
7912 If set to <command>yes</command>, incremental transfer
7914 whenever possible. If set to <command>no</command>,
7916 to the remote server will be non-incremental. If not set, the
7918 of the <command>provide-ixfr</command> option in the
7920 global options block is used as a default.
7924 The <command>request-ixfr</command> clause determines
7926 the local server, acting as a slave, will request incremental zone
7927 transfers from the given remote server, a master. If not set, the
7928 value of the <command>request-ixfr</command> option in
7930 global options block is used as a default.
7934 IXFR requests to servers that do not support IXFR will
7936 fall back to AXFR. Therefore, there is no need to manually list
7937 which servers support IXFR and which ones do not; the global
7939 of <command>yes</command> should always work.
7940 The purpose of the <command>provide-ixfr</command> and
7941 <command>request-ixfr</command> clauses is
7942 to make it possible to disable the use of IXFR even when both
7944 and slave claim to support it, for example if one of the servers
7945 is buggy and crashes or corrupts data when IXFR is used.
7949 The <command>edns</command> clause determines whether
7950 the local server will attempt to use EDNS when communicating
7951 with the remote server. The default is <command>yes</command>.
7955 The <command>edns-udp-size</command> option sets the EDNS UDP size
7956 that is advertised by named when querying the remote server.
7957 Valid values are 512 to 4096 bytes (values outside this range will be
7958 silently adjusted). This option is useful when you wish to
7959 advertises a different value to this server than the value you
7960 advertise globally, for example, when there is a firewall at the
7961 remote site that is blocking large replies.
7965 The <command>max-udp-size</command> option sets the
7966 maximum EDNS UDP message size named will send. Valid
7967 values are 512 to 4096 bytes (values outside this range will
7968 be silently adjusted). This option is useful when you
7969 know that there is a firewall that is blocking large
7974 The server supports two zone transfer methods. The first, <command>one-answer</command>,
7975 uses one DNS message per resource record transferred. <command>many-answers</command> packs
7976 as many resource records as possible into a message. <command>many-answers</command> is
7977 more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
7978 8.x, and patched versions of <acronym>BIND</acronym>
7979 4.9.5. You can specify which method
7980 to use for a server with the <command>transfer-format</command> option.
7981 If <command>transfer-format</command> is not
7982 specified, the <command>transfer-format</command>
7984 by the <command>options</command> statement will be
7988 <para><command>transfers</command>
7989 is used to limit the number of concurrent inbound zone
7990 transfers from the specified server. If no
7991 <command>transfers</command> clause is specified, the
7992 limit is set according to the
7993 <command>transfers-per-ns</command> option.
7997 The <command>keys</command> clause identifies a
7998 <command>key_id</command> defined by the <command>key</command> statement,
7999 to be used for transaction security (TSIG, <xref linkend="tsig"/>)
8000 when talking to the remote server.
8001 When a request is sent to the remote server, a request signature
8002 will be generated using the key specified here and appended to the
8003 message. A request originating from the remote server is not
8005 to be signed by this key.
8009 Although the grammar of the <command>keys</command>
8011 allows for multiple keys, only a single key per server is
8017 The <command>transfer-source</command> and
8018 <command>transfer-source-v6</command> clauses specify
8019 the IPv4 and IPv6 source
8020 address to be used for zone transfer with the remote server,
8022 For an IPv4 remote server, only <command>transfer-source</command> can
8024 Similarly, for an IPv6 remote server, only
8025 <command>transfer-source-v6</command> can be
8027 For more details, see the description of
8028 <command>transfer-source</command> and
8029 <command>transfer-source-v6</command> in
8030 <xref linkend="zone_transfers"/>.
8034 The <command>notify-source</command> and
8035 <command>notify-source-v6</command> clauses specify the
8036 IPv4 and IPv6 source address to be used for notify
8037 messages sent to remote servers, respectively. For an
8038 IPv4 remote server, only <command>notify-source</command>
8039 can be specified. Similarly, for an IPv6 remote server,
8040 only <command>notify-source-v6</command> can be specified.
8044 The <command>query-source</command> and
8045 <command>query-source-v6</command> clauses specify the
8046 IPv4 and IPv6 source address to be used for queries
8047 sent to remote servers, respectively. For an IPv4
8048 remote server, only <command>query-source</command> can
8049 be specified. Similarly, for an IPv6 remote server,
8050 only <command>query-source-v6</command> can be specified.
8056 <title><command>trusted-keys</command> Statement Grammar</title>
8058 <programlisting><command>trusted-keys</command> {
8059 <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
8060 <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
8066 <title><command>trusted-keys</command> Statement Definition
8069 The <command>trusted-keys</command> statement defines
8070 DNSSEC security roots. DNSSEC is described in <xref
8071 linkend="DNSSEC"/>. A security root is defined when the
8072 public key for a non-authoritative zone is known, but
8073 cannot be securely obtained through DNS, either because
8074 it is the DNS root zone or because its parent zone is
8075 unsigned. Once a key has been configured as a trusted
8076 key, it is treated as if it had been validated and
8077 proven secure. The resolver attempts DNSSEC validation
8078 on all DNS data in subdomains of a security root.
8081 All keys (and corresponding zones) listed in
8082 <command>trusted-keys</command> are deemed to exist regardless
8083 of what parent zones say. Similarly for all keys listed in
8084 <command>trusted-keys</command> only those keys are
8085 used to validate the DNSKEY RRset. The parent's DS RRset
8089 The <command>trusted-keys</command> statement can contain
8090 multiple key entries, each consisting of the key's
8091 domain name, flags, protocol, algorithm, and the Base-64
8092 representation of the key data.
8096 <sect2 id="view_statement_grammar">
8097 <title><command>view</command> Statement Grammar</title>
8099 <programlisting><command>view</command> <replaceable>view_name</replaceable>
8100 <optional><replaceable>class</replaceable></optional> {
8101 match-clients { <replaceable>address_match_list</replaceable> };
8102 match-destinations { <replaceable>address_match_list</replaceable> };
8103 match-recursive-only <replaceable>yes_or_no</replaceable> ;
8104 <optional> <replaceable>view_option</replaceable>; ...</optional>
8105 <optional> <replaceable>zone_statement</replaceable>; ...</optional>
8111 <title><command>view</command> Statement Definition and Usage</title>
8114 The <command>view</command> statement is a powerful
8116 of <acronym>BIND</acronym> 9 that lets a name server
8117 answer a DNS query differently
8118 depending on who is asking. It is particularly useful for
8120 split DNS setups without having to run multiple servers.
8124 Each <command>view</command> statement defines a view
8126 DNS namespace that will be seen by a subset of clients. A client
8128 a view if its source IP address matches the
8129 <varname>address_match_list</varname> of the view's
8130 <command>match-clients</command> clause and its
8131 destination IP address matches
8132 the <varname>address_match_list</varname> of the
8134 <command>match-destinations</command> clause. If not
8136 <command>match-clients</command> and <command>match-destinations</command>
8137 default to matching all addresses. In addition to checking IP
8139 <command>match-clients</command> and <command>match-destinations</command>
8140 can also take <command>keys</command> which provide an
8142 client to select the view. A view can also be specified
8143 as <command>match-recursive-only</command>, which
8144 means that only recursive
8145 requests from matching clients will match that view.
8146 The order of the <command>view</command> statements is
8148 a client request will be resolved in the context of the first
8149 <command>view</command> that it matches.
8153 Zones defined within a <command>view</command>
8155 only be accessible to clients that match the <command>view</command>.
8156 By defining a zone of the same name in multiple views, different
8157 zone data can be given to different clients, for example,
8159 and "external" clients in a split DNS setup.
8163 Many of the options given in the <command>options</command> statement
8164 can also be used within a <command>view</command>
8166 apply only when resolving queries with that view. When no
8168 value is given, the value in the <command>options</command> statement
8169 is used as a default. Also, zone options can have default values
8171 in the <command>view</command> statement; these
8172 view-specific defaults
8173 take precedence over those in the <command>options</command> statement.
8177 Views are class specific. If no class is given, class IN
8178 is assumed. Note that all non-IN views must contain a hint zone,
8179 since only the IN class has compiled-in default hints.
8183 If there are no <command>view</command> statements in
8185 file, a default view that matches any client is automatically
8187 in class IN. Any <command>zone</command> statements
8189 the top level of the configuration file are considered to be part
8191 this default view, and the <command>options</command>
8193 apply to the default view. If any explicit <command>view</command>
8194 statements are present, all <command>zone</command>
8196 occur inside <command>view</command> statements.
8200 Here is an example of a typical split DNS setup implemented
8201 using <command>view</command> statements:
8204 <programlisting>view "internal" {
8205 // This should match our internal networks.
8206 match-clients { 10.0.0.0/8; };
8208 // Provide recursive service to internal clients only.
8211 // Provide a complete view of the example.com zone
8212 // including addresses of internal hosts.
8213 zone "example.com" {
8215 file "example-internal.db";
8220 // Match all clients not matched by the previous view.
8221 match-clients { any; };
8223 // Refuse recursive service to external clients.
8226 // Provide a restricted view of the example.com zone
8227 // containing only publicly accessible hosts.
8228 zone "example.com" {
8230 file "example-external.db";
8236 <sect2 id="zone_statement_grammar">
8237 <title><command>zone</command>
8238 Statement Grammar</title>
8240 <programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8242 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8243 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8244 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
8245 <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
8246 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8247 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8248 <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8249 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
8250 <optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
8251 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8252 <optional> file <replaceable>string</replaceable> ; </optional>
8253 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8254 <optional> journal <replaceable>string</replaceable> ; </optional>
8255 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8256 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8257 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8258 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8259 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8260 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8261 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8262 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8263 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8264 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
8265 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8266 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8267 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8268 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8269 <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
8270 <optional> database <replaceable>string</replaceable> ; </optional>
8271 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8272 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8273 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8274 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8275 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
8276 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8279 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8281 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
8282 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8283 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8284 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
8285 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
8286 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8287 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8288 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8289 <optional> file <replaceable>string</replaceable> ; </optional>
8290 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8291 <optional> journal <replaceable>string</replaceable> ; </optional>
8292 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8293 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8294 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8295 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8296 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8297 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8298 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8299 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8300 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8301 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8302 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8303 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8304 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8305 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8306 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8307 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8308 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8309 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8310 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8311 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8312 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8313 <optional> database <replaceable>string</replaceable> ; </optional>
8314 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8315 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8316 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8317 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8318 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8319 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8322 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8324 file <replaceable>string</replaceable> ;
8325 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8326 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
8329 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8331 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8332 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8333 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8334 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8335 <optional> file <replaceable>string</replaceable> ; </optional>
8336 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8337 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8338 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8339 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8340 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8341 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8342 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8343 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8344 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8345 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8346 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8347 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8348 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8349 <optional> database <replaceable>string</replaceable> ; </optional>
8350 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8351 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8352 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8353 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8354 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8357 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8359 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8360 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8361 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8364 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8365 type delegation-only;
8372 <title><command>zone</command> Statement Definition and Usage</title>
8374 <title>Zone Types</title>
8375 <informaltable colsep="0" rowsep="0">
8376 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
8377 <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
8378 <!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
8379 <colspec colname="1" colnum="1" colsep="0"/>
8380 <colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
8385 <varname>master</varname>
8390 The server has a master copy of the data
8391 for the zone and will be able to provide authoritative
8400 <varname>slave</varname>
8405 A slave zone is a replica of a master
8406 zone. The <command>masters</command> list
8407 specifies one or more IP addresses
8408 of master servers that the slave contacts to update
8409 its copy of the zone.
