1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.15 2009/06/02 05:56:27 marka Exp $ -->
22 <book xmlns:xi="http://www.w3.org/2001/XInclude">
23 <title>BIND 9 Administrator Reference Manual</title>
33 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
40 <holder>Internet Software Consortium.</holder>
44 <chapter id="Bv9ARM.ch01">
45 <title>Introduction</title>
47 The Internet Domain Name System (<acronym>DNS</acronym>)
48 consists of the syntax
49 to specify the names of entities in the Internet in a hierarchical
50 manner, the rules used for delegating authority over names, and the
51 system implementation that actually maps names to Internet
52 addresses. <acronym>DNS</acronym> data is maintained in a
54 hierarchical databases.
58 <title>Scope of Document</title>
61 The Berkeley Internet Name Domain
62 (<acronym>BIND</acronym>) implements a
63 domain name server for a number of operating systems. This
64 document provides basic information about the installation and
65 care of the Internet Systems Consortium (<acronym>ISC</acronym>)
66 <acronym>BIND</acronym> version 9 software package for
67 system administrators.
71 This version of the manual corresponds to BIND version 9.6.
76 <title>Organization of This Document</title>
78 In this document, <emphasis>Chapter 1</emphasis> introduces
79 the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Chapter 2</emphasis>
80 describes resource requirements for running <acronym>BIND</acronym> in various
81 environments. Information in <emphasis>Chapter 3</emphasis> is
82 <emphasis>task-oriented</emphasis> in its presentation and is
83 organized functionally, to aid in the process of installing the
84 <acronym>BIND</acronym> 9 software. The task-oriented
85 section is followed by
86 <emphasis>Chapter 4</emphasis>, which contains more advanced
87 concepts that the system administrator may need for implementing
88 certain options. <emphasis>Chapter 5</emphasis>
89 describes the <acronym>BIND</acronym> 9 lightweight
90 resolver. The contents of <emphasis>Chapter 6</emphasis> are
91 organized as in a reference manual to aid in the ongoing
92 maintenance of the software. <emphasis>Chapter 7</emphasis> addresses
93 security considerations, and
94 <emphasis>Chapter 8</emphasis> contains troubleshooting help. The
95 main body of the document is followed by several
96 <emphasis>appendices</emphasis> which contain useful reference
97 information, such as a <emphasis>bibliography</emphasis> and
98 historic information related to <acronym>BIND</acronym>
104 <title>Conventions Used in This Document</title>
107 In this document, we use the following general typographic
113 <colspec colname="1" colnum="1" colwidth="3.000in"/>
114 <colspec colname="2" colnum="2" colwidth="2.625in"/>
119 <emphasis>To describe:</emphasis>
124 <emphasis>We use the style:</emphasis>
131 a pathname, filename, URL, hostname,
132 mailing list name, or new term or concept
137 <filename>Fixed width</filename>
150 <userinput>Fixed Width Bold</userinput>
162 <computeroutput>Fixed Width</computeroutput>
171 The following conventions are used in descriptions of the
172 <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
173 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
174 <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
175 <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
178 <entry colname="1" colsep="1" rowsep="1">
180 <emphasis>To describe:</emphasis>
183 <entry colname="2" rowsep="1">
185 <emphasis>We use the style:</emphasis>
190 <entry colname="1" colsep="1" rowsep="1">
195 <entry colname="2" rowsep="1">
197 <literal>Fixed Width</literal>
202 <entry colname="1" colsep="1" rowsep="1">
207 <entry colname="2" rowsep="1">
209 <varname>Fixed Width</varname>
214 <entry colname="1" colsep="1">
221 <optional>Text is enclosed in square brackets</optional>
231 <title>The Domain Name System (<acronym>DNS</acronym>)</title>
233 The purpose of this document is to explain the installation
234 and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
235 Name Domain) software package, and we
236 begin by reviewing the fundamentals of the Domain Name System
237 (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
241 <title>DNS Fundamentals</title>
244 The Domain Name System (DNS) is a hierarchical, distributed
245 database. It stores information for mapping Internet host names to
247 addresses and vice versa, mail routing information, and other data
248 used by Internet applications.
252 Clients look up information in the DNS by calling a
253 <emphasis>resolver</emphasis> library, which sends queries to one or
254 more <emphasis>name servers</emphasis> and interprets the responses.
255 The <acronym>BIND</acronym> 9 software distribution
257 name server, <command>named</command>, and a resolver
258 library, <command>liblwres</command>. The older
259 <command>libbind</command> resolver library is also available
260 from ISC as a separate download.
264 <title>Domains and Domain Names</title>
267 The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
268 organizational or administrative boundaries. Each node of the tree,
269 called a <emphasis>domain</emphasis>, is given a label. The domain
271 node is the concatenation of all the labels on the path from the
272 node to the <emphasis>root</emphasis> node. This is represented
273 in written form as a string of labels listed from right to left and
274 separated by dots. A label need only be unique within its parent
279 For example, a domain name for a host at the
280 company <emphasis>Example, Inc.</emphasis> could be
281 <literal>ourhost.example.com</literal>,
282 where <literal>com</literal> is the
283 top level domain to which
284 <literal>ourhost.example.com</literal> belongs,
285 <literal>example</literal> is
286 a subdomain of <literal>com</literal>, and
287 <literal>ourhost</literal> is the
292 For administrative purposes, the name space is partitioned into
293 areas called <emphasis>zones</emphasis>, each starting at a node and
294 extending down to the leaf nodes or to nodes where other zones
296 The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
297 <emphasis>DNS protocol</emphasis>.
301 The data associated with each domain name is stored in the
302 form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
303 Some of the supported resource record types are described in
304 <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
308 For more detailed information about the design of the DNS and
309 the DNS protocol, please refer to the standards documents listed in
310 <xref linkend="rfcs"/>.
317 To properly operate a name server, it is important to understand
318 the difference between a <emphasis>zone</emphasis>
319 and a <emphasis>domain</emphasis>.
323 As stated previously, a zone is a point of delegation in
324 the <acronym>DNS</acronym> tree. A zone consists of
325 those contiguous parts of the domain
326 tree for which a name server has complete information and over which
327 it has authority. It contains all domain names from a certain point
328 downward in the domain tree except those which are delegated to
329 other zones. A delegation point is marked by one or more
330 <emphasis>NS records</emphasis> in the
331 parent zone, which should be matched by equivalent NS records at
332 the root of the delegated zone.
336 For instance, consider the <literal>example.com</literal>
337 domain which includes names
338 such as <literal>host.aaa.example.com</literal> and
339 <literal>host.bbb.example.com</literal> even though
340 the <literal>example.com</literal> zone includes
341 only delegations for the <literal>aaa.example.com</literal> and
342 <literal>bbb.example.com</literal> zones. A zone can
344 exactly to a single domain, but could also include only part of a
345 domain, the rest of which could be delegated to other
346 name servers. Every name in the <acronym>DNS</acronym>
348 <emphasis>domain</emphasis>, even if it is
349 <emphasis>terminal</emphasis>, that is, has no
350 <emphasis>subdomains</emphasis>. Every subdomain is a domain and
351 every domain except the root is also a subdomain. The terminology is
352 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
354 gain a complete understanding of this difficult and subtle
359 Though <acronym>BIND</acronym> is called a "domain name
361 it deals primarily in terms of zones. The master and slave
362 declarations in the <filename>named.conf</filename> file
364 zones, not domains. When you ask some other site if it is willing to
365 be a slave server for your <emphasis>domain</emphasis>, you are
366 actually asking for slave service for some collection of zones.
371 <title>Authoritative Name Servers</title>
374 Each zone is served by at least
375 one <emphasis>authoritative name server</emphasis>,
376 which contains the complete data for the zone.
377 To make the DNS tolerant of server and network failures,
378 most zones have two or more authoritative servers, on
383 Responses from authoritative servers have the "authoritative
384 answer" (AA) bit set in the response packets. This makes them
385 easy to identify when debugging DNS configurations using tools like
386 <command>dig</command> (<xref linkend="diagnostic_tools"/>).
390 <title>The Primary Master</title>
393 The authoritative server where the master copy of the zone
394 data is maintained is called the
395 <emphasis>primary master</emphasis> server, or simply the
396 <emphasis>primary</emphasis>. Typically it loads the zone
397 contents from some local file edited by humans or perhaps
398 generated mechanically from some other local file which is
399 edited by humans. This file is called the
400 <emphasis>zone file</emphasis> or
401 <emphasis>master file</emphasis>.
405 In some cases, however, the master file may not be edited
406 by humans at all, but may instead be the result of
407 <emphasis>dynamic update</emphasis> operations.
412 <title>Slave Servers</title>
414 The other authoritative servers, the <emphasis>slave</emphasis>
415 servers (also known as <emphasis>secondary</emphasis> servers)
417 the zone contents from another server using a replication process
418 known as a <emphasis>zone transfer</emphasis>. Typically the data
420 transferred directly from the primary master, but it is also
422 to transfer it from another slave. In other words, a slave server
423 may itself act as a master to a subordinate slave server.
428 <title>Stealth Servers</title>
431 Usually all of the zone's authoritative servers are listed in
432 NS records in the parent zone. These NS records constitute
433 a <emphasis>delegation</emphasis> of the zone from the parent.
434 The authoritative servers are also listed in the zone file itself,
435 at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
436 of the zone. You can list servers in the zone's top-level NS
437 records that are not in the parent's NS delegation, but you cannot
438 list servers in the parent's delegation that are not present at
439 the zone's top level.
443 A <emphasis>stealth server</emphasis> is a server that is
444 authoritative for a zone but is not listed in that zone's NS
445 records. Stealth servers can be used for keeping a local copy of
447 zone to speed up access to the zone's records or to make sure that
449 zone is available even if all the "official" servers for the zone
455 A configuration where the primary master server itself is a
456 stealth server is often referred to as a "hidden primary"
457 configuration. One use for this configuration is when the primary
459 is behind a firewall and therefore unable to communicate directly
460 with the outside world.
468 <title>Caching Name Servers</title>
471 - Terminology here is inconsistent. Probably ought to
472 - convert to using "recursive name server" everywhere
473 - with just a note about "caching" terminology.
477 The resolver libraries provided by most operating systems are
478 <emphasis>stub resolvers</emphasis>, meaning that they are not
480 performing the full DNS resolution process by themselves by talking
481 directly to the authoritative servers. Instead, they rely on a
483 name server to perform the resolution on their behalf. Such a
485 is called a <emphasis>recursive</emphasis> name server; it performs
486 <emphasis>recursive lookups</emphasis> for local clients.
490 To improve performance, recursive servers cache the results of
491 the lookups they perform. Since the processes of recursion and
492 caching are intimately connected, the terms
493 <emphasis>recursive server</emphasis> and
494 <emphasis>caching server</emphasis> are often used synonymously.
498 The length of time for which a record may be retained in
499 the cache of a caching name server is controlled by the
500 Time To Live (TTL) field associated with each resource record.
504 <title>Forwarding</title>
507 Even a caching name server does not necessarily perform
508 the complete recursive lookup itself. Instead, it can
509 <emphasis>forward</emphasis> some or all of the queries
510 that it cannot satisfy from its cache to another caching name
512 commonly referred to as a <emphasis>forwarder</emphasis>.
516 There may be one or more forwarders,
517 and they are queried in turn until the list is exhausted or an
519 is found. Forwarders are typically used when you do not
520 wish all the servers at a given site to interact directly with the
522 the Internet servers. A typical scenario would involve a number
523 of internal <acronym>DNS</acronym> servers and an
524 Internet firewall. Servers unable
525 to pass packets through the firewall would forward to the server
526 that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
527 on the internal server's behalf.
534 <title>Name Servers in Multiple Roles</title>
537 The <acronym>BIND</acronym> name server can
538 simultaneously act as
539 a master for some zones, a slave for other zones, and as a caching
540 (recursive) server for a set of local clients.
544 However, since the functions of authoritative name service
545 and caching/recursive name service are logically separate, it is
546 often advantageous to run them on separate server machines.
548 A server that only provides authoritative name service
549 (an <emphasis>authoritative-only</emphasis> server) can run with
550 recursion disabled, improving reliability and security.
552 A server that is not authoritative for any zones and only provides
553 recursive service to local
554 clients (a <emphasis>caching-only</emphasis> server)
555 does not need to be reachable from the Internet at large and can
556 be placed inside a firewall.
564 <chapter id="Bv9ARM.ch02">
565 <title><acronym>BIND</acronym> Resource Requirements</title>
568 <title>Hardware requirements</title>
571 <acronym>DNS</acronym> hardware requirements have
572 traditionally been quite modest.
573 For many installations, servers that have been pensioned off from
574 active duty have performed admirably as <acronym>DNS</acronym> servers.
577 The DNSSEC features of <acronym>BIND</acronym> 9
578 may prove to be quite
579 CPU intensive however, so organizations that make heavy use of these
580 features may wish to consider larger systems for these applications.
581 <acronym>BIND</acronym> 9 is fully multithreaded, allowing
583 multiprocessor systems for installations that need it.
587 <title>CPU Requirements</title>
589 CPU requirements for <acronym>BIND</acronym> 9 range from
591 for serving of static zones without caching, to enterprise-class
592 machines if you intend to process many dynamic updates and DNSSEC
593 signed zones, serving many thousands of queries per second.
598 <title>Memory Requirements</title>
600 The memory of the server has to be large enough to fit the
601 cache and zones loaded off disk. The <command>max-cache-size</command>
602 option can be used to limit the amount of memory used by the cache,
603 at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
605 Additionally, if additional section caching
606 (<xref linkend="acache"/>) is enabled,
607 the <command>max-acache-size</command> option can be used to
609 of memory used by the mechanism.
610 It is still good practice to have enough memory to load
611 all zone and cache data into memory — unfortunately, the best
613 to determine this for a given installation is to watch the name server
614 in operation. After a few weeks the server process should reach
615 a relatively stable size where entries are expiring from the cache as
616 fast as they are being inserted.
619 - Add something here about leaving overhead for attacks?
620 - How much overhead? Percentage?
625 <title>Name Server Intensive Environment Issues</title>
627 For name server intensive environments, there are two alternative
628 configurations that may be used. The first is where clients and
629 any second-level internal name servers query a main name server, which
630 has enough memory to build a large cache. This approach minimizes
631 the bandwidth used by external name lookups. The second alternative
632 is to set up second-level internal name servers to make queries
634 In this configuration, none of the individual machines needs to
635 have as much memory or CPU power as in the first alternative, but
636 this has the disadvantage of making many more external queries,
637 as none of the name servers share their cached data.
642 <title>Supported Operating Systems</title>
644 ISC <acronym>BIND</acronym> 9 compiles and runs on a large
646 of Unix-like operating systems and on NT-derived versions of
647 Microsoft Windows such as Windows 2000 and Windows XP. For an
649 list of supported systems, see the README file in the top level
651 of the BIND 9 source distribution.
656 <chapter id="Bv9ARM.ch03">
657 <title>Name Server Configuration</title>
659 In this chapter we provide some suggested configurations along
660 with guidelines for their use. We suggest reasonable values for
661 certain option settings.
664 <sect1 id="sample_configuration">
665 <title>Sample Configurations</title>
667 <title>A Caching-only Name Server</title>
669 The following sample configuration is appropriate for a caching-only
670 name server for use by clients internal to a corporation. All
672 from outside clients are refused using the <command>allow-query</command>
673 option. Alternatively, the same effect could be achieved using
679 // Two corporate subnets we wish to allow queries from.
680 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
682 directory "/etc/namedb"; // Working directory
683 allow-query { corpnets; };
685 // Provide a reverse mapping for the loopback address 127.0.0.1
686 zone "0.0.127.in-addr.arpa" {
688 file "localhost.rev";
696 <title>An Authoritative-only Name Server</title>
698 This sample configuration is for an authoritative-only server
699 that is the master server for "<filename>example.com</filename>"
700 and a slave for the subdomain "<filename>eng.example.com</filename>".
705 directory "/etc/namedb"; // Working directory
706 allow-query-cache { none; }; // Do not allow access to cache
707 allow-query { any; }; // This is the default
708 recursion no; // Do not provide recursive service
711 // Provide a reverse mapping for the loopback address 127.0.0.1
712 zone "0.0.127.in-addr.arpa" {
714 file "localhost.rev";
717 // We are the master server for example.com
720 file "example.com.db";
721 // IP addresses of slave servers allowed to transfer example.com
727 // We are a slave server for eng.example.com
728 zone "eng.example.com" {
730 file "eng.example.com.bk";
731 // IP address of eng.example.com master server
732 masters { 192.168.4.12; };
740 <title>Load Balancing</title>
742 - Add explanation of why load balancing is fragile at best
743 - and completely pointless in the general case.
747 A primitive form of load balancing can be achieved in
748 the <acronym>DNS</acronym> by using multiple records
749 (such as multiple A records) for one name.
753 For example, if you have three WWW servers with network addresses
754 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
755 following means that clients will connect to each machine one third
759 <informaltable colsep="0" rowsep="0">
760 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
761 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
762 <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
763 <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
764 <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
765 <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
790 Resource Record (RR) Data
797 <literal>www</literal>
802 <literal>600</literal>
807 <literal>IN</literal>
817 <literal>10.0.0.1</literal>
827 <literal>600</literal>
832 <literal>IN</literal>
842 <literal>10.0.0.2</literal>
852 <literal>600</literal>
857 <literal>IN</literal>
867 <literal>10.0.0.3</literal>
875 When a resolver queries for these records, <acronym>BIND</acronym> will rotate
876 them and respond to the query with the records in a different
877 order. In the example above, clients will randomly receive
878 records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
879 will use the first record returned and discard the rest.
882 For more detail on ordering responses, check the
883 <command>rrset-order</command> substatement in the
884 <command>options</command> statement, see
885 <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
891 <title>Name Server Operations</title>
894 <title>Tools for Use With the Name Server Daemon</title>
896 This section describes several indispensable diagnostic,
897 administrative and monitoring tools available to the system
898 administrator for controlling and debugging the name server
901 <sect3 id="diagnostic_tools">
902 <title>Diagnostic Tools</title>
904 The <command>dig</command>, <command>host</command>, and
905 <command>nslookup</command> programs are all command
907 for manually querying name servers. They differ in style and
913 <term id="dig"><command>dig</command></term>
916 The domain information groper (<command>dig</command>)
917 is the most versatile and complete of these lookup tools.
918 It has two modes: simple interactive
919 mode for a single query, and batch mode which executes a
921 each in a list of several query lines. All query options are
923 from the command line.
925 <cmdsynopsis label="Usage">
926 <command>dig</command>
927 <arg>@<replaceable>server</replaceable></arg>
928 <arg choice="plain"><replaceable>domain</replaceable></arg>
929 <arg><replaceable>query-type</replaceable></arg>
930 <arg><replaceable>query-class</replaceable></arg>
931 <arg>+<replaceable>query-option</replaceable></arg>
932 <arg>-<replaceable>dig-option</replaceable></arg>
933 <arg>%<replaceable>comment</replaceable></arg>
936 The usual simple use of <command>dig</command> will take the form
939 <command>dig @server domain query-type query-class</command>
942 For more information and a list of available commands and
943 options, see the <command>dig</command> man
950 <term><command>host</command></term>
953 The <command>host</command> utility emphasizes
955 and ease of use. By default, it converts
956 between host names and Internet addresses, but its
958 can be extended with the use of options.
960 <cmdsynopsis label="Usage">
961 <command>host</command>
962 <arg>-aCdlnrsTwv</arg>
963 <arg>-c <replaceable>class</replaceable></arg>
964 <arg>-N <replaceable>ndots</replaceable></arg>
965 <arg>-t <replaceable>type</replaceable></arg>
966 <arg>-W <replaceable>timeout</replaceable></arg>
967 <arg>-R <replaceable>retries</replaceable></arg>
968 <arg>-m <replaceable>flag</replaceable></arg>
971 <arg choice="plain"><replaceable>hostname</replaceable></arg>
972 <arg><replaceable>server</replaceable></arg>
975 For more information and a list of available commands and
976 options, see the <command>host</command> man
983 <term><command>nslookup</command></term>
985 <para><command>nslookup</command>
986 has two modes: interactive and
987 non-interactive. Interactive mode allows the user to
988 query name servers for information about various
989 hosts and domains or to print a list of hosts in a
990 domain. Non-interactive mode is used to print just
991 the name and requested information for a host or
994 <cmdsynopsis label="Usage">
995 <command>nslookup</command>
996 <arg rep="repeat">-option</arg>
998 <arg><replaceable>host-to-find</replaceable></arg>
999 <arg>- <arg>server</arg></arg>
1003 Interactive mode is entered when no arguments are given (the
1004 default name server will be used) or when the first argument
1006 hyphen (`-') and the second argument is the host name or
1011 Non-interactive mode is used when the name or Internet
1013 of the host to be looked up is given as the first argument.
1015 optional second argument specifies the host name or address
1019 Due to its arcane user interface and frequently inconsistent
1020 behavior, we do not recommend the use of <command>nslookup</command>.
1021 Use <command>dig</command> instead.
1029 <sect3 id="admin_tools">
1030 <title>Administrative Tools</title>
1032 Administrative tools play an integral part in the management
1036 <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
1038 <term><command>named-checkconf</command></term>
1041 The <command>named-checkconf</command> program
1042 checks the syntax of a <filename>named.conf</filename> file.
1044 <cmdsynopsis label="Usage">
1045 <command>named-checkconf</command>
1047 <arg>-t <replaceable>directory</replaceable></arg>
1048 <arg><replaceable>filename</replaceable></arg>
1052 <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
1054 <term><command>named-checkzone</command></term>
1057 The <command>named-checkzone</command> program
1058 checks a master file for
1059 syntax and consistency.
1061 <cmdsynopsis label="Usage">
1062 <command>named-checkzone</command>
1064 <arg>-c <replaceable>class</replaceable></arg>
1065 <arg>-o <replaceable>output</replaceable></arg>
1066 <arg>-t <replaceable>directory</replaceable></arg>
1067 <arg>-w <replaceable>directory</replaceable></arg>
1068 <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
1069 <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
1070 <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
1071 <arg choice="plain"><replaceable>zone</replaceable></arg>
1072 <arg><replaceable>filename</replaceable></arg>
1076 <varlistentry id="named-compilezone" xreflabel="Zone Compilation application">
1077 <term><command>named-compilezone</command></term>
1080 Similar to <command>named-checkzone,</command> but
1081 it always dumps the zone content to a specified file
1082 (typically in a different format).
1086 <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
1088 <term><command>rndc</command></term>
1091 The remote name daemon control
1092 (<command>rndc</command>) program allows the
1094 administrator to control the operation of a name server.
1095 Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
1096 supports all the commands of the BIND 8 <command>ndc</command>
1097 utility except <command>ndc start</command> and
1098 <command>ndc restart</command>, which were also
1099 not supported in <command>ndc</command>'s
1101 If you run <command>rndc</command> without any
1103 it will display a usage message as follows:
1105 <cmdsynopsis label="Usage">
1106 <command>rndc</command>
1107 <arg>-c <replaceable>config</replaceable></arg>
1108 <arg>-s <replaceable>server</replaceable></arg>
1109 <arg>-p <replaceable>port</replaceable></arg>
1110 <arg>-y <replaceable>key</replaceable></arg>
1111 <arg choice="plain"><replaceable>command</replaceable></arg>
1112 <arg rep="repeat"><replaceable>command</replaceable></arg>
1114 <para>The <command>command</command>
1115 is one of the following:
1121 <term><userinput>reload</userinput></term>
1124 Reload configuration file and zones.
1130 <term><userinput>reload <replaceable>zone</replaceable>
1131 <optional><replaceable>class</replaceable>
1132 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1135 Reload the given zone.
1141 <term><userinput>refresh <replaceable>zone</replaceable>
1142 <optional><replaceable>class</replaceable>
1143 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1146 Schedule zone maintenance for the given zone.
1152 <term><userinput>retransfer <replaceable>zone</replaceable>
1154 <optional><replaceable>class</replaceable>
1155 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1158 Retransfer the given zone from the master.
1165 <term><userinput>freeze
1166 <optional><replaceable>zone</replaceable>
1167 <optional><replaceable>class</replaceable>
1168 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1171 Suspend updates to a dynamic zone. If no zone is
1173 then all zones are suspended. This allows manual
1174 edits to be made to a zone normally updated by dynamic
1176 also causes changes in the journal file to be synced
1178 and the journal file to be removed. All dynamic
1179 update attempts will
1180 be refused while the zone is frozen.
1186 <term><userinput>thaw
1187 <optional><replaceable>zone</replaceable>
1188 <optional><replaceable>class</replaceable>
1189 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1192 Enable updates to a frozen dynamic zone. If no zone
1194 specified, then all frozen zones are enabled. This
1196 the server to reload the zone from disk, and
1197 re-enables dynamic updates
1198 after the load has completed. After a zone is thawed,
1200 will no longer be refused.
1206 <term><userinput>notify <replaceable>zone</replaceable>
1207 <optional><replaceable>class</replaceable>
1208 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1211 Resend NOTIFY messages for the zone.
1217 <term><userinput>reconfig</userinput></term>
1220 Reload the configuration file and load new zones,
1221 but do not reload existing zone files even if they
1223 This is faster than a full <command>reload</command> when there
1224 is a large number of zones because it avoids the need
1226 modification times of the zones files.
1232 <term><userinput>stats</userinput></term>
1235 Write server statistics to the statistics file.
1241 <term><userinput>querylog</userinput></term>
1244 Toggle query logging. Query logging can also be enabled
1245 by explicitly directing the <command>queries</command>
1246 <command>category</command> to a
1247 <command>channel</command> in the
1248 <command>logging</command> section of
1249 <filename>named.conf</filename> or by specifying
1250 <command>querylog yes;</command> in the
1251 <command>options</command> section of
1252 <filename>named.conf</filename>.
1258 <term><userinput>dumpdb
1259 <optional>-all|-cache|-zone</optional>
1260 <optional><replaceable>view ...</replaceable></optional></userinput></term>
1263 Dump the server's caches (default) and/or zones to
1265 dump file for the specified views. If no view is
1273 <term><userinput>stop <optional>-p</optional></userinput></term>
1276 Stop the server, making sure any recent changes
1277 made through dynamic update or IXFR are first saved to
1278 the master files of the updated zones.
1279 If <option>-p</option> is specified <command>named</command>'s process id is returned.
1280 This allows an external process to determine when <command>named</command>
1281 had completed stopping.
1287 <term><userinput>halt <optional>-p</optional></userinput></term>
1290 Stop the server immediately. Recent changes
1291 made through dynamic update or IXFR are not saved to
1292 the master files, but will be rolled forward from the
1293 journal files when the server is restarted.
1294 If <option>-p</option> is specified <command>named</command>'s process id is returned.
1295 This allows an external process to determine when <command>named</command>
1296 had completed halting.
1302 <term><userinput>trace</userinput></term>
1305 Increment the servers debugging level by one.
1311 <term><userinput>trace <replaceable>level</replaceable></userinput></term>
1314 Sets the server's debugging level to an explicit
1321 <term><userinput>notrace</userinput></term>
1324 Sets the server's debugging level to 0.
1330 <term><userinput>flush</userinput></term>
1333 Flushes the server's cache.
1339 <term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
1342 Flushes the given name from the server's cache.
1348 <term><userinput>status</userinput></term>
1351 Display status of the server.
1352 Note that the number of zones includes the internal <command>bind/CH</command> zone
1353 and the default <command>./IN</command>
1354 hint zone if there is not an
1355 explicit root zone configured.
1361 <term><userinput>recursing</userinput></term>
1364 Dump the list of queries <command>named</command> is currently recursing
1371 <term><userinput>validation
1372 <optional>on|off</optional>
1373 <optional><replaceable>view ...</replaceable></optional>
1377 Enable or disable DNSSEC validation.
1378 Note <command>dnssec-enable</command> also needs to be
1379 set to <userinput>yes</userinput> to be effective.
1380 It defaults to enabled.
1388 A configuration file is required, since all
1389 communication with the server is authenticated with
1390 digital signatures that rely on a shared secret, and
1391 there is no way to provide that secret other than with a
1392 configuration file. The default location for the
1393 <command>rndc</command> configuration file is
1394 <filename>/etc/rndc.conf</filename>, but an
1396 location can be specified with the <option>-c</option>
1397 option. If the configuration file is not found,
1398 <command>rndc</command> will also look in
1399 <filename>/etc/rndc.key</filename> (or whatever
1400 <varname>sysconfdir</varname> was defined when
1401 the <acronym>BIND</acronym> build was
1403 The <filename>rndc.key</filename> file is
1405 running <command>rndc-confgen -a</command> as
1407 <xref linkend="controls_statement_definition_and_usage"/>.
1411 The format of the configuration file is similar to
1412 that of <filename>named.conf</filename>, but
1414 only four statements, the <command>options</command>,
1415 <command>key</command>, <command>server</command> and
1416 <command>include</command>
1417 statements. These statements are what associate the
1418 secret keys to the servers with which they are meant to
1419 be shared. The order of statements is not
1424 The <command>options</command> statement has
1426 <command>default-server</command>, <command>default-key</command>,
1427 and <command>default-port</command>.
1428 <command>default-server</command> takes a
1429 host name or address argument and represents the server
1431 be contacted if no <option>-s</option>
1432 option is provided on the command line.
1433 <command>default-key</command> takes
1434 the name of a key as its argument, as defined by a <command>key</command> statement.
1435 <command>default-port</command> specifies the
1437 <command>rndc</command> should connect if no
1438 port is given on the command line or in a
1439 <command>server</command> statement.
1443 The <command>key</command> statement defines a
1445 by <command>rndc</command> when authenticating
1447 <command>named</command>. Its syntax is
1449 <command>key</command> statement in <filename>named.conf</filename>.
1450 The keyword <userinput>key</userinput> is
1451 followed by a key name, which must be a valid
1452 domain name, though it need not actually be hierarchical;
1454 a string like "<userinput>rndc_key</userinput>" is a valid
1456 The <command>key</command> statement has two
1458 <command>algorithm</command> and <command>secret</command>.
1459 While the configuration parser will accept any string as the
1461 to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
1462 has any meaning. The secret is a base-64 encoded string
1463 as specified in RFC 3548.
1467 The <command>server</command> statement
1469 defined using the <command>key</command>
1470 statement with a server.
1471 The keyword <userinput>server</userinput> is followed by a
1472 host name or address. The <command>server</command> statement
1473 has two clauses: <command>key</command> and <command>port</command>.
1474 The <command>key</command> clause specifies the
1476 to be used when communicating with this server, and the
1477 <command>port</command> clause can be used to
1478 specify the port <command>rndc</command> should
1484 A sample minimal configuration file is as follows:
1489 algorithm "hmac-md5";
1490 secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
1493 default-server 127.0.0.1;
1494 default-key rndc_key;
1499 This file, if installed as <filename>/etc/rndc.conf</filename>,
1500 would allow the command:
1504 <prompt>$ </prompt><userinput>rndc reload</userinput>
1508 to connect to 127.0.0.1 port 953 and cause the name server
1509 to reload, if a name server on the local machine were
1511 following controls statements:
1516 inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
1521 and it had an identical key statement for
1522 <literal>rndc_key</literal>.
1526 Running the <command>rndc-confgen</command>
1528 conveniently create a <filename>rndc.conf</filename>
1529 file for you, and also display the
1530 corresponding <command>controls</command>
1531 statement that you need to
1532 add to <filename>named.conf</filename>.
1534 you can run <command>rndc-confgen -a</command>
1536 a <filename>rndc.key</filename> file and not
1538 <filename>named.conf</filename> at all.
1549 <title>Signals</title>
1551 Certain UNIX signals cause the name server to take specific
1552 actions, as described in the following table. These signals can
1553 be sent using the <command>kill</command> command.
1555 <informaltable frame="all">
1557 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
1558 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
1562 <para><command>SIGHUP</command></para>
1566 Causes the server to read <filename>named.conf</filename> and
1567 reload the database.
1573 <para><command>SIGTERM</command></para>
1577 Causes the server to clean up and exit.
1583 <para><command>SIGINT</command></para>
1587 Causes the server to clean up and exit.
1598 <chapter id="Bv9ARM.ch04">
1599 <title>Advanced DNS Features</title>
1603 <title>Notify</title>
1605 <acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1606 servers to notify their slave servers of changes to a zone's data. In
1607 response to a <command>NOTIFY</command> from a master server, the
1608 slave will check to see that its version of the zone is the
1609 current version and, if not, initiate a zone transfer.
1613 For more information about <acronym>DNS</acronym>
1614 <command>NOTIFY</command>, see the description of the
1615 <command>notify</command> option in <xref linkend="boolean_options"/> and
1616 the description of the zone option <command>also-notify</command> in
1617 <xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1618 protocol is specified in RFC 1996.