8410 Masters list elements can also be names of other
8412 By default, transfers are made from port 53 on the
8414 be changed for all servers by specifying a port number
8416 list of IP addresses, or on a per-server basis after
8418 Authentication to the master can also be done with
8419 per-server TSIG keys.
8420 If a file is specified, then the
8421 replica will be written to this file whenever the zone
8423 and reloaded from this file on a server restart. Use
8425 recommended, since it often speeds server startup and
8427 a needless waste of bandwidth. Note that for large
8429 tens or hundreds of thousands) of zones per server, it
8431 use a two-level naming scheme for zone filenames. For
8433 a slave server for the zone <literal>example.com</literal> might place
8434 the zone contents into a file called
8435 <filename>ex/example.com</filename> where <filename>ex/</filename> is
8436 just the first two letters of the zone name. (Most
8438 behave very slowly if you put 100 000 files into
8439 a single directory.)
8446 <varname>stub</varname>
8451 A stub zone is similar to a slave zone,
8452 except that it replicates only the NS records of a
8454 of the entire zone. Stub zones are not a standard part
8456 they are a feature specific to the <acronym>BIND</acronym> implementation.
8460 Stub zones can be used to eliminate the need for glue
8462 in a parent zone at the expense of maintaining a stub
8464 a set of name server addresses in <filename>named.conf</filename>.
8465 This usage is not recommended for new configurations,
8467 supports it only in a limited way.
8468 In <acronym>BIND</acronym> 4/8, zone
8469 transfers of a parent zone
8470 included the NS records from stub children of that
8472 that, in some cases, users could get away with
8473 configuring child stubs
8474 only in the master server for the parent zone. <acronym>BIND</acronym>
8475 9 never mixes together zone data from different zones
8477 way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
8478 zone has child stub zones configured, all the slave
8480 parent zone also need to have the same child stub
8486 Stub zones can also be used as a way of forcing the
8488 of a given domain to use a particular set of
8489 authoritative servers.
8490 For example, the caching name servers on a private
8492 RFC1918 addressing may be configured with stub zones
8494 <literal>10.in-addr.arpa</literal>
8495 to use a set of internal name servers as the
8497 servers for that domain.
8504 <varname>forward</varname>
8509 A "forward zone" is a way to configure
8510 forwarding on a per-domain basis. A <command>zone</command> statement
8511 of type <command>forward</command> can
8512 contain a <command>forward</command>
8513 and/or <command>forwarders</command>
8515 which will apply to queries within the domain given by
8517 name. If no <command>forwarders</command>
8518 statement is present or
8519 an empty list for <command>forwarders</command> is given, then no
8520 forwarding will be done for the domain, canceling the
8522 any forwarders in the <command>options</command> statement. Thus
8523 if you want to use this type of zone to change the
8525 global <command>forward</command> option
8526 (that is, "forward first"
8527 to, then "forward only", or vice versa, but want to
8529 servers as set globally) you need to re-specify the
8537 <varname>hint</varname>
8542 The initial set of root name servers is
8543 specified using a "hint zone". When the server starts
8545 the root hints to find a root name server and get the
8547 list of root name servers. If no hint zone is
8549 IN, the server uses a compiled-in default set of root
8551 Classes other than IN have no built-in defaults hints.
8558 <varname>delegation-only</varname>
8563 This is used to enforce the delegation-only
8564 status of infrastructure zones (e.g. COM, NET, ORG).
8566 is received without an explicit or implicit delegation
8568 section will be treated as NXDOMAIN. This does not
8570 apex. This should not be applied to leaf zones.
8573 <varname>delegation-only</varname> has no
8574 effect on answers received
8585 <title>Class</title>
8587 The zone's name may optionally be followed by a class. If
8588 a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
8589 is assumed. This is correct for the vast majority of cases.
8592 The <literal>hesiod</literal> class is
8593 named for an information service from MIT's Project Athena. It
8595 used to share information about various systems databases, such
8596 as users, groups, printers and so on. The keyword
8597 <literal>HS</literal> is
8598 a synonym for hesiod.
8601 Another MIT development is Chaosnet, a LAN protocol created
8602 in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
8607 <title>Zone Options</title>
8612 <term><command>allow-notify</command></term>
8615 See the description of
8616 <command>allow-notify</command> in <xref linkend="access_control"/>.
8622 <term><command>allow-query</command></term>
8625 See the description of
8626 <command>allow-query</command> in <xref linkend="access_control"/>.
8632 <term><command>allow-transfer</command></term>
8635 See the description of <command>allow-transfer</command>
8636 in <xref linkend="access_control"/>.
8642 <term><command>allow-update</command></term>
8645 See the description of <command>allow-update</command>
8646 in <xref linkend="access_control"/>.
8652 <term><command>update-policy</command></term>
8655 Specifies a "Simple Secure Update" policy. See
8656 <xref linkend="dynamic_update_policies"/>.
8662 <term><command>allow-update-forwarding</command></term>
8665 See the description of <command>allow-update-forwarding</command>
8666 in <xref linkend="access_control"/>.
8672 <term><command>also-notify</command></term>
8675 Only meaningful if <command>notify</command>
8677 active for this zone. The set of machines that will
8679 <literal>DNS NOTIFY</literal> message
8680 for this zone is made up of all the listed name servers
8682 the primary master) for the zone plus any IP addresses
8684 with <command>also-notify</command>. A port
8686 with each <command>also-notify</command>
8687 address to send the notify
8688 messages to a port other than the default of 53.
8689 <command>also-notify</command> is not
8690 meaningful for stub zones.
8691 The default is the empty list.
8697 <term><command>check-names</command></term>
8700 This option is used to restrict the character set and
8702 certain domain names in master files and/or DNS responses
8704 network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
8705 zones the default is <command>warn</command>.
8711 <term><command>check-mx</command></term>
8714 See the description of
8715 <command>check-mx</command> in <xref linkend="boolean_options"/>.
8721 <term><command>check-wildcard</command></term>
8724 See the description of
8725 <command>check-wildcard</command> in <xref linkend="boolean_options"/>.
8731 <term><command>check-integrity</command></term>
8734 See the description of
8735 <command>check-integrity</command> in <xref linkend="boolean_options"/>.
8741 <term><command>check-sibling</command></term>
8744 See the description of
8745 <command>check-sibling</command> in <xref linkend="boolean_options"/>.
8751 <term><command>zero-no-soa-ttl</command></term>
8754 See the description of
8755 <command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
8761 <term><command>update-check-ksk</command></term>
8764 See the description of
8765 <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
8771 <term><command>database</command></term>
8774 Specify the type of database to be used for storing the
8775 zone data. The string following the <command>database</command> keyword
8776 is interpreted as a list of whitespace-delimited words.
8778 identifies the database type, and any subsequent words are
8780 as arguments to the database to be interpreted in a way
8782 to the database type.
8785 The default is <userinput>"rbt"</userinput>, BIND 9's
8787 red-black-tree database. This database does not take
8791 Other values are possible if additional database drivers
8792 have been linked into the server. Some sample drivers are
8794 with the distribution but none are linked in by default.
8800 <term><command>dialup</command></term>
8803 See the description of
8804 <command>dialup</command> in <xref linkend="boolean_options"/>.
8810 <term><command>delegation-only</command></term>
8813 The flag only applies to hint and stub zones. If set
8814 to <userinput>yes</userinput>, then the zone will also be
8816 is also a delegation-only type zone.
8822 <term><command>forward</command></term>
8825 Only meaningful if the zone has a forwarders
8826 list. The <command>only</command> value causes
8828 after trying the forwarders and getting no answer, while <command>first</command> would
8829 allow a normal lookup to be tried.
8835 <term><command>forwarders</command></term>
8838 Used to override the list of global forwarders.
8839 If it is not specified in a zone of type <command>forward</command>,
8840 no forwarding is done for the zone and the global options are
8847 <term><command>ixfr-base</command></term>
8850 Was used in <acronym>BIND</acronym> 8 to
8852 of the transaction log (journal) file for dynamic update
8854 <acronym>BIND</acronym> 9 ignores the option
8855 and constructs the name of the journal
8856 file by appending "<filename>.jnl</filename>"
8864 <term><command>ixfr-tmp-file</command></term>
8867 Was an undocumented option in <acronym>BIND</acronym> 8.
8868 Ignored in <acronym>BIND</acronym> 9.
8874 <term><command>journal</command></term>
8877 Allow the default journal's filename to be overridden.
8878 The default is the zone's filename with "<filename>.jnl</filename>" appended.
8879 This is applicable to <command>master</command> and <command>slave</command> zones.
8885 <term><command>max-transfer-time-in</command></term>
8888 See the description of
8889 <command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
8895 <term><command>max-transfer-idle-in</command></term>
8898 See the description of
8899 <command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
8905 <term><command>max-transfer-time-out</command></term>
8908 See the description of
8909 <command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
8915 <term><command>max-transfer-idle-out</command></term>
8918 See the description of
8919 <command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
8925 <term><command>notify</command></term>
8928 See the description of
8929 <command>notify</command> in <xref linkend="boolean_options"/>.
8935 <term><command>notify-delay</command></term>
8938 See the description of
8939 <command>notify-delay</command> in <xref linkend="tuning"/>.
8945 <term><command>pubkey</command></term>
8948 In <acronym>BIND</acronym> 8, this option was
8949 intended for specifying
8950 a public zone key for verification of signatures in DNSSEC
8952 zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
8953 on load and ignores the option.
8959 <term><command>zone-statistics</command></term>
8962 If <userinput>yes</userinput>, the server will keep
8964 information for this zone, which can be dumped to the
8965 <command>statistics-file</command> defined in
8972 <term><command>sig-validity-interval</command></term>
8975 See the description of
8976 <command>sig-validity-interval</command> in <xref linkend="tuning"/>.
8982 <term><command>transfer-source</command></term>
8985 See the description of
8986 <command>transfer-source</command> in <xref linkend="zone_transfers"/>.
8992 <term><command>transfer-source-v6</command></term>
8995 See the description of
8996 <command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9002 <term><command>alt-transfer-source</command></term>
9005 See the description of
9006 <command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9012 <term><command>alt-transfer-source-v6</command></term>
9015 See the description of
9016 <command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9022 <term><command>use-alt-transfer-source</command></term>
9025 See the description of
9026 <command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9033 <term><command>notify-source</command></term>
9036 See the description of
9037 <command>notify-source</command> in <xref linkend="zone_transfers"/>.
9043 <term><command>notify-source-v6</command></term>
9046 See the description of
9047 <command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
9053 <term><command>min-refresh-time</command></term>
9054 <term><command>max-refresh-time</command></term>
9055 <term><command>min-retry-time</command></term>
9056 <term><command>max-retry-time</command></term>
9059 See the description in <xref linkend="tuning"/>.
9065 <term><command>ixfr-from-differences</command></term>
9068 See the description of
9069 <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
9075 <term><command>key-directory</command></term>
9078 See the description of
9079 <command>key-directory</command> in <xref linkend="options"/>.
9085 <term><command>multi-master</command></term>
9088 See the description of <command>multi-master</command> in
9089 <xref linkend="boolean_options"/>.
9095 <term><command>masterfile-format</command></term>
9098 See the description of <command>masterfile-format</command>
9099 in <xref linkend="tuning"/>.
9107 <sect3 id="dynamic_update_policies">
9108 <title>Dynamic Update Policies</title>
9110 <acronym>BIND</acronym> 9 supports two alternative
9111 methods of granting clients
9112 the right to perform dynamic updates to a zone,
9113 configured by the <command>allow-update</command>
9115 <command>update-policy</command> option,
9119 The <command>allow-update</command> clause works the
9121 way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
9122 permission to update any record of any name in the zone.
9125 The <command>update-policy</command> clause is new
9126 in <acronym>BIND</acronym>
9127 9 and allows more fine-grained control over what updates are
9129 A set of rules is specified, where each rule either grants or
9131 permissions for one or more names to be updated by one or more
9133 If the dynamic update request message is signed (that is, it
9135 either a TSIG or SIG(0) record), the identity of the signer can
9139 Rules are specified in the <command>update-policy</command> zone
9140 option, and are only meaningful for master zones. When the <command>update-policy</command> statement
9141 is present, it is a configuration error for the <command>allow-update</command> statement
9142 to be present. The <command>update-policy</command>
9144 examines the signer of a message; the source address is not
9148 This is how a rule definition looks:
9152 ( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
9156 Each rule grants or denies privileges. Once a message has
9157 successfully matched a rule, the operation is immediately
9159 or denied and no further rules are examined. A rule is matched
9160 when the signer matches the identity field, the name matches the
9161 name field in accordance with the nametype field, and the type
9163 the types specified in the type field.
9167 The identity field specifies a name or a wildcard name.
9169 is the name of the TSIG or SIG(0) key used to sign the update
9171 TKEY exchange has been used to create a shared secret, the
9173 shared secret is the same as the identity of the key used to
9175 TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
9176 wildcard name, it is subject to DNS wildcard expansion, so the
9178 to multiple identities. The <replaceable>identity</replaceable> field must
9179 contain a fully-qualified domain name.
9183 The <replaceable>nametype</replaceable> field has 6
9185 <varname>name</varname>, <varname>subdomain</varname>,
9186 <varname>wildcard</varname>, <varname>self</varname>,
9187 <varname>selfsub</varname>, and <varname>selfwild</varname>.
9190 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9191 <colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
9192 <colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
9197 <varname>name</varname>
9199 </entry> <entry colname="2">
9201 Exact-match semantics. This rule matches
9202 when the name being updated is identical
9203 to the contents of the
9204 <replaceable>name</replaceable> field.
9211 <varname>subdomain</varname>
9213 </entry> <entry colname="2">
9215 This rule matches when the name being updated
9216 is a subdomain of, or identical to, the
9217 contents of the <replaceable>name</replaceable>
9225 <varname>wildcard</varname>
9227 </entry> <entry colname="2">
9229 The <replaceable>name</replaceable> field
9230 is subject to DNS wildcard expansion, and
9231 this rule matches when the name being updated
9232 name is a valid expansion of the wildcard.
9239 <varname>self</varname>
9244 This rule matches when the name being updated
9245 matches the contents of the
9246 <replaceable>identity</replaceable> field.
9247 The <replaceable>name</replaceable> field
9248 is ignored, but should be the same as the
9249 <replaceable>identity</replaceable> field.
9250 The <varname>self</varname> nametype is
9251 most useful when allowing using one key per
9252 name to update, where the key has the same
9253 name as the name to be updated. The
9254 <replaceable>identity</replaceable> would
9255 be specified as <constant>*</constant> (an asterisk) in
9263 <varname>selfsub</varname>
9265 </entry> <entry colname="2">
9267 This rule is similar to <varname>self</varname>
9268 except that subdomains of <varname>self</varname>
9269 can also be updated.
9276 <varname>selfwild</varname>
9278 </entry> <entry colname="2">
9280 This rule is similar to <varname>self</varname>
9281 except that only subdomains of
9282 <varname>self</varname> can be updated.
9291 In all cases, the <replaceable>name</replaceable>
9293 specify a fully-qualified domain name.
9297 If no types are explicitly specified, this rule matches all
9299 RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
9300 "ANY" (ANY matches all types except NSEC, which can never be
9302 Note that when an attempt is made to delete all records
9304 name, the rules are checked for each existing record type.
9310 <title>Zone File</title>
9311 <sect2 id="types_of_resource_records_and_when_to_use_them">
9312 <title>Types of Resource Records and When to Use Them</title>
9314 This section, largely borrowed from RFC 1034, describes the
9315 concept of a Resource Record (RR) and explains when each is used.
9316 Since the publication of RFC 1034, several new RRs have been
9318 and implemented in the DNS. These are also included.
9321 <title>Resource Records</title>
9324 A domain name identifies a node. Each node has a set of
9325 resource information, which may be empty. The set of resource
9326 information associated with a particular name is composed of
9327 separate RRs. The order of RRs in a set is not significant and
9328 need not be preserved by name servers, resolvers, or other
9329 parts of the DNS. However, sorting of multiple RRs is
9330 permitted for optimization purposes, for example, to specify
9331 that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
9335 The components of a Resource Record are:
9337 <informaltable colsep="0" rowsep="0">
9338 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9339 <colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
9340 <colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
9350 The domain name where the RR is found.
9362 An encoded 16-bit value that specifies
9363 the type of the resource record.
9375 The time-to-live of the RR. This field
9376 is a 32-bit integer in units of seconds, and is
9378 resolvers when they cache RRs. The TTL describes how
9380 be cached before it should be discarded.
9392 An encoded 16-bit value that identifies
9393 a protocol family or instance of a protocol.
9405 The resource data. The format of the
9406 data is type (and sometimes class) specific.
9414 The following are <emphasis>types</emphasis> of valid RRs:
9416 <informaltable colsep="0" rowsep="0">
9417 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9418 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9419 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9429 A host address. In the IN class, this is a
9430 32-bit IP address. Described in RFC 1035.
9442 IPv6 address. Described in RFC 1886.
9454 IPv6 address. This can be a partial
9455 address (a suffix) and an indirection to the name
9456 where the rest of the
9457 address (the prefix) can be found. Experimental.
9458 Described in RFC 2874.
9470 Location of AFS database servers.
9471 Experimental. Described in RFC 1183.
9483 Address prefix list. Experimental.
9484 Described in RFC 3123.
9496 Holds a digital certificate.
9497 Described in RFC 2538.
9509 Identifies the canonical name of an alias.
9510 Described in RFC 1035.
9522 Replaces the domain name specified with
9523 another name to be looked up, effectively aliasing an
9525 subtree of the domain name space rather than a single
9527 as in the case of the CNAME RR.
9528 Described in RFC 2672.
9540 Stores a public key associated with a signed
9541 DNS zone. Described in RFC 4034.
9553 Stores the hash of a public key associated with a
9554 signed DNS zone. Described in RFC 4034.
9566 Specifies the global position. Superseded by LOC.
9578 Identifies the CPU and OS used by a host.
9579 Described in RFC 1035.
9591 Provides a method for storing IPsec keying material in
9592 DNS. Described in RFC 4025.
9604 Representation of ISDN addresses.
9605 Experimental. Described in RFC 1183.
9617 Stores a public key associated with a
9618 DNS name. Used in original DNSSEC; replaced
9619 by DNSKEY in DNSSECbis, but still used with
9620 SIG(0). Described in RFCs 2535 and 2931.
9632 Identifies a key exchanger for this
9633 DNS name. Described in RFC 2230.
9645 For storing GPS info. Described in RFC 1876.
9658 Identifies a mail exchange for the domain with
9659 a 16-bit preference value (lower is better)
9660 followed by the host name of the mail exchange.
9661 Described in RFC 974, RFC 1035.
9673 Name authority pointer. Described in RFC 2915.
9685 A network service access point.
9686 Described in RFC 1706.
9698 The authoritative name server for the
9699 domain. Described in RFC 1035.
9711 Used in DNSSECbis to securely indicate that
9712 RRs with an owner name in a certain name interval do
9714 a zone and indicate what RR types are present for an
9716 Described in RFC 4034.
9728 Used in DNSSEC to securely indicate that
9729 RRs with an owner name in a certain name interval do
9731 a zone and indicate what RR types are present for an
9733 Used in original DNSSEC; replaced by NSEC in
9735 Described in RFC 2535.
9747 A pointer to another part of the domain
9748 name space. Described in RFC 1035.
9760 Provides mappings between RFC 822 and X.400
9761 addresses. Described in RFC 2163.
9773 Information on persons responsible
9774 for the domain. Experimental. Described in RFC 1183.
9786 Contains DNSSECbis signature data. Described
9799 Route-through binding for hosts that
9800 do not have their own direct wide area network
9802 Experimental. Described in RFC 1183.
9814 Contains DNSSEC signature data. Used in
9815 original DNSSEC; replaced by RRSIG in
9816 DNSSECbis, but still used for SIG(0).
9817 Described in RFCs 2535 and 2931.
9829 Identifies the start of a zone of authority.
9830 Described in RFC 1035.
9842 Contains the Sender Policy Framework information
9843 for a given email domain. Described in RFC 4408.
9855 Information about well known network
9856 services (replaces WKS). Described in RFC 2782.
9868 Provides a way to securly publish a secure shell key's
9869 fingerprint. Described in RFC 4255.
9881 Text records. Described in RFC 1035.
9893 Information about which well known
9894 network services, such as SMTP, that a domain
9895 supports. Historical.
9907 Representation of X.25 network addresses.
9908 Experimental. Described in RFC 1183.
9916 The following <emphasis>classes</emphasis> of resource records
9917 are currently valid in the DNS:
9919 <informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9920 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
9921 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
9945 Chaosnet, a LAN protocol created at MIT in the
9947 Rarely used for its historical purpose, but reused for
9949 built-in server information zones, e.g.,
9950 <literal>version.bind</literal>.
9963 Hesiod, an information service
9964 developed by MIT's Project Athena. It is used to share
9966 about various systems databases, such as users,
9978 The owner name is often implicit, rather than forming an
9980 part of the RR. For example, many name servers internally form
9982 or hash structures for the name space, and chain RRs off nodes.
9983 The remaining RR parts are the fixed header (type, class, TTL)
9984 which is consistent for all RRs, and a variable part (RDATA)
9986 fits the needs of the resource being described.
9989 The meaning of the TTL field is a time limit on how long an
9990 RR can be kept in a cache. This limit does not apply to
9992 data in zones; it is also timed out, but by the refreshing
9994 for the zone. The TTL is assigned by the administrator for the
9995 zone where the data originates. While short TTLs can be used to
9996 minimize caching, and a zero TTL prohibits caching, the
9998 of Internet performance suggest that these times should be on
10000 order of days for the typical host. If a change can be
10002 the TTL can be reduced prior to the change to minimize
10004 during the change, and then increased back to its former value
10009 The data in the RDATA section of RRs is carried as a combination
10010 of binary strings and domain names. The domain names are
10012 used as "pointers" to other data in the DNS.