1622 As a slave zone can also be a master to other slaves, <command>named</command>,
1623 by default, sends <command>NOTIFY</command> messages for every zone
1624 it loads. Specifying <command>notify master-only;</command> will
1625 cause <command>named</command> to only send <command>NOTIFY</command> for master
1626 zones that it loads.
1631 <sect1 id="dynamic_update">
1632 <title>Dynamic Update</title>
1635 Dynamic Update is a method for adding, replacing or deleting
1636 records in a master server by sending it a special form of DNS
1637 messages. The format and meaning of these messages is specified
1642 Dynamic update is enabled by including an
1643 <command>allow-update</command> or <command>update-policy</command>
1644 clause in the <command>zone</command> statement. The
1645 <command>tkey-gssapi-credential</command> and
1646 <command>tkey-domain</command> clauses in the
1647 <command>options</command> statement enable the
1648 server to negotiate keys that can be matched against those
1649 in <command>update-policy</command> or
1650 <command>allow-update</command>.
1654 Updating of secure zones (zones using DNSSEC) follows RFC
1655 3007: RRSIG, NSEC and NSEC3 records affected by updates are
1656 automatically regenerated by the server using an online
1657 zone key. Update authorization is based on transaction
1658 signatures and an explicit server policy.
1661 <sect2 id="journal">
1662 <title>The journal file</title>
1665 All changes made to a zone using dynamic update are stored
1666 in the zone's journal file. This file is automatically created
1667 by the server when the first dynamic update takes place.
1668 The name of the journal file is formed by appending the extension
1669 <filename>.jnl</filename> to the name of the
1671 file unless specifically overridden. The journal file is in a
1672 binary format and should not be edited manually.
1676 The server will also occasionally write ("dump")
1677 the complete contents of the updated zone to its zone file.
1678 This is not done immediately after
1679 each dynamic update, because that would be too slow when a large
1680 zone is updated frequently. Instead, the dump is delayed by
1681 up to 15 minutes, allowing additional updates to take place.
1685 When a server is restarted after a shutdown or crash, it will replay
1686 the journal file to incorporate into the zone any updates that
1688 place after the last zone dump.
1692 Changes that result from incoming incremental zone transfers are
1694 journalled in a similar way.
1698 The zone files of dynamic zones cannot normally be edited by
1699 hand because they are not guaranteed to contain the most recent
1700 dynamic changes — those are only in the journal file.
1701 The only way to ensure that the zone file of a dynamic zone
1702 is up to date is to run <command>rndc stop</command>.
1706 If you have to make changes to a dynamic zone
1707 manually, the following procedure will work: Disable dynamic updates
1709 <command>rndc freeze <replaceable>zone</replaceable></command>.
1710 This will also remove the zone's <filename>.jnl</filename> file
1711 and update the master file. Edit the zone file. Run
1712 <command>rndc thaw <replaceable>zone</replaceable></command>
1713 to reload the changed zone and re-enable dynamic updates.
1720 <sect1 id="incremental_zone_transfers">
1721 <title>Incremental Zone Transfers (IXFR)</title>
1724 The incremental zone transfer (IXFR) protocol is a way for
1725 slave servers to transfer only changed data, instead of having to
1726 transfer the entire zone. The IXFR protocol is specified in RFC
1727 1995. See <xref linkend="proposed_standards"/>.
1731 When acting as a master, <acronym>BIND</acronym> 9
1732 supports IXFR for those zones
1733 where the necessary change history information is available. These
1734 include master zones maintained by dynamic update and slave zones
1735 whose data was obtained by IXFR. For manually maintained master
1736 zones, and for slave zones obtained by performing a full zone
1737 transfer (AXFR), IXFR is supported only if the option
1738 <command>ixfr-from-differences</command> is set
1739 to <userinput>yes</userinput>.
1743 When acting as a slave, <acronym>BIND</acronym> 9 will
1744 attempt to use IXFR unless
1745 it is explicitly disabled. For more information about disabling
1746 IXFR, see the description of the <command>request-ixfr</command> clause
1747 of the <command>server</command> statement.
1752 <title>Split DNS</title>
1754 Setting up different views, or visibility, of the DNS space to
1755 internal and external resolvers is usually referred to as a
1756 <emphasis>Split DNS</emphasis> setup. There are several
1757 reasons an organization would want to set up its DNS this way.
1760 One common reason for setting up a DNS system this way is
1761 to hide "internal" DNS information from "external" clients on the
1762 Internet. There is some debate as to whether or not this is actually
1764 Internal DNS information leaks out in many ways (via email headers,
1765 for example) and most savvy "attackers" can find the information
1766 they need using other means.
1767 However, since listing addresses of internal servers that
1768 external clients cannot possibly reach can result in
1769 connection delays and other annoyances, an organization may
1770 choose to use a Split DNS to present a consistent view of itself
1771 to the outside world.
1774 Another common reason for setting up a Split DNS system is
1775 to allow internal networks that are behind filters or in RFC 1918
1776 space (reserved IP space, as documented in RFC 1918) to resolve DNS
1777 on the Internet. Split DNS can also be used to allow mail from outside
1778 back in to the internal network.
1781 <title>Example split DNS setup</title>
1783 Let's say a company named <emphasis>Example, Inc.</emphasis>
1784 (<literal>example.com</literal>)
1785 has several corporate sites that have an internal network with
1787 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1788 or "outside" section of a network, that is available to the public.
1791 <emphasis>Example, Inc.</emphasis> wants its internal clients
1792 to be able to resolve external hostnames and to exchange mail with
1793 people on the outside. The company also wants its internal resolvers
1794 to have access to certain internal-only zones that are not available
1795 at all outside of the internal network.
1798 In order to accomplish this, the company will set up two sets
1799 of name servers. One set will be on the inside network (in the
1801 IP space) and the other set will be on bastion hosts, which are
1803 hosts that can talk to both sides of its network, in the DMZ.
1806 The internal servers will be configured to forward all queries,
1807 except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1808 and <filename>site2.example.com</filename>, to the servers
1810 DMZ. These internal servers will have complete sets of information
1811 for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis/> <filename>site1.internal</filename>,
1812 and <filename>site2.internal</filename>.
1815 To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1816 the internal name servers must be configured to disallow all queries
1817 to these domains from any external hosts, including the bastion
1821 The external servers, which are on the bastion hosts, will
1822 be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1823 This could include things such as the host records for public servers
1824 (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1825 and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
1828 In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1829 should have special MX records that contain wildcard (`*') records
1830 pointing to the bastion hosts. This is needed because external mail
1831 servers do not have any other way of looking up how to deliver mail
1832 to those internal hosts. With the wildcard records, the mail will
1833 be delivered to the bastion host, which can then forward it on to
1837 Here's an example of a wildcard MX record:
1839 <programlisting>* IN MX 10 external1.example.com.</programlisting>
1841 Now that they accept mail on behalf of anything in the internal
1842 network, the bastion hosts will need to know how to deliver mail
1843 to internal hosts. In order for this to work properly, the resolvers
1845 the bastion hosts will need to be configured to point to the internal
1846 name servers for DNS resolution.
1849 Queries for internal hostnames will be answered by the internal
1850 servers, and queries for external hostnames will be forwarded back
1851 out to the DNS servers on the bastion hosts.
1854 In order for all this to work properly, internal clients will
1855 need to be configured to query <emphasis>only</emphasis> the internal
1856 name servers for DNS queries. This could also be enforced via
1858 filtering on the network.
1861 If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1862 internal clients will now be able to:
1867 Look up any hostnames in the <literal>site1</literal>
1869 <literal>site2.example.com</literal> zones.
1874 Look up any hostnames in the <literal>site1.internal</literal> and
1875 <literal>site2.internal</literal> domains.
1879 <simpara>Look up any hostnames on the Internet.</simpara>
1882 <simpara>Exchange mail with both internal and external people.</simpara>
1886 Hosts on the Internet will be able to:
1891 Look up any hostnames in the <literal>site1</literal>
1893 <literal>site2.example.com</literal> zones.
1898 Exchange mail with anyone in the <literal>site1</literal> and
1899 <literal>site2.example.com</literal> zones.
1905 Here is an example configuration for the setup we just
1906 described above. Note that this is only configuration information;
1907 for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
1911 Internal DNS server config:
1916 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1918 acl externals { <varname>bastion-ips-go-here</varname>; };
1924 forwarders { // forward to external servers
1925 <varname>bastion-ips-go-here</varname>;
1927 allow-transfer { none; }; // sample allow-transfer (no one)
1928 allow-query { internals; externals; }; // restrict query access
1929 allow-recursion { internals; }; // restrict recursion
1934 zone "site1.example.com" { // sample master zone
1936 file "m/site1.example.com";
1937 forwarders { }; // do normal iterative
1938 // resolution (do not forward)
1939 allow-query { internals; externals; };
1940 allow-transfer { internals; };
1943 zone "site2.example.com" { // sample slave zone
1945 file "s/site2.example.com";
1946 masters { 172.16.72.3; };
1948 allow-query { internals; externals; };
1949 allow-transfer { internals; };
1952 zone "site1.internal" {
1954 file "m/site1.internal";
1956 allow-query { internals; };
1957 allow-transfer { internals; }
1960 zone "site2.internal" {
1962 file "s/site2.internal";
1963 masters { 172.16.72.3; };
1965 allow-query { internals };
1966 allow-transfer { internals; }
1971 External (bastion host) DNS server config:
1975 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1977 acl externals { bastion-ips-go-here; };
1982 allow-transfer { none; }; // sample allow-transfer (no one)
1983 allow-query { any; }; // default query access
1984 allow-query-cache { internals; externals; }; // restrict cache access
1985 allow-recursion { internals; externals; }; // restrict recursion
1990 zone "site1.example.com" { // sample slave zone
1992 file "m/site1.foo.com";
1993 allow-transfer { internals; externals; };
1996 zone "site2.example.com" {
1998 file "s/site2.foo.com";
1999 masters { another_bastion_host_maybe; };
2000 allow-transfer { internals; externals; }
2005 In the <filename>resolv.conf</filename> (or equivalent) on
2006 the bastion host(s):
2011 nameserver 172.16.72.2
2012 nameserver 172.16.72.3
2013 nameserver 172.16.72.4
2021 This is a short guide to setting up Transaction SIGnatures
2022 (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
2023 to the configuration file as well as what changes are required for
2024 different features, including the process of creating transaction
2025 keys and using transaction signatures with <acronym>BIND</acronym>.
2028 <acronym>BIND</acronym> primarily supports TSIG for server
2029 to server communication.
2030 This includes zone transfer, notify, and recursive query messages.
2031 Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
2036 TSIG can also be useful for dynamic update. A primary
2037 server for a dynamic zone should control access to the dynamic
2038 update service, but IP-based access control is insufficient.
2039 The cryptographic access control provided by TSIG
2040 is far superior. The <command>nsupdate</command>
2041 program supports TSIG via the <option>-k</option> and
2042 <option>-y</option> command line options or inline by use
2043 of the <command>key</command>.
2047 <title>Generate Shared Keys for Each Pair of Hosts</title>
2049 A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
2050 An arbitrary key name is chosen: "host1-host2.". The key name must
2051 be the same on both hosts.
2054 <title>Automatic Generation</title>
2056 The following command will generate a 128-bit (16 byte) HMAC-MD5
2057 key as described above. Longer keys are better, but shorter keys
2058 are easier to read. Note that the maximum key length is 512 bits;
2059 keys longer than that will be digested with MD5 to produce a
2063 <userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput>
2066 The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
2067 Nothing directly uses this file, but the base-64 encoded string
2068 following "<literal>Key:</literal>"
2069 can be extracted from the file and used as a shared secret:
2071 <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
2073 The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
2074 be used as the shared secret.
2078 <title>Manual Generation</title>
2080 The shared secret is simply a random sequence of bits, encoded
2081 in base-64. Most ASCII strings are valid base-64 strings (assuming
2082 the length is a multiple of 4 and only valid characters are used),
2083 so the shared secret can be manually generated.
2086 Also, a known string can be run through <command>mmencode</command> or
2087 a similar program to generate base-64 encoded data.
2092 <title>Copying the Shared Secret to Both Machines</title>
2094 This is beyond the scope of DNS. A secure transport mechanism
2095 should be used. This could be secure FTP, ssh, telephone, etc.
2099 <title>Informing the Servers of the Key's Existence</title>
2101 Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis>
2103 both servers. The following is added to each server's <filename>named.conf</filename> file:
2109 secret "La/E5CjG9O+os1jq0a2jdA==";
2114 The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.
2115 The secret is the one generated above. Since this is a secret, it
2116 is recommended that either <filename>named.conf</filename> be non-world
2117 readable, or the key directive be added to a non-world readable
2118 file that is included by
2119 <filename>named.conf</filename>.
2122 At this point, the key is recognized. This means that if the
2123 server receives a message signed by this key, it can verify the
2124 signature. If the signature is successfully verified, the
2125 response is signed by the same key.
2130 <title>Instructing the Server to Use the Key</title>
2132 Since keys are shared between two hosts only, the server must
2133 be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
2134 for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
2140 keys { host1-host2. ;};
2145 Multiple keys may be present, but only the first is used.
2146 This directive does not contain any secrets, so it may be in a
2151 If <emphasis>host1</emphasis> sends a message that is a request
2152 to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
2153 expect any responses to signed messages to be signed with the same
2157 A similar statement must be present in <emphasis>host2</emphasis>'s
2158 configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
2159 sign request messages to <emphasis>host1</emphasis>.
2163 <title>TSIG Key Based Access Control</title>
2165 <acronym>BIND</acronym> allows IP addresses and ranges
2166 to be specified in ACL
2168 <command>allow-{ query | transfer | update }</command>
2170 This has been extended to allow TSIG keys also. The above key would
2171 be denoted <command>key host1-host2.</command>
2174 An example of an <command>allow-update</command> directive would be:
2178 allow-update { key host1-host2. ;};
2182 This allows dynamic updates to succeed only if the request
2183 was signed by a key named "<command>host1-host2.</command>".
2187 You may want to read about the more powerful
2188 <command>update-policy</command> statement in
2189 <xref linkend="dynamic_update_policies"/>.
2194 <title>Errors</title>
2197 The processing of TSIG signed messages can result in
2198 several errors. If a signed message is sent to a non-TSIG aware
2199 server, a FORMERR (format error) will be returned, since the server will not
2200 understand the record. This is a result of misconfiguration,
2201 since the server must be explicitly configured to send a TSIG
2202 signed message to a specific server.
2206 If a TSIG aware server receives a message signed by an
2207 unknown key, the response will be unsigned with the TSIG
2208 extended error code set to BADKEY. If a TSIG aware server
2209 receives a message with a signature that does not validate, the
2210 response will be unsigned with the TSIG extended error code set
2211 to BADSIG. If a TSIG aware server receives a message with a time
2212 outside of the allowed range, the response will be signed with
2213 the TSIG extended error code set to BADTIME, and the time values
2214 will be adjusted so that the response can be successfully
2215 verified. In any of these cases, the message's rcode (response code) is set to
2216 NOTAUTH (not authenticated).
2224 <para><command>TKEY</command>
2225 is a mechanism for automatically generating a shared secret
2226 between two hosts. There are several "modes" of
2227 <command>TKEY</command> that specify how the key is generated
2228 or assigned. <acronym>BIND</acronym> 9 implements only one of
2229 these modes, the Diffie-Hellman key exchange. Both hosts are
2230 required to have a Diffie-Hellman KEY record (although this
2231 record is not required to be present in a zone). The
2232 <command>TKEY</command> process must use signed messages,
2233 signed either by TSIG or SIG(0). The result of
2234 <command>TKEY</command> is a shared secret that can be used to
2235 sign messages with TSIG. <command>TKEY</command> can also be
2236 used to delete shared secrets that it had previously
2241 The <command>TKEY</command> process is initiated by a
2243 or server by sending a signed <command>TKEY</command>
2245 (including any appropriate KEYs) to a TKEY-aware server. The
2246 server response, if it indicates success, will contain a
2247 <command>TKEY</command> record and any appropriate keys.
2249 this exchange, both participants have enough information to
2250 determine the shared secret; the exact process depends on the
2251 <command>TKEY</command> mode. When using the
2253 <command>TKEY</command> mode, Diffie-Hellman keys are
2255 and the shared secret is derived by both participants.
2260 <title>SIG(0)</title>
2263 <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
2264 transaction signatures as specified in RFC 2535 and RFC 2931.
2266 uses public/private keys to authenticate messages. Access control
2267 is performed in the same manner as TSIG keys; privileges can be
2268 granted or denied based on the key name.
2272 When a SIG(0) signed message is received, it will only be
2273 verified if the key is known and trusted by the server; the server
2274 will not attempt to locate and/or validate the key.
2278 SIG(0) signing of multiple-message TCP streams is not
2283 The only tool shipped with <acronym>BIND</acronym> 9 that
2284 generates SIG(0) signed messages is <command>nsupdate</command>.
2289 <title>DNSSEC</title>
2292 Cryptographic authentication of DNS information is possible
2293 through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
2294 defined in RFC 4033, RFC 4034, and RFC 4035.
2295 This section describes the creation and use of DNSSEC signed zones.
2299 In order to set up a DNSSEC secure zone, there are a series
2300 of steps which must be followed. <acronym>BIND</acronym>
2303 that are used in this process, which are explained in more detail
2304 below. In all cases, the <option>-h</option> option prints a
2305 full list of parameters. Note that the DNSSEC tools require the
2306 keyset files to be in the working directory or the
2307 directory specified by the <option>-d</option> option, and
2308 that the tools shipped with BIND 9.2.x and earlier are not compatible
2309 with the current ones.
2313 There must also be communication with the administrators of
2314 the parent and/or child zone to transmit keys. A zone's security
2315 status must be indicated by the parent zone for a DNSSEC capable
2316 resolver to trust its data. This is done through the presence
2317 or absence of a <literal>DS</literal> record at the
2323 For other servers to trust data in this zone, they must
2324 either be statically configured with this zone's zone key or the
2325 zone key of another zone above this one in the DNS tree.
2329 <title>Generating Keys</title>
2332 The <command>dnssec-keygen</command> program is used to
2337 A secure zone must contain one or more zone keys. The
2338 zone keys will sign all other records in the zone, as well as
2339 the zone keys of any secure delegated zones. Zone keys must
2340 have the same name as the zone, a name type of
2341 <command>ZONE</command>, and must be usable for
2343 It is recommended that zone keys use a cryptographic algorithm
2344 designated as "mandatory to implement" by the IETF; currently
2345 the only one is RSASHA1.
2349 The following command will generate a 768-bit RSASHA1 key for
2350 the <filename>child.example</filename> zone:
2354 <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
2358 Two output files will be produced:
2359 <filename>Kchild.example.+005+12345.key</filename> and
2360 <filename>Kchild.example.+005+12345.private</filename>
2362 12345 is an example of a key tag). The key filenames contain
2363 the key name (<filename>child.example.</filename>),
2365 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
2367 The private key (in the <filename>.private</filename>
2369 used to generate signatures, and the public key (in the
2370 <filename>.key</filename> file) is used for signature
2375 To generate another key with the same properties (but with
2376 a different key tag), repeat the above command.
2380 The <command>dnssec-keyfromlabel</command> program is used
2381 to get a key pair from a crypto hardware and build the key
2382 files. Its usage is similar to <command>dnssec-keygen</command>.
2386 The public keys should be inserted into the zone file by
2387 including the <filename>.key</filename> files using
2388 <command>$INCLUDE</command> statements.
2393 <title>Signing the Zone</title>
2396 The <command>dnssec-signzone</command> program is used
2401 Any <filename>keyset</filename> files corresponding to
2402 secure subzones should be present. The zone signer will
2403 generate <literal>NSEC</literal>, <literal>NSEC3</literal>
2404 and <literal>RRSIG</literal> records for the zone, as
2405 well as <literal>DS</literal> for the child zones if
2406 <literal>'-g'</literal> is specified. If <literal>'-g'</literal>
2407 is not specified, then DS RRsets for the secure child
2408 zones need to be added manually.
2412 The following command signs the zone, assuming it is in a
2413 file called <filename>zone.child.example</filename>. By
2414 default, all zone keys which have an available private key are
2415 used to generate signatures.
2419 <userinput>dnssec-signzone -o child.example zone.child.example</userinput>
2423 One output file is produced:
2424 <filename>zone.child.example.signed</filename>. This
2426 should be referenced by <filename>named.conf</filename>
2428 input file for the zone.
2431 <para><command>dnssec-signzone</command>
2432 will also produce a keyset and dsset files and optionally a
2433 dlvset file. These are used to provide the parent zone
2434 administrators with the <literal>DNSKEYs</literal> (or their
2435 corresponding <literal>DS</literal> records) that are the
2436 secure entry point to the zone.
2442 <title>Configuring Servers</title>
2445 To enable <command>named</command> to respond appropriately
2446 to DNS requests from DNSSEC aware clients,
2447 <command>dnssec-enable</command> must be set to yes.
2451 To enable <command>named</command> to validate answers from
2452 other servers both <command>dnssec-enable</command> and
2453 <command>dnssec-validation</command> must be set and some
2454 <command>trusted-keys</command> must be configured
2455 into <filename>named.conf</filename>.
2459 <command>trusted-keys</command> are copies of DNSKEY RRs
2460 for zones that are used to form the first link in the
2461 cryptographic chain of trust. All keys listed in
2462 <command>trusted-keys</command> (and corresponding zones)
2463 are deemed to exist and only the listed keys will be used
2464 to validated the DNSKEY RRset that they are from.
2468 <command>trusted-keys</command> are described in more detail
2469 later in this document.
2473 Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
2474 9 does not verify signatures on load, so zone keys for
2475 authoritative zones do not need to be specified in the
2480 After DNSSEC gets established, a typical DNSSEC configuration
2481 will look something like the following. It has a one or
2482 more public keys for the root. This allows answers from
2483 outside the organization to be validated. It will also
2484 have several keys for parts of the namespace the organization
2485 controls. These are here to ensure that <command>named</command> is immune
2486 to compromises in the DNSSEC components of the security
2494 "." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
2495 E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
2496 zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
2497 MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
2498 /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
2499 iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
2500 Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
2502 /* Key for our organization's forward zone */
2503 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
2504 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
2505 OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
2506 lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
2507 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
2508 iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
2509 SCThlHf3xiYleDbt/o1OTQ09A0=";
2511 /* Key for our reverse zone. */
2512 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
2513 VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
2514 tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
2515 yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
2516 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
2517 zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
2518 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
2519 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
2525 dnssec-validation yes;
2530 None of the keys listed in this example are valid. In particular,
2531 the root key is not valid.
2538 <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
2541 <acronym>BIND</acronym> 9 fully supports all currently
2542 defined forms of IPv6
2543 name to address and address to name lookups. It will also use
2544 IPv6 addresses to make queries when running on an IPv6 capable
2549 For forward lookups, <acronym>BIND</acronym> 9 supports
2550 only AAAA records. RFC 3363 deprecated the use of A6 records,
2551 and client-side support for A6 records was accordingly removed
2552 from <acronym>BIND</acronym> 9.
2553 However, authoritative <acronym>BIND</acronym> 9 name servers still
2554 load zone files containing A6 records correctly, answer queries
2555 for A6 records, and accept zone transfer for a zone containing A6
2560 For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
2561 the traditional "nibble" format used in the
2562 <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
2563 <emphasis>ip6.int</emphasis> domain.
2564 Older versions of <acronym>BIND</acronym> 9
2565 supported the "binary label" (also known as "bitstring") format,
2566 but support of binary labels has been completely removed per
2568 Many applications in <acronym>BIND</acronym> 9 do not understand
2569 the binary label format at all any more, and will return an
2571 In particular, an authoritative <acronym>BIND</acronym> 9
2572 name server will not load a zone file containing binary labels.
2576 For an overview of the format and structure of IPv6 addresses,
2577 see <xref linkend="ipv6addresses"/>.
2581 <title>Address Lookups Using AAAA Records</title>
2584 The IPv6 AAAA record is a parallel to the IPv4 A record,
2585 and, unlike the deprecated A6 record, specifies the entire
2586 IPv6 address in a single record. For example,
2590 $ORIGIN example.com.
2591 host 3600 IN AAAA 2001:db8::1
2595 Use of IPv4-in-IPv6 mapped addresses is not recommended.
2596 If a host has an IPv4 address, use an A record, not
2597 a AAAA, with <literal>::ffff:192.168.42.1</literal> as
2602 <title>Address to Name Lookups Using Nibble Format</title>
2605 When looking up an address in nibble format, the address
2606 components are simply reversed, just as in IPv4, and
2607 <literal>ip6.arpa.</literal> is appended to the
2609 For example, the following would provide reverse name lookup for
2611 <literal>2001:db8::1</literal>.
2615 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
2616 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
2623 <chapter id="Bv9ARM.ch05">
2624 <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
2626 <title>The Lightweight Resolver Library</title>
2628 Traditionally applications have been linked with a stub resolver
2629 library that sends recursive DNS queries to a local caching name
2633 IPv6 once introduced new complexity into the resolution process,
2634 such as following A6 chains and DNAME records, and simultaneous
2635 lookup of IPv4 and IPv6 addresses. Though most of the complexity was
2636 then removed, these are hard or impossible
2637 to implement in a traditional stub resolver.
2640 <acronym>BIND</acronym> 9 therefore can also provide resolution
2641 services to local clients
2642 using a combination of a lightweight resolver library and a resolver
2643 daemon process running on the local host. These communicate using
2644 a simple UDP-based protocol, the "lightweight resolver protocol"
2645 that is distinct from and simpler than the full DNS protocol.
2649 <title>Running a Resolver Daemon</title>
2652 To use the lightweight resolver interface, the system must
2653 run the resolver daemon <command>lwresd</command> or a
2655 name server configured with a <command>lwres</command>
2660 By default, applications using the lightweight resolver library will
2662 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
2664 address can be overridden by <command>lwserver</command>
2666 <filename>/etc/resolv.conf</filename>.
2670 The daemon currently only looks in the DNS, but in the future
2671 it may use other sources such as <filename>/etc/hosts</filename>,
2676 The <command>lwresd</command> daemon is essentially a
2677 caching-only name server that responds to requests using the
2679 resolver protocol rather than the DNS protocol. Because it needs
2680 to run on each host, it is designed to require no or minimal
2682 Unless configured otherwise, it uses the name servers listed on
2683 <command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
2684 as forwarders, but is also capable of doing the resolution
2689 The <command>lwresd</command> daemon may also be
2691 <filename>named.conf</filename> style configuration file,
2693 <filename>/etc/lwresd.conf</filename> by default. A name
2695 be configured to act as a lightweight resolver daemon using the
2696 <command>lwres</command> statement in <filename>named.conf</filename>.
2702 <chapter id="Bv9ARM.ch06">
2703 <title><acronym>BIND</acronym> 9 Configuration Reference</title>
2706 <acronym>BIND</acronym> 9 configuration is broadly similar
2707 to <acronym>BIND</acronym> 8; however, there are a few new
2709 of configuration, such as views. <acronym>BIND</acronym>
2710 8 configuration files should work with few alterations in <acronym>BIND</acronym>
2711 9, although more complex configurations should be reviewed to check
2712 if they can be more efficiently implemented using the new features
2713 found in <acronym>BIND</acronym> 9.
2717 <acronym>BIND</acronym> 4 configuration files can be
2718 converted to the new format
2719 using the shell script
2720 <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
2722 <sect1 id="configuration_file_elements">
2723 <title>Configuration File Elements</title>
2725 Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
2728 <informaltable colsep="0" rowsep="0">
2729 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
2730 <colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
2731 <colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
2736 <varname>acl_name</varname>
2741 The name of an <varname>address_match_list</varname> as
2742 defined by the <command>acl</command> statement.
2749 <varname>address_match_list</varname>
2754 A list of one or more
2755 <varname>ip_addr</varname>,
2756 <varname>ip_prefix</varname>, <varname>key_id</varname>,
2757 or <varname>acl_name</varname> elements, see
2758 <xref linkend="address_match_lists"/>.
2765 <varname>masters_list</varname>
2770 A named list of one or more <varname>ip_addr</varname>
2771 with optional <varname>key_id</varname> and/or
2772 <varname>ip_port</varname>.
2773 A <varname>masters_list</varname> may include other
2774 <varname>masters_lists</varname>.
2781 <varname>domain_name</varname>
2786 A quoted string which will be used as
2787 a DNS name, for example "<literal>my.test.domain</literal>".
2794 <varname>dotted_decimal</varname>
2799 One to four integers valued 0 through
2800 255 separated by dots (`.'), such as <command>123</command>,
2801 <command>45.67</command> or <command>89.123.45.67</command>.
2808 <varname>ip4_addr</varname>
2813 An IPv4 address with exactly four elements
2814 in <varname>dotted_decimal</varname> notation.
2821 <varname>ip6_addr</varname>
2826 An IPv6 address, such as <command>2001:db8::1234</command>.
2827 IPv6 scoped addresses that have ambiguity on their
2828 scope zones must be disambiguated by an appropriate
2829 zone ID with the percent character (`%') as
2830 delimiter. It is strongly recommended to use
2831 string zone names rather than numeric identifiers,
2832 in order to be robust against system configuration
2833 changes. However, since there is no standard
2834 mapping for such names and identifier values,
2835 currently only interface names as link identifiers
2836 are supported, assuming one-to-one mapping between
2837 interfaces and links. For example, a link-local
2838 address <command>fe80::1</command> on the link
2839 attached to the interface <command>ne0</command>
2840 can be specified as <command>fe80::1%ne0</command>.
2841 Note that on most systems link-local addresses
2842 always have the ambiguity, and need to be
2850 <varname>ip_addr</varname>
2855 An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
2862 <varname>ip_port</varname>
2867 An IP port <varname>number</varname>.
2868 The <varname>number</varname> is limited to 0
2869 through 65535, with values
2870 below 1024 typically restricted to use by processes running
2872 In some cases, an asterisk (`*') character can be used as a
2874 select a random high-numbered port.
2881 <varname>ip_prefix</varname>
2886 An IP network specified as an <varname>ip_addr</varname>,
2887 followed by a slash (`/') and then the number of bits in the
2889 Trailing zeros in a <varname>ip_addr</varname>
2891 For example, <command>127/8</command> is the
2892 network <command>127.0.0.0</command> with
2893 netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
2894 network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
2897 When specifying a prefix involving a IPv6 scoped address
2898 the scope may be omitted. In that case the prefix will
2899 match packets from any scope.
2906 <varname>key_id</varname>
2911 A <varname>domain_name</varname> representing
2912 the name of a shared key, to be used for transaction
2920 <varname>key_list</varname>
2925 A list of one or more
2926 <varname>key_id</varname>s,
2927 separated by semicolons and ending with a semicolon.
2934 <varname>number</varname>
2939 A non-negative 32-bit integer
2940 (i.e., a number between 0 and 4294967295, inclusive).
2941 Its acceptable value might further
2942 be limited by the context in which it is used.
2949 <varname>path_name</varname>
2954 A quoted string which will be used as
2955 a pathname, such as <filename>zones/master/my.test.domain</filename>.
2962 <varname>port_list</varname>
2967 A list of an <varname>ip_port</varname> or a port
2969 A port range is specified in the form of
2970 <userinput>range</userinput> followed by
2971 two <varname>ip_port</varname>s,
2972 <varname>port_low</varname> and
2973 <varname>port_high</varname>, which represents
2974 port numbers from <varname>port_low</varname> through
2975 <varname>port_high</varname>, inclusive.
2976 <varname>port_low</varname> must not be larger than
2977 <varname>port_high</varname>.
2979 <userinput>range 1024 65535</userinput> represents
2980 ports from 1024 through 65535.
2981 In either case an asterisk (`*') character is not
2982 allowed as a valid <varname>ip_port</varname>.
2989 <varname>size_spec</varname>
2994 A number, the word <userinput>unlimited</userinput>,
2995 or the word <userinput>default</userinput>.
2998 An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
2999 use, or the maximum available amount. A <varname>default size_spec</varname> uses
3000 the limit that was in force when the server was started.
3003 A <varname>number</varname> can optionally be
3004 followed by a scaling factor:
3005 <userinput>K</userinput> or <userinput>k</userinput>
3007 <userinput>M</userinput> or <userinput>m</userinput>
3009 <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
3010 which scale by 1024, 1024*1024, and 1024*1024*1024
3014 The value must be representable as a 64-bit unsigned integer
3015 (0 to 18446744073709551615, inclusive).
3016 Using <varname>unlimited</varname> is the best
3018 to safely set a really large number.
3025 <varname>yes_or_no</varname>
3030 Either <userinput>yes</userinput> or <userinput>no</userinput>.
3031 The words <userinput>true</userinput> and <userinput>false</userinput> are
3032 also accepted, as are the numbers <userinput>1</userinput>
3033 and <userinput>0</userinput>.
3040 <varname>dialup_option</varname>
3045 One of <userinput>yes</userinput>,
3046 <userinput>no</userinput>, <userinput>notify</userinput>,
3047 <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
3048 <userinput>passive</userinput>.