10016 <title>Textual expression of RRs</title>
10018 RRs are represented in binary form in the packets of the DNS
10019 protocol, and are usually represented in highly encoded form
10021 stored in a name server or resolver. In the examples provided
10023 RFC 1034, a style similar to that used in master files was
10025 in order to show the contents of RRs. In this format, most RRs
10026 are shown on a single line, although continuation lines are
10031 The start of the line gives the owner of the RR. If a line
10032 begins with a blank, then the owner is assumed to be the same as
10033 that of the previous RR. Blank lines are often included for
10037 Following the owner, we list the TTL, type, and class of the
10038 RR. Class and type use the mnemonics defined above, and TTL is
10039 an integer before the type field. In order to avoid ambiguity
10041 parsing, type and class mnemonics are disjoint, TTLs are
10043 and the type mnemonic is always last. The IN class and TTL
10045 are often omitted from examples in the interests of clarity.
10048 The resource data or RDATA section of the RR are given using
10049 knowledge of the typical representation for the data.
10052 For example, we might show the RRs carried in a message as:
10054 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10055 <colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
10056 <colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
10057 <colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
10060 <entry colname="1">
10062 <literal>ISI.EDU.</literal>
10065 <entry colname="2">
10067 <literal>MX</literal>
10070 <entry colname="3">
10072 <literal>10 VENERA.ISI.EDU.</literal>
10077 <entry colname="1">
10080 <entry colname="2">
10082 <literal>MX</literal>
10085 <entry colname="3">
10087 <literal>10 VAXA.ISI.EDU</literal>
10092 <entry colname="1">
10094 <literal>VENERA.ISI.EDU</literal>
10097 <entry colname="2">
10099 <literal>A</literal>
10102 <entry colname="3">
10104 <literal>128.9.0.32</literal>
10109 <entry colname="1">
10112 <entry colname="2">
10114 <literal>A</literal>
10117 <entry colname="3">
10119 <literal>10.1.0.52</literal>
10124 <entry colname="1">
10126 <literal>VAXA.ISI.EDU</literal>
10129 <entry colname="2">
10131 <literal>A</literal>
10134 <entry colname="3">
10136 <literal>10.2.0.27</literal>
10141 <entry colname="1">
10144 <entry colname="2">
10146 <literal>A</literal>
10149 <entry colname="3">
10151 <literal>128.9.0.33</literal>
10159 The MX RRs have an RDATA section which consists of a 16-bit
10160 number followed by a domain name. The address RRs use a
10162 IP address format to contain a 32-bit internet address.
10165 The above example shows six RRs, with two RRs at each of three
10169 Similarly we might see:
10171 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10172 <colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
10173 <colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
10174 <colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
10177 <entry colname="1">
10179 <literal>XX.LCS.MIT.EDU.</literal>
10182 <entry colname="2">
10184 <literal>IN A</literal>
10187 <entry colname="3">
10189 <literal>10.0.0.44</literal>
10194 <entry colname="1"/>
10195 <entry colname="2">
10197 <literal>CH A</literal>
10200 <entry colname="3">
10202 <literal>MIT.EDU. 2420</literal>
10210 This example shows two addresses for
10211 <literal>XX.LCS.MIT.EDU</literal>, each of a different class.
10217 <title>Discussion of MX Records</title>
10220 As described above, domain servers store information as a
10221 series of resource records, each of which contains a particular
10222 piece of information about a given domain name (which is usually,
10223 but not always, a host). The simplest way to think of a RR is as
10224 a typed pair of data, a domain name matched with a relevant datum,
10225 and stored with some additional type information to help systems
10226 determine when the RR is relevant.
10230 MX records are used to control delivery of email. The data
10231 specified in the record is a priority and a domain name. The
10233 controls the order in which email delivery is attempted, with the
10234 lowest number first. If two priorities are the same, a server is
10235 chosen randomly. If no servers at a given priority are responding,
10236 the mail transport agent will fall back to the next largest
10238 Priority numbers do not have any absolute meaning — they are
10240 only respective to other MX records for that domain name. The
10242 name given is the machine to which the mail will be delivered.
10243 It <emphasis>must</emphasis> have an associated address record
10244 (A or AAAA) — CNAME is not sufficient.
10247 For a given domain, if there is both a CNAME record and an
10248 MX record, the MX record is in error, and will be ignored.
10250 the mail will be delivered to the server specified in the MX
10252 pointed to by the CNAME.
10257 <informaltable colsep="0" rowsep="0">
10258 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10259 <colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
10260 <colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
10261 <colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
10262 <colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
10263 <colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
10266 <entry colname="1">
10268 <literal>example.com.</literal>
10271 <entry colname="2">
10273 <literal>IN</literal>
10276 <entry colname="3">
10278 <literal>MX</literal>
10281 <entry colname="4">
10283 <literal>10</literal>
10286 <entry colname="5">
10288 <literal>mail.example.com.</literal>
10293 <entry colname="1">
10296 <entry colname="2">
10298 <literal>IN</literal>
10301 <entry colname="3">
10303 <literal>MX</literal>
10306 <entry colname="4">
10308 <literal>10</literal>
10311 <entry colname="5">
10313 <literal>mail2.example.com.</literal>
10318 <entry colname="1">
10321 <entry colname="2">
10323 <literal>IN</literal>
10326 <entry colname="3">
10328 <literal>MX</literal>
10331 <entry colname="4">
10333 <literal>20</literal>
10336 <entry colname="5">
10338 <literal>mail.backup.org.</literal>
10343 <entry colname="1">
10345 <literal>mail.example.com.</literal>
10348 <entry colname="2">
10350 <literal>IN</literal>
10353 <entry colname="3">
10355 <literal>A</literal>
10358 <entry colname="4">
10360 <literal>10.0.0.1</literal>
10363 <entry colname="5">
10368 <entry colname="1">
10370 <literal>mail2.example.com.</literal>
10373 <entry colname="2">
10375 <literal>IN</literal>
10378 <entry colname="3">
10380 <literal>A</literal>
10383 <entry colname="4">
10385 <literal>10.0.0.2</literal>
10388 <entry colname="5">
10394 </informaltable><para>
10395 Mail delivery will be attempted to <literal>mail.example.com</literal> and
10396 <literal>mail2.example.com</literal> (in
10397 any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
10401 <sect2 id="Setting_TTLs">
10402 <title>Setting TTLs</title>
10404 The time-to-live of the RR field is a 32-bit integer represented
10405 in units of seconds, and is primarily used by resolvers when they
10406 cache RRs. The TTL describes how long a RR can be cached before it
10407 should be discarded. The following three types of TTL are
10409 used in a zone file.
10411 <informaltable colsep="0" rowsep="0">
10412 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10413 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
10414 <colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
10417 <entry colname="1">
10422 <entry colname="2">
10424 The last field in the SOA is the negative
10425 caching TTL. This controls how long other servers will
10426 cache no-such-domain
10427 (NXDOMAIN) responses from you.
10430 The maximum time for
10431 negative caching is 3 hours (3h).
10436 <entry colname="1">
10441 <entry colname="2">
10443 The $TTL directive at the top of the
10444 zone file (before the SOA) gives a default TTL for every
10446 a specific TTL set.
10451 <entry colname="1">
10456 <entry colname="2">
10458 Each RR can have a TTL as the second
10459 field in the RR, which will control how long other
10469 All of these TTLs default to units of seconds, though units
10470 can be explicitly specified, for example, <literal>1h30m</literal>.
10474 <title>Inverse Mapping in IPv4</title>
10476 Reverse name resolution (that is, translation from IP address
10477 to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
10478 and PTR records. Entries in the in-addr.arpa domain are made in
10479 least-to-most significant order, read left to right. This is the
10480 opposite order to the way IP addresses are usually written. Thus,
10481 a machine with an IP address of 10.1.2.3 would have a
10483 in-addr.arpa name of
10484 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
10485 whose data field is the name of the machine or, optionally,
10487 PTR records if the machine has more than one name. For example,
10488 in the <optional>example.com</optional> domain:
10490 <informaltable colsep="0" rowsep="0">
10491 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10492 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
10493 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
10496 <entry colname="1">
10498 <literal>$ORIGIN</literal>
10501 <entry colname="2">
10503 <literal>2.1.10.in-addr.arpa</literal>
10508 <entry colname="1">
10510 <literal>3</literal>
10513 <entry colname="2">
10515 <literal>IN PTR foo.example.com.</literal>
10524 The <command>$ORIGIN</command> lines in the examples
10525 are for providing context to the examples only — they do not
10527 appear in the actual usage. They are only used here to indicate
10528 that the example is relative to the listed origin.
10533 <title>Other Zone File Directives</title>
10535 The Master File Format was initially defined in RFC 1035 and
10536 has subsequently been extended. While the Master File Format
10538 is class independent all records in a Master File must be of the
10543 Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
10544 and <command>$TTL.</command>
10547 <title>The <command>$ORIGIN</command> Directive</title>
10549 Syntax: <command>$ORIGIN</command>
10550 <replaceable>domain-name</replaceable>
10551 <optional><replaceable>comment</replaceable></optional>
10553 <para><command>$ORIGIN</command>
10554 sets the domain name that will be appended to any
10555 unqualified records. When a zone is first read in there
10556 is an implicit <command>$ORIGIN</command>
10557 <<varname>zone-name</varname>><command>.</command>
10558 The current <command>$ORIGIN</command> is appended to
10559 the domain specified in the <command>$ORIGIN</command>
10560 argument if it is not absolute.
10564 $ORIGIN example.com.
10565 WWW CNAME MAIN-SERVER
10573 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
10578 <title>The <command>$INCLUDE</command> Directive</title>
10580 Syntax: <command>$INCLUDE</command>
10581 <replaceable>filename</replaceable>
10583 <replaceable>origin</replaceable> </optional>
10584 <optional> <replaceable>comment</replaceable> </optional>
10587 Read and process the file <filename>filename</filename> as
10588 if it were included into the file at this point. If <command>origin</command> is
10589 specified the file is processed with <command>$ORIGIN</command> set
10590 to that value, otherwise the current <command>$ORIGIN</command> is
10594 The origin and the current domain name
10595 revert to the values they had prior to the <command>$INCLUDE</command> once
10596 the file has been read.
10600 RFC 1035 specifies that the current origin should be restored
10602 an <command>$INCLUDE</command>, but it is silent
10603 on whether the current
10604 domain name should also be restored. BIND 9 restores both of
10606 This could be construed as a deviation from RFC 1035, a
10612 <title>The <command>$TTL</command> Directive</title>
10614 Syntax: <command>$TTL</command>
10615 <replaceable>default-ttl</replaceable>
10617 <replaceable>comment</replaceable> </optional>
10620 Set the default Time To Live (TTL) for subsequent records
10621 with undefined TTLs. Valid TTLs are of the range 0-2147483647
10624 <para><command>$TTL</command>
10625 is defined in RFC 2308.