3049 When used in a zone, <userinput>notify-passive</userinput>,
3050 <userinput>refresh</userinput>, and <userinput>passive</userinput>
3051 are restricted to slave and stub zones.
3058 <sect2 id="address_match_lists">
3059 <title>Address Match Lists</title>
3061 <title>Syntax</title>
3063 <programlisting><varname>address_match_list</varname> = address_match_list_element ;
3064 <optional> address_match_list_element; ... </optional>
3065 <varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
3066 key key_id | acl_name | { address_match_list } )
3071 <title>Definition and Usage</title>
3073 Address match lists are primarily used to determine access
3074 control for various server operations. They are also used in
3075 the <command>listen-on</command> and <command>sortlist</command>
3076 statements. The elements which constitute an address match
3077 list can be any of the following:
3081 <simpara>an IP address (IPv4 or IPv6)</simpara>
3084 <simpara>an IP prefix (in `/' notation)</simpara>
3088 a key ID, as defined by the <command>key</command>
3093 <simpara>the name of an address match list defined with
3094 the <command>acl</command> statement
3098 <simpara>a nested address match list enclosed in braces</simpara>
3103 Elements can be negated with a leading exclamation mark (`!'),
3104 and the match list names "any", "none", "localhost", and
3105 "localnets" are predefined. More information on those names
3106 can be found in the description of the acl statement.
3110 The addition of the key clause made the name of this syntactic
3111 element something of a misnomer, since security keys can be used
3112 to validate access without regard to a host or network address.
3113 Nonetheless, the term "address match list" is still used
3114 throughout the documentation.
3118 When a given IP address or prefix is compared to an address
3119 match list, the comparison takes place in approximately O(1)
3120 time. However, key comparisons require that the list of keys
3121 be traversed until a matching key is found, and therefore may
3126 The interpretation of a match depends on whether the list is being
3127 used for access control, defining <command>listen-on</command> ports, or in a
3128 <command>sortlist</command>, and whether the element was negated.
3132 When used as an access control list, a non-negated match
3133 allows access and a negated match denies access. If
3134 there is no match, access is denied. The clauses
3135 <command>allow-notify</command>,
3136 <command>allow-recursion</command>,
3137 <command>allow-recursion-on</command>,
3138 <command>allow-query</command>,
3139 <command>allow-query-on</command>,
3140 <command>allow-query-cache</command>,
3141 <command>allow-query-cache-on</command>,
3142 <command>allow-transfer</command>,
3143 <command>allow-update</command>,
3144 <command>allow-update-forwarding</command>, and
3145 <command>blackhole</command> all use address match
3146 lists. Similarly, the <command>listen-on</command> option will cause the
3147 server to refuse queries on any of the machine's
3148 addresses which do not match the list.
3152 Order of insertion is significant. If more than one element
3153 in an ACL is found to match a given IP address or prefix,
3154 preference will be given to the one that came
3155 <emphasis>first</emphasis> in the ACL definition.
3156 Because of this first-match behavior, an element that
3157 defines a subset of another element in the list should
3158 come before the broader element, regardless of whether
3159 either is negated. For example, in
3160 <command>1.2.3/24; ! 1.2.3.13;</command>
3161 the 1.2.3.13 element is completely useless because the
3162 algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
3163 element. Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
3164 that problem by having 1.2.3.13 blocked by the negation, but
3165 all other 1.2.3.* hosts fall through.
3171 <title>Comment Syntax</title>
3174 The <acronym>BIND</acronym> 9 comment syntax allows for
3176 anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
3177 file. To appeal to programmers of all kinds, they can be written
3178 in the C, C++, or shell/perl style.
3182 <title>Syntax</title>
3185 <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
3186 <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
3187 <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
3191 <title>Definition and Usage</title>
3193 Comments may appear anywhere that whitespace may appear in
3194 a <acronym>BIND</acronym> configuration file.
3197 C-style comments start with the two characters /* (slash,
3198 star) and end with */ (star, slash). Because they are completely
3199 delimited with these characters, they can be used to comment only
3200 a portion of a line or to span multiple lines.
3203 C-style comments cannot be nested. For example, the following
3204 is not valid because the entire comment ends with the first */:
3208 <programlisting>/* This is the start of a comment.
3209 This is still part of the comment.
3210 /* This is an incorrect attempt at nesting a comment. */
3211 This is no longer in any comment. */
3217 C++-style comments start with the two characters // (slash,
3218 slash) and continue to the end of the physical line. They cannot
3219 be continued across multiple physical lines; to have one logical
3220 comment span multiple lines, each line must use the // pair.
3225 <programlisting>// This is the start of a comment. The next line
3226 // is a new comment, even though it is logically
3227 // part of the previous comment.
3232 Shell-style (or perl-style, if you prefer) comments start
3233 with the character <literal>#</literal> (number sign)
3234 and continue to the end of the
3235 physical line, as in C++ comments.
3241 <programlisting># This is the start of a comment. The next line
3242 # is a new comment, even though it is logically
3243 # part of the previous comment.
3250 You cannot use the semicolon (`;') character
3251 to start a comment such as you would in a zone file. The
3252 semicolon indicates the end of a configuration
3260 <sect1 id="Configuration_File_Grammar">
3261 <title>Configuration File Grammar</title>
3264 A <acronym>BIND</acronym> 9 configuration consists of
3265 statements and comments.
3266 Statements end with a semicolon. Statements and comments are the
3267 only elements that can appear without enclosing braces. Many
3268 statements contain a block of sub-statements, which are also
3269 terminated with a semicolon.
3273 The following statements are supported:
3276 <informaltable colsep="0" rowsep="0">
3277 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
3278 <colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
3279 <colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
3283 <para><command>acl</command></para>
3287 defines a named IP address
3288 matching list, for access control and other uses.
3294 <para><command>controls</command></para>
3298 declares control channels to be used
3299 by the <command>rndc</command> utility.
3305 <para><command>include</command></para>
3315 <para><command>key</command></para>
3319 specifies key information for use in
3320 authentication and authorization using TSIG.
3326 <para><command>logging</command></para>
3330 specifies what the server logs, and where
3331 the log messages are sent.
3337 <para><command>lwres</command></para>
3341 configures <command>named</command> to
3342 also act as a light-weight resolver daemon (<command>lwresd</command>).
3348 <para><command>masters</command></para>
3352 defines a named masters list for
3353 inclusion in stub and slave zone masters clauses.
3359 <para><command>options</command></para>
3363 controls global server configuration
3364 options and sets defaults for other statements.
3370 <para><command>server</command></para>
3374 sets certain configuration options on
3381 <para><command>statistics-channels</command></para>
3385 declares communication channels to get access to
3386 <command>named</command> statistics.
3392 <para><command>trusted-keys</command></para>
3396 defines trusted DNSSEC keys.
3402 <para><command>view</command></para>
3412 <para><command>zone</command></para>
3425 The <command>logging</command> and
3426 <command>options</command> statements may only occur once
3432 <title><command>acl</command> Statement Grammar</title>
3434 <programlisting><command>acl</command> acl-name {
3441 <title><command>acl</command> Statement Definition and
3445 The <command>acl</command> statement assigns a symbolic
3446 name to an address match list. It gets its name from a primary
3447 use of address match lists: Access Control Lists (ACLs).
3451 Note that an address match list's name must be defined
3452 with <command>acl</command> before it can be used
3453 elsewhere; no forward references are allowed.
3457 The following ACLs are built-in:
3460 <informaltable colsep="0" rowsep="0">
3461 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
3462 <colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
3463 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
3467 <para><command>any</command></para>
3477 <para><command>none</command></para>
3487 <para><command>localhost</command></para>
3491 Matches the IPv4 and IPv6 addresses of all network
3492 interfaces on the system.
3498 <para><command>localnets</command></para>
3502 Matches any host on an IPv4 or IPv6 network
3503 for which the system has an interface.
3504 Some systems do not provide a way to determine the prefix
3506 local IPv6 addresses.
3507 In such a case, <command>localnets</command>
3508 only matches the local
3509 IPv6 addresses, just like <command>localhost</command>.
3519 <title><command>controls</command> Statement Grammar</title>
3521 <programlisting><command>controls</command> {
3522 [ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
3523 keys { <replaceable>key_list</replaceable> }; ]
3525 [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
3532 <sect2 id="controls_statement_definition_and_usage">
3533 <title><command>controls</command> Statement Definition and
3537 The <command>controls</command> statement declares control
3538 channels to be used by system administrators to control the
3539 operation of the name server. These control channels are
3540 used by the <command>rndc</command> utility to send
3541 commands to and retrieve non-DNS results from a name server.
3545 An <command>inet</command> control channel is a TCP socket
3546 listening at the specified <command>ip_port</command> on the
3547 specified <command>ip_addr</command>, which can be an IPv4 or IPv6
3548 address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
3549 interpreted as the IPv4 wildcard address; connections will be
3550 accepted on any of the system's IPv4 addresses.
3551 To listen on the IPv6 wildcard address,
3552 use an <command>ip_addr</command> of <literal>::</literal>.
3553 If you will only use <command>rndc</command> on the local host,
3554 using the loopback address (<literal>127.0.0.1</literal>
3555 or <literal>::1</literal>) is recommended for maximum security.
3559 If no port is specified, port 953 is used. The asterisk
3560 "<literal>*</literal>" cannot be used for <command>ip_port</command>.
3564 The ability to issue commands over the control channel is
3565 restricted by the <command>allow</command> and
3566 <command>keys</command> clauses.
3567 Connections to the control channel are permitted based on the
3568 <command>address_match_list</command>. This is for simple
3569 IP address based filtering only; any <command>key_id</command>
3570 elements of the <command>address_match_list</command>
3575 A <command>unix</command> control channel is a UNIX domain
3576 socket listening at the specified path in the file system.
3577 Access to the socket is specified by the <command>perm</command>,
3578 <command>owner</command> and <command>group</command> clauses.
3579 Note on some platforms (SunOS and Solaris) the permissions
3580 (<command>perm</command>) are applied to the parent directory
3581 as the permissions on the socket itself are ignored.
3585 The primary authorization mechanism of the command
3586 channel is the <command>key_list</command>, which
3587 contains a list of <command>key_id</command>s.
3588 Each <command>key_id</command> in the <command>key_list</command>
3589 is authorized to execute commands over the control channel.
3590 See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>)
3591 for information about configuring keys in <command>rndc</command>.
3595 If no <command>controls</command> statement is present,
3596 <command>named</command> will set up a default
3597 control channel listening on the loopback address 127.0.0.1
3598 and its IPv6 counterpart ::1.
3599 In this case, and also when the <command>controls</command> statement
3600 is present but does not have a <command>keys</command> clause,
3601 <command>named</command> will attempt to load the command channel key
3602 from the file <filename>rndc.key</filename> in
3603 <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
3604 was specified as when <acronym>BIND</acronym> was built).
3605 To create a <filename>rndc.key</filename> file, run
3606 <userinput>rndc-confgen -a</userinput>.
3610 The <filename>rndc.key</filename> feature was created to
3611 ease the transition of systems from <acronym>BIND</acronym> 8,
3612 which did not have digital signatures on its command channel
3613 messages and thus did not have a <command>keys</command> clause.
3615 It makes it possible to use an existing <acronym>BIND</acronym> 8
3616 configuration file in <acronym>BIND</acronym> 9 unchanged,
3617 and still have <command>rndc</command> work the same way
3618 <command>ndc</command> worked in BIND 8, simply by executing the
3619 command <userinput>rndc-confgen -a</userinput> after BIND 9 is
3624 Since the <filename>rndc.key</filename> feature
3625 is only intended to allow the backward-compatible usage of
3626 <acronym>BIND</acronym> 8 configuration files, this
3628 have a high degree of configurability. You cannot easily change
3629 the key name or the size of the secret, so you should make a
3630 <filename>rndc.conf</filename> with your own key if you
3632 those things. The <filename>rndc.key</filename> file
3634 permissions set such that only the owner of the file (the user that
3635 <command>named</command> is running as) can access it.
3637 desire greater flexibility in allowing other users to access
3638 <command>rndc</command> commands, then you need to create
3640 <filename>rndc.conf</filename> file and make it group
3642 that contains the users who should have access.
3646 To disable the command channel, use an empty
3647 <command>controls</command> statement:
3648 <command>controls { };</command>.
3653 <title><command>include</command> Statement Grammar</title>
3654 <programlisting><command>include</command> <replaceable>filename</replaceable>;</programlisting>
3657 <title><command>include</command> Statement Definition and
3661 The <command>include</command> statement inserts the
3662 specified file at the point where the <command>include</command>
3663 statement is encountered. The <command>include</command>
3664 statement facilitates the administration of configuration
3666 by permitting the reading or writing of some things but not
3667 others. For example, the statement could include private keys
3668 that are readable only by the name server.
3673 <title><command>key</command> Statement Grammar</title>
3675 <programlisting><command>key</command> <replaceable>key_id</replaceable> {
3676 algorithm <replaceable>string</replaceable>;
3677 secret <replaceable>string</replaceable>;
3684 <title><command>key</command> Statement Definition and Usage</title>
3687 The <command>key</command> statement defines a shared
3688 secret key for use with TSIG (see <xref linkend="tsig"/>)
3689 or the command channel
3690 (see <xref linkend="controls_statement_definition_and_usage"/>).
3694 The <command>key</command> statement can occur at the
3696 of the configuration file or inside a <command>view</command>
3697 statement. Keys defined in top-level <command>key</command>
3698 statements can be used in all views. Keys intended for use in
3699 a <command>controls</command> statement
3700 (see <xref linkend="controls_statement_definition_and_usage"/>)
3701 must be defined at the top level.
3705 The <replaceable>key_id</replaceable>, also known as the
3706 key name, is a domain name uniquely identifying the key. It can
3707 be used in a <command>server</command>
3708 statement to cause requests sent to that
3709 server to be signed with this key, or in address match lists to
3710 verify that incoming requests have been signed with a key
3711 matching this name, algorithm, and secret.
3715 The <replaceable>algorithm_id</replaceable> is a string
3716 that specifies a security/authentication algorithm. Named
3717 supports <literal>hmac-md5</literal>,
3718 <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
3719 <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
3720 and <literal>hmac-sha512</literal> TSIG authentication.
3721 Truncated hashes are supported by appending the minimum
3722 number of required bits preceded by a dash, e.g.
3723 <literal>hmac-sha1-80</literal>. The
3724 <replaceable>secret_string</replaceable> is the secret
3725 to be used by the algorithm, and is treated as a base-64
3731 <title><command>logging</command> Statement Grammar</title>
3733 <programlisting><command>logging</command> {
3734 [ <command>channel</command> <replaceable>channel_name</replaceable> {
3735 ( <command>file</command> <replaceable>path_name</replaceable>
3736 [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
3737 [ <command>size</command> <replaceable>size spec</replaceable> ]
3738 | <command>syslog</command> <replaceable>syslog_facility</replaceable>
3739 | <command>stderr</command>
3740 | <command>null</command> );
3741 [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
3742 <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
3743 [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
3744 [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
3745 [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
3747 [ <command>category</command> <replaceable>category_name</replaceable> {
3748 <replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
3757 <title><command>logging</command> Statement Definition and
3761 The <command>logging</command> statement configures a
3763 variety of logging options for the name server. Its <command>channel</command> phrase
3764 associates output methods, format options and severity levels with
3765 a name that can then be used with the <command>category</command> phrase
3766 to select how various classes of messages are logged.
3769 Only one <command>logging</command> statement is used to
3771 as many channels and categories as are wanted. If there is no <command>logging</command> statement,
3772 the logging configuration will be:
3775 <programlisting>logging {
3776 category default { default_syslog; default_debug; };
3777 category unmatched { null; };
3782 In <acronym>BIND</acronym> 9, the logging configuration
3783 is only established when
3784 the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
3785 established as soon as the <command>logging</command>
3787 was parsed. When the server is starting up, all logging messages
3788 regarding syntax errors in the configuration file go to the default
3789 channels, or to standard error if the "<option>-g</option>" option
3794 <title>The <command>channel</command> Phrase</title>
3797 All log output goes to one or more <emphasis>channels</emphasis>;
3798 you can make as many of them as you want.
3802 Every channel definition must include a destination clause that
3803 says whether messages selected for the channel go to a file, to a
3804 particular syslog facility, to the standard error stream, or are
3805 discarded. It can optionally also limit the message severity level
3806 that will be accepted by the channel (the default is
3807 <command>info</command>), and whether to include a
3808 <command>named</command>-generated time stamp, the
3810 and/or severity level (the default is not to include any).
3814 The <command>null</command> destination clause
3815 causes all messages sent to the channel to be discarded;
3816 in that case, other options for the channel are meaningless.
3820 The <command>file</command> destination clause directs
3822 to a disk file. It can include limitations
3823 both on how large the file is allowed to become, and how many
3825 of the file will be saved each time the file is opened.
3829 If you use the <command>versions</command> log file
3831 <command>named</command> will retain that many backup
3832 versions of the file by
3833 renaming them when opening. For example, if you choose to keep
3835 of the file <filename>lamers.log</filename>, then just
3837 <filename>lamers.log.1</filename> is renamed to
3838 <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
3839 to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
3840 renamed to <filename>lamers.log.0</filename>.
3841 You can say <command>versions unlimited</command> to
3843 the number of versions.
3844 If a <command>size</command> option is associated with
3846 then renaming is only done when the file being opened exceeds the
3847 indicated size. No backup versions are kept by default; any
3849 log file is simply appended.
3853 The <command>size</command> option for files is used
3855 growth. If the file ever exceeds the size, then <command>named</command> will
3856 stop writing to the file unless it has a <command>versions</command> option
3857 associated with it. If backup versions are kept, the files are
3859 described above and a new one begun. If there is no
3860 <command>versions</command> option, no more data will
3861 be written to the log
3862 until some out-of-band mechanism removes or truncates the log to
3864 maximum size. The default behavior is not to limit the size of
3870 Example usage of the <command>size</command> and
3871 <command>versions</command> options:
3874 <programlisting>channel an_example_channel {
3875 file "example.log" versions 3 size 20m;
3882 The <command>syslog</command> destination clause
3884 channel to the system log. Its argument is a
3885 syslog facility as described in the <command>syslog</command> man
3886 page. Known facilities are <command>kern</command>, <command>user</command>,
3887 <command>mail</command>, <command>daemon</command>, <command>auth</command>,
3888 <command>syslog</command>, <command>lpr</command>, <command>news</command>,
3889 <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
3890 <command>ftp</command>, <command>local0</command>, <command>local1</command>,
3891 <command>local2</command>, <command>local3</command>, <command>local4</command>,
3892 <command>local5</command>, <command>local6</command> and
3893 <command>local7</command>, however not all facilities
3895 all operating systems.
3896 How <command>syslog</command> will handle messages
3898 this facility is described in the <command>syslog.conf</command> man
3899 page. If you have a system which uses a very old version of <command>syslog</command> that
3900 only uses two arguments to the <command>openlog()</command> function,
3901 then this clause is silently ignored.
3904 The <command>severity</command> clause works like <command>syslog</command>'s
3905 "priorities", except that they can also be used if you are writing
3906 straight to a file rather than using <command>syslog</command>.
3907 Messages which are not at least of the severity level given will
3908 not be selected for the channel; messages of higher severity
3913 If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
3914 will also determine what eventually passes through. For example,
3915 defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
3916 only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
3917 cause messages of severity <command>info</command> and
3918 <command>notice</command> to
3919 be dropped. If the situation were reversed, with <command>named</command> writing
3920 messages of only <command>warning</command> or higher,
3921 then <command>syslogd</command> would
3922 print all messages it received from the channel.
3926 The <command>stderr</command> destination clause
3928 channel to the server's standard error stream. This is intended
3930 use when the server is running as a foreground process, for
3932 when debugging a configuration.
3936 The server can supply extensive debugging information when
3937 it is in debugging mode. If the server's global debug level is
3939 than zero, then debugging mode will be active. The global debug
3940 level is set either by starting the <command>named</command> server
3941 with the <option>-d</option> flag followed by a positive integer,
3942 or by running <command>rndc trace</command>.
3943 The global debug level
3944 can be set to zero, and debugging mode turned off, by running <command>rndc
3945 notrace</command>. All debugging messages in the server have a debug
3946 level, and higher debug levels give more detailed output. Channels
3947 that specify a specific debug severity, for example:
3950 <programlisting>channel specific_debug_level {
3957 will get debugging output of level 3 or less any time the
3958 server is in debugging mode, regardless of the global debugging
3959 level. Channels with <command>dynamic</command>
3961 server's global debug level to determine what messages to print.
3964 If <command>print-time</command> has been turned on,
3966 the date and time will be logged. <command>print-time</command> may
3967 be specified for a <command>syslog</command> channel,
3969 pointless since <command>syslog</command> also logs
3971 time. If <command>print-category</command> is
3973 category of the message will be logged as well. Finally, if <command>print-severity</command> is
3974 on, then the severity level of the message will be logged. The <command>print-</command> options may
3975 be used in any combination, and will always be printed in the
3977 order: time, category, severity. Here is an example where all
3978 three <command>print-</command> options
3983 <computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
3987 There are four predefined channels that are used for
3988 <command>named</command>'s default logging as follows.
3990 used is described in <xref linkend="the_category_phrase"/>.
3993 <programlisting>channel default_syslog {
3994 syslog daemon; // send to syslog's daemon
3996 severity info; // only send priority info
4000 channel default_debug {
4001 file "named.run"; // write to named.run in
4002 // the working directory
4003 // Note: stderr is used instead
4005 // if the server is started
4006 // with the '-f' option.
4007 severity dynamic; // log at the server's
4008 // current debug level
4011 channel default_stderr {
4012 stderr; // writes to stderr
4013 severity info; // only send priority info
4018 null; // toss anything sent to
4024 The <command>default_debug</command> channel has the
4026 property that it only produces output when the server's debug
4028 nonzero. It normally writes to a file called <filename>named.run</filename>
4029 in the server's working directory.
4033 For security reasons, when the "<option>-u</option>"
4034 command line option is used, the <filename>named.run</filename> file
4035 is created only after <command>named</command> has
4037 new UID, and any debug output generated while <command>named</command> is
4038 starting up and still running as root is discarded. If you need
4039 to capture this output, you must run the server with the "<option>-g</option>"
4040 option and redirect standard error to a file.
4044 Once a channel is defined, it cannot be redefined. Thus you
4045 cannot alter the built-in channels directly, but you can modify
4046 the default logging by pointing categories at channels you have
4051 <sect3 id="the_category_phrase">
4052 <title>The <command>category</command> Phrase</title>
4055 There are many categories, so you can send the logs you want
4056 to see wherever you want, without seeing logs you don't want. If
4057 you don't specify a list of channels for a category, then log
4059 in that category will be sent to the <command>default</command> category
4060 instead. If you don't specify a default category, the following
4061 "default default" is used:
4064 <programlisting>category default { default_syslog; default_debug; };
4068 As an example, let's say you want to log security events to
4069 a file, but you also want keep the default logging behavior. You'd
4070 specify the following:
4073 <programlisting>channel my_security_channel {
4074 file "my_security_file";
4078 my_security_channel;
4084 To discard all messages in a category, specify the <command>null</command> channel:
4087 <programlisting>category xfer-out { null; };
4088 category notify { null; };
4092 Following are the available categories and brief descriptions
4093 of the types of log information they contain. More
4094 categories may be added in future <acronym>BIND</acronym> releases.
4096 <informaltable colsep="0" rowsep="0">
4097 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4098 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4099 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
4103 <para><command>default</command></para>
4107 The default category defines the logging
4108 options for those categories where no specific
4109 configuration has been
4116 <para><command>general</command></para>
4120 The catch-all. Many things still aren't
4121 classified into categories, and they all end up here.
4127 <para><command>database</command></para>
4131 Messages relating to the databases used
4132 internally by the name server to store zone and cache
4139 <para><command>security</command></para>
4143 Approval and denial of requests.
4149 <para><command>config</command></para>
4153 Configuration file parsing and processing.
4159 <para><command>resolver</command></para>
4163 DNS resolution, such as the recursive
4164 lookups performed on behalf of clients by a caching name
4171 <para><command>xfer-in</command></para>
4175 Zone transfers the server is receiving.
4181 <para><command>xfer-out</command></para>
4185 Zone transfers the server is sending.
4191 <para><command>notify</command></para>
4195 The NOTIFY protocol.
4201 <para><command>client</command></para>
4205 Processing of client requests.
4211 <para><command>unmatched</command></para>
4215 Messages that <command>named</command> was unable to determine the
4216 class of or for which there was no matching <command>view</command>.
4217 A one line summary is also logged to the <command>client</command> category.
4218 This category is best sent to a file or stderr, by
4219 default it is sent to
4220 the <command>null</command> channel.
4226 <para><command>network</command></para>
4236 <para><command>update</command></para>
4246 <para><command>update-security</command></para>
4250 Approval and denial of update requests.
4256 <para><command>queries</command></para>
4260 Specify where queries should be logged to.
4263 At startup, specifying the category <command>queries</command> will also
4264 enable query logging unless <command>querylog</command> option has been
4269 The query log entry reports the client's IP
4270 address and port number, and the query name,
4271 class and type. It also reports whether the
4272 Recursion Desired flag was set (+ if set, -
4273 if not set), if the query was signed (S),
4274 EDNS was in use (E), if DO (DNSSEC Ok) was
4275 set (D), or if CD (Checking Disabled) was set
4280 <computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
4283 <computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
4289 <para><command>query-errors</command></para>
4293 Information about queries that resulted in some
4300 <para><command>dispatch</command></para>
4304 Dispatching of incoming packets to the
4305 server modules where they are to be processed.
4311 <para><command>dnssec</command></para>
4315 DNSSEC and TSIG protocol processing.
4321 <para><command>lame-servers</command></para>
4325 Lame servers. These are misconfigurations
4326 in remote servers, discovered by BIND 9 when trying to
4328 those servers during resolution.
4334 <para><command>delegation-only</command></para>
4338 Delegation only. Logs queries that have been
4339 forced to NXDOMAIN as the result of a
4340 delegation-only zone or a
4341 <command>delegation-only</command> in a hint
4342 or stub zone declaration.
4348 <para><command>edns-disabled</command></para>
4352 Log queries that have been forced to use plain
4353 DNS due to timeouts. This is often due to
4354 the remote servers not being RFC 1034 compliant
4355 (not always returning FORMERR or similar to
4356 EDNS queries and other extensions to the DNS
4357 when they are not understood). In other words, this is
4358 targeted at servers that fail to respond to
4359 DNS queries that they don't understand.
4362 Note: the log message can also be due to
4363 packet loss. Before reporting servers for
4364 non-RFC 1034 compliance they should be re-tested
4365 to determine the nature of the non-compliance.
4366 This testing should prevent or reduce the
4367 number of false-positive reports.
4370 Note: eventually <command>named</command> will have to stop
4371 treating such timeouts as due to RFC 1034 non
4372 compliance and start treating it as plain
4373 packet loss. Falsely classifying packet
4374 loss as due to RFC 1034 non compliance impacts
4375 on DNSSEC validation which requires EDNS for
4376 the DNSSEC records to be returned.
4385 <title>The <command>query-errors</command> Category</title>
4387 The <command>query-errors</command> category is
4388 specifically intended for debugging purposes: To identify
4389 why and how specific queries result in responses which
4391 Messages of this category are therefore only logged
4392 with <command>debug</command> levels.
4396 At the debug levels of 1 or higher, each response with the
4397 rcode of SERVFAIL is logged as follows:
4400 <computeroutput>client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</computeroutput>
4403 This means an error resulting in SERVFAIL was
4404 detected at line 3880 of source file
4405 <filename>query.c</filename>.
4406 Log messages of this level will particularly
4407 help identify the cause of SERVFAIL for an
4408 authoritative server.
4411 At the debug levels of 2 or higher, detailed context
4412 information of recursive resolutions that resulted in
4414 The log message will look like as follows:
4417 <computeroutput>fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</computeroutput>
4420 The first part before the colon shows that a recursive
4421 resolution for AAAA records of www.example.com completed
4422 in 30.000183 seconds and the final result that led to the
4423 SERVFAIL was determined at line 2970 of source file
4424 <filename>resolver.c</filename>.
4427 The following part shows the detected final result and the
4428 latest result of DNSSEC validation.
4429 The latter is always success when no validation attempt
4431 In this example, this query resulted in SERVFAIL probably
4432 because all name servers are down or unreachable, leading
4433 to a timeout in 30 seconds.
4434 DNSSEC validation was probably not attempted.
4437 The last part enclosed in square brackets shows statistics
4438 information collected for this particular resolution
4440 The <varname>domain</varname> field shows the deepest zone
4441 that the resolver reached;
4442 it is the zone where the error was finally detected.
4443 The meaning of the other fields is summarized in the
4447 <informaltable colsep="0" rowsep="0">
4448 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4449 <colspec colname="1" colnum="1" colsep="0" />
4450 <colspec colname="2" colnum="2" colsep="0" />
4454 <para><varname>referral</varname></para>
4458 The number of referrals the resolver received
4459 throughout the resolution process.
4460 In the above example this is 2, which are most
4461 likely com and example.com.
4467 <para><varname>restart</varname></para>
4471 The number of cycles that the resolver tried
4472 remote servers at the <varname>domain</varname>
4474 In each cycle the resolver sends one query
4475 (possibly resending it, depending on the response)
4476 to each known name server of
4477 the <varname>domain</varname> zone.
4483 <para><varname>qrysent</varname></para>
4487 The number of queries the resolver sent at the
4488 <varname>domain</varname> zone.
4494 <para><varname>timeout</varname></para>
4498 The number of timeouts since the resolver
4499 received the last response.
4505 <para><varname>lame</varname></para>
4509 The number of lame servers the resolver detected
4510 at the <varname>domain</varname> zone.
4511 A server is detected to be lame either by an
4512 invalid response or as a result of lookup in
4513 BIND9's address database (ADB), where lame
4520 <para><varname>neterr</varname></para>
4524 The number of erroneous results that the
4525 resolver encountered in sending queries
4526 at the <varname>domain</varname> zone.
4527 One common case is the remote server is
4528 unreachable and the resolver receives an ICMP
4529 unreachable error message.
4535 <para><varname>badresp</varname></para>
4539 The number of unexpected responses (other than
4540 <varname>lame</varname>) to queries sent by the
4541 resolver at the <varname>domain</varname> zone.
4547 <para><varname>adberr</varname></para>
4551 Failures in finding remote server addresses
4552 of the <varname>domain</varname> zone in the ADB.
4553 One common case of this is that the remote
4554 server's name does not have any address records.
4560 <para><varname>findfail</varname></para>
4564 Failures of resolving remote server addresses.
4565 This is a total number of failures throughout
4566 the resolution process.
4572 <para><varname>valfail</varname></para>
4576 Failures of DNSSEC validation.
4577 Validation failures are counted throughout
4578 the resolution process (not limited to
4579 the <varname>domain</varname> zone), but should
4580 only happen in <varname>domain</varname>.
4588 At the debug levels of 3 or higher, the same messages
4589 as those at the debug 1 level are logged for other errors
4591 Note that negative responses such as NXDOMAIN are not
4592 regarded as errors here.
4595 At the debug levels of 4 or higher, the same messages
4596 as those at the debug 2 level are logged for other errors
4598 Unlike the above case of level 3, messages are logged for
4600 This is because any unexpected results can be difficult to
4601 debug in the recursion case.
4607 <title><command>lwres</command> Statement Grammar</title>
4610 This is the grammar of the <command>lwres</command>
4611 statement in the <filename>named.conf</filename> file:
4614 <programlisting><command>lwres</command> {
4615 <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4616 <optional> view <replaceable>view_name</replaceable>; </optional>
4617 <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
4618 <optional> ndots <replaceable>number</replaceable>; </optional>
4624 <title><command>lwres</command> Statement Definition and Usage</title>
4627 The <command>lwres</command> statement configures the
4629 server to also act as a lightweight resolver server. (See
4630 <xref linkend="lwresd"/>.) There may be multiple
4631 <command>lwres</command> statements configuring
4632 lightweight resolver servers with different properties.
4636 The <command>listen-on</command> statement specifies a
4638 addresses (and ports) that this instance of a lightweight resolver
4640 should accept requests on. If no port is specified, port 921 is
4642 If this statement is omitted, requests will be accepted on
4648 The <command>view</command> statement binds this
4650 lightweight resolver daemon to a view in the DNS namespace, so that
4652 response will be constructed in the same manner as a normal DNS
4654 matching this view. If this statement is omitted, the default view
4656 used, and if there is no default view, an error is triggered.
4660 The <command>search</command> statement is equivalent to
4662 <command>search</command> statement in
4663 <filename>/etc/resolv.conf</filename>. It provides a
4665 which are appended to relative names in queries.
4669 The <command>ndots</command> statement is equivalent to
4671 <command>ndots</command> statement in
4672 <filename>/etc/resolv.conf</filename>. It indicates the
4674 number of dots in a relative domain name that should result in an
4675 exact match lookup before search path elements are appended.
4679 <title><command>masters</command> Statement Grammar</title>
4682 <command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };
4688 <title><command>masters</command> Statement Definition and
4690 <para><command>masters</command>
4691 lists allow for a common set of masters to be easily used by
4692 multiple stub and slave zones.
4697 <title><command>options</command> Statement Grammar</title>
4700 This is the grammar of the <command>options</command>
4701 statement in the <filename>named.conf</filename> file:
4704 <programlisting><command>options</command> {
4705 <optional> version <replaceable>version_string</replaceable>; </optional>
4706 <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
4707 <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
4708 <optional> directory <replaceable>path_name</replaceable>; </optional>
4709 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
4710 <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
4711 <optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
4712 <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
4713 <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
4714 <optional> cache-file <replaceable>path_name</replaceable>; </optional>
4715 <optional> dump-file <replaceable>path_name</replaceable>; </optional>
4716 <optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
4717 <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
4718 <optional> pid-file <replaceable>path_name</replaceable>; </optional>
4719 <optional> recursing-file <replaceable>path_name</replaceable>; </optional>
4720 <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
4721 <optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
4722 <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
4723 <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
4724 <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
4725 <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
4726 <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
4727 <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
4728 <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
4729 <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
4730 <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
4731 <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
4732 <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
4733 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
4734 <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
4735 <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
4736 <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
4737 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
4738 <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
4739 <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
4740 <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
4741 <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
4742 <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
4743 <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
4744 <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
4745 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4746 <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
4747 ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
4748 <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
4750 <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
4751 ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4752 <optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4753 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
4754 <optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
4755 <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4756 <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4757 <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
4758 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
4759 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
4760 <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
4761 <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
4762 <optional> allow-query-cache-on { <replaceable>address_match_list</replaceable> }; </optional>
4763 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
4764 <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
4765 <optional> allow-recursion-on { <replaceable>address_match_list</replaceable> }; </optional>
4766 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
4767 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
4768 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
4769 <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
4770 <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
4771 <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
4772 <optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4773 <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4774 <optional> use-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4775 <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4776 <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4777 <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4778 <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
4779 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4780 <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4781 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4782 <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
4783 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4784 <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4785 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4786 <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
4787 <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
4788 <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
4789 <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
4790 <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
4791 <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
4792 <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
4793 <optional> tcp-clients <replaceable>number</replaceable>; </optional>
4794 <optional> reserved-sockets <replaceable>number</replaceable>; </optional>
4795 <optional> recursive-clients <replaceable>number</replaceable>; </optional>
4796 <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
4797 <optional> serial-queries <replaceable>number</replaceable>; </optional>
4798 <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
4799 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
4800 <optional> transfers-in <replaceable>number</replaceable>; </optional>
4801 <optional> transfers-out <replaceable>number</replaceable>; </optional>
4802 <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
4803 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4804 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4805 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4806 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4807 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
4808 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
4809 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4810 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4811 <optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional>
4812 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4813 <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
4814 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
4815 <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
4816 <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
4817 <optional> files <replaceable>size_spec</replaceable> ; </optional>
4818 <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
4819 <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
4820 <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
4821 <optional> interface-interval <replaceable>number</replaceable>; </optional>
4822 <optional> statistics-interval <replaceable>number</replaceable>; </optional>
4823 <optional> topology { <replaceable>address_match_list</replaceable> }</optional>;
4824 <optional> sortlist { <replaceable>address_match_list</replaceable> }</optional>;
4825 <optional> rrset-order { <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> };
4826 <optional> lame-ttl <replaceable>number</replaceable>; </optional>
4827 <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
4828 <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
4829 <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
4830 <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
4831 <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
4832 <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
4833 <optional> min-roots <replaceable>number</replaceable>; </optional>
4834 <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4835 <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4836 <optional> request-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4837 <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
4838 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
4839 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
4840 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
4841 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
4842 <optional> port <replaceable>ip_port</replaceable>; </optional>
4843 <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
4844 <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
4845 <optional> random-device <replaceable>path_name</replaceable> ; </optional>
4846 <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
4847 <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
4848 <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
4849 <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
4850 <optional> max-udp-size <replaceable>number</replaceable>; </optional>
4851 <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
4852 <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
4853 <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
4854 <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
4855 <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
4856 <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
4857 <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
4858 <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
4859 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
4860 <optional> empty-server <replaceable>name</replaceable> ; </optional>
4861 <optional> empty-contact <replaceable>name</replaceable> ; </optional>
4862 <optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
4863 <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
4864 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
4865 <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
4871 <sect2 id="options">
4872 <title><command>options</command> Statement Definition and
4876 The <command>options</command> statement sets up global
4878 to be used by <acronym>BIND</acronym>. This statement
4880 once in a configuration file. If there is no <command>options</command>
4881 statement, an options block with each option set to its default will
4888 <term><command>directory</command></term>
4891 The working directory of the server.
4892 Any non-absolute pathnames in the configuration file will be
4894 as relative to this directory. The default location for most
4896 output files (e.g. <filename>named.run</filename>)
4898 If a directory is not specified, the working directory
4899 defaults to `<filename>.</filename>', the directory from
4901 was started. The directory specified should be an absolute
4908 <term><command>key-directory</command></term>
4911 When performing dynamic update of secure zones, the
4912 directory where the public and private key files should be
4914 if different than the current working directory. The
4916 must be an absolute path.
4922 <term><command>named-xfer</command></term>
4925 <emphasis>This option is obsolete.</emphasis> It
4926 was used in <acronym>BIND</acronym> 8 to specify
4927 the pathname to the <command>named-xfer</command>
4928 program. In <acronym>BIND</acronym> 9, no separate
4929 <command>named-xfer</command> program is needed;
4930 its functionality is built into the name server.
4936 <term><command>tkey-gssapi-credential</command></term>
4939 The security credential with which the server should
4940 authenticate keys requested by the GSS-TSIG protocol.
4941 Currently only Kerberos 5 authentication is available
4942 and the credential is a Kerberos principal which
4943 the server can acquire through the default system
4944 key file, normally <filename>/etc/krb5.keytab</filename>.
4945 Normally this principal is of the form
4946 "<userinput>dns/</userinput><varname>server.domain</varname>".
4947 To use GSS-TSIG, <command>tkey-domain</command>
4954 <term><command>tkey-domain</command></term>
4957 The domain appended to the names of all shared keys
4958 generated with <command>TKEY</command>. When a
4959 client requests a <command>TKEY</command> exchange,
4960 it may or may not specify the desired name for the
4961 key. If present, the name of the shared key will
4962 be <varname>client specified part</varname> +
4963 <varname>tkey-domain</varname>. Otherwise, the
4964 name of the shared key will be <varname>random hex
4965 digits</varname> + <varname>tkey-domain</varname>.
4966 In most cases, the <command>domainname</command>
4967 should be the server's domain name, or an otherwise
4968 non-existent subdomain like
4969 "_tkey.<varname>domainname</varname>". If you are
4970 using GSS-TSIG, this variable must be defined.
4976 <term><command>tkey-dhkey</command></term>
4979 The Diffie-Hellman key used by the server
4980 to generate shared keys with clients using the Diffie-Hellman
4982 of <command>TKEY</command>. The server must be
4984 public and private keys from files in the working directory.
4986 most cases, the keyname should be the server's host name.
4992 <term><command>cache-file</command></term>
4995 This is for testing only. Do not use.
5001 <term><command>dump-file</command></term>
5004 The pathname of the file the server dumps
5005 the database to when instructed to do so with
5006 <command>rndc dumpdb</command>.
5007 If not specified, the default is <filename>named_dump.db</filename>.
5013 <term><command>memstatistics-file</command></term>
5016 The pathname of the file the server writes memory
5017 usage statistics to on exit. If not specified,
5018 the default is <filename>named.memstats</filename>.
5024 <term><command>pid-file</command></term>
5027 The pathname of the file the server writes its process ID
5028 in. If not specified, the default is
5029 <filename>/var/run/named/named.pid</filename>.
5030 The PID file is used by programs that want to send signals to
5032 name server. Specifying <command>pid-file none</command> disables the
5033 use of a PID file — no file will be written and any
5034 existing one will be removed. Note that <command>none</command>
5035 is a keyword, not a filename, and therefore is not enclosed
5043 <term><command>recursing-file</command></term>
5046 The pathname of the file the server dumps
5047 the queries that are currently recursing when instructed
5048 to do so with <command>rndc recursing</command>.
5049 If not specified, the default is <filename>named.recursing</filename>.
5055 <term><command>statistics-file</command></term>
5058 The pathname of the file the server appends statistics
5059 to when instructed to do so using <command>rndc stats</command>.
5060 If not specified, the default is <filename>named.stats</filename> in the
5061 server's current directory. The format of the file is
5063 in <xref linkend="statsfile"/>.
5069 <term><command>port</command></term>
5072 The UDP/TCP port number the server uses for
5073 receiving and sending DNS protocol traffic.
5074 The default is 53. This option is mainly intended for server
5076 a server using a port other than 53 will not be able to
5084 <term><command>random-device</command></term>
5087 The source of entropy to be used by the server. Entropy is
5089 for DNSSEC operations, such as TKEY transactions and dynamic
5091 zones. This options specifies the device (or file) from which
5093 entropy. If this is a file, operations requiring entropy will
5095 file has been exhausted. If not specified, the default value
5097 <filename>/dev/random</filename>
5098 (or equivalent) when present, and none otherwise. The
5099 <command>random-device</command> option takes
5101 the initial configuration load at server startup time and
5102 is ignored on subsequent reloads.
5108 <term><command>preferred-glue</command></term>
5111 If specified, the listed type (A or AAAA) will be emitted
5113 in the additional section of a query response.
5114 The default is not to prefer any type (NONE).
5119 <varlistentry id="root_delegation_only">
5120 <term><command>root-delegation-only</command></term>
5123 Turn on enforcement of delegation-only in TLDs
5124 (top level domains) and root zones with an optional
5128 DS queries are expected to be made to and be answered by
5129 delegation only zones. Such queries and responses are
5130 treated as a exception to delegation-only processing
5131 and are not converted to NXDOMAIN responses provided
5132 a CNAME is not discovered at the query name.
5135 If a delegation only zone server also serves a child
5136 zone it is not always possible to determine whether
5137 a answer comes from the delegation only zone or the
5138 child zone. SOA NS and DNSKEY records are apex
5139 only records and a matching response that contains
5140 these records or DS is treated as coming from a
5141 child zone. RRSIG records are also examined to see
5142 if they are signed by a child zone or not. The
5143 authority section is also examined to see if there
5144 is evidence that the answer is from the child zone.
5145 Answers that are determined to be from a child zone
5146 are not converted to NXDOMAIN responses. Despite
5147 all these checks there is still a possibility of
5148 false negatives when a child zone is being served.
5151 Similarly false positives can arise from empty nodes
5152 (no records at the name) in the delegation only zone
5153 when the query type is not ANY.
5156 Note some TLDs are not delegation only (e.g. "DE", "LV",
5157 "US" and "MUSEUM"). This list is not exhaustive.
5162 root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
5170 <term><command>disable-algorithms</command></term>
5173 Disable the specified DNSSEC algorithms at and below the
5175 Multiple <command>disable-algorithms</command>
5176 statements are allowed.
5177 Only the most specific will be applied.
5183 <term><command>dnssec-lookaside</command></term>
5186 When set, <command>dnssec-lookaside</command>
5188 validator with an alternate method to validate DNSKEY records
5190 top of a zone. When a DNSKEY is at or below a domain
5192 deepest <command>dnssec-lookaside</command>, and
5193 the normal DNSSEC validation
5194 has left the key untrusted, the trust-anchor will be append to
5196 name and a DLV record will be looked up to see if it can
5198 key. If the DLV record validates a DNSKEY (similarly to the
5200 record does) the DNSKEY RRset is deemed to be trusted.
5206 <term><command>dnssec-must-be-secure</command></term>
5209 Specify hierarchies which must be or may not be secure (signed and
5211 If <userinput>yes</userinput>, then <command>named</command> will only accept
5214 If <userinput>no</userinput>, then normal DNSSEC validation
5216 allowing for insecure answers to be accepted.
5217 The specified domain must be under a <command>trusted-key</command> or
5218 <command>dnssec-lookaside</command> must be
5226 <sect3 id="boolean_options">
5227 <title>Boolean Options</title>
5232 <term><command>auth-nxdomain</command></term>
5235 If <userinput>yes</userinput>, then the <command>AA</command> bit
5236 is always set on NXDOMAIN responses, even if the server is
5238 authoritative. The default is <userinput>no</userinput>;
5240 a change from <acronym>BIND</acronym> 8. If you
5241 are using very old DNS software, you
5242 may need to set it to <userinput>yes</userinput>.
5248 <term><command>deallocate-on-exit</command></term>
5251 This option was used in <acronym>BIND</acronym>
5252 8 to enable checking
5253 for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
5260 <term><command>memstatistics</command></term>
5263 Write memory statistics to the file specified by
5264 <command>memstatistics-file</command> at exit.
5265 The default is <userinput>no</userinput> unless
5266 '-m record' is specified on the command line in
5267 which case it is <userinput>yes</userinput>.
5273 <term><command>dialup</command></term>
5276 If <userinput>yes</userinput>, then the
5277 server treats all zones as if they are doing zone transfers
5279 a dial-on-demand dialup link, which can be brought up by
5281 originating from this server. This has different effects
5283 to zone type and concentrates the zone maintenance so that
5285 happens in a short interval, once every <command>heartbeat-interval</command> and
5286 hopefully during the one call. It also suppresses some of
5288 zone maintenance traffic. The default is <userinput>no</userinput>.
5291 The <command>dialup</command> option
5292 may also be specified in the <command>view</command> and
5293 <command>zone</command> statements,
5294 in which case it overrides the global <command>dialup</command>
5298 If the zone is a master zone, then the server will send out a
5300 request to all the slaves (default). This should trigger the
5302 number check in the slave (providing it supports NOTIFY)
5304 to verify the zone while the connection is active.
5305 The set of servers to which NOTIFY is sent can be controlled
5307 <command>notify</command> and <command>also-notify</command>.
5311 zone is a slave or stub zone, then the server will suppress
5313 "zone up to date" (refresh) queries and only perform them
5315 <command>heartbeat-interval</command> expires in
5320 Finer control can be achieved by using
5321 <userinput>notify</userinput> which only sends NOTIFY
5323 <userinput>notify-passive</userinput> which sends NOTIFY
5325 suppresses the normal refresh queries, <userinput>refresh</userinput>
5326 which suppresses normal refresh processing and sends refresh
5328 when the <command>heartbeat-interval</command>
5330 <userinput>passive</userinput> which just disables normal
5335 <informaltable colsep="0" rowsep="0">
5336 <tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
5337 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
5338 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
5339 <colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
5340 <colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
5366 <para><command>no</command> (default)</para>
5386 <para><command>yes</command></para>
5406 <para><command>notify</command></para>
5426 <para><command>refresh</command></para>
5446 <para><command>passive</command></para>
5466 <para><command>notify-passive</command></para>
5489 Note that normal NOTIFY processing is not affected by
5490 <command>dialup</command>.
5497 <term><command>fake-iquery</command></term>
5500 In <acronym>BIND</acronym> 8, this option
5501 enabled simulating the obsolete DNS query type
5502 IQUERY. <acronym>BIND</acronym> 9 never does
5509 <term><command>fetch-glue</command></term>
5512 This option is obsolete.
5513 In BIND 8, <userinput>fetch-glue yes</userinput>
5514 caused the server to attempt to fetch glue resource records
5516 didn't have when constructing the additional
5517 data section of a response. This is now considered a bad
5519 and BIND 9 never does it.
5525 <term><command>flush-zones-on-shutdown</command></term>
5528 When the nameserver exits due receiving SIGTERM,
5529 flush or do not flush any pending zone writes. The default
5531 <command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
5537 <term><command>has-old-clients</command></term>
5540 This option was incorrectly implemented
5541 in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
5542 To achieve the intended effect
5544 <command>has-old-clients</command> <userinput>yes</userinput>, specify
5545 the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
5546 and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
5552 <term><command>host-statistics</command></term>
5555 In BIND 8, this enables keeping of
5556 statistics for every host that the name server interacts
5558 Not implemented in BIND 9.
5564 <term><command>maintain-ixfr-base</command></term>
5567 <emphasis>This option is obsolete</emphasis>.
5568 It was used in <acronym>BIND</acronym> 8 to
5569 determine whether a transaction log was
5570 kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
5571 log whenever possible. If you need to disable outgoing
5573 transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
5579 <term><command>minimal-responses</command></term>
5582 If <userinput>yes</userinput>, then when generating
5583 responses the server will only add records to the authority
5584 and additional data sections when they are required (e.g.
5585 delegations, negative responses). This may improve the
5586 performance of the server.
5587 The default is <userinput>no</userinput>.
5593 <term><command>multiple-cnames</command></term>
5596 This option was used in <acronym>BIND</acronym> 8 to allow
5597 a domain name to have multiple CNAME records in violation of
5598 the DNS standards. <acronym>BIND</acronym> 9.2 onwards
5599 always strictly enforces the CNAME rules both in master
5600 files and dynamic updates.
5606 <term><command>notify</command></term>
5609 If <userinput>yes</userinput> (the default),
5610 DNS NOTIFY messages are sent when a zone the server is
5612 changes, see <xref linkend="notify"/>. The messages are
5614 servers listed in the zone's NS records (except the master
5616 in the SOA MNAME field), and to any servers listed in the
5617 <command>also-notify</command> option.
5620 If <userinput>master-only</userinput>, notifies are only
5623 If <userinput>explicit</userinput>, notifies are sent only
5625 servers explicitly listed using <command>also-notify</command>.
5626 If <userinput>no</userinput>, no notifies are sent.
5629 The <command>notify</command> option may also be
5630 specified in the <command>zone</command>
5632 in which case it overrides the <command>options notify</command> statement.
5633 It would only be necessary to turn off this option if it
5641 <term><command>notify-to-soa</command></term>
5644 If <userinput>yes</userinput> do not check the nameservers
5645 in the NS RRset against the SOA MNAME. Normally a NOTIFY
5646 message is not sent to the SOA MNAME (SOA ORIGIN) as it is
5647 supposed to contain the name of the ultimate master.
5648 Sometimes, however, a slave is listed as the SOA MNAME in
5649 hidden master configurations and in that case you would
5650 want the ultimate master to still send NOTIFY messages to
5651 all the nameservers listed in the NS RRset.
5657 <term><command>recursion</command></term>
5660 If <userinput>yes</userinput>, and a
5661 DNS query requests recursion, then the server will attempt
5663 all the work required to answer the query. If recursion is
5665 and the server does not already know the answer, it will
5667 referral response. The default is
5668 <userinput>yes</userinput>.
5669 Note that setting <command>recursion no</command> does not prevent
5670 clients from getting data from the server's cache; it only
5671 prevents new data from being cached as an effect of client
5673 Caching may still occur as an effect the server's internal
5674 operation, such as NOTIFY address lookups.
5675 See also <command>fetch-glue</command> above.
5681 <term><command>rfc2308-type1</command></term>
5684 Setting this to <userinput>yes</userinput> will
5685 cause the server to send NS records along with the SOA
5687 answers. The default is <userinput>no</userinput>.
5691 Not yet implemented in <acronym>BIND</acronym>
5699 <term><command>use-id-pool</command></term>
5702 <emphasis>This option is obsolete</emphasis>.
5703 <acronym>BIND</acronym> 9 always allocates query
5710 <term><command>zone-statistics</command></term>
5713 If <userinput>yes</userinput>, the server will collect
5714 statistical data on all zones (unless specifically turned
5716 on a per-zone basis by specifying <command>zone-statistics no</command>
5717 in the <command>zone</command> statement).
5718 These statistics may be accessed
5719 using <command>rndc stats</command>, which will
5720 dump them to the file listed
5721 in the <command>statistics-file</command>. See
5722 also <xref linkend="statsfile"/>.
5728 <term><command>use-ixfr</command></term>
5731 <emphasis>This option is obsolete</emphasis>.
5732 If you need to disable IXFR to a particular server or
5734 the information on the <command>provide-ixfr</command> option
5735 in <xref linkend="server_statement_definition_and_usage"/>.
5737 <xref linkend="incremental_zone_transfers"/>.
5743 <term><command>provide-ixfr</command></term>
5746 See the description of
5747 <command>provide-ixfr</command> in
5748 <xref linkend="server_statement_definition_and_usage"/>.
5754 <term><command>request-ixfr</command></term>
5757 See the description of
5758 <command>request-ixfr</command> in
5759 <xref linkend="server_statement_definition_and_usage"/>.
5765 <term><command>treat-cr-as-space</command></term>
5768 This option was used in <acronym>BIND</acronym>
5770 the server treat carriage return ("<command>\r</command>") characters the same way
5771 as a space or tab character,
5772 to facilitate loading of zone files on a UNIX system that
5774 on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
5775 and NT/DOS "<command>\r\n</command>" newlines
5776 are always accepted,
5777 and the option is ignored.
5783 <term><command>additional-from-auth</command></term>
5784 <term><command>additional-from-cache</command></term>
5788 These options control the behavior of an authoritative
5790 answering queries which have additional data, or when
5796 When both of these options are set to <userinput>yes</userinput>
5798 query is being answered from authoritative data (a zone
5799 configured into the server), the additional data section of
5801 reply will be filled in using data from other authoritative
5803 and from the cache. In some situations this is undesirable,
5805 as when there is concern over the correctness of the cache,
5807 in servers where slave zones may be added and modified by
5808 untrusted third parties. Also, avoiding
5809 the search for this additional data will speed up server
5811 at the possible expense of additional queries to resolve
5813 otherwise be provided in the additional section.
5817 For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
5818 and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
5819 records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
5820 if known, even though they are not in the example.com zone.
5821 Setting these options to <command>no</command>
5822 disables this behavior and makes
5823 the server only search for additional data in the zone it
5828 These options are intended for use in authoritative-only
5829 servers, or in authoritative-only views. Attempts to set
5830 them to <command>no</command> without also
5832 <command>recursion no</command> will cause the
5834 ignore the options and log a warning message.
5838 Specifying <command>additional-from-cache no</command> actually
5839 disables the use of the cache not only for additional data
5841 but also when looking up the answer. This is usually the
5843 behavior in an authoritative-only server where the
5845 the cached data is an issue.
5849 When a name server is non-recursively queried for a name
5851 below the apex of any served zone, it normally answers with
5853 "upwards referral" to the root servers or the servers of
5855 known parent of the query name. Since the data in an
5857 comes from the cache, the server will not be able to provide
5859 referrals when <command>additional-from-cache no</command>
5860 has been specified. Instead, it will respond to such
5862 with REFUSED. This should not cause any problems since
5863 upwards referrals are not required for the resolution
5871 <term><command>match-mapped-addresses</command></term>
5874 If <userinput>yes</userinput>, then an
5875 IPv4-mapped IPv6 address will match any address match
5876 list entries that match the corresponding IPv4 address.
5877 Enabling this option is sometimes useful on IPv6-enabled
5879 systems, to work around a kernel quirk that causes IPv4
5880 TCP connections such as zone transfers to be accepted
5881 on an IPv6 socket using mapped addresses, causing
5882 address match lists designed for IPv4 to fail to match.
5883 The use of this option for any other purpose is discouraged.
5889 <term><command>ixfr-from-differences</command></term>
5892 When <userinput>yes</userinput> and the server loads a new version of a master
5893 zone from its zone file or receives a new version of a slave
5894 file by a non-incremental zone transfer, it will compare
5895 the new version to the previous one and calculate a set
5896 of differences. The differences are then logged in the
5897 zone's journal file such that the changes can be transmitted
5898 to downstream slaves as an incremental zone transfer.
5901 By allowing incremental zone transfers to be used for
5902 non-dynamic zones, this option saves bandwidth at the
5903 expense of increased CPU and memory consumption at the
5905 In particular, if the new version of a zone is completely
5906 different from the previous one, the set of differences
5907 will be of a size comparable to the combined size of the
5908 old and new zone version, and the server will need to
5909 temporarily allocate memory to hold this complete
5912 <para><command>ixfr-from-differences</command>
5913 also accepts <command>master</command> and
5914 <command>slave</command> at the view and options
5916 <command>ixfr-from-differences</command> to be enabled for
5917 all <command>master</command> or
5918 <command>slave</command> zones respectively.
5919 It is off by default.
5925 <term><command>multi-master</command></term>
5928 This should be set when you have multiple masters for a zone
5930 addresses refer to different machines. If <userinput>yes</userinput>, <command>named</command> will
5932 when the serial number on the master is less than what <command>named</command>
5934 has. The default is <userinput>no</userinput>.
5940 <term><command>dnssec-enable</command></term>
5943 Enable DNSSEC support in <command>named</command>. Unless set to <userinput>yes</userinput>,
5944 <command>named</command> behaves as if it does not support DNSSEC.
5945 The default is <userinput>yes</userinput>.
5951 <term><command>dnssec-validation</command></term>
5954 Enable DNSSEC validation in <command>named</command>.
5955 Note <command>dnssec-enable</command> also needs to be
5956 set to <userinput>yes</userinput> to be effective.
5957 The default is <userinput>yes</userinput>.
5963 <term><command>dnssec-accept-expired</command></term>
5966 Accept expired signatures when verifying DNSSEC signatures.
5967 The default is <userinput>no</userinput>.
5968 Setting this option to "yes" leaves <command>named</command> vulnerable to replay attacks.
5974 <term><command>querylog</command></term>
5977 Specify whether query logging should be started when <command>named</command>
5979 If <command>querylog</command> is not specified,
5980 then the query logging
5981 is determined by the presence of the logging category <command>queries</command>.
5987 <term><command>check-names</command></term>
5990 This option is used to restrict the character set and syntax
5992 certain domain names in master files and/or DNS responses
5994 from the network. The default varies according to usage
5996 <command>master</command> zones the default is <command>fail</command>.
5997 For <command>slave</command> zones the default
5998 is <command>warn</command>.
5999 For answers received from the network (<command>response</command>)
6000 the default is <command>ignore</command>.
6003 The rules for legal hostnames and mail domains are derived
6004 from RFC 952 and RFC 821 as modified by RFC 1123.
6006 <para><command>check-names</command>
6007 applies to the owner names of A, AAAA and MX records.
6008 It also applies to the domain names in the RDATA of NS, SOA,
6009 MX, and SRV records.
6010 It also applies to the RDATA of PTR records where the owner
6011 name indicated that it is a reverse lookup of a hostname
6012 (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
6018 <term><command>check-mx</command></term>
6021 Check whether the MX record appears to refer to a IP address.
6022 The default is to <command>warn</command>. Other possible
6023 values are <command>fail</command> and
6024 <command>ignore</command>.
6030 <term><command>check-wildcard</command></term>
6033 This option is used to check for non-terminal wildcards.
6034 The use of non-terminal wildcards is almost always as a
6036 to understand the wildcard matching algorithm (RFC 1034).
6038 affects master zones. The default (<command>yes</command>) is to check
6039 for non-terminal wildcards and issue a warning.
6045 <term><command>check-integrity</command></term>
6048 Perform post load zone integrity checks on master
6049 zones. This checks that MX and SRV records refer
6050 to address (A or AAAA) records and that glue
6051 address records exist for delegated zones. For
6052 MX and SRV records only in-zone hostnames are
6053 checked (for out-of-zone hostnames use
6054 <command>named-checkzone</command>).
6055 For NS records only names below top of zone are
6056 checked (for out-of-zone names and glue consistency
6057 checks use <command>named-checkzone</command>).
6058 The default is <command>yes</command>.
6064 <term><command>check-mx-cname</command></term>
6067 If <command>check-integrity</command> is set then
6068 fail, warn or ignore MX records that refer
6069 to CNAMES. The default is to <command>warn</command>.
6075 <term><command>check-srv-cname</command></term>
6078 If <command>check-integrity</command> is set then
6079 fail, warn or ignore SRV records that refer
6080 to CNAMES. The default is to <command>warn</command>.
6086 <term><command>check-sibling</command></term>
6089 When performing integrity checks, also check that
6090 sibling glue exists. The default is <command>yes</command>.
6096 <term><command>zero-no-soa-ttl</command></term>
6099 When returning authoritative negative responses to
6100 SOA queries set the TTL of the SOA record returned in
6101 the authority section to zero.
6102 The default is <command>yes</command>.
6108 <term><command>zero-no-soa-ttl-cache</command></term>
6111 When caching a negative response to a SOA query
6112 set the TTL to zero.
6113 The default is <command>no</command>.
6119 <term><command>update-check-ksk</command></term>
6122 When regenerating the RRSIGs following a UPDATE
6123 request to a secure zone, check the KSK flag on
6124 the DNSKEY RR to determine if this key should be
6125 used to generate the RRSIG. This flag is ignored
6126 if there are not DNSKEY RRs both with and without
6128 The default is <command>yes</command>.
6134 <term><command>try-tcp-refresh</command></term>
6137 Try to refresh the zone using TCP if UDP queries fail.
6138 For BIND 8 compatibility, the default is
6139 <command>yes</command>.
6149 <title>Forwarding</title>
6151 The forwarding facility can be used to create a large site-wide
6152 cache on a few servers, reducing traffic over links to external
6153 name servers. It can also be used to allow queries by servers that
6154 do not have direct access to the Internet, but wish to look up
6156 names anyway. Forwarding occurs only on those queries for which
6157 the server is not authoritative and does not have the answer in
6163 <term><command>forward</command></term>
6166 This option is only meaningful if the
6167 forwarders list is not empty. A value of <varname>first</varname>,
6168 the default, causes the server to query the forwarders
6170 if that doesn't answer the question, the server will then
6172 the answer itself. If <varname>only</varname> is
6174 server will only query the forwarders.
6180 <term><command>forwarders</command></term>
6183 Specifies the IP addresses to be used
6184 for forwarding. The default is the empty list (no
6193 Forwarding can also be configured on a per-domain basis, allowing
6194 for the global forwarding options to be overridden in a variety
6195 of ways. You can set particular domains to use different
6197 or have a different <command>forward only/first</command> behavior,
6198 or not forward at all, see <xref linkend="zone_statement_grammar"/>.
6203 <title>Dual-stack Servers</title>
6205 Dual-stack servers are used as servers of last resort to work
6207 problems in reachability due the lack of support for either IPv4
6209 on the host machine.
6214 <term><command>dual-stack-servers</command></term>
6217 Specifies host names or addresses of machines with access to
6218 both IPv4 and IPv6 transports. If a hostname is used, the
6220 to resolve the name using only the transport it has. If the
6222 stacked, then the <command>dual-stack-servers</command> have no effect unless
6223 access to a transport has been disabled on the command line
6224 (e.g. <command>named -4</command>).
6231 <sect3 id="access_control">
6232 <title>Access Control</title>
6235 Access to the server can be restricted based on the IP address
6236 of the requesting system. See <xref linkend="address_match_lists"/> for
6237 details on how to specify IP address lists.
6243 <term><command>allow-notify</command></term>
6246 Specifies which hosts are allowed to
6247 notify this server, a slave, of zone changes in addition
6248 to the zone masters.
6249 <command>allow-notify</command> may also be
6251 <command>zone</command> statement, in which case
6253 <command>options allow-notify</command>
6254 statement. It is only meaningful
6255 for a slave zone. If not specified, the default is to
6256 process notify messages
6257 only from a zone's master.
6263 <term><command>allow-query</command></term>
6266 Specifies which hosts are allowed to ask ordinary
6267 DNS questions. <command>allow-query</command> may
6268 also be specified in the <command>zone</command>
6269 statement, in which case it overrides the
6270 <command>options allow-query</command> statement.
6271 If not specified, the default is to allow queries
6276 <command>allow-query-cache</command> is now
6277 used to specify access to the cache.
6284 <term><command>allow-query-on</command></term>
6287 Specifies which local addresses can accept ordinary
6288 DNS questions. This makes it possible, for instance,
6289 to allow queries on internal-facing interfaces but
6290 disallow them on external-facing ones, without
6291 necessarily knowing the internal network's addresses.
6294 <command>allow-query-on</command> may
6295 also be specified in the <command>zone</command>
6296 statement, in which case it overrides the
6297 <command>options allow-query-on</command> statement.
6300 If not specified, the default is to allow queries
6305 <command>allow-query-cache</command> is
6306 used to specify access to the cache.
6313 <term><command>allow-query-cache</command></term>
6316 Specifies which hosts are allowed to get answers
6317 from the cache. If <command>allow-query-cache</command>
6318 is not set then <command>allow-recursion</command>
6319 is used if set, otherwise <command>allow-query</command>
6320 is used if set unless <command>recursion no;</command> is
6321 set in which case <command>none;</command> is used,
6322 otherwise the default (<command>localnets;</command>
6323 <command>localhost;</command>) is used.