10630 <title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
10632 Syntax: <command>$GENERATE</command>
10633 <replaceable>range</replaceable>
10634 <replaceable>lhs</replaceable>
10635 <optional><replaceable>ttl</replaceable></optional>
10636 <optional><replaceable>class</replaceable></optional>
10637 <replaceable>type</replaceable>
10638 <replaceable>rhs</replaceable>
10639 <optional><replaceable>comment</replaceable></optional>
10641 <para><command>$GENERATE</command>
10642 is used to create a series of resource records that only
10643 differ from each other by an
10644 iterator. <command>$GENERATE</command> can be used to
10645 easily generate the sets of records required to support
10646 sub /24 reverse delegations described in RFC 2317:
10647 Classless IN-ADDR.ARPA delegation.
10650 <programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
10651 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
10652 $GENERATE 1-127 $ CNAME $.0</programlisting>
10658 <programlisting>0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
10659 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
10660 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
10661 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
10663 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
10666 <informaltable colsep="0" rowsep="0">
10667 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10668 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
10669 <colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
10672 <entry colname="1">
10673 <para><command>range</command></para>
10675 <entry colname="2">
10677 This can be one of two forms: start-stop
10678 or start-stop/step. If the first form is used, then step
10680 1. All of start, stop and step must be positive.
10685 <entry colname="1">
10686 <para><command>lhs</command></para>
10688 <entry colname="2">
10690 describes the owner name of the resource records
10691 to be created. Any single <command>$</command>
10693 symbols within the <command>lhs</command> side
10694 are replaced by the iterator value.
10696 To get a $ in the output, you need to escape the
10697 <command>$</command> using a backslash
10698 <command>\</command>,
10699 e.g. <command>\$</command>. The
10700 <command>$</command> may optionally be followed
10701 by modifiers which change the offset from the
10702 iterator, field width and base.
10704 Modifiers are introduced by a
10705 <command>{</command> (left brace) immediately following the
10706 <command>$</command> as
10707 <command>${offset[,width[,base]]}</command>.
10708 For example, <command>${-20,3,d}</command>
10709 subtracts 20 from the current value, prints the
10710 result as a decimal in a zero-padded field of
10713 Available output forms are decimal
10714 (<command>d</command>), octal
10715 (<command>o</command>) and hexadecimal
10716 (<command>x</command> or <command>X</command>
10717 for uppercase). The default modifier is
10718 <command>${0,0,d}</command>. If the
10719 <command>lhs</command> is not absolute, the
10720 current <command>$ORIGIN</command> is appended
10724 For compatibility with earlier versions, <command>$$</command> is still
10725 recognized as indicating a literal $ in the output.
10730 <entry colname="1">
10731 <para><command>ttl</command></para>
10733 <entry colname="2">
10735 Specifies the time-to-live of the generated records. If
10736 not specified this will be inherited using the
10737 normal ttl inheritance rules.
10739 <para><command>class</command>
10740 and <command>ttl</command> can be
10741 entered in either order.
10746 <entry colname="1">
10747 <para><command>class</command></para>
10749 <entry colname="2">
10751 Specifies the class of the generated records.
10752 This must match the zone class if it is
10755 <para><command>class</command>
10756 and <command>ttl</command> can be
10757 entered in either order.
10762 <entry colname="1">
10763 <para><command>type</command></para>
10765 <entry colname="2">
10767 At present the only supported types are
10768 PTR, CNAME, DNAME, A, AAAA and NS.
10773 <entry colname="1">
10774 <para><command>rhs</command></para>
10776 <entry colname="2">
10778 <command>rhs</command> is a domain name. It is processed
10787 The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
10788 and not part of the standard zone file format.
10791 BIND 8 does not support the optional TTL and CLASS fields.
10795 <sect2 id="zonefile_format">
10796 <title>Additional File Formats</title>
10798 In addition to the standard textual format, BIND 9
10799 supports the ability to read or dump to zone files in
10800 other formats. The <constant>raw</constant> format is
10801 currently available as an additional format. It is a
10802 binary format representing BIND 9's internal data
10803 structure directly, thereby remarkably improving the
10807 For a primary server, a zone file in the
10808 <constant>raw</constant> format is expected to be
10809 generated from a textual zone file by the
10810 <command>named-compilezone</command> command. For a
10811 secondary server or for a dynamic zone, it is automatically
10812 generated (if this format is specified by the
10813 <command>masterfile-format</command> option) when
10814 <command>named</command> dumps the zone contents after
10815 zone transfer or when applying prior updates.
10818 If a zone file in a binary format needs manual modification,
10819 it first must be converted to a textual form by the
10820 <command>named-compilezone</command> command. All
10821 necessary modification should go to the text file, which
10822 should then be converted to the binary form by the
10823 <command>named-compilezone</command> command again.
10826 Although the <constant>raw</constant> format uses the
10827 network byte order and avoids architecture-dependent
10828 data alignment so that it is as much portable as
10829 possible, it is primarily expected to be used inside
10830 the same single system. In order to export a zone
10831 file in the <constant>raw</constant> format or make a
10832 portable backup of the file, it is recommended to
10833 convert the file to the standard textual representation.
10838 <chapter id="Bv9ARM.ch07">
10839 <title><acronym>BIND</acronym> 9 Security Considerations</title>
10840 <sect1 id="Access_Control_Lists">
10841 <title>Access Control Lists</title>
10843 Access Control Lists (ACLs), are address match lists that
10844 you can set up and nickname for future use in <command>allow-notify</command>,
10845 <command>allow-query</command>, <command>allow-recursion</command>,
10846 <command>blackhole</command>, <command>allow-transfer</command>,
10850 Using ACLs allows you to have finer control over who can access
10851 your name server, without cluttering up your config files with huge
10852 lists of IP addresses.
10855 It is a <emphasis>good idea</emphasis> to use ACLs, and to
10856 control access to your server. Limiting access to your server by
10857 outside parties can help prevent spoofing and denial of service (DoS) attacks against
10861 Here is an example of how to properly apply ACLs:
10865 // Set up an ACL named "bogusnets" that will block RFC1918 space
10866 // and some reserved space, which is commonly used in spoofing attacks.
10868 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
10869 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
10872 // Set up an ACL called our-nets. Replace this with the real IP numbers.
10873 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
10877 allow-query { our-nets; };
10878 allow-recursion { our-nets; };
10880 blackhole { bogusnets; };
10884 zone "example.com" {
10886 file "m/example.com";
10887 allow-query { any; };
10892 This allows recursive queries of the server from the outside
10893 unless recursion has been previously disabled.
10896 For more information on how to use ACLs to protect your server,
10897 see the <emphasis>AUSCERT</emphasis> advisory at:
10900 <ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
10901 >ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
10905 <title><command>Chroot</command> and <command>Setuid</command></title>
10907 On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
10908 (using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
10909 option. This can help improve system security by placing <acronym>BIND</acronym> in
10910 a "sandbox", which will limit the damage done if a server is
10914 Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
10915 ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
10916 We suggest running as an unprivileged user when using the <command>chroot</command> feature.
10919 Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
10920 <command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
10924 <userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
10928 <title>The <command>chroot</command> Environment</title>
10931 In order for a <command>chroot</command> environment
10933 work properly in a particular directory
10934 (for example, <filename>/var/named</filename>),
10935 you will need to set up an environment that includes everything
10936 <acronym>BIND</acronym> needs to run.
10937 From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
10938 the root of the filesystem. You will need to adjust the values of
10940 like <command>directory</command> and <command>pid-file</command> to account
10944 Unlike with earlier versions of BIND, you typically will
10945 <emphasis>not</emphasis> need to compile <command>named</command>
10946 statically nor install shared libraries under the new root.
10947 However, depending on your operating system, you may need
10948 to set up things like
10949 <filename>/dev/zero</filename>,
10950 <filename>/dev/random</filename>,
10951 <filename>/dev/log</filename>, and
10952 <filename>/etc/localtime</filename>.
10957 <title>Using the <command>setuid</command> Function</title>
10960 Prior to running the <command>named</command> daemon,
10962 the <command>touch</command> utility (to change file
10964 modification times) or the <command>chown</command>
10966 set the user id and/or group id) on files
10967 to which you want <acronym>BIND</acronym>
10971 Note that if the <command>named</command> daemon is running as an
10972 unprivileged user, it will not be able to bind to new restricted
10973 ports if the server is reloaded.
10978 <sect1 id="dynamic_update_security">
10979 <title>Dynamic Update Security</title>
10982 Access to the dynamic
10983 update facility should be strictly limited. In earlier versions of
10984 <acronym>BIND</acronym>, the only way to do this was
10986 address of the host requesting the update, by listing an IP address
10988 network prefix in the <command>allow-update</command>
10990 This method is insecure since the source address of the update UDP
10992 is easily forged. Also note that if the IP addresses allowed by the
10993 <command>allow-update</command> option include the
10995 server which performs forwarding of dynamic updates, the master can
10997 trivially attacked by sending the update to the slave, which will
10998 forward it to the master with its own source IP address causing the
10999 master to approve it without question.
11003 For these reasons, we strongly recommend that updates be
11004 cryptographically authenticated by means of transaction signatures
11005 (TSIG). That is, the <command>allow-update</command>
11007 list only TSIG key names, not IP addresses or network
11008 prefixes. Alternatively, the new <command>update-policy</command>
11009 option can be used.
11013 Some sites choose to keep all dynamically-updated DNS data
11014 in a subdomain and delegate that subdomain to a separate zone. This
11015 way, the top-level zone containing critical data such as the IP
11017 of public web and mail servers need not allow dynamic update at
11024 <chapter id="Bv9ARM.ch08">
11025 <title>Troubleshooting</title>
11027 <title>Common Problems</title>
11029 <title>It's not working; how can I figure out what's wrong?</title>
11032 The best solution to solving installation and
11033 configuration issues is to take preventative measures by setting
11034 up logging files beforehand. The log files provide a
11035 source of hints and information that can be used to figure out
11036 what went wrong and how to fix the problem.
11042 <title>Incrementing and Changing the Serial Number</title>
11045 Zone serial numbers are just numbers — they aren't
11046 date related. A lot of people set them to a number that
11047 represents a date, usually of the form YYYYMMDDRR.
11048 Occasionally they will make a mistake and set them to a
11049 "date in the future" then try to correct them by setting
11050 them to the "current date". This causes problems because
11051 serial numbers are used to indicate that a zone has been
11052 updated. If the serial number on the slave server is
11053 lower than the serial number on the master, the slave
11054 server will attempt to update its copy of the zone.
11058 Setting the serial number to a lower number on the master
11059 server than the slave server means that the slave will not perform
11060 updates to its copy of the zone.
11064 The solution to this is to add 2147483647 (2^31-1) to the
11065 number, reload the zone and make sure all slaves have updated to
11066 the new zone serial number, then reset the number to what you want
11067 it to be, and reload the zone again.