6329 <term><command>allow-query-cache-on</command></term>
6332 Specifies which local addresses can give answers
6333 from the cache. If not specified, the default is
6334 to allow cache queries on any address,
6335 <command>localnets</command> and
6336 <command>localhost</command>.
6342 <term><command>allow-recursion</command></term>
6345 Specifies which hosts are allowed to make recursive
6346 queries through this server. If
6347 <command>allow-recursion</command> is not set
6348 then <command>allow-query-cache</command> is
6349 used if set, otherwise <command>allow-query</command>
6350 is used if set, otherwise the default
6351 (<command>localnets;</command>
6352 <command>localhost;</command>) is used.
6358 <term><command>allow-recursion-on</command></term>
6361 Specifies which local addresses can accept recursive
6362 queries. If not specified, the default is to allow
6363 recursive queries on all addresses.
6369 <term><command>allow-update</command></term>
6372 Specifies which hosts are allowed to
6373 submit Dynamic DNS updates for master zones. The default is
6375 updates from all hosts. Note that allowing updates based
6376 on the requestor's IP address is insecure; see
6377 <xref linkend="dynamic_update_security"/> for details.
6383 <term><command>allow-update-forwarding</command></term>
6386 Specifies which hosts are allowed to
6387 submit Dynamic DNS updates to slave zones to be forwarded to
6389 master. The default is <userinput>{ none; }</userinput>,
6391 means that no update forwarding will be performed. To
6393 update forwarding, specify
6394 <userinput>allow-update-forwarding { any; };</userinput>.
6395 Specifying values other than <userinput>{ none; }</userinput> or
6396 <userinput>{ any; }</userinput> is usually
6397 counterproductive, since
6398 the responsibility for update access control should rest
6400 master server, not the slaves.
6403 Note that enabling the update forwarding feature on a slave
6405 may expose master servers relying on insecure IP address
6407 access control to attacks; see <xref linkend="dynamic_update_security"/>
6414 <term><command>allow-v6-synthesis</command></term>
6417 This option was introduced for the smooth transition from
6419 to A6 and from "nibble labels" to binary labels.
6420 However, since both A6 and binary labels were then
6422 this option was also deprecated.
6423 It is now ignored with some warning messages.
6429 <term><command>allow-transfer</command></term>
6432 Specifies which hosts are allowed to
6433 receive zone transfers from the server. <command>allow-transfer</command> may
6434 also be specified in the <command>zone</command>
6436 case it overrides the <command>options allow-transfer</command> statement.
6437 If not specified, the default is to allow transfers to all
6444 <term><command>blackhole</command></term>
6447 Specifies a list of addresses that the
6448 server will not accept queries from or use to resolve a
6450 from these addresses will not be responded to. The default
6451 is <userinput>none</userinput>.
6461 <title>Interfaces</title>
6463 The interfaces and ports that the server will answer queries
6464 from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
6465 an optional port and an <varname>address_match_list</varname>.
6466 The server will listen on all interfaces allowed by the address
6467 match list. If a port is not specified, port 53 will be used.
6470 Multiple <command>listen-on</command> statements are
6475 <programlisting>listen-on { 5.6.7.8; };
6476 listen-on port 1234 { !1.2.3.4; 1.2/16; };
6480 will enable the name server on port 53 for the IP address
6481 5.6.7.8, and on port 1234 of an address on the machine in net
6482 1.2 that is not 1.2.3.4.
6486 If no <command>listen-on</command> is specified, the
6487 server will listen on port 53 on all IPv4 interfaces.
6491 The <command>listen-on-v6</command> option is used to
6492 specify the interfaces and the ports on which the server will
6494 for incoming queries sent using IPv6.
6498 When <programlisting>{ any; }</programlisting> is
6500 as the <varname>address_match_list</varname> for the
6501 <command>listen-on-v6</command> option,
6502 the server does not bind a separate socket to each IPv6 interface
6503 address as it does for IPv4 if the operating system has enough API
6504 support for IPv6 (specifically if it conforms to RFC 3493 and RFC
6506 Instead, it listens on the IPv6 wildcard address.
6507 If the system only has incomplete API support for IPv6, however,
6508 the behavior is the same as that for IPv4.
6512 A list of particular IPv6 addresses can also be specified, in
6514 the server listens on a separate socket for each specified
6516 regardless of whether the desired API is supported by the system.
6520 Multiple <command>listen-on-v6</command> options can
6525 <programlisting>listen-on-v6 { any; };
6526 listen-on-v6 port 1234 { !2001:db8::/32; any; };
6530 will enable the name server on port 53 for any IPv6 addresses
6531 (with a single wildcard socket),
6532 and on port 1234 of IPv6 addresses that is not in the prefix
6533 2001:db8::/32 (with separate sockets for each matched address.)
6537 To make the server not listen on any IPv6 address, use
6540 <programlisting>listen-on-v6 { none; };
6544 If no <command>listen-on-v6</command> option is
6545 specified, the server will not listen on any IPv6 address
6546 unless <command>-6</command> is specified when <command>named</command> is
6547 invoked. If <command>-6</command> is specified then
6548 <command>named</command> will listen on port 53 on all IPv6 interfaces by default.
6552 <sect3 id="query_address">
6553 <title>Query Address</title>
6555 If the server doesn't know the answer to a question, it will
6556 query other name servers. <command>query-source</command> specifies
6557 the address and port used for such queries. For queries sent over
6558 IPv6, there is a separate <command>query-source-v6</command> option.
6559 If <command>address</command> is <command>*</command> (asterisk) or is omitted,
6560 a wildcard IP address (<command>INADDR_ANY</command>)
6565 If <command>port</command> is <command>*</command> or is omitted,
6566 a random port number from a pre-configured
6567 range is picked up and will be used for each query.
6568 The port range(s) is that specified in
6569 the <command>use-v4-udp-ports</command> (for IPv4)
6570 and <command>use-v6-udp-ports</command> (for IPv6)
6571 options, excluding the ranges specified in
6572 the <command>avoid-v4-udp-ports</command>
6573 and <command>avoid-v6-udp-ports</command> options, respectively.
6577 The defaults of the <command>query-source</command> and
6578 <command>query-source-v6</command> options
6582 <programlisting>query-source address * port *;
6583 query-source-v6 address * port *;
6587 If <command>use-v4-udp-ports</command> or
6588 <command>use-v6-udp-ports</command> is unspecified,
6589 <command>named</command> will check if the operating
6590 system provides a programming interface to retrieve the
6591 system's default range for ephemeral ports.
6592 If such an interface is available,
6593 <command>named</command> will use the corresponding system
6594 default range; otherwise, it will use its own defaults:
6597 <programlisting>use-v4-udp-ports { range 1024 65535; };
6598 use-v6-udp-ports { range 1024 65535; };
6602 Note: make sure the ranges be sufficiently large for
6603 security. A desirable size depends on various parameters,
6604 but we generally recommend it contain at least 16384 ports
6605 (14 bits of entropy).
6606 Note also that the system's default range when used may be
6607 too small for this purpose, and that the range may even be
6608 changed while <command>named</command> is running; the new
6609 range will automatically be applied when <command>named</command>
6612 configure <command>use-v4-udp-ports</command> and
6613 <command>use-v6-udp-ports</command> explicitly so that the
6614 ranges are sufficiently large and are reasonably
6615 independent from the ranges used by other applications.
6619 Note: the operational configuration
6620 where <command>named</command> runs may prohibit the use
6621 of some ports. For example, UNIX systems will not allow
6622 <command>named</command> running without a root privilege
6623 to use ports less than 1024.
6624 If such ports are included in the specified (or detected)
6625 set of query ports, the corresponding query attempts will
6626 fail, resulting in resolution failures or delay.
6627 It is therefore important to configure the set of ports
6628 that can be safely used in the expected operational environment.
6632 The defaults of the <command>avoid-v4-udp-ports</command> and
6633 <command>avoid-v6-udp-ports</command> options
6637 <programlisting>avoid-v4-udp-ports {};
6638 avoid-v6-udp-ports {};
6642 Note: BIND 9.5.0 introduced
6643 the <command>use-queryport-pool</command>
6644 option to support a pool of such random ports, but this
6645 option is now obsolete because reusing the same ports in
6646 the pool may not be sufficiently secure.
6647 For the same reason, it is generally strongly discouraged to
6648 specify a particular port for the
6649 <command>query-source</command> or
6650 <command>query-source-v6</command> options;
6651 it implicitly disables the use of randomized port numbers.
6656 <term><command>use-queryport-pool</command></term>
6659 This option is obsolete.
6665 <term><command>queryport-pool-ports</command></term>
6668 This option is obsolete.
6674 <term><command>queryport-pool-updateinterval</command></term>
6677 This option is obsolete.
6685 The address specified in the <command>query-source</command> option
6686 is used for both UDP and TCP queries, but the port applies only
6687 to UDP queries. TCP queries always use a random
6693 Solaris 2.5.1 and earlier does not support setting the source
6694 address for TCP sockets.
6699 See also <command>transfer-source</command> and
6700 <command>notify-source</command>.
6705 <sect3 id="zone_transfers">
6706 <title>Zone Transfers</title>
6708 <acronym>BIND</acronym> has mechanisms in place to
6709 facilitate zone transfers
6710 and set limits on the amount of load that transfers place on the
6711 system. The following options apply to zone transfers.
6717 <term><command>also-notify</command></term>
6720 Defines a global list of IP addresses of name servers
6721 that are also sent NOTIFY messages whenever a fresh copy of
6723 zone is loaded, in addition to the servers listed in the
6725 This helps to ensure that copies of the zones will
6726 quickly converge on stealth servers.
6727 Optionally, a port may be specified with each
6728 <command>also-notify</command> address to send
6729 the notify messages to a port other than the
6731 If an <command>also-notify</command> list
6732 is given in a <command>zone</command> statement,
6734 the <command>options also-notify</command>
6735 statement. When a <command>zone notify</command>
6737 is set to <command>no</command>, the IP
6738 addresses in the global <command>also-notify</command> list will
6739 not be sent NOTIFY messages for that zone. The default is
6741 list (no global notification list).
6747 <term><command>max-transfer-time-in</command></term>
6750 Inbound zone transfers running longer than
6751 this many minutes will be terminated. The default is 120
6753 (2 hours). The maximum value is 28 days (40320 minutes).
6759 <term><command>max-transfer-idle-in</command></term>
6762 Inbound zone transfers making no progress
6763 in this many minutes will be terminated. The default is 60
6765 (1 hour). The maximum value is 28 days (40320 minutes).
6771 <term><command>max-transfer-time-out</command></term>
6774 Outbound zone transfers running longer than
6775 this many minutes will be terminated. The default is 120
6777 (2 hours). The maximum value is 28 days (40320 minutes).
6783 <term><command>max-transfer-idle-out</command></term>
6786 Outbound zone transfers making no progress
6787 in this many minutes will be terminated. The default is 60
6789 hour). The maximum value is 28 days (40320 minutes).
6795 <term><command>serial-query-rate</command></term>
6798 Slave servers will periodically query master servers
6799 to find out if zone serial numbers have changed. Each such
6801 a minute amount of the slave server's network bandwidth. To
6803 amount of bandwidth used, BIND 9 limits the rate at which
6805 sent. The value of the <command>serial-query-rate</command> option,
6806 an integer, is the maximum number of queries sent per
6814 <term><command>serial-queries</command></term>
6817 In BIND 8, the <command>serial-queries</command>
6819 set the maximum number of concurrent serial number queries
6820 allowed to be outstanding at any given time.
6821 BIND 9 does not limit the number of outstanding
6822 serial queries and ignores the <command>serial-queries</command> option.
6823 Instead, it limits the rate at which the queries are sent
6824 as defined using the <command>serial-query-rate</command> option.
6830 <term><command>transfer-format</command></term>
6834 Zone transfers can be sent using two different formats,
6835 <command>one-answer</command> and
6836 <command>many-answers</command>.
6837 The <command>transfer-format</command> option is used
6838 on the master server to determine which format it sends.
6839 <command>one-answer</command> uses one DNS message per
6840 resource record transferred.
6841 <command>many-answers</command> packs as many resource
6842 records as possible into a message.
6843 <command>many-answers</command> is more efficient, but is
6844 only supported by relatively new slave servers,
6845 such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
6846 8.x and <acronym>BIND</acronym> 4.9.5 onwards.
6847 The <command>many-answers</command> format is also supported by
6848 recent Microsoft Windows nameservers.
6849 The default is <command>many-answers</command>.
6850 <command>transfer-format</command> may be overridden on a
6851 per-server basis by using the <command>server</command>
6859 <term><command>transfers-in</command></term>
6862 The maximum number of inbound zone transfers
6863 that can be running concurrently. The default value is <literal>10</literal>.
6864 Increasing <command>transfers-in</command> may
6865 speed up the convergence
6866 of slave zones, but it also may increase the load on the
6873 <term><command>transfers-out</command></term>
6876 The maximum number of outbound zone transfers
6877 that can be running concurrently. Zone transfer requests in
6879 of the limit will be refused. The default value is <literal>10</literal>.
6885 <term><command>transfers-per-ns</command></term>
6888 The maximum number of inbound zone transfers
6889 that can be concurrently transferring from a given remote
6891 The default value is <literal>2</literal>.
6892 Increasing <command>transfers-per-ns</command>
6894 speed up the convergence of slave zones, but it also may
6896 the load on the remote name server. <command>transfers-per-ns</command> may
6897 be overridden on a per-server basis by using the <command>transfers</command> phrase
6898 of the <command>server</command> statement.
6904 <term><command>transfer-source</command></term>
6906 <para><command>transfer-source</command>
6907 determines which local address will be bound to IPv4
6908 TCP connections used to fetch zones transferred
6909 inbound by the server. It also determines the
6910 source IPv4 address, and optionally the UDP port,
6911 used for the refresh queries and forwarded dynamic
6912 updates. If not set, it defaults to a system
6913 controlled value which will usually be the address
6914 of the interface "closest to" the remote end. This
6915 address must appear in the remote end's
6916 <command>allow-transfer</command> option for the
6917 zone being transferred, if one is specified. This
6919 <command>transfer-source</command> for all zones,
6920 but can be overridden on a per-view or per-zone
6921 basis by including a
6922 <command>transfer-source</command> statement within
6923 the <command>view</command> or
6924 <command>zone</command> block in the configuration
6929 Solaris 2.5.1 and earlier does not support setting the
6930 source address for TCP sockets.
6937 <term><command>transfer-source-v6</command></term>
6940 The same as <command>transfer-source</command>,
6941 except zone transfers are performed using IPv6.
6947 <term><command>alt-transfer-source</command></term>
6950 An alternate transfer source if the one listed in
6951 <command>transfer-source</command> fails and
6952 <command>use-alt-transfer-source</command> is
6956 If you do not wish the alternate transfer source
6957 to be used, you should set
6958 <command>use-alt-transfer-source</command>
6959 appropriately and you should not depend upon
6960 getting an answer back to the first refresh
6967 <term><command>alt-transfer-source-v6</command></term>
6970 An alternate transfer source if the one listed in
6971 <command>transfer-source-v6</command> fails and
6972 <command>use-alt-transfer-source</command> is
6979 <term><command>use-alt-transfer-source</command></term>
6982 Use the alternate transfer sources or not. If views are
6983 specified this defaults to <command>no</command>
6984 otherwise it defaults to
6985 <command>yes</command> (for BIND 8
6992 <term><command>notify-source</command></term>
6994 <para><command>notify-source</command>
6995 determines which local source address, and
6996 optionally UDP port, will be used to send NOTIFY
6997 messages. This address must appear in the slave
6998 server's <command>masters</command> zone clause or
6999 in an <command>allow-notify</command> clause. This
7000 statement sets the <command>notify-source</command>
7001 for all zones, but can be overridden on a per-zone or
7002 per-view basis by including a
7003 <command>notify-source</command> statement within
7004 the <command>zone</command> or
7005 <command>view</command> block in the configuration
7010 Solaris 2.5.1 and earlier does not support setting the
7011 source address for TCP sockets.
7018 <term><command>notify-source-v6</command></term>
7021 Like <command>notify-source</command>,
7022 but applies to notify messages sent to IPv6 addresses.
7032 <title>UDP Port Lists</title>
7034 <command>use-v4-udp-ports</command>,
7035 <command>avoid-v4-udp-ports</command>,
7036 <command>use-v6-udp-ports</command>, and
7037 <command>avoid-v6-udp-ports</command>
7038 specify a list of IPv4 and IPv6 UDP ports that will be
7039 used or not used as source ports for UDP messages.
7040 See <xref linkend="query_address"/> about how the
7041 available ports are determined.
7042 For example, with the following configuration
7046 use-v6-udp-ports { range 32768 65535; };
7047 avoid-v6-udp-ports { 40000; range 50000 60000; };
7051 UDP ports of IPv6 messages sent
7052 from <command>named</command> will be in one
7053 of the following ranges: 32768 to 39999, 40001 to 49999,
7058 <command>avoid-v4-udp-ports</command> and
7059 <command>avoid-v6-udp-ports</command> can be used
7060 to prevent <command>named</command> from choosing as its random source port a
7061 port that is blocked by your firewall or a port that is
7062 used by other applications;
7063 if a query went out with a source port blocked by a
7065 answer would not get by the firewall and the name server would
7066 have to query again.
7067 Note: the desired range can also be represented only with
7068 <command>use-v4-udp-ports</command> and
7069 <command>use-v6-udp-ports</command>, and the
7070 <command>avoid-</command> options are redundant in that
7071 sense; they are provided for backward compatibility and
7072 to possibly simplify the port specification.
7077 <title>Operating System Resource Limits</title>
7080 The server's usage of many system resources can be limited.
7081 Scaled values are allowed when specifying resource limits. For
7082 example, <command>1G</command> can be used instead of
7083 <command>1073741824</command> to specify a limit of
7085 gigabyte. <command>unlimited</command> requests
7086 unlimited use, or the
7087 maximum available amount. <command>default</command>
7089 that was in force when the server was started. See the description
7090 of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
7094 The following options set operating system resource limits for
7095 the name server process. Some operating systems don't support
7097 any of the limits. On such systems, a warning will be issued if
7099 unsupported limit is used.
7105 <term><command>coresize</command></term>
7108 The maximum size of a core dump. The default
7109 is <literal>default</literal>.
7115 <term><command>datasize</command></term>
7118 The maximum amount of data memory the server
7119 may use. The default is <literal>default</literal>.
7120 This is a hard limit on server memory usage.
7121 If the server attempts to allocate memory in excess of this
7122 limit, the allocation will fail, which may in turn leave
7123 the server unable to perform DNS service. Therefore,
7124 this option is rarely useful as a way of limiting the
7125 amount of memory used by the server, but it can be used
7126 to raise an operating system data size limit that is
7127 too small by default. If you wish to limit the amount
7128 of memory used by the server, use the
7129 <command>max-cache-size</command> and
7130 <command>recursive-clients</command>
7137 <term><command>files</command></term>
7140 The maximum number of files the server
7141 may have open concurrently. The default is <literal>unlimited</literal>.
7147 <term><command>stacksize</command></term>
7150 The maximum amount of stack memory the server
7151 may use. The default is <literal>default</literal>.
7160 <sect3 id="server_resource_limits">
7161 <title>Server Resource Limits</title>
7164 The following options set limits on the server's
7165 resource consumption that are enforced internally by the
7166 server rather than the operating system.
7172 <term><command>max-ixfr-log-size</command></term>
7175 This option is obsolete; it is accepted
7176 and ignored for BIND 8 compatibility. The option
7177 <command>max-journal-size</command> performs a
7178 similar function in BIND 9.
7184 <term><command>max-journal-size</command></term>
7187 Sets a maximum size for each journal file
7188 (see <xref linkend="journal"/>). When the journal file
7190 the specified size, some of the oldest transactions in the
7192 will be automatically removed. The default is
7193 <literal>unlimited</literal>.
7194 This may also be set on a per-zone basis.
7200 <term><command>host-statistics-max</command></term>
7203 In BIND 8, specifies the maximum number of host statistics
7205 Not implemented in BIND 9.
7211 <term><command>recursive-clients</command></term>
7214 The maximum number of simultaneous recursive lookups
7215 the server will perform on behalf of clients. The default
7217 <literal>1000</literal>. Because each recursing
7219 bit of memory, on the order of 20 kilobytes, the value of
7221 <command>recursive-clients</command> option may
7222 have to be decreased
7223 on hosts with limited memory.
7229 <term><command>tcp-clients</command></term>
7232 The maximum number of simultaneous client TCP
7233 connections that the server will accept.
7234 The default is <literal>100</literal>.
7240 <term><command>reserved-sockets</command></term>
7243 The number of file descriptors reserved for TCP, stdio,
7244 etc. This needs to be big enough to cover the number of
7245 interfaces <command>named</command> listens on, <command>tcp-clients</command> as well as
7246 to provide room for outgoing TCP queries and incoming zone
7247 transfers. The default is <literal>512</literal>.
7248 The minimum value is <literal>128</literal> and the
7249 maximum value is <literal>128</literal> less than
7250 maxsockets (-S). This option may be removed in the future.
7253 This option has little effect on Windows.
7259 <term><command>max-cache-size</command></term>
7262 The maximum amount of memory to use for the
7263 server's cache, in bytes.
7264 When the amount of data in the cache
7265 reaches this limit, the server will cause records to expire
7266 prematurely based on an LRU based strategy so that
7267 the limit is not exceeded.
7268 A value of 0 is special, meaning that
7269 records are purged from the cache only when their
7271 Another special keyword <userinput>unlimited</userinput>
7272 means the maximum value of 32-bit unsigned integers
7273 (0xffffffff), which may not have the same effect as
7274 0 on machines that support more than 32 bits of
7276 Any positive values less than 2MB will be ignored reset
7278 In a server with multiple views, the limit applies
7279 separately to the cache of each view.
7286 <term><command>tcp-listen-queue</command></term>
7289 The listen queue depth. The default and minimum is 3.
7290 If the kernel supports the accept filter "dataready" this
7292 many TCP connections that will be queued in kernel space
7294 some data before being passed to accept. Values less than 3
7306 <title>Periodic Task Intervals</title>
7311 <term><command>cleaning-interval</command></term>
7314 This interval is effectively obsolete. Previously,
7315 the server would remove expired resource records
7316 from the cache every <command>cleaning-interval</command> minutes.
7317 <acronym>BIND</acronym> 9 now manages cache
7318 memory in a more sophisticated manner and does not
7319 rely on the periodic cleaning any more.
7320 Specifying this option therefore has no effect on
7321 the server's behavior.
7327 <term><command>heartbeat-interval</command></term>
7330 The server will perform zone maintenance tasks
7331 for all zones marked as <command>dialup</command> whenever this
7332 interval expires. The default is 60 minutes. Reasonable
7334 to 1 day (1440 minutes). The maximum value is 28 days
7336 If set to 0, no zone maintenance for these zones will occur.
7342 <term><command>interface-interval</command></term>
7345 The server will scan the network interface list
7346 every <command>interface-interval</command>
7347 minutes. The default
7348 is 60 minutes. The maximum value is 28 days (40320 minutes).
7349 If set to 0, interface scanning will only occur when
7350 the configuration file is loaded. After the scan, the
7352 begin listening for queries on any newly discovered
7353 interfaces (provided they are allowed by the
7354 <command>listen-on</command> configuration), and
7356 stop listening on interfaces that have gone away.
7362 <term><command>statistics-interval</command></term>
7365 Name server statistics will be logged
7366 every <command>statistics-interval</command>
7367 minutes. The default is
7368 60. The maximum value is 28 days (40320 minutes).
7369 If set to 0, no statistics will be logged.
7372 Not yet implemented in
7373 <acronym>BIND</acronym> 9.
7383 <sect3 id="topology">
7384 <title>Topology</title>
7387 All other things being equal, when the server chooses a name
7389 to query from a list of name servers, it prefers the one that is
7390 topologically closest to itself. The <command>topology</command> statement
7391 takes an <command>address_match_list</command> and
7393 in a special way. Each top-level list element is assigned a
7395 Non-negated elements get a distance based on their position in the
7396 list, where the closer the match is to the start of the list, the
7397 shorter the distance is between it and the server. A negated match
7398 will be assigned the maximum distance from the server. If there
7399 is no match, the address will get a distance which is further than
7400 any non-negated list element, and closer than any negated element.
7404 <programlisting>topology {
7411 will prefer servers on network 10 the most, followed by hosts
7412 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
7413 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
7414 is preferred least of all.
7417 The default topology is
7420 <programlisting> topology { localhost; localnets; };
7425 The <command>topology</command> option
7426 is not implemented in <acronym>BIND</acronym> 9.
7431 <sect3 id="the_sortlist_statement">
7433 <title>The <command>sortlist</command> Statement</title>
7436 The response to a DNS query may consist of multiple resource
7437 records (RRs) forming a resource records set (RRset).
7438 The name server will normally return the
7439 RRs within the RRset in an indeterminate order
7440 (but see the <command>rrset-order</command>
7441 statement in <xref linkend="rrset_ordering"/>).
7442 The client resolver code should rearrange the RRs as appropriate,
7443 that is, using any addresses on the local net in preference to
7445 However, not all resolvers can do this or are correctly
7447 When a client is using a local server, the sorting can be performed
7448 in the server, based on the client's address. This only requires
7449 configuring the name servers, not all the clients.
7453 The <command>sortlist</command> statement (see below)
7455 an <command>address_match_list</command> and
7457 more specifically than the <command>topology</command>
7459 does (<xref linkend="topology"/>).
7460 Each top level statement in the <command>sortlist</command> must
7461 itself be an explicit <command>address_match_list</command> with
7462 one or two elements. The first element (which may be an IP
7464 an IP prefix, an ACL name or a nested <command>address_match_list</command>)
7465 of each top level list is checked against the source address of
7466 the query until a match is found.
7469 Once the source address of the query has been matched, if
7470 the top level statement contains only one element, the actual
7472 element that matched the source address is used to select the
7474 in the response to move to the beginning of the response. If the
7475 statement is a list of two elements, then the second element is
7476 treated the same as the <command>address_match_list</command> in
7477 a <command>topology</command> statement. Each top
7479 is assigned a distance and the address in the response with the
7481 distance is moved to the beginning of the response.
7484 In the following example, any queries received from any of
7485 the addresses of the host itself will get responses preferring
7487 on any of the locally connected networks. Next most preferred are
7489 on the 192.168.1/24 network, and after that either the
7492 192.168.3/24 network with no preference shown between these two
7493 networks. Queries received from a host on the 192.168.1/24 network
7494 will prefer other addresses on that network to the 192.168.2/24
7496 192.168.3/24 networks. Queries received from a host on the
7498 or the 192.168.5/24 network will only prefer other addresses on
7499 their directly connected networks.
7502 <programlisting>sortlist {
7503 { localhost; // IF the local host
7504 { localnets; // THEN first fit on the
7505 192.168.1/24; // following nets
7506 { 192.168.2/24; 192.168.3/24; }; }; };
7507 { 192.168.1/24; // IF on class C 192.168.1
7508 { 192.168.1/24; // THEN use .1, or .2 or .3
7509 { 192.168.2/24; 192.168.3/24; }; }; };
7510 { 192.168.2/24; // IF on class C 192.168.2
7511 { 192.168.2/24; // THEN use .2, or .1 or .3
7512 { 192.168.1/24; 192.168.3/24; }; }; };
7513 { 192.168.3/24; // IF on class C 192.168.3
7514 { 192.168.3/24; // THEN use .3, or .1 or .2
7515 { 192.168.1/24; 192.168.2/24; }; }; };
7516 { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
7521 The following example will give reasonable behavior for the
7522 local host and hosts on directly connected networks. It is similar
7523 to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
7524 to queries from the local host will favor any of the directly
7526 networks. Responses sent to queries from any other hosts on a
7528 connected network will prefer addresses on that same network.
7530 to other queries will not be sorted.
7533 <programlisting>sortlist {
7534 { localhost; localnets; };
7540 <sect3 id="rrset_ordering">
7541 <title id="rrset_ordering_title">RRset Ordering</title>
7543 When multiple records are returned in an answer it may be
7544 useful to configure the order of the records placed into the
7546 The <command>rrset-order</command> statement permits
7548 of the ordering of the records in a multiple record response.
7549 See also the <command>sortlist</command> statement,
7550 <xref linkend="the_sortlist_statement"/>.
7554 An <command>order_spec</command> is defined as
7558 <optional>class <replaceable>class_name</replaceable></optional>
7559 <optional>type <replaceable>type_name</replaceable></optional>
7560 <optional>name <replaceable>"domain_name"</replaceable></optional>
7561 order <replaceable>ordering</replaceable>
7564 If no class is specified, the default is <command>ANY</command>.
7565 If no type is specified, the default is <command>ANY</command>.
7566 If no name is specified, the default is "<command>*</command>" (asterisk).
7569 The legal values for <command>ordering</command> are:
7571 <informaltable colsep="0" rowsep="0">
7572 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
7573 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
7574 <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
7578 <para><command>fixed</command></para>
7582 Records are returned in the order they
7583 are defined in the zone file.
7589 <para><command>random</command></para>
7593 Records are returned in some random order.
7599 <para><command>cyclic</command></para>
7603 Records are returned in a cyclic round-robin order.
7606 If <acronym>BIND</acronym> is configured with the
7607 "--enable-fixed-rrset" option at compile time, then
7608 the initial ordering of the RRset will match the
7609 one specified in the zone file.
7620 <programlisting>rrset-order {
7621 class IN type A name "host.example.com" order random;
7627 will cause any responses for type A records in class IN that
7628 have "<literal>host.example.com</literal>" as a
7629 suffix, to always be returned
7630 in random order. All other records are returned in cyclic order.
7633 If multiple <command>rrset-order</command> statements
7635 they are not combined — the last one applies.
7640 In this release of <acronym>BIND</acronym> 9, the
7641 <command>rrset-order</command> statement does not support
7642 "fixed" ordering by default. Fixed ordering can be enabled
7643 at compile time by specifying "--enable-fixed-rrset" on
7644 the "configure" command line.
7650 <title>Tuning</title>
7655 <term><command>lame-ttl</command></term>
7658 Sets the number of seconds to cache a
7659 lame server indication. 0 disables caching. (This is
7660 <emphasis role="bold">NOT</emphasis> recommended.)
7661 The default is <literal>600</literal> (10 minutes) and the
7663 <literal>1800</literal> (30 minutes).
7670 <term><command>max-ncache-ttl</command></term>
7673 To reduce network traffic and increase performance,
7674 the server stores negative answers. <command>max-ncache-ttl</command> is
7675 used to set a maximum retention time for these answers in
7677 in seconds. The default
7678 <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
7679 <command>max-ncache-ttl</command> cannot exceed
7681 be silently truncated to 7 days if set to a greater value.
7687 <term><command>max-cache-ttl</command></term>
7690 Sets the maximum time for which the server will
7691 cache ordinary (positive) answers. The default is
7693 A value of zero may cause all queries to return
7694 SERVFAIL, because of lost caches of intermediate
7695 RRsets (such as NS and glue AAAA/A records) in the
7702 <term><command>min-roots</command></term>
7705 The minimum number of root servers that
7706 is required for a request for the root servers to be
7707 accepted. The default
7708 is <userinput>2</userinput>.
7712 Not implemented in <acronym>BIND</acronym> 9.
7719 <term><command>sig-validity-interval</command></term>
7722 Specifies the number of days into the future when
7723 DNSSEC signatures automatically generated as a
7724 result of dynamic updates (<xref
7725 linkend="dynamic_update"/>) will expire. There
7726 is a optional second field which specifies how
7727 long before expiry that the signatures will be
7728 regenerated. If not specified, the signatures will
7729 be regenerated at 1/4 of base interval. The second
7730 field is specified in days if the base interval is
7731 greater than 7 days otherwise it is specified in hours.
7732 The default base interval is <literal>30</literal> days
7733 giving a re-signing interval of 7 1/2 days. The maximum
7734 values are 10 years (3660 days).
7737 The signature inception time is unconditionally
7738 set to one hour before the current time to allow
7739 for a limited amount of clock skew.
7742 The <command>sig-validity-interval</command>
7743 should be, at least, several multiples of the SOA
7744 expire interval to allow for reasonable interaction
7745 between the various timer and expiry dates.
7751 <term><command>sig-signing-nodes</command></term>
7754 Specify the maximum number of nodes to be
7755 examined in each quantum when signing a zone with
7756 a new DNSKEY. The default is
7757 <literal>100</literal>.
7763 <term><command>sig-signing-signatures</command></term>
7766 Specify a threshold number of signatures that
7767 will terminate processing a quantum when signing
7768 a zone with a new DNSKEY. The default is
7769 <literal>10</literal>.
7775 <term><command>sig-signing-type</command></term>
7778 Specify a private RDATA type to be used when generating
7779 key signing records. The default is
7780 <literal>65535</literal>.
7783 It is expected that this parameter may be removed
7784 in a future version once there is a standard type.