11072 <title>Where Can I Get Help?</title>
11075 The Internet Systems Consortium
11076 (<acronym>ISC</acronym>) offers a wide range
11077 of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
11078 levels of premium support are available and each level includes
11079 support for all <acronym>ISC</acronym> programs,
11080 significant discounts on products
11081 and training, and a recognized priority on bug fixes and
11082 non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
11083 support agreement package which includes services ranging from bug
11084 fix announcements to remote support. It also includes training in
11085 <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
11089 To discuss arrangements for support, contact
11090 <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
11091 <acronym>ISC</acronym> web page at
11092 <ulink url="http://www.isc.org/services/support/"
11093 >http://www.isc.org/services/support/</ulink>
11098 <appendix id="Bv9ARM.ch09">
11099 <title>Appendices</title>
11101 <title>Acknowledgments</title>
11102 <sect2 id="historical_dns_information">
11103 <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
11106 Although the "official" beginning of the Domain Name
11107 System occurred in 1984 with the publication of RFC 920, the
11108 core of the new system was described in 1983 in RFCs 882 and
11109 883. From 1984 to 1987, the ARPAnet (the precursor to today's
11110 Internet) became a testbed of experimentation for developing the
11111 new naming/addressing scheme in a rapidly expanding,
11112 operational network environment. New RFCs were written and
11113 published in 1987 that modified the original documents to
11114 incorporate improvements based on the working model. RFC 1034,
11115 "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
11116 Names-Implementation and Specification" were published and
11117 became the standards upon which all <acronym>DNS</acronym> implementations are
11122 The first working domain name server, called "Jeeves", was
11123 written in 1983-84 by Paul Mockapetris for operation on DEC
11125 machines located at the University of Southern California's
11127 Sciences Institute (USC-ISI) and SRI International's Network
11129 Center (SRI-NIC). A <acronym>DNS</acronym> server for
11130 Unix machines, the Berkeley Internet
11131 Name Domain (<acronym>BIND</acronym>) package, was
11132 written soon after by a group of
11133 graduate students at the University of California at Berkeley
11135 a grant from the US Defense Advanced Research Projects
11140 Versions of <acronym>BIND</acronym> through
11141 4.8.3 were maintained by the Computer
11142 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
11143 Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
11144 project team. After that, additional work on the software package
11145 was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
11147 employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
11148 to 1987. Many other people also contributed to <acronym>BIND</acronym> development
11149 during that time: Doug Kingston, Craig Partridge, Smoot
11151 Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
11152 handled by Mike Karels and Øivind Kure.
11155 <acronym>BIND</acronym> versions 4.9 and 4.9.1 were
11156 released by Digital Equipment
11157 Corporation (now Compaq Computer Corporation). Paul Vixie, then
11158 a DEC employee, became <acronym>BIND</acronym>'s
11159 primary caretaker. He was assisted
11160 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
11162 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
11163 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
11164 Wolfhugel, and others.
11167 In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
11168 Vixie Enterprises. Paul
11169 Vixie became <acronym>BIND</acronym>'s principal
11170 architect/programmer.
11173 <acronym>BIND</acronym> versions from 4.9.3 onward
11174 have been developed and maintained
11175 by the Internet Systems Consortium and its predecessor,
11176 the Internet Software Consortium, with support being provided
11180 As co-architects/programmers, Bob Halley and
11181 Paul Vixie released the first production-ready version of
11182 <acronym>BIND</acronym> version 8 in May 1997.
11185 BIND version 9 was released in September 2000 and is a
11186 major rewrite of nearly all aspects of the underlying
11190 BIND version 4 is officially deprecated and BIND version
11191 8 development is considered maintenance-only in favor
11192 of BIND version 9. No additional development is done
11193 on BIND version 4 or BIND version 8 other than for
11194 security-related patches.
11197 <acronym>BIND</acronym> development work is made
11198 possible today by the sponsorship
11199 of several corporations, and by the tireless work efforts of
11200 numerous individuals.
11205 <title>General <acronym>DNS</acronym> Reference Information</title>
11206 <sect2 id="ipv6addresses">
11207 <title>IPv6 addresses (AAAA)</title>
11209 IPv6 addresses are 128-bit identifiers for interfaces and
11210 sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
11211 scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
11212 an identifier for a single interface;
11213 <emphasis>Anycast</emphasis>,
11214 an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
11215 an identifier for a set of interfaces. Here we describe the global
11216 Unicast address scheme. For more information, see RFC 3587,
11217 "Global Unicast Address Format."
11220 IPv6 unicast addresses consist of a
11221 <emphasis>global routing prefix</emphasis>, a
11222 <emphasis>subnet identifier</emphasis>, and an
11223 <emphasis>interface identifier</emphasis>.
11226 The global routing prefix is provided by the
11227 upstream provider or ISP, and (roughly) corresponds to the
11228 IPv4 <emphasis>network</emphasis> section
11229 of the address range.
11231 The subnet identifier is for local subnetting, much the
11232 same as subnetting an
11233 IPv4 /16 network into /24 subnets.
11235 The interface identifier is the address of an individual
11236 interface on a given network; in IPv6, addresses belong to
11237 interfaces rather than to machines.
11240 The subnetting capability of IPv6 is much more flexible than
11241 that of IPv4: subnetting can be carried out on bit boundaries,
11242 in much the same way as Classless InterDomain Routing
11243 (CIDR), and the DNS PTR representation ("nibble" format)
11244 makes setting up reverse zones easier.
11247 The Interface Identifier must be unique on the local link,
11248 and is usually generated automatically by the IPv6
11249 implementation, although it is usually possible to
11250 override the default setting if necessary. A typical IPv6
11251 address might look like:
11252 <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
11255 IPv6 address specifications often contain long strings
11256 of zeros, so the architects have included a shorthand for
11258 them. The double colon (`::') indicates the longest possible
11260 of zeros that can fit, and can be used only once in an address.
11264 <sect1 id="bibliography">
11265 <title>Bibliography (and Suggested Reading)</title>
11267 <title>Request for Comments (RFCs)</title>
11269 Specification documents for the Internet protocol suite, including
11270 the <acronym>DNS</acronym>, are published as part of
11271 the Request for Comments (RFCs)
11272 series of technical notes. The standards themselves are defined
11273 by the Internet Engineering Task Force (IETF) and the Internet
11274 Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
11277 <ulink url="ftp://www.isi.edu/in-notes/">
11278 ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
11282 (where <replaceable>xxxx</replaceable> is
11283 the number of the RFC). RFCs are also available via the Web at:
11286 <ulink url="http://www.ietf.org/rfc/"
11287 >http://www.ietf.org/rfc/</ulink>.
11291 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
11292 <title>Standards</title>
11294 <abbrev>RFC974</abbrev>
11296 <surname>Partridge</surname>
11297 <firstname>C.</firstname>
11299 <title>Mail Routing and the Domain System</title>
11300 <pubdate>January 1986</pubdate>
11303 <abbrev>RFC1034</abbrev>
11305 <surname>Mockapetris</surname>
11306 <firstname>P.V.</firstname>
11308 <title>Domain Names — Concepts and Facilities</title>
11309 <pubdate>November 1987</pubdate>
11312 <abbrev>RFC1035</abbrev>
11314 <surname>Mockapetris</surname>
11315 <firstname>P. V.</firstname>
11316 </author> <title>Domain Names — Implementation and
11317 Specification</title>
11318 <pubdate>November 1987</pubdate>
11321 <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
11323 <title>Proposed Standards</title>
11324 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
11326 <abbrev>RFC2181</abbrev>
11328 <surname>Elz</surname>
11329 <firstname>R., R. Bush</firstname>
11331 <title>Clarifications to the <acronym>DNS</acronym>
11332 Specification</title>
11333 <pubdate>July 1997</pubdate>
11336 <abbrev>RFC2308</abbrev>
11338 <surname>Andrews</surname>
11339 <firstname>M.</firstname>
11341 <title>Negative Caching of <acronym>DNS</acronym>
11343 <pubdate>March 1998</pubdate>
11346 <abbrev>RFC1995</abbrev>
11348 <surname>Ohta</surname>
11349 <firstname>M.</firstname>
11351 <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
11352 <pubdate>August 1996</pubdate>
11355 <abbrev>RFC1996</abbrev>
11357 <surname>Vixie</surname>
11358 <firstname>P.</firstname>
11360 <title>A Mechanism for Prompt Notification of Zone Changes</title>
11361 <pubdate>August 1996</pubdate>
11364 <abbrev>RFC2136</abbrev>
11367 <surname>Vixie</surname>
11368 <firstname>P.</firstname>
11371 <firstname>S.</firstname>
11372 <surname>Thomson</surname>
11375 <firstname>Y.</firstname>
11376 <surname>Rekhter</surname>
11379 <firstname>J.</firstname>
11380 <surname>Bound</surname>
11383 <title>Dynamic Updates in the Domain Name System</title>
11384 <pubdate>April 1997</pubdate>
11387 <abbrev>RFC2671</abbrev>
11390 <firstname>P.</firstname>
11391 <surname>Vixie</surname>
11394 <title>Extension Mechanisms for DNS (EDNS0)</title>
11395 <pubdate>August 1997</pubdate>
11398 <abbrev>RFC2672</abbrev>
11401 <firstname>M.</firstname>
11402 <surname>Crawford</surname>
11405 <title>Non-Terminal DNS Name Redirection</title>
11406 <pubdate>August 1999</pubdate>
11409 <abbrev>RFC2845</abbrev>
11412 <surname>Vixie</surname>
11413 <firstname>P.</firstname>
11416 <firstname>O.</firstname>
11417 <surname>Gudmundsson</surname>
11420 <firstname>D.</firstname>
11421 <surname>Eastlake</surname>
11422 <lineage>3rd</lineage>
11425 <firstname>B.</firstname>
11426 <surname>Wellington</surname>
11429 <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
11430 <pubdate>May 2000</pubdate>
11433 <abbrev>RFC2930</abbrev>
11436 <firstname>D.</firstname>
11437 <surname>Eastlake</surname>
11438 <lineage>3rd</lineage>
11441 <title>Secret Key Establishment for DNS (TKEY RR)</title>
11442 <pubdate>September 2000</pubdate>
11445 <abbrev>RFC2931</abbrev>
11448 <firstname>D.</firstname>
11449 <surname>Eastlake</surname>
11450 <lineage>3rd</lineage>
11453 <title>DNS Request and Transaction Signatures (SIG(0)s)</title>
11454 <pubdate>September 2000</pubdate>
11457 <abbrev>RFC3007</abbrev>
11460 <firstname>B.</firstname>
11461 <surname>Wellington</surname>
11464 <title>Secure Domain Name System (DNS) Dynamic Update</title>
11465 <pubdate>November 2000</pubdate>
11468 <abbrev>RFC3645</abbrev>
11471 <firstname>S.</firstname>
11472 <surname>Kwan</surname>
11475 <firstname>P.</firstname>
11476 <surname>Garg</surname>
11479 <firstname>J.</firstname>
11480 <surname>Gilroy</surname>
11483 <firstname>L.</firstname>
11484 <surname>Esibov</surname>
11487 <firstname>J.</firstname>
11488 <surname>Westhead</surname>
11491 <firstname>R.</firstname>
11492 <surname>Hall</surname>
11495 <title>Generic Security Service Algorithm for Secret
11496 Key Transaction Authentication for DNS
11498 <pubdate>October 2003</pubdate>
11502 <title><acronym>DNS</acronym> Security Proposed Standards</title>
11504 <abbrev>RFC3225</abbrev>
11507 <firstname>D.</firstname>
11508 <surname>Conrad</surname>
11511 <title>Indicating Resolver Support of DNSSEC</title>