7790 <term><command>min-refresh-time</command></term>
7791 <term><command>max-refresh-time</command></term>
7792 <term><command>min-retry-time</command></term>
7793 <term><command>max-retry-time</command></term>
7796 These options control the server's behavior on refreshing a
7798 (querying for SOA changes) or retrying failed transfers.
7799 Usually the SOA values for the zone are used, but these
7801 are set by the master, giving slave server administrators
7803 control over their contents.
7806 These options allow the administrator to set a minimum and
7808 refresh and retry time either per-zone, per-view, or
7810 These options are valid for slave and stub zones,
7811 and clamp the SOA refresh and retry times to the specified
7818 <term><command>edns-udp-size</command></term>
7821 Sets the advertised EDNS UDP buffer size in bytes
7822 to control the size of packets received.
7823 Valid values are 512 to 4096 (values outside this range
7824 will be silently adjusted). The default value
7825 is 4096. The usual reason for setting
7826 <command>edns-udp-size</command> to a non-default
7827 value is to get UDP answers to pass through broken
7828 firewalls that block fragmented packets and/or
7829 block UDP packets that are greater than 512 bytes.
7835 <term><command>max-udp-size</command></term>
7838 Sets the maximum EDNS UDP message size <command>named</command> will
7839 send in bytes. Valid values are 512 to 4096 (values outside
7840 this range will be silently adjusted). The default
7841 value is 4096. The usual reason for setting
7842 <command>max-udp-size</command> to a non-default value is to get UDP
7843 answers to pass through broken firewalls that
7844 block fragmented packets and/or block UDP packets
7845 that are greater than 512 bytes.
7846 This is independent of the advertised receive
7847 buffer (<command>edns-udp-size</command>).
7853 <term><command>masterfile-format</command></term>
7856 the file format of zone files (see
7857 <xref linkend="zonefile_format"/>).
7858 The default value is <constant>text</constant>, which is the
7859 standard textual representation. Files in other formats
7860 than <constant>text</constant> are typically expected
7861 to be generated by the <command>named-compilezone</command> tool.
7862 Note that when a zone file in a different format than
7863 <constant>text</constant> is loaded, <command>named</command>
7864 may omit some of the checks which would be performed for a
7865 file in the <constant>text</constant> format. In particular,
7866 <command>check-names</command> checks do not apply
7867 for the <constant>raw</constant> format. This means
7868 a zone file in the <constant>raw</constant> format
7869 must be generated with the same check level as that
7870 specified in the <command>named</command> configuration
7871 file. This statement sets the
7872 <command>masterfile-format</command> for all zones,
7873 but can be overridden on a per-zone or per-view basis
7874 by including a <command>masterfile-format</command>
7875 statement within the <command>zone</command> or
7876 <command>view</command> block in the configuration
7882 <varlistentry id="clients-per-query">
7883 <term><command>clients-per-query</command></term>
7884 <term><command>max-clients-per-query</command></term>
7887 initial value (minimum) and maximum number of recursive
7888 simultaneous clients for any given query
7889 (<qname,qtype,qclass>) that the server will accept
7890 before dropping additional clients. <command>named</command> will attempt to
7891 self tune this value and changes will be logged. The
7892 default values are 10 and 100.
7895 This value should reflect how many queries come in for
7896 a given name in the time it takes to resolve that name.
7897 If the number of queries exceed this value, <command>named</command> will
7898 assume that it is dealing with a non-responsive zone
7899 and will drop additional queries. If it gets a response
7900 after dropping queries, it will raise the estimate. The
7901 estimate will then be lowered in 20 minutes if it has
7905 If <command>clients-per-query</command> is set to zero,
7906 then there is no limit on the number of clients per query
7907 and no queries will be dropped.
7910 If <command>max-clients-per-query</command> is set to zero,
7911 then there is no upper bound other than imposed by
7912 <command>recursive-clients</command>.
7918 <term><command>notify-delay</command></term>
7921 The delay, in seconds, between sending sets of notify
7922 messages for a zone. The default is zero.
7930 <sect3 id="builtin">
7931 <title>Built-in server information zones</title>
7934 The server provides some helpful diagnostic information
7935 through a number of built-in zones under the
7936 pseudo-top-level-domain <literal>bind</literal> in the
7937 <command>CHAOS</command> class. These zones are part
7939 built-in view (see <xref linkend="view_statement_grammar"/>) of
7941 <command>CHAOS</command> which is separate from the
7943 class <command>IN</command>; therefore, any global
7945 such as <command>allow-query</command> do not apply
7947 If you feel the need to disable these zones, use the options
7948 below, or hide the built-in <command>CHAOS</command>
7950 defining an explicit view of class <command>CHAOS</command>
7951 that matches all clients.
7957 <term><command>version</command></term>
7960 The version the server should report
7961 via a query of the name <literal>version.bind</literal>
7962 with type <command>TXT</command>, class <command>CHAOS</command>.
7963 The default is the real version number of this server.
7964 Specifying <command>version none</command>
7965 disables processing of the queries.
7971 <term><command>hostname</command></term>
7974 The hostname the server should report via a query of
7975 the name <filename>hostname.bind</filename>
7976 with type <command>TXT</command>, class <command>CHAOS</command>.
7977 This defaults to the hostname of the machine hosting the
7979 found by the gethostname() function. The primary purpose of such queries
7981 identify which of a group of anycast servers is actually
7982 answering your queries. Specifying <command>hostname none;</command>
7983 disables processing of the queries.
7989 <term><command>server-id</command></term>
7992 The ID the server should report when receiving a Name
7993 Server Identifier (NSID) query, or a query of the name
7994 <filename>ID.SERVER</filename> with type
7995 <command>TXT</command>, class <command>CHAOS</command>.
7996 The primary purpose of such queries is to
7997 identify which of a group of anycast servers is actually
7998 answering your queries. Specifying <command>server-id none;</command>
7999 disables processing of the queries.
8000 Specifying <command>server-id hostname;</command> will cause <command>named</command> to
8001 use the hostname as found by the gethostname() function.
8002 The default <command>server-id</command> is <command>none</command>.
8012 <title>Built-in Empty Zones</title>
8014 Named has some built-in empty zones (SOA and NS records only).
8015 These are for zones that should normally be answered locally
8016 and which queries should not be sent to the Internet's root
8017 servers. The official servers which cover these namespaces
8018 return NXDOMAIN responses to these queries. In particular,
8019 these cover the reverse namespace for addresses from RFC 1918 and
8020 RFC 3330. They also include the reverse namespace for IPv6 local
8021 address (locally assigned), IPv6 link local addresses, the IPv6
8022 loopback address and the IPv6 unknown address.
8025 Named will attempt to determine if a built-in zone already exists
8026 or is active (covered by a forward-only forwarding declaration)
8027 and will not create a empty zone in that case.
8030 The current list of empty zones is:
8032 <!-- XXX: The RFC1918 addresses are #defined out in sources currently.
8033 <listitem>10.IN-ADDR.ARPA</listitem>
8034 <listitem>16.172.IN-ADDR.ARPA</listitem>
8035 <listitem>17.172.IN-ADDR.ARPA</listitem>
8036 <listitem>18.172.IN-ADDR.ARPA</listitem>
8037 <listitem>19.172.IN-ADDR.ARPA</listitem>
8038 <listitem>20.172.IN-ADDR.ARPA</listitem>
8039 <listitem>21.172.IN-ADDR.ARPA</listitem>
8040 <listitem>22.172.IN-ADDR.ARPA</listitem>
8041 <listitem>23.172.IN-ADDR.ARPA</listitem>
8042 <listitem>24.172.IN-ADDR.ARPA</listitem>
8043 <listitem>25.172.IN-ADDR.ARPA</listitem>
8044 <listitem>26.172.IN-ADDR.ARPA</listitem>
8045 <listitem>27.172.IN-ADDR.ARPA</listitem>
8046 <listitem>28.172.IN-ADDR.ARPA</listitem>
8047 <listitem>29.172.IN-ADDR.ARPA</listitem>
8048 <listitem>30.172.IN-ADDR.ARPA</listitem>
8049 <listitem>31.172.IN-ADDR.ARPA</listitem>
8050 <listitem>168.192.IN-ADDR.ARPA</listitem>
8051 XXX: end of RFC1918 addresses #defined out -->
8052 <listitem>0.IN-ADDR.ARPA</listitem>
8053 <listitem>127.IN-ADDR.ARPA</listitem>
8054 <listitem>254.169.IN-ADDR.ARPA</listitem>
8055 <listitem>2.0.192.IN-ADDR.ARPA</listitem>
8056 <listitem>255.255.255.255.IN-ADDR.ARPA</listitem>
8057 <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
8058 <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
8059 <listitem>D.F.IP6.ARPA</listitem>
8060 <listitem>8.E.F.IP6.ARPA</listitem>
8061 <listitem>9.E.F.IP6.ARPA</listitem>
8062 <listitem>A.E.F.IP6.ARPA</listitem>
8063 <listitem>B.E.F.IP6.ARPA</listitem>
8067 Empty zones are settable at the view level and only apply to
8068 views of class IN. Disabled empty zones are only inherited
8069 from options if there are no disabled empty zones specified
8070 at the view level. To override the options list of disabled
8071 zones, you can disable the root zone at the view level, for example:
8073 disable-empty-zone ".";
8077 If you are using the address ranges covered here, you should
8078 already have reverse zones covering the addresses you use.
8079 In practice this appears to not be the case with many queries
8080 being made to the infrastructure servers for names in these
8081 spaces. So many in fact that sacrificial servers were needed
8082 to be deployed to channel the query load away from the
8083 infrastructure servers.
8086 The real parent servers for these zones should disable all
8087 empty zone under the parent zone they serve. For the real
8088 root servers, this is all built-in empty zones. This will
8089 enable them to return referrals to deeper in the tree.
8093 <term><command>empty-server</command></term>
8096 Specify what server name will appear in the returned
8097 SOA record for empty zones. If none is specified, then
8098 the zone's name will be used.
8104 <term><command>empty-contact</command></term>
8107 Specify what contact name will appear in the returned
8108 SOA record for empty zones. If none is specified, then
8115 <term><command>empty-zones-enable</command></term>
8118 Enable or disable all empty zones. By default, they
8125 <term><command>disable-empty-zone</command></term>
8128 Disable individual empty zones. By default, none are
8129 disabled. This option can be specified multiple times.
8137 <title>Additional Section Caching</title>
8140 The additional section cache, also called <command>acache</command>,
8141 is an internal cache to improve the response performance of BIND 9.
8142 When additional section caching is enabled, BIND 9 will
8143 cache an internal short-cut to the additional section content for
8145 Note that <command>acache</command> is an internal caching
8146 mechanism of BIND 9, and is not related to the DNS caching
8151 Additional section caching does not change the
8152 response content (except the RRsets ordering of the additional
8153 section, see below), but can improve the response performance
8155 It is particularly effective when BIND 9 acts as an authoritative
8156 server for a zone that has many delegations with many glue RRs.
8160 In order to obtain the maximum performance improvement
8161 from additional section caching, setting
8162 <command>additional-from-cache</command>
8163 to <command>no</command> is recommended, since the current
8164 implementation of <command>acache</command>
8165 does not short-cut of additional section information from the
8170 One obvious disadvantage of <command>acache</command> is
8171 that it requires much more
8172 memory for the internal cached data.
8173 Thus, if the response performance does not matter and memory
8174 consumption is much more critical, the
8175 <command>acache</command> mechanism can be
8176 disabled by setting <command>acache-enable</command> to
8177 <command>no</command>.
8178 It is also possible to specify the upper limit of memory
8180 for acache by using <command>max-acache-size</command>.
8184 Additional section caching also has a minor effect on the
8185 RRset ordering in the additional section.
8186 Without <command>acache</command>,
8187 <command>cyclic</command> order is effective for the additional
8188 section as well as the answer and authority sections.
8189 However, additional section caching fixes the ordering when it
8190 first caches an RRset for the additional section, and the same
8191 ordering will be kept in succeeding responses, regardless of the
8192 setting of <command>rrset-order</command>.
8193 The effect of this should be minor, however, since an
8194 RRset in the additional section
8195 typically only contains a small number of RRs (and in many cases
8196 it only contains a single RR), in which case the
8197 ordering does not matter much.
8201 The following is a summary of options related to
8202 <command>acache</command>.
8208 <term><command>acache-enable</command></term>
8211 If <command>yes</command>, additional section caching is
8212 enabled. The default value is <command>no</command>.
8218 <term><command>acache-cleaning-interval</command></term>
8221 The server will remove stale cache entries, based on an LRU
8223 algorithm, every <command>acache-cleaning-interval</command> minutes.
8224 The default is 60 minutes.
8225 If set to 0, no periodic cleaning will occur.
8231 <term><command>max-acache-size</command></term>
8234 The maximum amount of memory in bytes to use for the server's acache.
8235 When the amount of data in the acache reaches this limit,
8237 will clean more aggressively so that the limit is not
8239 In a server with multiple views, the limit applies
8241 acache of each view.
8242 The default is <literal>16M</literal>.
8253 <sect2 id="server_statement_grammar">
8254 <title><command>server</command> Statement Grammar</title>
8256 <programlisting><command>server</command> <replaceable>ip_addr[/prefixlen]</replaceable> {
8257 <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
8258 <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
8259 <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
8260 <optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
8261 <optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
8262 <optional> max-udp-size <replaceable>number</replaceable> ; </optional>
8263 <optional> transfers <replaceable>number</replaceable> ; </optional>
8264 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
8265 <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
8266 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8267 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8268 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8269 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8270 <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
8271 <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
8272 <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
8273 <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
8274 <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
8280 <sect2 id="server_statement_definition_and_usage">
8281 <title><command>server</command> Statement Definition and
8285 The <command>server</command> statement defines
8287 to be associated with a remote name server. If a prefix length is
8288 specified, then a range of servers is covered. Only the most
8290 server clause applies regardless of the order in
8291 <filename>named.conf</filename>.
8295 The <command>server</command> statement can occur at
8296 the top level of the
8297 configuration file or inside a <command>view</command>
8299 If a <command>view</command> statement contains
8300 one or more <command>server</command> statements, only
8302 apply to the view and any top-level ones are ignored.
8303 If a view contains no <command>server</command>
8305 any top-level <command>server</command> statements are
8311 If you discover that a remote server is giving out bad data,
8312 marking it as bogus will prevent further queries to it. The
8314 value of <command>bogus</command> is <command>no</command>.
8317 The <command>provide-ixfr</command> clause determines
8319 the local server, acting as master, will respond with an
8321 zone transfer when the given remote server, a slave, requests it.
8322 If set to <command>yes</command>, incremental transfer
8324 whenever possible. If set to <command>no</command>,
8326 to the remote server will be non-incremental. If not set, the
8328 of the <command>provide-ixfr</command> option in the
8330 global options block is used as a default.
8334 The <command>request-ixfr</command> clause determines
8336 the local server, acting as a slave, will request incremental zone
8337 transfers from the given remote server, a master. If not set, the
8338 value of the <command>request-ixfr</command> option in
8340 global options block is used as a default.
8344 IXFR requests to servers that do not support IXFR will
8346 fall back to AXFR. Therefore, there is no need to manually list
8347 which servers support IXFR and which ones do not; the global
8349 of <command>yes</command> should always work.
8350 The purpose of the <command>provide-ixfr</command> and
8351 <command>request-ixfr</command> clauses is
8352 to make it possible to disable the use of IXFR even when both
8354 and slave claim to support it, for example if one of the servers
8355 is buggy and crashes or corrupts data when IXFR is used.
8359 The <command>edns</command> clause determines whether
8360 the local server will attempt to use EDNS when communicating
8361 with the remote server. The default is <command>yes</command>.
8365 The <command>edns-udp-size</command> option sets the EDNS UDP size
8366 that is advertised by <command>named</command> when querying the remote server.
8367 Valid values are 512 to 4096 bytes (values outside this range will be
8368 silently adjusted). This option is useful when you wish to
8369 advertises a different value to this server than the value you
8370 advertise globally, for example, when there is a firewall at the
8371 remote site that is blocking large replies.
8375 The <command>max-udp-size</command> option sets the
8376 maximum EDNS UDP message size <command>named</command> will send. Valid
8377 values are 512 to 4096 bytes (values outside this range will
8378 be silently adjusted). This option is useful when you
8379 know that there is a firewall that is blocking large
8380 replies from <command>named</command>.
8384 The server supports two zone transfer methods. The first, <command>one-answer</command>,
8385 uses one DNS message per resource record transferred. <command>many-answers</command> packs
8386 as many resource records as possible into a message. <command>many-answers</command> is
8387 more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
8388 8.x, and patched versions of <acronym>BIND</acronym>
8389 4.9.5. You can specify which method
8390 to use for a server with the <command>transfer-format</command> option.
8391 If <command>transfer-format</command> is not
8392 specified, the <command>transfer-format</command>
8394 by the <command>options</command> statement will be
8398 <para><command>transfers</command>
8399 is used to limit the number of concurrent inbound zone
8400 transfers from the specified server. If no
8401 <command>transfers</command> clause is specified, the
8402 limit is set according to the
8403 <command>transfers-per-ns</command> option.
8407 The <command>keys</command> clause identifies a
8408 <command>key_id</command> defined by the <command>key</command> statement,
8409 to be used for transaction security (TSIG, <xref linkend="tsig"/>)
8410 when talking to the remote server.
8411 When a request is sent to the remote server, a request signature
8412 will be generated using the key specified here and appended to the
8413 message. A request originating from the remote server is not
8415 to be signed by this key.
8419 Although the grammar of the <command>keys</command>
8421 allows for multiple keys, only a single key per server is
8427 The <command>transfer-source</command> and
8428 <command>transfer-source-v6</command> clauses specify
8429 the IPv4 and IPv6 source
8430 address to be used for zone transfer with the remote server,
8432 For an IPv4 remote server, only <command>transfer-source</command> can
8434 Similarly, for an IPv6 remote server, only
8435 <command>transfer-source-v6</command> can be
8437 For more details, see the description of
8438 <command>transfer-source</command> and
8439 <command>transfer-source-v6</command> in
8440 <xref linkend="zone_transfers"/>.
8444 The <command>notify-source</command> and
8445 <command>notify-source-v6</command> clauses specify the
8446 IPv4 and IPv6 source address to be used for notify
8447 messages sent to remote servers, respectively. For an
8448 IPv4 remote server, only <command>notify-source</command>
8449 can be specified. Similarly, for an IPv6 remote server,
8450 only <command>notify-source-v6</command> can be specified.
8454 The <command>query-source</command> and
8455 <command>query-source-v6</command> clauses specify the
8456 IPv4 and IPv6 source address to be used for queries
8457 sent to remote servers, respectively. For an IPv4
8458 remote server, only <command>query-source</command> can
8459 be specified. Similarly, for an IPv6 remote server,
8460 only <command>query-source-v6</command> can be specified.
8465 <sect2 id="statschannels">
8466 <title><command>statistics-channels</command> Statement Grammar</title>
8468 <programlisting><command>statistics-channels</command> {
8469 [ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
8476 <title><command>statistics-channels</command> Statement Definition and
8480 The <command>statistics-channels</command> statement
8481 declares communication channels to be used by system
8482 administrators to get access to statistics information of
8487 This statement intends to be flexible to support multiple
8488 communication protocols in the future, but currently only
8489 HTTP access is supported.
8490 It requires that BIND 9 be compiled with libxml2;
8491 the <command>statistics-channels</command> statement is
8492 still accepted even if it is built without the library,
8493 but any HTTP access will fail with an error.
8497 An <command>inet</command> control channel is a TCP socket
8498 listening at the specified <command>ip_port</command> on the
8499 specified <command>ip_addr</command>, which can be an IPv4 or IPv6
8500 address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
8501 interpreted as the IPv4 wildcard address; connections will be
8502 accepted on any of the system's IPv4 addresses.
8503 To listen on the IPv6 wildcard address,
8504 use an <command>ip_addr</command> of <literal>::</literal>.
8508 If no port is specified, port 80 is used for HTTP channels.
8509 The asterisk "<literal>*</literal>" cannot be used for
8510 <command>ip_port</command>.
8514 The attempt of opening a statistics channel is
8515 restricted by the optional <command>allow</command> clause.
8516 Connections to the statistics channel are permitted based on the
8517 <command>address_match_list</command>.
8518 If no <command>allow</command> clause is present,
8519 <command>named</command> accepts connection
8520 attempts from any address; since the statistics may
8521 contain sensitive internal information, it is highly
8522 recommended to restrict the source of connection requests
8527 If no <command>statistics-channels</command> statement is present,
8528 <command>named</command> will not open any communication channels.
8534 <title><command>trusted-keys</command> Statement Grammar</title>
8536 <programlisting><command>trusted-keys</command> {
8537 <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
8538 <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
8544 <title><command>trusted-keys</command> Statement Definition
8547 The <command>trusted-keys</command> statement defines
8548 DNSSEC security roots. DNSSEC is described in <xref
8549 linkend="DNSSEC"/>. A security root is defined when the
8550 public key for a non-authoritative zone is known, but
8551 cannot be securely obtained through DNS, either because
8552 it is the DNS root zone or because its parent zone is
8553 unsigned. Once a key has been configured as a trusted
8554 key, it is treated as if it had been validated and
8555 proven secure. The resolver attempts DNSSEC validation
8556 on all DNS data in subdomains of a security root.
8559 All keys (and corresponding zones) listed in
8560 <command>trusted-keys</command> are deemed to exist regardless
8561 of what parent zones say. Similarly for all keys listed in
8562 <command>trusted-keys</command> only those keys are
8563 used to validate the DNSKEY RRset. The parent's DS RRset
8567 The <command>trusted-keys</command> statement can contain
8568 multiple key entries, each consisting of the key's
8569 domain name, flags, protocol, algorithm, and the Base-64
8570 representation of the key data.
8571 Spaces, tabs, newlines and carriage returns are ignored
8572 in the key data, so the configuration may be split up into
8577 <sect2 id="view_statement_grammar">
8578 <title><command>view</command> Statement Grammar</title>
8580 <programlisting><command>view</command> <replaceable>view_name</replaceable>
8581 <optional><replaceable>class</replaceable></optional> {
8582 match-clients { <replaceable>address_match_list</replaceable> };
8583 match-destinations { <replaceable>address_match_list</replaceable> };
8584 match-recursive-only <replaceable>yes_or_no</replaceable> ;
8585 <optional> <replaceable>view_option</replaceable>; ...</optional>
8586 <optional> <replaceable>zone_statement</replaceable>; ...</optional>
8592 <title><command>view</command> Statement Definition and Usage</title>
8595 The <command>view</command> statement is a powerful
8597 of <acronym>BIND</acronym> 9 that lets a name server
8598 answer a DNS query differently
8599 depending on who is asking. It is particularly useful for
8601 split DNS setups without having to run multiple servers.
8605 Each <command>view</command> statement defines a view
8607 DNS namespace that will be seen by a subset of clients. A client
8609 a view if its source IP address matches the
8610 <varname>address_match_list</varname> of the view's
8611 <command>match-clients</command> clause and its
8612 destination IP address matches
8613 the <varname>address_match_list</varname> of the
8615 <command>match-destinations</command> clause. If not
8617 <command>match-clients</command> and <command>match-destinations</command>
8618 default to matching all addresses. In addition to checking IP
8620 <command>match-clients</command> and <command>match-destinations</command>
8621 can also take <command>keys</command> which provide an
8623 client to select the view. A view can also be specified
8624 as <command>match-recursive-only</command>, which
8625 means that only recursive
8626 requests from matching clients will match that view.
8627 The order of the <command>view</command> statements is
8629 a client request will be resolved in the context of the first
8630 <command>view</command> that it matches.
8634 Zones defined within a <command>view</command>
8636 only be accessible to clients that match the <command>view</command>.
8637 By defining a zone of the same name in multiple views, different
8638 zone data can be given to different clients, for example,
8640 and "external" clients in a split DNS setup.
8644 Many of the options given in the <command>options</command> statement
8645 can also be used within a <command>view</command>
8647 apply only when resolving queries with that view. When no
8649 value is given, the value in the <command>options</command> statement
8650 is used as a default. Also, zone options can have default values
8652 in the <command>view</command> statement; these
8653 view-specific defaults
8654 take precedence over those in the <command>options</command> statement.
8658 Views are class specific. If no class is given, class IN
8659 is assumed. Note that all non-IN views must contain a hint zone,
8660 since only the IN class has compiled-in default hints.
8664 If there are no <command>view</command> statements in
8666 file, a default view that matches any client is automatically
8668 in class IN. Any <command>zone</command> statements
8670 the top level of the configuration file are considered to be part
8672 this default view, and the <command>options</command>
8674 apply to the default view. If any explicit <command>view</command>
8675 statements are present, all <command>zone</command>
8677 occur inside <command>view</command> statements.
8681 Here is an example of a typical split DNS setup implemented
8682 using <command>view</command> statements:
8685 <programlisting>view "internal" {
8686 // This should match our internal networks.
8687 match-clients { 10.0.0.0/8; };
8689 // Provide recursive service to internal clients only.
8692 // Provide a complete view of the example.com zone
8693 // including addresses of internal hosts.
8694 zone "example.com" {
8696 file "example-internal.db";
8701 // Match all clients not matched by the previous view.
8702 match-clients { any; };
8704 // Refuse recursive service to external clients.
8707 // Provide a restricted view of the example.com zone
8708 // containing only publicly accessible hosts.
8709 zone "example.com" {
8711 file "example-external.db";
8717 <sect2 id="zone_statement_grammar">
8718 <title><command>zone</command>
8719 Statement Grammar</title>
8721 <programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8723 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8724 <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
8725 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8726 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
8727 <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
8728 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8729 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8730 <optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8731 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
8732 <optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
8733 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8734 <optional> file <replaceable>string</replaceable> ; </optional>
8735 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8736 <optional> journal <replaceable>string</replaceable> ; </optional>
8737 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
8738 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8739 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8740 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8741 <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
8742 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8743 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8744 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8745 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8746 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8747 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8748 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
8749 <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
8750 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8751 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8752 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8753 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8754 <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
8755 <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
8756 <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
8757 <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
8758 <optional> database <replaceable>string</replaceable> ; </optional>
8759 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8760 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8761 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8762 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8763 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
8764 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8767 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8769 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
8770 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8771 <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
8772 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
8773 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
8774 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
8775 <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
8776 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8777 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8778 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8779 <optional> file <replaceable>string</replaceable> ; </optional>
8780 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8781 <optional> journal <replaceable>string</replaceable> ; </optional>
8782 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
8783 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8784 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8785 <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
8786 <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
8787 <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
8788 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
8789 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8790 <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
8791 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8792 <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
8793 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8794 <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
8795 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
8796 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
8797 <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
8798 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8799 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8800 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8801 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8802 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8803 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8804 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8805 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8806 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8807 <optional> database <replaceable>string</replaceable> ; </optional>
8808 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8809 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8810 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8811 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8812 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8813 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
8816 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8818 file <replaceable>string</replaceable> ;
8819 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8820 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
8823 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8825 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
8826 <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
8827 <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
8828 <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
8829 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8830 <optional> file <replaceable>string</replaceable> ; </optional>
8831 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
8832 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8833 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8834 <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
8835 <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
8836 <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
8837 <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
8838 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8839 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8840 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8841 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
8842 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
8843 <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
8844 <optional> database <replaceable>string</replaceable> ; </optional>
8845 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
8846 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
8847 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
8848 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
8849 <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
8852 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8854 <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
8855 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
8856 <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8859 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8860 type delegation-only;
8867 <title><command>zone</command> Statement Definition and Usage</title>
8869 <title>Zone Types</title>
8870 <informaltable colsep="0" rowsep="0">
8871 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
8872 <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
8873 <!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
8874 <colspec colname="1" colnum="1" colsep="0"/>
8875 <colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
8880 <varname>master</varname>
8885 The server has a master copy of the data
8886 for the zone and will be able to provide authoritative
8895 <varname>slave</varname>
8900 A slave zone is a replica of a master
8901 zone. The <command>masters</command> list
8902 specifies one or more IP addresses
8903 of master servers that the slave contacts to update
8904 its copy of the zone.
8905 Masters list elements can also be names of other
8907 By default, transfers are made from port 53 on the
8909 be changed for all servers by specifying a port number
8911 list of IP addresses, or on a per-server basis after
8913 Authentication to the master can also be done with
8914 per-server TSIG keys.
8915 If a file is specified, then the
8916 replica will be written to this file whenever the zone
8918 and reloaded from this file on a server restart. Use
8920 recommended, since it often speeds server startup and
8922 a needless waste of bandwidth. Note that for large
8924 tens or hundreds of thousands) of zones per server, it
8926 use a two-level naming scheme for zone filenames. For
8928 a slave server for the zone <literal>example.com</literal> might place
8929 the zone contents into a file called
8930 <filename>ex/example.com</filename> where <filename>ex/</filename> is
8931 just the first two letters of the zone name. (Most
8933 behave very slowly if you put 100000 files into
8934 a single directory.)
8941 <varname>stub</varname>
8946 A stub zone is similar to a slave zone,
8947 except that it replicates only the NS records of a
8949 of the entire zone. Stub zones are not a standard part
8951 they are a feature specific to the <acronym>BIND</acronym> implementation.
8955 Stub zones can be used to eliminate the need for glue
8957 in a parent zone at the expense of maintaining a stub
8959 a set of name server addresses in <filename>named.conf</filename>.
8960 This usage is not recommended for new configurations,
8962 supports it only in a limited way.
8963 In <acronym>BIND</acronym> 4/8, zone
8964 transfers of a parent zone
8965 included the NS records from stub children of that
8967 that, in some cases, users could get away with
8968 configuring child stubs
8969 only in the master server for the parent zone. <acronym>BIND</acronym>
8970 9 never mixes together zone data from different zones
8972 way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
8973 zone has child stub zones configured, all the slave
8975 parent zone also need to have the same child stub
8981 Stub zones can also be used as a way of forcing the
8983 of a given domain to use a particular set of
8984 authoritative servers.
8985 For example, the caching name servers on a private
8987 RFC1918 addressing may be configured with stub zones
8989 <literal>10.in-addr.arpa</literal>
8990 to use a set of internal name servers as the
8992 servers for that domain.
8999 <varname>forward</varname>
9004 A "forward zone" is a way to configure
9005 forwarding on a per-domain basis. A <command>zone</command> statement
9006 of type <command>forward</command> can
9007 contain a <command>forward</command>
9008 and/or <command>forwarders</command>
9010 which will apply to queries within the domain given by
9012 name. If no <command>forwarders</command>
9013 statement is present or
9014 an empty list for <command>forwarders</command> is given, then no
9015 forwarding will be done for the domain, canceling the
9017 any forwarders in the <command>options</command> statement. Thus
9018 if you want to use this type of zone to change the
9020 global <command>forward</command> option
9021 (that is, "forward first"
9022 to, then "forward only", or vice versa, but want to
9024 servers as set globally) you need to re-specify the
9032 <varname>hint</varname>
9037 The initial set of root name servers is
9038 specified using a "hint zone". When the server starts
9040 the root hints to find a root name server and get the
9042 list of root name servers. If no hint zone is
9044 IN, the server uses a compiled-in default set of root
9046 Classes other than IN have no built-in defaults hints.
9053 <varname>delegation-only</varname>
9058 This is used to enforce the delegation-only
9059 status of infrastructure zones (e.g. COM,
9060 NET, ORG). Any answer that is received
9061 without an explicit or implicit delegation
9062 in the authority section will be treated
9063 as NXDOMAIN. This does not apply to the
9064 zone apex. This should not be applied to
9068 <varname>delegation-only</varname> has no
9069 effect on answers received from forwarders.
9072 See caveats in <xref linkend="root_delegation_only"/>.
9082 <title>Class</title>
9084 The zone's name may optionally be followed by a class. If
9085 a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
9086 is assumed. This is correct for the vast majority of cases.
9089 The <literal>hesiod</literal> class is
9090 named for an information service from MIT's Project Athena. It
9092 used to share information about various systems databases, such
9093 as users, groups, printers and so on. The keyword
9094 <literal>HS</literal> is
9095 a synonym for hesiod.
9098 Another MIT development is Chaosnet, a LAN protocol created
9099 in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
9104 <title>Zone Options</title>
9109 <term><command>allow-notify</command></term>
9112 See the description of
9113 <command>allow-notify</command> in <xref linkend="access_control"/>.
9119 <term><command>allow-query</command></term>
9122 See the description of
9123 <command>allow-query</command> in <xref linkend="access_control"/>.
9129 <term><command>allow-query-on</command></term>
9132 See the description of
9133 <command>allow-query-on</command> in <xref linkend="access_control"/>.
9139 <term><command>allow-transfer</command></term>
9142 See the description of <command>allow-transfer</command>
9143 in <xref linkend="access_control"/>.