11512 <pubdate>December 2001</pubdate>
11515 <abbrev>RFC3833</abbrev>
11518 <firstname>D.</firstname>
11519 <surname>Atkins</surname>
11522 <firstname>R.</firstname>
11523 <surname>Austein</surname>
11526 <title>Threat Analysis of the Domain Name System (DNS)</title>
11527 <pubdate>August 2004</pubdate>
11530 <abbrev>RFC4033</abbrev>
11533 <firstname>R.</firstname>
11534 <surname>Arends</surname>
11537 <firstname>R.</firstname>
11538 <surname>Austein</surname>
11541 <firstname>M.</firstname>
11542 <surname>Larson</surname>
11545 <firstname>D.</firstname>
11546 <surname>Massey</surname>
11549 <firstname>S.</firstname>
11550 <surname>Rose</surname>
11553 <title>DNS Security Introduction and Requirements</title>
11554 <pubdate>March 2005</pubdate>
11557 <abbrev>RFC4044</abbrev>
11560 <firstname>R.</firstname>
11561 <surname>Arends</surname>
11564 <firstname>R.</firstname>
11565 <surname>Austein</surname>
11568 <firstname>M.</firstname>
11569 <surname>Larson</surname>
11572 <firstname>D.</firstname>
11573 <surname>Massey</surname>
11576 <firstname>S.</firstname>
11577 <surname>Rose</surname>
11580 <title>Resource Records for the DNS Security Extensions</title>
11581 <pubdate>March 2005</pubdate>
11584 <abbrev>RFC4035</abbrev>
11587 <firstname>R.</firstname>
11588 <surname>Arends</surname>
11591 <firstname>R.</firstname>
11592 <surname>Austein</surname>
11595 <firstname>M.</firstname>
11596 <surname>Larson</surname>
11599 <firstname>D.</firstname>
11600 <surname>Massey</surname>
11603 <firstname>S.</firstname>
11604 <surname>Rose</surname>
11607 <title>Protocol Modifications for the DNS
11608 Security Extensions</title>
11609 <pubdate>March 2005</pubdate>
11613 <title>Other Important RFCs About <acronym>DNS</acronym>
11614 Implementation</title>
11616 <abbrev>RFC1535</abbrev>
11618 <surname>Gavron</surname>
11619 <firstname>E.</firstname>
11621 <title>A Security Problem and Proposed Correction With Widely
11622 Deployed <acronym>DNS</acronym> Software.</title>
11623 <pubdate>October 1993</pubdate>
11626 <abbrev>RFC1536</abbrev>
11629 <surname>Kumar</surname>
11630 <firstname>A.</firstname>
11633 <firstname>J.</firstname>
11634 <surname>Postel</surname>
11637 <firstname>C.</firstname>
11638 <surname>Neuman</surname>
11641 <firstname>P.</firstname>
11642 <surname>Danzig</surname>
11645 <firstname>S.</firstname>
11646 <surname>Miller</surname>
11649 <title>Common <acronym>DNS</acronym> Implementation
11650 Errors and Suggested Fixes</title>
11651 <pubdate>October 1993</pubdate>
11654 <abbrev>RFC1982</abbrev>
11657 <surname>Elz</surname>
11658 <firstname>R.</firstname>
11661 <firstname>R.</firstname>
11662 <surname>Bush</surname>
11665 <title>Serial Number Arithmetic</title>
11666 <pubdate>August 1996</pubdate>
11669 <abbrev>RFC4074</abbrev>
11672 <surname>Morishita</surname>
11673 <firstname>Y.</firstname>
11676 <firstname>T.</firstname>
11677 <surname>Jinmei</surname>
11680 <title>Common Misbehaviour Against <acronym>DNS</acronym>
11681 Queries for IPv6 Addresses</title>
11682 <pubdate>May 2005</pubdate>
11686 <title>Resource Record Types</title>
11688 <abbrev>RFC1183</abbrev>
11691 <surname>Everhart</surname>
11692 <firstname>C.F.</firstname>
11695 <firstname>L. A.</firstname>
11696 <surname>Mamakos</surname>
11699 <firstname>R.</firstname>
11700 <surname>Ullmann</surname>
11703 <firstname>P.</firstname>
11704 <surname>Mockapetris</surname>
11707 <title>New <acronym>DNS</acronym> RR Definitions</title>
11708 <pubdate>October 1990</pubdate>
11711 <abbrev>RFC1706</abbrev>
11714 <surname>Manning</surname>
11715 <firstname>B.</firstname>
11718 <firstname>R.</firstname>
11719 <surname>Colella</surname>
11722 <title><acronym>DNS</acronym> NSAP Resource Records</title>
11723 <pubdate>October 1994</pubdate>
11726 <abbrev>RFC2168</abbrev>
11729 <surname>Daniel</surname>
11730 <firstname>R.</firstname>
11733 <firstname>M.</firstname>
11734 <surname>Mealling</surname>
11737 <title>Resolution of Uniform Resource Identifiers using
11738 the Domain Name System</title>
11739 <pubdate>June 1997</pubdate>
11742 <abbrev>RFC1876</abbrev>
11745 <surname>Davis</surname>
11746 <firstname>C.</firstname>
11749 <firstname>P.</firstname>
11750 <surname>Vixie</surname>
11753 <firstname>T.</firstname>
11754 <firstname>Goodwin</firstname>
11757 <firstname>I.</firstname>
11758 <surname>Dickinson</surname>
11761 <title>A Means for Expressing Location Information in the
11763 Name System</title>
11764 <pubdate>January 1996</pubdate>
11767 <abbrev>RFC2052</abbrev>
11770 <surname>Gulbrandsen</surname>
11771 <firstname>A.</firstname>
11774 <firstname>P.</firstname>
11775 <surname>Vixie</surname>
11778 <title>A <acronym>DNS</acronym> RR for Specifying the
11781 <pubdate>October 1996</pubdate>
11784 <abbrev>RFC2163</abbrev>
11786 <surname>Allocchio</surname>
11787 <firstname>A.</firstname>
11789 <title>Using the Internet <acronym>DNS</acronym> to
11791 Conformant Global Address Mapping</title>
11792 <pubdate>January 1998</pubdate>
11795 <abbrev>RFC2230</abbrev>
11797 <surname>Atkinson</surname>
11798 <firstname>R.</firstname>
11800 <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
11801 <pubdate>October 1997</pubdate>
11804 <abbrev>RFC2536</abbrev>
11806 <surname>Eastlake</surname>
11807 <firstname>D.</firstname>
11808 <lineage>3rd</lineage>
11810 <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
11811 <pubdate>March 1999</pubdate>
11814 <abbrev>RFC2537</abbrev>
11816 <surname>Eastlake</surname>
11817 <firstname>D.</firstname>
11818 <lineage>3rd</lineage>
11820 <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
11821 <pubdate>March 1999</pubdate>
11824 <abbrev>RFC2538</abbrev>
11827 <surname>Eastlake</surname>
11828 <firstname>D.</firstname>
11829 <lineage>3rd</lineage>
11832 <surname>Gudmundsson</surname>
11833 <firstname>O.</firstname>
11836 <title>Storing Certificates in the Domain Name System (DNS)</title>
11837 <pubdate>March 1999</pubdate>
11840 <abbrev>RFC2539</abbrev>
11843 <surname>Eastlake</surname>
11844 <firstname>D.</firstname>
11845 <lineage>3rd</lineage>
11848 <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
11849 <pubdate>March 1999</pubdate>
11852 <abbrev>RFC2540</abbrev>
11855 <surname>Eastlake</surname>
11856 <firstname>D.</firstname>
11857 <lineage>3rd</lineage>
11860 <title>Detached Domain Name System (DNS) Information</title>
11861 <pubdate>March 1999</pubdate>
11864 <abbrev>RFC2782</abbrev>
11866 <surname>Gulbrandsen</surname>
11867 <firstname>A.</firstname>
11870 <surname>Vixie</surname>
11871 <firstname>P.</firstname>
11874 <surname>Esibov</surname>
11875 <firstname>L.</firstname>
11877 <title>A DNS RR for specifying the location of services (DNS SRV)</title>
11878 <pubdate>February 2000</pubdate>
11881 <abbrev>RFC2915</abbrev>
11883 <surname>Mealling</surname>
11884 <firstname>M.</firstname>
11887 <surname>Daniel</surname>
11888 <firstname>R.</firstname>
11890 <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
11891 <pubdate>September 2000</pubdate>
11894 <abbrev>RFC3110</abbrev>
11896 <surname>Eastlake</surname>
11897 <firstname>D.</firstname>
11898 <lineage>3rd</lineage>
11900 <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
11901 <pubdate>May 2001</pubdate>
11904 <abbrev>RFC3123</abbrev>
11906 <surname>Koch</surname>
11907 <firstname>P.</firstname>
11909 <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
11910 <pubdate>June 2001</pubdate>
11913 <abbrev>RFC3596</abbrev>
11916 <surname>Thomson</surname>
11917 <firstname>S.</firstname>
11920 <firstname>C.</firstname>
11921 <surname>Huitema</surname>
11924 <firstname>V.</firstname>
11925 <surname>Ksinant</surname>
11928 <firstname>M.</firstname>
11929 <surname>Souissi</surname>
11932 <title><acronym>DNS</acronym> Extensions to support IP
11934 <pubdate>October 2003</pubdate>
11937 <abbrev>RFC3597</abbrev>
11939 <surname>Gustafsson</surname>
11940 <firstname>A.</firstname>
11942 <title>Handling of Unknown DNS Resource Record (RR) Types</title>
11943 <pubdate>September 2003</pubdate>
11947 <title><acronym>DNS</acronym> and the Internet</title>
11949 <abbrev>RFC1101</abbrev>
11951 <surname>Mockapetris</surname>
11952 <firstname>P. V.</firstname>
11954 <title><acronym>DNS</acronym> Encoding of Network Names
11955 and Other Types</title>
11956 <pubdate>April 1989</pubdate>
11959 <abbrev>RFC1123</abbrev>
11961 <surname>Braden</surname>
11962 <surname>R.</surname>
11964 <title>Requirements for Internet Hosts - Application and
11966 <pubdate>October 1989</pubdate>
11969 <abbrev>RFC1591</abbrev>
11971 <surname>Postel</surname>
11972 <firstname>J.</firstname>
11974 <title>Domain Name System Structure and Delegation</title>
11975 <pubdate>March 1994</pubdate>
11978 <abbrev>RFC2317</abbrev>
11981 <surname>Eidnes</surname>
11982 <firstname>H.</firstname>
11985 <firstname>G.</firstname>
11986 <surname>de Groot</surname>
11989 <firstname>P.</firstname>
11990 <surname>Vixie</surname>
11993 <title>Classless IN-ADDR.ARPA Delegation</title>
11994 <pubdate>March 1998</pubdate>
11997 <abbrev>RFC2826</abbrev>
12000 <surname>Internet Architecture Board</surname>
12003 <title>IAB Technical Comment on the Unique DNS Root</title>
12004 <pubdate>May 2000</pubdate>
12007 <abbrev>RFC2929</abbrev>
12010 <surname>Eastlake</surname>
12011 <firstname>D.</firstname>
12012 <lineage>3rd</lineage>
12015 <surname>Brunner-Williams</surname>
12016 <firstname>E.</firstname>
12019 <surname>Manning</surname>
12020 <firstname>B.</firstname>
12023 <title>Domain Name System (DNS) IANA Considerations</title>
12024 <pubdate>September 2000</pubdate>
12028 <title><acronym>DNS</acronym> Operations</title>
12030 <abbrev>RFC1033</abbrev>
12032 <surname>Lottor</surname>
12033 <firstname>M.</firstname>
12035 <title>Domain administrators operations guide.</title>
12036 <pubdate>November 1987</pubdate>
12039 <abbrev>RFC1537</abbrev>
12041 <surname>Beertema</surname>
12042 <firstname>P.</firstname>
12044 <title>Common <acronym>DNS</acronym> Data File
12045 Configuration Errors</title>
12046 <pubdate>October 1993</pubdate>
12049 <abbrev>RFC1912</abbrev>
12051 <surname>Barr</surname>
12052 <firstname>D.</firstname>
12054 <title>Common <acronym>DNS</acronym> Operational and
12055 Configuration Errors</title>
12056 <pubdate>February 1996</pubdate>
12059 <abbrev>RFC2010</abbrev>
12062 <surname>Manning</surname>
12063 <firstname>B.</firstname>
12066 <firstname>P.</firstname>
12067 <surname>Vixie</surname>
12070 <title>Operational Criteria for Root Name Servers.</title>
12071 <pubdate>October 1996</pubdate>
12074 <abbrev>RFC2219</abbrev>
12077 <surname>Hamilton</surname>
12078 <firstname>M.</firstname>
12081 <firstname>R.</firstname>
12082 <surname>Wright</surname>
12085 <title>Use of <acronym>DNS</acronym> Aliases for
12086 Network Services.</title>
12087 <pubdate>October 1997</pubdate>
12091 <title>Internationalized Domain Names</title>
12093 <abbrev>RFC2825</abbrev>
12096 <surname>IAB</surname>
12099 <surname>Daigle</surname>
12100 <firstname>R.</firstname>
12103 <title>A Tangled Web: Issues of I18N, Domain Names,
12104 and the Other Internet protocols</title>
12105 <pubdate>May 2000</pubdate>
12108 <abbrev>RFC3490</abbrev>
12111 <surname>Faltstrom</surname>
12112 <firstname>P.</firstname>
12115 <surname>Hoffman</surname>
12116 <firstname>P.</firstname>
12119 <surname>Costello</surname>
12120 <firstname>A.</firstname>
12123 <title>Internationalizing Domain Names in Applications (IDNA)</title>
12124 <pubdate>March 2003</pubdate>
12127 <abbrev>RFC3491</abbrev>
12130 <surname>Hoffman</surname>
12131 <firstname>P.</firstname>
12134 <surname>Blanchet</surname>
12135 <firstname>M.</firstname>
12138 <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
12139 <pubdate>March 2003</pubdate>
12142 <abbrev>RFC3492</abbrev>
12145 <surname>Costello</surname>
12146 <firstname>A.</firstname>
12149 <title>Punycode: A Bootstring encoding of Unicode
12150 for Internationalized Domain Names in
12151 Applications (IDNA)</title>
12152 <pubdate>March 2003</pubdate>
12156 <title>Other <acronym>DNS</acronym>-related RFCs</title>
12159 Note: the following list of RFCs, although
12160 <acronym>DNS</acronym>-related, are not
12161 concerned with implementing software.
12165 <abbrev>RFC1464</abbrev>
12167 <surname>Rosenbaum</surname>
12168 <firstname>R.</firstname>
12170 <title>Using the Domain Name System To Store Arbitrary String
12172 <pubdate>May 1993</pubdate>
12175 <abbrev>RFC1713</abbrev>
12177 <surname>Romao</surname>
12178 <firstname>A.</firstname>
12180 <title>Tools for <acronym>DNS</acronym> Debugging</title>
12181 <pubdate>November 1994</pubdate>
12184 <abbrev>RFC1794</abbrev>
12186 <surname>Brisco</surname>
12187 <firstname>T.</firstname>
12189 <title><acronym>DNS</acronym> Support for Load
12191 <pubdate>April 1995</pubdate>
12194 <abbrev>RFC2240</abbrev>
12196 <surname>Vaughan</surname>
12197 <firstname>O.</firstname>
12199 <title>A Legal Basis for Domain Name Allocation</title>
12200 <pubdate>November 1997</pubdate>
12203 <abbrev>RFC2345</abbrev>
12206 <surname>Klensin</surname>
12207 <firstname>J.</firstname>
12210 <firstname>T.</firstname>
12211 <surname>Wolf</surname>
12214 <firstname>G.</firstname>
12215 <surname>Oglesby</surname>
12218 <title>Domain Names and Company Name Retrieval</title>
12219 <pubdate>May 1998</pubdate>
12222 <abbrev>RFC2352</abbrev>
12224 <surname>Vaughan</surname>
12225 <firstname>O.</firstname>
12227 <title>A Convention For Using Legal Names as Domain Names</title>
12228 <pubdate>May 1998</pubdate>
12231 <abbrev>RFC3071</abbrev>
12234 <surname>Klensin</surname>
12235 <firstname>J.</firstname>
12238 <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
12239 <pubdate>February 2001</pubdate>
12242 <abbrev>RFC3258</abbrev>
12245 <surname>Hardie</surname>
12246 <firstname>T.</firstname>
12249 <title>Distributing Authoritative Name Servers via
12250 Shared Unicast Addresses</title>
12251 <pubdate>April 2002</pubdate>
12254 <abbrev>RFC3901</abbrev>
12257 <surname>Durand</surname>
12258 <firstname>A.</firstname>
12261 <firstname>J.</firstname>
12262 <surname>Ihren</surname>
12265 <title>DNS IPv6 Transport Operational Guidelines</title>
12266 <pubdate>September 2004</pubdate>
12270 <title>Obsolete and Unimplemented Experimental RFC</title>
12272 <abbrev>RFC1712</abbrev>
12275 <surname>Farrell</surname>
12276 <firstname>C.</firstname>
12279 <firstname>M.</firstname>
12280 <surname>Schulze</surname>
12283 <firstname>S.</firstname>
12284 <surname>Pleitner</surname>
12287 <firstname>D.</firstname>
12288 <surname>Baldoni</surname>
12291 <title><acronym>DNS</acronym> Encoding of Geographical
12293 <pubdate>November 1994</pubdate>
12296 <abbrev>RFC2673</abbrev>
12299 <surname>Crawford</surname>
12300 <firstname>M.</firstname>
12303 <title>Binary Labels in the Domain Name System</title>
12304 <pubdate>August 1999</pubdate>
12307 <abbrev>RFC2874</abbrev>
12310 <surname>Crawford</surname>
12311 <firstname>M.</firstname>
12314 <surname>Huitema</surname>
12315 <firstname>C.</firstname>
12318 <title>DNS Extensions to Support IPv6 Address Aggregation
12319 and Renumbering</title>
12320 <pubdate>July 2000</pubdate>
12324 <title>Obsoleted DNS Security RFCs</title>
12327 Most of these have been consolidated into RFC4033,
12328 RFC4034 and RFC4035 which collectively describe DNSSECbis.
12332 <abbrev>RFC2065</abbrev>
12335 <surname>Eastlake</surname>
12336 <lineage>3rd</lineage>
12337 <firstname>D.</firstname>
12340 <firstname>C.</firstname>
12341 <surname>Kaufman</surname>
12344 <title>Domain Name System Security Extensions</title>
12345 <pubdate>January 1997</pubdate>
12348 <abbrev>RFC2137</abbrev>
12350 <surname>Eastlake</surname>
12351 <lineage>3rd</lineage>
12352 <firstname>D.</firstname>
12354 <title>Secure Domain Name System Dynamic Update</title>
12355 <pubdate>April 1997</pubdate>
12358 <abbrev>RFC2535</abbrev>
12361 <surname>Eastlake</surname>
12362 <lineage>3rd</lineage>
12363 <firstname>D.</firstname>
12366 <title>Domain Name System Security Extensions</title>
12367 <pubdate>March 1999</pubdate>
12370 <abbrev>RFC3008</abbrev>
12373 <surname>Wellington</surname>
12374 <firstname>B.</firstname>
12377 <title>Domain Name System Security (DNSSEC)
12378 Signing Authority</title>
12379 <pubdate>November 2000</pubdate>
12382 <abbrev>RFC3090</abbrev>
12385 <surname>Lewis</surname>
12386 <firstname>E.</firstname>
12389 <title>DNS Security Extension Clarification on Zone Status</title>
12390 <pubdate>March 2001</pubdate>
12393 <abbrev>RFC3445</abbrev>
12396 <surname>Massey</surname>
12397 <firstname>D.</firstname>
12400 <surname>Rose</surname>
12401 <firstname>S.</firstname>
12404 <title>Limiting the Scope of the KEY Resource Record (RR)</title>
12405 <pubdate>December 2002</pubdate>
12408 <abbrev>RFC3655</abbrev>
12411 <surname>Wellington</surname>
12412 <firstname>B.</firstname>
12415 <surname>Gudmundsson</surname>
12416 <firstname>O.</firstname>
12419 <title>Redefinition of DNS Authenticated Data (AD) bit</title>
12420 <pubdate>November 2003</pubdate>
12423 <abbrev>RFC3658</abbrev>
12426 <surname>Gudmundsson</surname>
12427 <firstname>O.</firstname>
12430 <title>Delegation Signer (DS) Resource Record (RR)</title>
12431 <pubdate>December 2003</pubdate>
12434 <abbrev>RFC3755</abbrev>
12437 <surname>Weiler</surname>
12438 <firstname>S.</firstname>
12441 <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
12442 <pubdate>May 2004</pubdate>
12445 <abbrev>RFC3757</abbrev>
12448 <surname>Kolkman</surname>
12449 <firstname>O.</firstname>
12452 <surname>Schlyter</surname>
12453 <firstname>J.</firstname>
12456 <surname>Lewis</surname>
12457 <firstname>E.</firstname>
12460 <title>Domain Name System KEY (DNSKEY) Resource Record
12461 (RR) Secure Entry Point (SEP) Flag</title>
12462 <pubdate>April 2004</pubdate>
12465 <abbrev>RFC3845</abbrev>
12468 <surname>Schlyter</surname>
12469 <firstname>J.</firstname>
12472 <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
12473 <pubdate>August 2004</pubdate>
12478 <sect2 id="internet_drafts">
12479 <title>Internet Drafts</title>
12481 Internet Drafts (IDs) are rough-draft working documents of
12482 the Internet Engineering Task Force. They are, in essence, RFCs
12483 in the preliminary stages of development. Implementors are
12485 to regard IDs as archival, and they should not be quoted or cited
12486 in any formal documents unless accompanied by the disclaimer that
12487 they are "works in progress." IDs have a lifespan of six months
12488 after which they are deleted unless updated by their authors.
12492 <title>Other Documents About <acronym>BIND</acronym></title>
12498 <surname>Albitz</surname>
12499 <firstname>Paul</firstname>
12502 <firstname>Cricket</firstname>
12503 <surname>Liu</surname>
12506 <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
12509 <holder>Sebastopol, CA: O'Reilly and Associates</holder>
12517 <reference id="Bv9ARM.ch10">
12518 <title>Manual pages</title>
12519 <xi:include href="../../bin/dig/dig.docbook"/>
12520 <xi:include href="../../bin/dig/host.docbook"/>
12521 <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
12522 <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
12523 <xi:include href="../../bin/check/named-checkconf.docbook"/>
12524 <xi:include href="../../bin/check/named-checkzone.docbook"/>
12525 <xi:include href="../../bin/named/named.docbook"/>
12526 <!-- named.conf.docbook and others? -->
12527 <!-- nsupdate gives db2latex indigestion, markup problems? -->
12528 <xi:include href="../../bin/rndc/rndc.docbook"/>
12529 <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
12530 <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>