9149 <term><command>allow-update</command></term>
9152 See the description of <command>allow-update</command>
9153 in <xref linkend="access_control"/>.
9159 <term><command>update-policy</command></term>
9162 Specifies a "Simple Secure Update" policy. See
9163 <xref linkend="dynamic_update_policies"/>.
9169 <term><command>allow-update-forwarding</command></term>
9172 See the description of <command>allow-update-forwarding</command>
9173 in <xref linkend="access_control"/>.
9179 <term><command>also-notify</command></term>
9182 Only meaningful if <command>notify</command>
9184 active for this zone. The set of machines that will
9186 <literal>DNS NOTIFY</literal> message
9187 for this zone is made up of all the listed name servers
9189 the primary master) for the zone plus any IP addresses
9191 with <command>also-notify</command>. A port
9193 with each <command>also-notify</command>
9194 address to send the notify
9195 messages to a port other than the default of 53.
9196 <command>also-notify</command> is not
9197 meaningful for stub zones.
9198 The default is the empty list.
9204 <term><command>check-names</command></term>
9207 This option is used to restrict the character set and
9209 certain domain names in master files and/or DNS responses
9211 network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
9212 zones the default is <command>warn</command>.
9218 <term><command>check-mx</command></term>
9221 See the description of
9222 <command>check-mx</command> in <xref linkend="boolean_options"/>.
9228 <term><command>check-wildcard</command></term>
9231 See the description of
9232 <command>check-wildcard</command> in <xref linkend="boolean_options"/>.
9238 <term><command>check-integrity</command></term>
9241 See the description of
9242 <command>check-integrity</command> in <xref linkend="boolean_options"/>.
9248 <term><command>check-sibling</command></term>
9251 See the description of
9252 <command>check-sibling</command> in <xref linkend="boolean_options"/>.
9258 <term><command>zero-no-soa-ttl</command></term>
9261 See the description of
9262 <command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
9268 <term><command>update-check-ksk</command></term>
9271 See the description of
9272 <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
9278 <term><command>try-tcp-refresh</command></term>
9281 See the description of
9282 <command>try-tcp-refresh</command> in <xref linkend="boolean_options"/>.
9288 <term><command>database</command></term>
9291 Specify the type of database to be used for storing the
9292 zone data. The string following the <command>database</command> keyword
9293 is interpreted as a list of whitespace-delimited words.
9295 identifies the database type, and any subsequent words are
9297 as arguments to the database to be interpreted in a way
9299 to the database type.
9302 The default is <userinput>"rbt"</userinput>, BIND 9's
9304 red-black-tree database. This database does not take
9308 Other values are possible if additional database drivers
9309 have been linked into the server. Some sample drivers are
9311 with the distribution but none are linked in by default.
9317 <term><command>dialup</command></term>
9320 See the description of
9321 <command>dialup</command> in <xref linkend="boolean_options"/>.
9327 <term><command>delegation-only</command></term>
9330 The flag only applies to hint and stub zones. If set
9331 to <userinput>yes</userinput>, then the zone will also be
9332 treated as if it is also a delegation-only type zone.
9335 See caveats in <xref linkend="root_delegation_only"/>.
9341 <term><command>forward</command></term>
9344 Only meaningful if the zone has a forwarders
9345 list. The <command>only</command> value causes
9347 after trying the forwarders and getting no answer, while <command>first</command> would
9348 allow a normal lookup to be tried.
9354 <term><command>forwarders</command></term>
9357 Used to override the list of global forwarders.
9358 If it is not specified in a zone of type <command>forward</command>,
9359 no forwarding is done for the zone and the global options are
9366 <term><command>ixfr-base</command></term>
9369 Was used in <acronym>BIND</acronym> 8 to
9371 of the transaction log (journal) file for dynamic update
9373 <acronym>BIND</acronym> 9 ignores the option
9374 and constructs the name of the journal
9375 file by appending "<filename>.jnl</filename>"
9383 <term><command>ixfr-tmp-file</command></term>
9386 Was an undocumented option in <acronym>BIND</acronym> 8.
9387 Ignored in <acronym>BIND</acronym> 9.
9393 <term><command>journal</command></term>
9396 Allow the default journal's filename to be overridden.
9397 The default is the zone's filename with "<filename>.jnl</filename>" appended.
9398 This is applicable to <command>master</command> and <command>slave</command> zones.
9404 <term><command>max-journal-size</command></term>
9407 See the description of
9408 <command>max-journal-size</command> in <xref linkend="server_resource_limits"/>.
9414 <term><command>max-transfer-time-in</command></term>
9417 See the description of
9418 <command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
9424 <term><command>max-transfer-idle-in</command></term>
9427 See the description of
9428 <command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
9434 <term><command>max-transfer-time-out</command></term>
9437 See the description of
9438 <command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
9444 <term><command>max-transfer-idle-out</command></term>
9447 See the description of
9448 <command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
9454 <term><command>notify</command></term>
9457 See the description of
9458 <command>notify</command> in <xref linkend="boolean_options"/>.
9464 <term><command>notify-delay</command></term>
9467 See the description of
9468 <command>notify-delay</command> in <xref linkend="tuning"/>.
9474 <term><command>notify-to-soa</command></term>
9477 See the description of
9478 <command>notify-to-soa</command> in
9479 <xref linkend="boolean_options"/>.
9485 <term><command>pubkey</command></term>
9488 In <acronym>BIND</acronym> 8, this option was
9489 intended for specifying
9490 a public zone key for verification of signatures in DNSSEC
9492 zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
9493 on load and ignores the option.
9499 <term><command>zone-statistics</command></term>
9502 If <userinput>yes</userinput>, the server will keep
9504 information for this zone, which can be dumped to the
9505 <command>statistics-file</command> defined in
9512 <term><command>sig-validity-interval</command></term>
9515 See the description of
9516 <command>sig-validity-interval</command> in <xref linkend="tuning"/>.
9522 <term><command>sig-signing-nodes</command></term>
9525 See the description of
9526 <command>sig-signing-nodes</command> in <xref linkend="tuning"/>.
9532 <term><command>sig-signing-signatures</command></term>
9535 See the description of
9536 <command>sig-signing-signatures</command> in <xref linkend="tuning"/>.
9542 <term><command>sig-signing-type</command></term>
9545 See the description of
9546 <command>sig-signing-type</command> in <xref linkend="tuning"/>.
9552 <term><command>transfer-source</command></term>
9555 See the description of
9556 <command>transfer-source</command> in <xref linkend="zone_transfers"/>.
9562 <term><command>transfer-source-v6</command></term>
9565 See the description of
9566 <command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9572 <term><command>alt-transfer-source</command></term>
9575 See the description of
9576 <command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9582 <term><command>alt-transfer-source-v6</command></term>
9585 See the description of
9586 <command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9592 <term><command>use-alt-transfer-source</command></term>
9595 See the description of
9596 <command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9603 <term><command>notify-source</command></term>
9606 See the description of
9607 <command>notify-source</command> in <xref linkend="zone_transfers"/>.
9613 <term><command>notify-source-v6</command></term>
9616 See the description of
9617 <command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
9623 <term><command>min-refresh-time</command></term>
9624 <term><command>max-refresh-time</command></term>
9625 <term><command>min-retry-time</command></term>
9626 <term><command>max-retry-time</command></term>
9629 See the description in <xref linkend="tuning"/>.
9635 <term><command>ixfr-from-differences</command></term>
9638 See the description of
9639 <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
9640 (Note that the <command>ixfr-from-differences</command>
9641 <userinput>master</userinput> and
9642 <userinput>slave</userinput> choices are not
9643 available at the zone level.)
9649 <term><command>key-directory</command></term>
9652 See the description of
9653 <command>key-directory</command> in <xref linkend="options"/>.
9659 <term><command>multi-master</command></term>
9662 See the description of <command>multi-master</command> in
9663 <xref linkend="boolean_options"/>.
9669 <term><command>masterfile-format</command></term>
9672 See the description of <command>masterfile-format</command>
9673 in <xref linkend="tuning"/>.
9681 <sect3 id="dynamic_update_policies">
9682 <title>Dynamic Update Policies</title>
9683 <para><acronym>BIND</acronym> 9 supports two alternative
9684 methods of granting clients the right to perform
9685 dynamic updates to a zone, configured by the
9686 <command>allow-update</command> and
9687 <command>update-policy</command> option, respectively.
9690 The <command>allow-update</command> clause works the
9691 same way as in previous versions of <acronym>BIND</acronym>.
9692 It grants given clients the permission to update any
9693 record of any name in the zone.
9696 The <command>update-policy</command> clause is new
9697 in <acronym>BIND</acronym> 9 and allows more fine-grained
9698 control over what updates are allowed. A set of rules
9699 is specified, where each rule either grants or denies
9700 permissions for one or more names to be updated by
9701 one or more identities. If the dynamic update request
9702 message is signed (that is, it includes either a TSIG
9703 or SIG(0) record), the identity of the signer can be
9707 Rules are specified in the <command>update-policy</command>
9708 zone option, and are only meaningful for master zones.
9709 When the <command>update-policy</command> statement
9710 is present, it is a configuration error for the
9711 <command>allow-update</command> statement to be
9712 present. The <command>update-policy</command> statement
9713 only examines the signer of a message; the source
9714 address is not relevant.
9718 This is how a rule definition looks:
9722 ( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
9726 Each rule grants or denies privileges. Once a message has
9727 successfully matched a rule, the operation is immediately
9729 or denied and no further rules are examined. A rule is matched
9730 when the signer matches the identity field, the name matches the
9731 name field in accordance with the nametype field, and the type
9733 the types specified in the type field.
9736 No signer is required for <replaceable>tcp-self</replaceable>
9737 or <replaceable>6to4-self</replaceable> however the standard
9738 reverse mapping / prefix conversion must match the identity
9742 The identity field specifies a name or a wildcard
9743 name. Normally, this is the name of the TSIG or
9744 SIG(0) key used to sign the update request. When a
9745 TKEY exchange has been used to create a shared secret,
9746 the identity of the shared secret is the same as the
9747 identity of the key used to authenticate the TKEY
9748 exchange. TKEY is also the negotiation method used
9749 by GSS-TSIG, which establishes an identity that is
9750 the Kerberos principal of the client, such as
9751 <userinput>"user@host.domain"</userinput>. When the
9752 <replaceable>identity</replaceable> field specifies
9753 a wildcard name, it is subject to DNS wildcard
9754 expansion, so the rule will apply to multiple identities.
9755 The <replaceable>identity</replaceable> field must
9756 contain a fully-qualified domain name.
9760 The <replaceable>nametype</replaceable> field has 12
9762 <varname>name</varname>, <varname>subdomain</varname>,
9763 <varname>wildcard</varname>, <varname>self</varname>,
9764 <varname>selfsub</varname>, <varname>selfwild</varname>,
9765 <varname>krb5-self</varname>, <varname>ms-self</varname>,
9766 <varname>krb5-subdomain</varname>,
9767 <varname>ms-subdomain</varname>,
9768 <varname>tcp-self</varname> and <varname>6to4-self</varname>.
9771 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9772 <colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
9773 <colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
9778 <varname>name</varname>
9780 </entry> <entry colname="2">
9782 Exact-match semantics. This rule matches
9783 when the name being updated is identical
9784 to the contents of the
9785 <replaceable>name</replaceable> field.
9792 <varname>subdomain</varname>
9794 </entry> <entry colname="2">
9796 This rule matches when the name being updated
9797 is a subdomain of, or identical to, the
9798 contents of the <replaceable>name</replaceable>
9806 <varname>wildcard</varname>
9808 </entry> <entry colname="2">
9810 The <replaceable>name</replaceable> field
9811 is subject to DNS wildcard expansion, and
9812 this rule matches when the name being updated
9813 name is a valid expansion of the wildcard.
9820 <varname>self</varname>
9825 This rule matches when the name being updated
9826 matches the contents of the
9827 <replaceable>identity</replaceable> field.
9828 The <replaceable>name</replaceable> field
9829 is ignored, but should be the same as the
9830 <replaceable>identity</replaceable> field.
9831 The <varname>self</varname> nametype is
9832 most useful when allowing using one key per
9833 name to update, where the key has the same
9834 name as the name to be updated. The
9835 <replaceable>identity</replaceable> would
9836 be specified as <constant>*</constant> (an asterisk) in
9844 <varname>selfsub</varname>
9846 </entry> <entry colname="2">
9848 This rule is similar to <varname>self</varname>
9849 except that subdomains of <varname>self</varname>
9850 can also be updated.
9857 <varname>selfwild</varname>
9859 </entry> <entry colname="2">
9861 This rule is similar to <varname>self</varname>
9862 except that only subdomains of
9863 <varname>self</varname> can be updated.
9870 <varname>tcp-self</varname>
9872 </entry> <entry colname="2">
9874 Allow updates that have been sent via TCP and
9875 for which the standard mapping from the initiating
9876 IP address into the IN-ADDR.ARPA and IP6.ARPA
9877 namespaces match the name to be updated.
9880 It is theoretically possible to spoof these TCP
9888 <varname>6to4-self</varname>
9890 </entry> <entry colname="2">
9892 Allow the 6to4 prefix to be update by any TCP
9893 conection from the 6to4 network or from the
9894 corresponding IPv4 address. This is intended
9895 to allow NS or DNAME RRsets to be added to the
9899 It is theoretically possible to spoof these TCP
9909 In all cases, the <replaceable>name</replaceable>
9911 specify a fully-qualified domain name.
9915 If no types are explicitly specified, this rule matches
9916 all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
9917 may be specified by name, including "ANY" (ANY matches
9918 all types except NSEC and NSEC3, which can never be
9919 updated). Note that when an attempt is made to delete
9920 all records associated with a name, the rules are
9921 checked for each existing record type.
9927 <title>Zone File</title>
9928 <sect2 id="types_of_resource_records_and_when_to_use_them">
9929 <title>Types of Resource Records and When to Use Them</title>
9931 This section, largely borrowed from RFC 1034, describes the
9932 concept of a Resource Record (RR) and explains when each is used.
9933 Since the publication of RFC 1034, several new RRs have been
9935 and implemented in the DNS. These are also included.
9938 <title>Resource Records</title>
9941 A domain name identifies a node. Each node has a set of
9942 resource information, which may be empty. The set of resource
9943 information associated with a particular name is composed of
9944 separate RRs. The order of RRs in a set is not significant and
9945 need not be preserved by name servers, resolvers, or other
9946 parts of the DNS. However, sorting of multiple RRs is
9947 permitted for optimization purposes, for example, to specify
9948 that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
9952 The components of a Resource Record are:
9954 <informaltable colsep="0" rowsep="0">
9955 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9956 <colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
9957 <colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
9967 The domain name where the RR is found.
9979 An encoded 16-bit value that specifies
9980 the type of the resource record.
9992 The time-to-live of the RR. This field
9993 is a 32-bit integer in units of seconds, and is
9995 resolvers when they cache RRs. The TTL describes how
9997 be cached before it should be discarded.
10002 <entry colname="1">
10007 <entry colname="2">
10009 An encoded 16-bit value that identifies
10010 a protocol family or instance of a protocol.
10015 <entry colname="1">
10020 <entry colname="2">
10022 The resource data. The format of the
10023 data is type (and sometimes class) specific.
10031 The following are <emphasis>types</emphasis> of valid RRs:
10033 <informaltable colsep="0" rowsep="0">
10034 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10035 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
10036 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
10039 <entry colname="1">
10044 <entry colname="2">
10046 A host address. In the IN class, this is a
10047 32-bit IP address. Described in RFC 1035.
10052 <entry colname="1">
10057 <entry colname="2">
10059 IPv6 address. Described in RFC 1886.
10064 <entry colname="1">
10069 <entry colname="2">
10071 IPv6 address. This can be a partial
10072 address (a suffix) and an indirection to the name
10073 where the rest of the
10074 address (the prefix) can be found. Experimental.
10075 Described in RFC 2874.
10080 <entry colname="1">
10085 <entry colname="2">
10087 Location of AFS database servers.
10088 Experimental. Described in RFC 1183.
10093 <entry colname="1">
10098 <entry colname="2">
10100 Address prefix list. Experimental.
10101 Described in RFC 3123.
10106 <entry colname="1">
10111 <entry colname="2">
10113 Holds a digital certificate.
10114 Described in RFC 2538.
10119 <entry colname="1">
10124 <entry colname="2">
10126 Identifies the canonical name of an alias.
10127 Described in RFC 1035.
10132 <entry colname="1">
10137 <entry colname="2">
10139 Is used for identifying which DHCP client is
10140 associated with this name. Described in RFC 4701.
10145 <entry colname="1">
10150 <entry colname="2">
10152 Replaces the domain name specified with
10153 another name to be looked up, effectively aliasing an
10155 subtree of the domain name space rather than a single
10157 as in the case of the CNAME RR.
10158 Described in RFC 2672.
10163 <entry colname="1">
10168 <entry colname="2">
10170 Stores a public key associated with a signed
10171 DNS zone. Described in RFC 4034.
10176 <entry colname="1">
10181 <entry colname="2">
10183 Stores the hash of a public key associated with a
10184 signed DNS zone. Described in RFC 4034.
10189 <entry colname="1">
10194 <entry colname="2">
10196 Specifies the global position. Superseded by LOC.
10201 <entry colname="1">
10206 <entry colname="2">
10208 Identifies the CPU and OS used by a host.
10209 Described in RFC 1035.
10214 <entry colname="1">
10219 <entry colname="2">
10221 Provides a method for storing IPsec keying material in
10222 DNS. Described in RFC 4025.
10227 <entry colname="1">
10232 <entry colname="2">
10234 Representation of ISDN addresses.
10235 Experimental. Described in RFC 1183.
10240 <entry colname="1">
10245 <entry colname="2">
10247 Stores a public key associated with a
10248 DNS name. Used in original DNSSEC; replaced
10249 by DNSKEY in DNSSECbis, but still used with
10250 SIG(0). Described in RFCs 2535 and 2931.
10255 <entry colname="1">
10260 <entry colname="2">
10262 Identifies a key exchanger for this
10263 DNS name. Described in RFC 2230.
10268 <entry colname="1">
10273 <entry colname="2">
10275 For storing GPS info. Described in RFC 1876.
10281 <entry colname="1">
10286 <entry colname="2">
10288 Identifies a mail exchange for the domain with
10289 a 16-bit preference value (lower is better)
10290 followed by the host name of the mail exchange.
10291 Described in RFC 974, RFC 1035.
10296 <entry colname="1">
10301 <entry colname="2">
10303 Name authority pointer. Described in RFC 2915.
10308 <entry colname="1">
10313 <entry colname="2">
10315 A network service access point.
10316 Described in RFC 1706.
10321 <entry colname="1">
10326 <entry colname="2">
10328 The authoritative name server for the
10329 domain. Described in RFC 1035.
10334 <entry colname="1">
10339 <entry colname="2">
10341 Used in DNSSECbis to securely indicate that
10342 RRs with an owner name in a certain name interval do
10344 a zone and indicate what RR types are present for an
10346 Described in RFC 4034.
10351 <entry colname="1">
10356 <entry colname="2">
10358 Used in DNSSECbis to securely indicate that
10359 RRs with an owner name in a certain name
10360 interval do not exist in a zone and indicate
10361 what RR types are present for an existing
10362 name. NSEC3 differs from NSEC in that it
10363 prevents zone enumeration but is more
10364 computationally expensive on both the server
10365 and the client than NSEC. Described in RFC
10371 <entry colname="1">
10376 <entry colname="2">
10378 Used in DNSSECbis to tell the authoritative
10379 server which NSEC3 chains are available to use.
10380 Described in RFC 5155.
10385 <entry colname="1">
10390 <entry colname="2">
10392 Used in DNSSEC to securely indicate that
10393 RRs with an owner name in a certain name interval do
10395 a zone and indicate what RR types are present for an
10397 Used in original DNSSEC; replaced by NSEC in
10399 Described in RFC 2535.
10404 <entry colname="1">
10409 <entry colname="2">
10411 A pointer to another part of the domain
10412 name space. Described in RFC 1035.
10417 <entry colname="1">
10422 <entry colname="2">
10424 Provides mappings between RFC 822 and X.400
10425 addresses. Described in RFC 2163.
10430 <entry colname="1">
10435 <entry colname="2">
10437 Information on persons responsible
10438 for the domain. Experimental. Described in RFC 1183.
10443 <entry colname="1">
10448 <entry colname="2">
10450 Contains DNSSECbis signature data. Described
10456 <entry colname="1">
10461 <entry colname="2">
10463 Route-through binding for hosts that
10464 do not have their own direct wide area network
10466 Experimental. Described in RFC 1183.
10471 <entry colname="1">
10476 <entry colname="2">
10478 Contains DNSSEC signature data. Used in
10479 original DNSSEC; replaced by RRSIG in
10480 DNSSECbis, but still used for SIG(0).
10481 Described in RFCs 2535 and 2931.
10486 <entry colname="1">
10491 <entry colname="2">
10493 Identifies the start of a zone of authority.
10494 Described in RFC 1035.
10499 <entry colname="1">
10504 <entry colname="2">
10506 Contains the Sender Policy Framework information
10507 for a given email domain. Described in RFC 4408.
10512 <entry colname="1">
10517 <entry colname="2">
10519 Information about well known network
10520 services (replaces WKS). Described in RFC 2782.
10525 <entry colname="1">
10530 <entry colname="2">
10532 Provides a way to securely publish a secure shell key's
10533 fingerprint. Described in RFC 4255.
10538 <entry colname="1">
10543 <entry colname="2">
10545 Text records. Described in RFC 1035.
10550 <entry colname="1">
10555 <entry colname="2">
10557 Information about which well known
10558 network services, such as SMTP, that a domain
10559 supports. Historical.
10564 <entry colname="1">
10569 <entry colname="2">
10571 Representation of X.25 network addresses.
10572 Experimental. Described in RFC 1183.
10580 The following <emphasis>classes</emphasis> of resource records
10581 are currently valid in the DNS:
10583 <informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10584 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
10585 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
10589 <entry colname="1">
10594 <entry colname="2">
10602 <entry colname="1">
10607 <entry colname="2">
10609 Chaosnet, a LAN protocol created at MIT in the
10611 Rarely used for its historical purpose, but reused for
10613 built-in server information zones, e.g.,
10614 <literal>version.bind</literal>.
10620 <entry colname="1">
10625 <entry colname="2">
10627 Hesiod, an information service
10628 developed by MIT's Project Athena. It is used to share
10630 about various systems databases, such as users,
10642 The owner name is often implicit, rather than forming an
10644 part of the RR. For example, many name servers internally form
10646 or hash structures for the name space, and chain RRs off nodes.
10647 The remaining RR parts are the fixed header (type, class, TTL)
10648 which is consistent for all RRs, and a variable part (RDATA)
10650 fits the needs of the resource being described.
10653 The meaning of the TTL field is a time limit on how long an
10654 RR can be kept in a cache. This limit does not apply to
10656 data in zones; it is also timed out, but by the refreshing
10658 for the zone. The TTL is assigned by the administrator for the
10659 zone where the data originates. While short TTLs can be used to
10660 minimize caching, and a zero TTL prohibits caching, the
10662 of Internet performance suggest that these times should be on
10664 order of days for the typical host. If a change can be
10666 the TTL can be reduced prior to the change to minimize
10668 during the change, and then increased back to its former value
10673 The data in the RDATA section of RRs is carried as a combination
10674 of binary strings and domain names. The domain names are
10676 used as "pointers" to other data in the DNS.
10680 <title>Textual expression of RRs</title>
10682 RRs are represented in binary form in the packets of the DNS
10683 protocol, and are usually represented in highly encoded form
10685 stored in a name server or resolver. In the examples provided
10687 RFC 1034, a style similar to that used in master files was
10689 in order to show the contents of RRs. In this format, most RRs
10690 are shown on a single line, although continuation lines are
10695 The start of the line gives the owner of the RR. If a line
10696 begins with a blank, then the owner is assumed to be the same as
10697 that of the previous RR. Blank lines are often included for
10701 Following the owner, we list the TTL, type, and class of the
10702 RR. Class and type use the mnemonics defined above, and TTL is
10703 an integer before the type field. In order to avoid ambiguity
10705 parsing, type and class mnemonics are disjoint, TTLs are
10707 and the type mnemonic is always last. The IN class and TTL
10709 are often omitted from examples in the interests of clarity.
10712 The resource data or RDATA section of the RR are given using
10713 knowledge of the typical representation for the data.
10716 For example, we might show the RRs carried in a message as:
10718 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10719 <colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
10720 <colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
10721 <colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
10724 <entry colname="1">
10726 <literal>ISI.EDU.</literal>
10729 <entry colname="2">
10731 <literal>MX</literal>
10734 <entry colname="3">
10736 <literal>10 VENERA.ISI.EDU.</literal>
10741 <entry colname="1">
10744 <entry colname="2">
10746 <literal>MX</literal>
10749 <entry colname="3">
10751 <literal>10 VAXA.ISI.EDU</literal>
10756 <entry colname="1">
10758 <literal>VENERA.ISI.EDU</literal>
10761 <entry colname="2">
10763 <literal>A</literal>
10766 <entry colname="3">
10768 <literal>128.9.0.32</literal>
10773 <entry colname="1">
10776 <entry colname="2">
10778 <literal>A</literal>
10781 <entry colname="3">
10783 <literal>10.1.0.52</literal>
10788 <entry colname="1">
10790 <literal>VAXA.ISI.EDU</literal>
10793 <entry colname="2">
10795 <literal>A</literal>
10798 <entry colname="3">
10800 <literal>10.2.0.27</literal>
10805 <entry colname="1">
10808 <entry colname="2">
10810 <literal>A</literal>
10813 <entry colname="3">
10815 <literal>128.9.0.33</literal>
10823 The MX RRs have an RDATA section which consists of a 16-bit
10824 number followed by a domain name. The address RRs use a
10826 IP address format to contain a 32-bit internet address.
10829 The above example shows six RRs, with two RRs at each of three
10833 Similarly we might see:
10835 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10836 <colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
10837 <colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
10838 <colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
10841 <entry colname="1">
10843 <literal>XX.LCS.MIT.EDU.</literal>
10846 <entry colname="2">
10848 <literal>IN A</literal>
10851 <entry colname="3">
10853 <literal>10.0.0.44</literal>
10858 <entry colname="1"/>
10859 <entry colname="2">
10861 <literal>CH A</literal>
10864 <entry colname="3">
10866 <literal>MIT.EDU. 2420</literal>
10874 This example shows two addresses for
10875 <literal>XX.LCS.MIT.EDU</literal>, each of a different class.
10881 <title>Discussion of MX Records</title>
10884 As described above, domain servers store information as a
10885 series of resource records, each of which contains a particular
10886 piece of information about a given domain name (which is usually,
10887 but not always, a host). The simplest way to think of a RR is as
10888 a typed pair of data, a domain name matched with a relevant datum,
10889 and stored with some additional type information to help systems
10890 determine when the RR is relevant.
10894 MX records are used to control delivery of email. The data
10895 specified in the record is a priority and a domain name. The
10897 controls the order in which email delivery is attempted, with the
10898 lowest number first. If two priorities are the same, a server is
10899 chosen randomly. If no servers at a given priority are responding,
10900 the mail transport agent will fall back to the next largest
10902 Priority numbers do not have any absolute meaning — they are
10904 only respective to other MX records for that domain name. The
10906 name given is the machine to which the mail will be delivered.
10907 It <emphasis>must</emphasis> have an associated address record
10908 (A or AAAA) — CNAME is not sufficient.
10911 For a given domain, if there is both a CNAME record and an
10912 MX record, the MX record is in error, and will be ignored.
10914 the mail will be delivered to the server specified in the MX
10916 pointed to by the CNAME.
10919 <informaltable colsep="0" rowsep="0">
10920 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10921 <colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
10922 <colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
10923 <colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
10924 <colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
10925 <colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
10928 <entry colname="1">
10930 <literal>example.com.</literal>
10933 <entry colname="2">
10935 <literal>IN</literal>
10938 <entry colname="3">
10940 <literal>MX</literal>
10943 <entry colname="4">
10945 <literal>10</literal>
10948 <entry colname="5">
10950 <literal>mail.example.com.</literal>
10955 <entry colname="1">
10958 <entry colname="2">
10960 <literal>IN</literal>
10963 <entry colname="3">
10965 <literal>MX</literal>
10968 <entry colname="4">
10970 <literal>10</literal>
10973 <entry colname="5">
10975 <literal>mail2.example.com.</literal>
10980 <entry colname="1">
10983 <entry colname="2">
10985 <literal>IN</literal>
10988 <entry colname="3">
10990 <literal>MX</literal>
10993 <entry colname="4">
10995 <literal>20</literal>
10998 <entry colname="5">
11000 <literal>mail.backup.org.</literal>
11005 <entry colname="1">
11007 <literal>mail.example.com.</literal>
11010 <entry colname="2">
11012 <literal>IN</literal>
11015 <entry colname="3">
11017 <literal>A</literal>
11020 <entry colname="4">
11022 <literal>10.0.0.1</literal>
11025 <entry colname="5">
11030 <entry colname="1">
11032 <literal>mail2.example.com.</literal>
11035 <entry colname="2">
11037 <literal>IN</literal>
11040 <entry colname="3">
11042 <literal>A</literal>
11045 <entry colname="4">
11047 <literal>10.0.0.2</literal>
11050 <entry colname="5">
11056 </informaltable><para>
11057 Mail delivery will be attempted to <literal>mail.example.com</literal> and
11058 <literal>mail2.example.com</literal> (in
11059 any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
11063 <sect2 id="Setting_TTLs">
11064 <title>Setting TTLs</title>
11066 The time-to-live of the RR field is a 32-bit integer represented
11067 in units of seconds, and is primarily used by resolvers when they
11068 cache RRs. The TTL describes how long a RR can be cached before it
11069 should be discarded. The following three types of TTL are
11071 used in a zone file.
11073 <informaltable colsep="0" rowsep="0">
11074 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
11075 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
11076 <colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
11079 <entry colname="1">
11084 <entry colname="2">
11086 The last field in the SOA is the negative
11087 caching TTL. This controls how long other servers will
11088 cache no-such-domain
11089 (NXDOMAIN) responses from you.
11092 The maximum time for
11093 negative caching is 3 hours (3h).
11098 <entry colname="1">
11103 <entry colname="2">
11105 The $TTL directive at the top of the
11106 zone file (before the SOA) gives a default TTL for every
11108 a specific TTL set.
11113 <entry colname="1">
11118 <entry colname="2">
11120 Each RR can have a TTL as the second
11121 field in the RR, which will control how long other
11131 All of these TTLs default to units of seconds, though units
11132 can be explicitly specified, for example, <literal>1h30m</literal>.
11136 <title>Inverse Mapping in IPv4</title>
11138 Reverse name resolution (that is, translation from IP address
11139 to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
11140 and PTR records. Entries in the in-addr.arpa domain are made in
11141 least-to-most significant order, read left to right. This is the
11142 opposite order to the way IP addresses are usually written. Thus,
11143 a machine with an IP address of 10.1.2.3 would have a
11145 in-addr.arpa name of
11146 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
11147 whose data field is the name of the machine or, optionally,
11149 PTR records if the machine has more than one name. For example,
11150 in the <optional>example.com</optional> domain:
11152 <informaltable colsep="0" rowsep="0">
11153 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
11154 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
11155 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
11158 <entry colname="1">
11160 <literal>$ORIGIN</literal>
11163 <entry colname="2">
11165 <literal>2.1.10.in-addr.arpa</literal>
11170 <entry colname="1">
11172 <literal>3</literal>
11175 <entry colname="2">
11177 <literal>IN PTR foo.example.com.</literal>
11186 The <command>$ORIGIN</command> lines in the examples
11187 are for providing context to the examples only — they do not
11189 appear in the actual usage. They are only used here to indicate
11190 that the example is relative to the listed origin.
11195 <title>Other Zone File Directives</title>
11197 The Master File Format was initially defined in RFC 1035 and
11198 has subsequently been extended. While the Master File Format
11200 is class independent all records in a Master File must be of the
11205 Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
11206 and <command>$TTL.</command>
11209 <title>The <command>$ORIGIN</command> Directive</title>
11211 Syntax: <command>$ORIGIN</command>
11212 <replaceable>domain-name</replaceable>
11213 <optional><replaceable>comment</replaceable></optional>
11215 <para><command>$ORIGIN</command>
11216 sets the domain name that will be appended to any
11217 unqualified records. When a zone is first read in there
11218 is an implicit <command>$ORIGIN</command>
11219 <<varname>zone-name</varname>><command>.</command>
11220 The current <command>$ORIGIN</command> is appended to
11221 the domain specified in the <command>$ORIGIN</command>
11222 argument if it is not absolute.
11226 $ORIGIN example.com.
11227 WWW CNAME MAIN-SERVER
11235 WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
11240 <title>The <command>$INCLUDE</command> Directive</title>
11242 Syntax: <command>$INCLUDE</command>
11243 <replaceable>filename</replaceable>
11245 <replaceable>origin</replaceable> </optional>
11246 <optional> <replaceable>comment</replaceable> </optional>
11249 Read and process the file <filename>filename</filename> as
11250 if it were included into the file at this point. If <command>origin</command> is
11251 specified the file is processed with <command>$ORIGIN</command> set
11252 to that value, otherwise the current <command>$ORIGIN</command> is
11256 The origin and the current domain name
11257 revert to the values they had prior to the <command>$INCLUDE</command> once
11258 the file has been read.
11262 RFC 1035 specifies that the current origin should be restored
11264 an <command>$INCLUDE</command>, but it is silent
11265 on whether the current
11266 domain name should also be restored. BIND 9 restores both of
11268 This could be construed as a deviation from RFC 1035, a
11274 <title>The <command>$TTL</command> Directive</title>
11276 Syntax: <command>$TTL</command>
11277 <replaceable>default-ttl</replaceable>
11279 <replaceable>comment</replaceable> </optional>
11282 Set the default Time To Live (TTL) for subsequent records
11283 with undefined TTLs. Valid TTLs are of the range 0-2147483647
11286 <para><command>$TTL</command>
11287 is defined in RFC 2308.
11292 <title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
11294 Syntax: <command>$GENERATE</command>
11295 <replaceable>range</replaceable>
11296 <replaceable>lhs</replaceable>
11297 <optional><replaceable>ttl</replaceable></optional>
11298 <optional><replaceable>class</replaceable></optional>
11299 <replaceable>type</replaceable>
11300 <replaceable>rhs</replaceable>
11301 <optional><replaceable>comment</replaceable></optional>
11303 <para><command>$GENERATE</command>
11304 is used to create a series of resource records that only
11305 differ from each other by an
11306 iterator. <command>$GENERATE</command> can be used to
11307 easily generate the sets of records required to support
11308 sub /24 reverse delegations described in RFC 2317:
11309 Classless IN-ADDR.ARPA delegation.
11312 <programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
11313 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
11314 $GENERATE 1-127 $ CNAME $.0</programlisting>
11320 <programlisting>0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
11321 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
11322 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
11323 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
11325 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
11328 <informaltable colsep="0" rowsep="0">
11329 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
11330 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
11331 <colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
11334 <entry colname="1">
11335 <para><command>range</command></para>
11337 <entry colname="2">
11339 This can be one of two forms: start-stop
11340 or start-stop/step. If the first form is used, then step
11342 1. All of start, stop and step must be positive.
11347 <entry colname="1">
11348 <para><command>lhs</command></para>
11350 <entry colname="2">
11352 describes the owner name of the resource records
11353 to be created. Any single <command>$</command>
11355 symbols within the <command>lhs</command> string
11356 are replaced by the iterator value.
11358 To get a $ in the output, you need to escape the
11359 <command>$</command> using a backslash
11360 <command>\</command>,
11361 e.g. <command>\$</command>. The
11362 <command>$</command> may optionally be followed
11363 by modifiers which change the offset from the
11364 iterator, field width and base.
11366 Modifiers are introduced by a
11367 <command>{</command> (left brace) immediately following the
11368 <command>$</command> as
11369 <command>${offset[,width[,base]]}</command>.
11370 For example, <command>${-20,3,d}</command>
11371 subtracts 20 from the current value, prints the
11372 result as a decimal in a zero-padded field of
11375 Available output forms are decimal
11376 (<command>d</command>), octal
11377 (<command>o</command>) and hexadecimal
11378 (<command>x</command> or <command>X</command>
11379 for uppercase). The default modifier is
11380 <command>${0,0,d}</command>. If the
11381 <command>lhs</command> is not absolute, the
11382 current <command>$ORIGIN</command> is appended
11386 For compatibility with earlier versions, <command>$$</command> is still
11387 recognized as indicating a literal $ in the output.
11392 <entry colname="1">
11393 <para><command>ttl</command></para>
11395 <entry colname="2">
11397 Specifies the time-to-live of the generated records. If
11398 not specified this will be inherited using the
11399 normal TTL inheritance rules.
11401 <para><command>class</command>
11402 and <command>ttl</command> can be
11403 entered in either order.
11408 <entry colname="1">
11409 <para><command>class</command></para>
11411 <entry colname="2">
11413 Specifies the class of the generated records.
11414 This must match the zone class if it is
11417 <para><command>class</command>
11418 and <command>ttl</command> can be
11419 entered in either order.
11424 <entry colname="1">
11425 <para><command>type</command></para>
11427 <entry colname="2">
11429 At present the only supported types are
11430 PTR, CNAME, DNAME, A, AAAA and NS.
11435 <entry colname="1">
11436 <para><command>rhs</command></para>
11438 <entry colname="2">
11440 <command>rhs</command> is a domain name. It is processed
11449 The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
11450 and not part of the standard zone file format.
11453 BIND 8 does not support the optional TTL and CLASS fields.
11457 <sect2 id="zonefile_format">
11458 <title>Additional File Formats</title>
11460 In addition to the standard textual format, BIND 9
11461 supports the ability to read or dump to zone files in
11462 other formats. The <constant>raw</constant> format is
11463 currently available as an additional format. It is a
11464 binary format representing BIND 9's internal data
11465 structure directly, thereby remarkably improving the
11469 For a primary server, a zone file in the
11470 <constant>raw</constant> format is expected to be
11471 generated from a textual zone file by the
11472 <command>named-compilezone</command> command. For a
11473 secondary server or for a dynamic zone, it is automatically
11474 generated (if this format is specified by the
11475 <command>masterfile-format</command> option) when
11476 <command>named</command> dumps the zone contents after
11477 zone transfer or when applying prior updates.
11480 If a zone file in a binary format needs manual modification,
11481 it first must be converted to a textual form by the
11482 <command>named-compilezone</command> command. All
11483 necessary modification should go to the text file, which
11484 should then be converted to the binary form by the
11485 <command>named-compilezone</command> command again.
11488 Although the <constant>raw</constant> format uses the
11489 network byte order and avoids architecture-dependent
11490 data alignment so that it is as much portable as
11491 possible, it is primarily expected to be used inside
11492 the same single system. In order to export a zone
11493 file in the <constant>raw</constant> format or make a
11494 portable backup of the file, it is recommended to
11495 convert the file to the standard textual representation.
11500 <sect1 id="statistics">
11501 <title>BIND9 Statistics</title>
11503 <acronym>BIND</acronym> 9 maintains lots of statistics
11504 information and provides several interfaces for users to
11505 get access to the statistics.
11506 The available statistics include all statistics counters
11507 that were available in <acronym>BIND</acronym> 8 and
11508 are meaningful in <acronym>BIND</acronym> 9,
11509 and other information that is considered useful.
11513 The statistics information is categorized into the following
11517 <informaltable frame="all">
11519 <colspec colname="1" colnum="1" colsep="0" colwidth="3.300in"/>
11520 <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
11524 <entry colname="1">
11525 <para>Incoming Requests</para>
11527 <entry colname="2">
11529 The number of incoming DNS requests for each OPCODE.
11535 <entry colname="1">
11536 <para>Incoming Queries</para>
11538 <entry colname="2">
11540 The number of incoming queries for each RR type.
11546 <entry colname="1">
11547 <para>Outgoing Queries</para>
11549 <entry colname="2">
11551 The number of outgoing queries for each RR
11552 type sent from the internal resolver.
11553 Maintained per view.
11559 <entry colname="1">
11560 <para>Name Server Statistics</para>
11562 <entry colname="2">
11564 Statistics counters about incoming request processing.
11570 <entry colname="1">
11571 <para>Zone Maintenance Statistics</para>
11573 <entry colname="2">
11575 Statistics counters regarding zone maintenance
11576 operations such as zone transfers.
11582 <entry colname="1">
11583 <para>Resolver Statistics</para>
11585 <entry colname="2">
11587 Statistics counters about name resolution
11588 performed in the internal resolver.
11589 Maintained per view.
11595 <entry colname="1">
11596 <para>Cache DB RRsets</para>
11598 <entry colname="2">
11600 The number of RRsets per RR type (positive
11601 or negative) and nonexistent names stored in the
11603 Maintained per view.
11609 <entry colname="1">
11610 <para>Socket I/O Statistics</para>
11612 <entry colname="2">
11614 Statistics counters about network related events.
11624 A subset of Name Server Statistics is collected and shown
11625 per zone for which the server has the authority when
11626 <command>zone-statistics</command> is set to
11627 <userinput>yes</userinput>.
11628 These statistics counters are shown with their zone and view
11630 In some cases the view names are omitted for the default view.
11634 There are currently two user interfaces to get access to the
11636 One is in the plain text format dumped to the file specified
11637 by the <command>statistics-file</command> configuration option.
11638 The other is remotely accessible via a statistics channel
11639 when the <command>statistics-channels</command> statement
11640 is specified in the configuration file
11641 (see <xref linkend="statschannels"/>.)
11644 <sect3 id="statsfile">
11645 <title>The Statistics File</title>
11647 The text format statistics dump begins with a line, like:
11650 <command>+++ Statistics Dump +++ (973798949)</command>
11653 The number in parentheses is a standard
11654 Unix-style timestamp, measured as seconds since January 1, 1970.
11657 that line is a set of statistics information, which is categorized
11658 as described above.
11659 Each section begins with a line, like:
11663 <command>++ Name Server Statistics ++</command>
11667 Each section consists of lines, each containing the statistics
11668 counter value followed by its textual description.
11669 See below for available counters.
11670 For brevity, counters that have a value of 0 are not shown
11671 in the statistics file.
11675 The statistics dump ends with the line where the
11676 number is identical to the number in the beginning line; for example:
11679 <command>--- Statistics Dump --- (973798949)</command>
11683 <sect2 id="statistics_counters">
11684 <title>Statistics Counters</title>
11686 The following tables summarize statistics counters that
11687 <acronym>BIND</acronym> 9 provides.
11688 For each row of the tables, the leftmost column is the
11689 abbreviated symbol name of that counter.
11690 These symbols are shown in the statistics information
11691 accessed via an HTTP statistics channel.
11692 The rightmost column gives the description of the counter,
11693 which is also shown in the statistics file
11694 (but, in this document, possibly with slight modification
11695 for better readability).
11696 Additional notes may also be provided in this column.
11697 When a middle column exists between these two columns,
11698 it gives the corresponding counter name of the
11699 <acronym>BIND</acronym> 8 statistics, if applicable.
11703 <title>Name Server Statistics Counters</title>
11705 <informaltable colsep="0" rowsep="0">
11706 <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
11707 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
11708 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
11709 <colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
11712 <entry colname="1">
11714 <emphasis>Symbol</emphasis>
11717 <entry colname="2">
11719 <emphasis>BIND8 Symbol</emphasis>
11722 <entry colname="3">
11724 <emphasis>Description</emphasis>
11730 <entry colname="1">
11731 <para><command>Requestv4</command></para>
11733 <entry colname="2">
11734 <para><command>RQ</command></para>
11736 <entry colname="3">
11738 IPv4 requests received.
11739 Note: this also counts non query requests.
11744 <entry colname="1">
11745 <para><command>Requestv6</command></para>
11747 <entry colname="2">
11748 <para><command>RQ</command></para>
11750 <entry colname="3">
11752 IPv6 requests received.
11753 Note: this also counts non query requests.
11758 <entry colname="1">
11759 <para><command>ReqEdns0</command></para>
11761 <entry colname="2">
11762 <para><command></command></para>
11764 <entry colname="3">
11766 Requests with EDNS(0) received.
11771 <entry colname="1">
11772 <para><command>ReqBadEDNSVer</command></para>
11774 <entry colname="2">
11775 <para><command></command></para>
11777 <entry colname="3">
11779 Requests with unsupported EDNS version received.
11784 <entry colname="1">
11785 <para><command>ReqTSIG</command></para>
11787 <entry colname="2">
11788 <para><command></command></para>
11790 <entry colname="3">
11792 Requests with TSIG received.
11797 <entry colname="1">
11798 <para><command>ReqSIG0</command></para>
11800 <entry colname="2">
11801 <para><command></command></para>
11803 <entry colname="3">
11805 Requests with SIG(0) received.
11810 <entry colname="1">
11811 <para><command>ReqBadSIG</command></para>
11813 <entry colname="2">
11814 <para><command></command></para>
11816 <entry colname="3">
11818 Requests with invalid (TSIG or SIG(0)) signature.
11823 <entry colname="1">
11824 <para><command>ReqTCP</command></para>
11826 <entry colname="2">
11827 <para><command>RTCP</command></para>
11829 <entry colname="3">
11831 TCP requests received.
11836 <entry colname="1">
11837 <para><command>AuthQryRej</command></para>
11839 <entry colname="2">
11840 <para><command>RUQ</command></para>
11842 <entry colname="3">
11844 Authoritative (non recursive) queries rejected.
11849 <entry colname="1">
11850 <para><command>RecQryRej</command></para>
11852 <entry colname="2">
11853 <para><command>RURQ</command></para>
11855 <entry colname="3">
11857 Recursive queries rejected.
11862 <entry colname="1">
11863 <para><command>XfrRej</command></para>
11865 <entry colname="2">
11866 <para><command>RUXFR</command></para>
11868 <entry colname="3">
11870 Zone transfer requests rejected.
11875 <entry colname="1">
11876 <para><command>UpdateRej</command></para>
11878 <entry colname="2">
11879 <para><command>RUUpd</command></para>
11881 <entry colname="3">
11883 Dynamic update requests rejected.
11888 <entry colname="1">
11889 <para><command>Response</command></para>
11891 <entry colname="2">
11892 <para><command>SAns</command></para>
11894 <entry colname="3">
11901 <entry colname="1">
11902 <para><command>RespTruncated</command></para>
11904 <entry colname="2">
11905 <para><command></command></para>
11907 <entry colname="3">
11909 Truncated responses sent.
11914 <entry colname="1">
11915 <para><command>RespEDNS0</command></para>
11917 <entry colname="2">
11918 <para><command></command></para>
11920 <entry colname="3">
11922 Responses with EDNS(0) sent.
11927 <entry colname="1">
11928 <para><command>RespTSIG</command></para>
11930 <entry colname="2">
11931 <para><command></command></para>
11933 <entry colname="3">
11935 Responses with TSIG sent.
11940 <entry colname="1">
11941 <para><command>RespSIG0</command></para>
11943 <entry colname="2">
11944 <para><command></command></para>
11946 <entry colname="3">
11948 Responses with SIG(0) sent.
11953 <entry colname="1">
11954 <para><command>QrySuccess</command></para>
11956 <entry colname="2">
11957 <para><command></command></para>
11959 <entry colname="3">
11961 Queries resulted in a successful answer.
11962 This means the query which returns a NOERROR response
11963 with at least one answer RR.
11964 This corresponds to the
11965 <command>success</command> counter
11966 of previous versions of
11967 <acronym>BIND</acronym> 9.
11972 <entry colname="1">
11973 <para><command>QryAuthAns</command></para>
11975 <entry colname="2">
11976 <para><command></command></para>
11978 <entry colname="3">
11980 Queries resulted in authoritative answer.
11985 <entry colname="1">
11986 <para><command>QryNoauthAns</command></para>
11988 <entry colname="2">
11989 <para><command>SNaAns</command></para>
11991 <entry colname="3">
11993 Queries resulted in non authoritative answer.
11998 <entry colname="1">
11999 <para><command>QryReferral</command></para>
12001 <entry colname="2">
12002 <para><command></command></para>
12004 <entry colname="3">
12006 Queries resulted in referral answer.
12007 This corresponds to the
12008 <command>referral</command> counter
12009 of previous versions of
12010 <acronym>BIND</acronym> 9.
12015 <entry colname="1">
12016 <para><command>QryNxrrset</command></para>
12018 <entry colname="2">
12019 <para><command></command></para>
12021 <entry colname="3">
12023 Queries resulted in NOERROR responses with no data.
12024 This corresponds to the
12025 <command>nxrrset</command> counter
12026 of previous versions of
12027 <acronym>BIND</acronym> 9.
12032 <entry colname="1">
12033 <para><command>QrySERVFAIL</command></para>
12035 <entry colname="2">
12036 <para><command>SFail</command></para>
12038 <entry colname="3">
12040 Queries resulted in SERVFAIL.
12045 <entry colname="1">
12046 <para><command>QryFORMERR</command></para>
12048 <entry colname="2">
12049 <para><command>SFErr</command></para>
12051 <entry colname="3">
12053 Queries resulted in FORMERR.
12058 <entry colname="1">
12059 <para><command>QryNXDOMAIN</command></para>
12061 <entry colname="2">
12062 <para><command>SNXD</command></para>
12064 <entry colname="3">
12066 Queries resulted in NXDOMAIN.
12067 This corresponds to the
12068 <command>nxdomain</command> counter
12069 of previous versions of
12070 <acronym>BIND</acronym> 9.
12075 <entry colname="1">
12076 <para><command>QryRecursion</command></para>
12078 <entry colname="2">
12079 <para><command>RFwdQ</command></para>
12081 <entry colname="3">
12083 Queries which caused the server
12084 to perform recursion in order to find the final answer.
12085 This corresponds to the
12086 <command>recursion</command> counter
12087 of previous versions of
12088 <acronym>BIND</acronym> 9.
12093 <entry colname="1">
12094 <para><command>QryDuplicate</command></para>
12096 <entry colname="2">
12097 <para><command>RDupQ</command></para>
12099 <entry colname="3">
12101 Queries which the server attempted to
12102 recurse but discovered an existing query with the same
12103 IP address, port, query ID, name, type and class
12104 already being processed.
12105 This corresponds to the
12106 <command>duplicate</command> counter
12107 of previous versions of
12108 <acronym>BIND</acronym> 9.
12113 <entry colname="1">
12114 <para><command>QryDropped</command></para>
12116 <entry colname="2">
12117 <para><command></command></para>
12119 <entry colname="3">
12121 Recursive queries for which the server
12122 discovered an excessive number of existing
12123 recursive queries for the same name, type and
12124 class and were subsequently dropped.
12125 This is the number of dropped queries due to
12126 the reason explained with the
12127 <command>clients-per-query</command>
12129 <command>max-clients-per-query</command>
12131 (see the description about
12132 <xref linkend="clients-per-query"/>.)
12133 This corresponds to the
12134 <command>dropped</command> counter
12135 of previous versions of
12136 <acronym>BIND</acronym> 9.
12141 <entry colname="1">
12142 <para><command>QryFailure</command></para>
12144 <entry colname="2">
12145 <para><command></command></para>
12147 <entry colname="3">
12149 Other query failures.
12150 This corresponds to the
12151 <command>failure</command> counter
12152 of previous versions of
12153 <acronym>BIND</acronym> 9.
12154 Note: this counter is provided mainly for
12155 backward compatibility with the previous versions.
12156 Normally a more fine-grained counters such as
12157 <command>AuthQryRej</command> and
12158 <command>RecQryRej</command>
12159 that would also fall into this counter are provided,
12160 and so this counter would not be of much
12161 interest in practice.
12166 <entry colname="1">
12167 <para><command>XfrReqDone</command></para>
12169 <entry colname="2">
12170 <para><command></command></para>
12172 <entry colname="3">
12174 Requested zone transfers completed.
12179 <entry colname="1">
12180 <para><command>UpdateReqFwd</command></para>
12182 <entry colname="2">
12183 <para><command></command></para>
12185 <entry colname="3">
12187 Update requests forwarded.
12192 <entry colname="1">
12193 <para><command>UpdateRespFwd</command></para>
12195 <entry colname="2">
12196 <para><command></command></para>
12198 <entry colname="3">
12200 Update responses forwarded.
12205 <entry colname="1">
12206 <para><command>UpdateFwdFail</command></para>
12208 <entry colname="2">
12209 <para><command></command></para>
12211 <entry colname="3">
12213 Dynamic update forward failed.
12218 <entry colname="1">
12219 <para><command>UpdateDone</command></para>
12221 <entry colname="2">
12222 <para><command></command></para>
12224 <entry colname="3">
12226 Dynamic updates completed.
12231 <entry colname="1">
12232 <para><command>UpdateFail</command></para>
12234 <entry colname="2">
12235 <para><command></command></para>
12237 <entry colname="3">
12239 Dynamic updates failed.
12244 <entry colname="1">
12245 <para><command>UpdateBadPrereq</command></para>
12247 <entry colname="2">
12248 <para><command></command></para>
12250 <entry colname="3">
12252 Dynamic updates rejected due to prerequisite failure.
12262 <title>Zone Maintenance Statistics Counters</title>
12264 <informaltable colsep="0" rowsep="0">
12265 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12266 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
12267 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
12270 <entry colname="1">
12272 <emphasis>Symbol</emphasis>
12275 <entry colname="2">
12277 <emphasis>Description</emphasis>
12283 <entry colname="1">
12284 <para><command>NotifyOutv4</command></para>
12286 <entry colname="2">
12288 IPv4 notifies sent.
12293 <entry colname="1">
12294 <para><command>NotifyOutv6</command></para>
12296 <entry colname="2">
12298 IPv6 notifies sent.
12303 <entry colname="1">
12304 <para><command>NotifyInv4</command></para>
12306 <entry colname="2">
12308 IPv4 notifies received.
12313 <entry colname="1">
12314 <para><command>NotifyInv6</command></para>
12316 <entry colname="2">
12318 IPv6 notifies received.
12323 <entry colname="1">
12324 <para><command>NotifyRej</command></para>
12326 <entry colname="2">
12328 Incoming notifies rejected.
12333 <entry colname="1">
12334 <para><command>SOAOutv4</command></para>
12336 <entry colname="2">
12338 IPv4 SOA queries sent.
12343 <entry colname="1">
12344 <para><command>SOAOutv6</command></para>
12346 <entry colname="2">
12348 IPv6 SOA queries sent.
12353 <entry colname="1">
12354 <para><command>AXFRReqv4</command></para>
12356 <entry colname="2">
12358 IPv4 AXFR requested.
12363 <entry colname="1">
12364 <para><command>AXFRReqv6</command></para>
12366 <entry colname="2">
12368 IPv6 AXFR requested.
12373 <entry colname="1">
12374 <para><command>IXFRReqv4</command></para>
12376 <entry colname="2">
12378 IPv4 IXFR requested.
12383 <entry colname="1">
12384 <para><command>IXFRReqv6</command></para>
12386 <entry colname="2">
12388 IPv6 IXFR requested.
12393 <entry colname="1">
12394 <para><command>XfrSuccess</command></para>
12396 <entry colname="2">
12398 Zone transfer requests succeeded.
12403 <entry colname="1">
12404 <para><command>XfrFail</command></para>
12406 <entry colname="2">
12408 Zone transfer requests failed.
12418 <title>Resolver Statistics Counters</title>
12420 <informaltable colsep="0" rowsep="0">
12421 <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12422 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
12423 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
12424 <colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
12427 <entry colname="1">
12429 <emphasis>Symbol</emphasis>
12432 <entry colname="2">
12434 <emphasis>BIND8 Symbol</emphasis>
12437 <entry colname="3">
12439 <emphasis>Description</emphasis>
12445 <entry colname="1">
12446 <para><command>Queryv4</command></para>
12448 <entry colname="2">
12449 <para><command>SFwdQ</command></para>
12451 <entry colname="3">
12458 <entry colname="1">
12459 <para><command>Queryv6</command></para>
12461 <entry colname="2">
12462 <para><command>SFwdQ</command></para>
12464 <entry colname="3">
12471 <entry colname="1">
12472 <para><command>Responsev4</command></para>
12474 <entry colname="2">
12475 <para><command>RR</command></para>
12477 <entry colname="3">
12479 IPv4 responses received.
12484 <entry colname="1">
12485 <para><command>Responsev6</command></para>
12487 <entry colname="2">
12488 <para><command>RR</command></para>
12490 <entry colname="3">
12492 IPv6 responses received.
12497 <entry colname="1">
12498 <para><command>NXDOMAIN</command></para>
12500 <entry colname="2">
12501 <para><command>RNXD</command></para>
12503 <entry colname="3">
12510 <entry colname="1">
12511 <para><command>SERVFAIL</command></para>
12513 <entry colname="2">
12514 <para><command>RFail</command></para>
12516 <entry colname="3">
12523 <entry colname="1">
12524 <para><command>FORMERR</command></para>
12526 <entry colname="2">
12527 <para><command>RFErr</command></para>
12529 <entry colname="3">
12536 <entry colname="1">
12537 <para><command>OtherError</command></para>
12539 <entry colname="2">
12540 <para><command>RErr</command></para>
12542 <entry colname="3">
12544 Other errors received.
12549 <entry colname="1">
12550 <para><command>EDNS0Fail</command></para>
12552 <entry colname="2">
12553 <para><command></command></para>
12555 <entry colname="3">
12557 EDNS(0) query failures.
12562 <entry colname="1">
12563 <para><command>Mismatch</command></para>
12565 <entry colname="2">
12566 <para><command>RDupR</command></para>
12568 <entry colname="3">
12570 Mismatch responses received.
12575 <entry colname="1">
12576 <para><command>Truncated</command></para>
12578 <entry colname="2">
12579 <para><command></command></para>
12581 <entry colname="3">
12583 Truncated responses received.
12588 <entry colname="1">
12589 <para><command>Lame</command></para>
12591 <entry colname="2">
12592 <para><command>RLame</command></para>
12594 <entry colname="3">
12596 Lame delegations received.
12601 <entry colname="1">
12602 <para><command>Retry</command></para>
12604 <entry colname="2">
12605 <para><command>SDupQ</command></para>
12607 <entry colname="3">
12609 Query retries performed.
12614 <entry colname="1">
12615 <para><command>QueryAbort</command></para>
12617 <entry colname="2">
12618 <para><command></command></para>
12620 <entry colname="3">
12622 Queries aborted due to quota control.
12627 <entry colname="1">
12628 <para><command>QuerySockFail</command></para>
12630 <entry colname="2">
12631 <para><command></command></para>
12633 <entry colname="3">
12635 Failures in opening query sockets.
12636 One common reason for such failures is a
12637 failure of opening a new socket due to a
12638 limitation on file descriptors.
12643 <entry colname="1">
12644 <para><command>QueryTimeout</command></para>
12646 <entry colname="2">
12647 <para><command></command></para>
12649 <entry colname="3">
12656 <entry colname="1">
12657 <para><command>GlueFetchv4</command></para>
12659 <entry colname="2">
12660 <para><command>SSysQ</command></para>
12662 <entry colname="3">
12664 IPv4 NS address fetches invoked.
12669 <entry colname="1">
12670 <para><command>GlueFetchv6</command></para>
12672 <entry colname="2">
12673 <para><command>SSysQ</command></para>
12675 <entry colname="3">
12677 IPv6 NS address fetches invoked.
12682 <entry colname="1">
12683 <para><command>GlueFetchv4Fail</command></para>
12685 <entry colname="2">
12686 <para><command></command></para>
12688 <entry colname="3">
12690 IPv4 NS address fetch failed.
12695 <entry colname="1">
12696 <para><command>GlueFetchv6Fail</command></para>
12698 <entry colname="2">
12699 <para><command></command></para>
12701 <entry colname="3">
12703 IPv6 NS address fetch failed.
12708 <entry colname="1">
12709 <para><command>ValAttempt</command></para>
12711 <entry colname="2">
12712 <para><command></command></para>
12714 <entry colname="3">
12716 DNSSEC validation attempted.
12721 <entry colname="1">
12722 <para><command>ValOk</command></para>
12724 <entry colname="2">
12725 <para><command></command></para>
12727 <entry colname="3">
12729 DNSSEC validation succeeded.
12734 <entry colname="1">
12735 <para><command>ValNegOk</command></para>
12737 <entry colname="2">
12738 <para><command></command></para>
12740 <entry colname="3">
12742 DNSSEC validation on negative information succeeded.
12747 <entry colname="1">
12748 <para><command>ValFail</command></para>
12750 <entry colname="2">
12751 <para><command></command></para>
12753 <entry colname="3">
12755 DNSSEC validation failed.
12760 <entry colname="1">
12761 <para><command>QryRTTnn</command></para>
12763 <entry colname="2">
12764 <para><command></command></para>
12766 <entry colname="3">
12768 Frequency table on round trip times (RTTs) of
12770 Each <command>nn</command> specifies the corresponding
12773 <command>nn_1</command>,
12774 <command>nn_2</command>,
12776 <command>nn_m</command>,
12777 the value of <command>nn_i</command> is the
12778 number of queries whose RTTs are between
12779 <command>nn_(i-1)</command> (inclusive) and
12780 <command>nn_i</command> (exclusive) milliseconds.
12781 For the sake of convenience we define
12782 <command>nn_0</command> to be 0.
12783 The last entry should be represented as
12784 <command>nn_m+</command>, which means the
12785 number of queries whose RTTs are equal to or over
12786 <command>nn_m</command> milliseconds.
12797 <title>Socket I/O Statistics Counters</title>
12800 Socket I/O statistics counters are defined per socket
12802 <command>UDP4</command> (UDP/IPv4),
12803 <command>UDP6</command> (UDP/IPv6),
12804 <command>TCP4</command> (TCP/IPv4),
12805 <command>TCP6</command> (TCP/IPv6),
12806 <command>Unix</command> (Unix Domain), and
12807 <command>FDwatch</command> (sockets opened outside the
12809 In the following table <command><TYPE></command>
12810 represents a socket type.
12811 Not all counters are available for all socket types;
12812 exceptions are noted in the description field.
12815 <informaltable colsep="0" rowsep="0">
12816 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12817 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
12818 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
12821 <entry colname="1">
12823 <emphasis>Symbol</emphasis>
12826 <entry colname="2">
12828 <emphasis>Description</emphasis>
12834 <entry colname="1">
12835 <para><command><TYPE>Open</command></para>
12837 <entry colname="2">
12839 Sockets opened successfully.
12840 This counter is not applicable to the
12841 <command>FDwatch</command> type.
12846 <entry colname="1">
12847 <para><command><TYPE>OpenFail</command></para>
12849 <entry colname="2">
12851 Failures of opening sockets.
12852 This counter is not applicable to the
12853 <command>FDwatch</command> type.
12858 <entry colname="1">
12859 <para><command><TYPE>Close</command></para>
12861 <entry colname="2">
12868 <entry colname="1">
12869 <para><command><TYPE>BindFail</command></para>
12871 <entry colname="2">
12873 Failures of binding sockets.
12878 <entry colname="1">
12879 <para><command><TYPE>ConnFail</command></para>
12881 <entry colname="2">
12883 Failures of connecting sockets.
12888 <entry colname="1">
12889 <para><command><TYPE>Conn</command></para>
12891 <entry colname="2">
12893 Connections established successfully.
12898 <entry colname="1">
12899 <para><command><TYPE>AcceptFail</command></para>
12901 <entry colname="2">
12903 Failures of accepting incoming connection requests.
12904 This counter is not applicable to the
12905 <command>UDP</command> and
12906 <command>FDwatch</command> types.
12911 <entry colname="1">
12912 <para><command><TYPE>Accept</command></para>
12914 <entry colname="2">
12916 Incoming connections successfully accepted.
12917 This counter is not applicable to the
12918 <command>UDP</command> and
12919 <command>FDwatch</command> types.
12924 <entry colname="1">
12925 <para><command><TYPE>SendErr</command></para>
12927 <entry colname="2">
12929 Errors in socket send operations.
12930 This counter corresponds
12931 to <command>SErr</command> counter of
12932 <command>BIND</command> 8.
12937 <entry colname="1">
12938 <para><command><TYPE>RecvErr</command></para>
12940 <entry colname="2">
12942 Errors in socket receive operations.
12943 This includes errors of send operations on a
12944 connected UDP socket notified by an ICMP error
12954 <title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title>
12956 Most statistics counters that were available
12957 in <command>BIND</command> 8 are also supported in
12958 <command>BIND</command> 9 as shown in the above tables.
12959 Here are notes about other counters that do not appear
12965 <term><command>RFwdR,SFwdR</command></term>
12968 These counters are not supported
12969 because <command>BIND</command> 9 does not adopt
12970 the notion of <emphasis>forwarding</emphasis>
12971 as <command>BIND</command> 8 did.
12977 <term><command>RAXFR</command></term>
12980 This counter is accessible in the Incoming Queries section.
12986 <term><command>RIQ</command></term>
12989 This counter is accessible in the Incoming Requests section.
12995 <term><command>ROpts</command></term>
12998 This counter is not supported
12999 because <command>BIND</command> 9 does not care
13000 about IP options in the first place.
13010 <chapter id="Bv9ARM.ch07">
13011 <title><acronym>BIND</acronym> 9 Security Considerations</title>
13012 <sect1 id="Access_Control_Lists">
13013 <title>Access Control Lists</title>
13015 Access Control Lists (ACLs) are address match lists that
13016 you can set up and nickname for future use in <command>allow-notify</command>,
13017 <command>allow-query</command>, <command>allow-query-on</command>,
13018 <command>allow-recursion</command>, <command>allow-recursion-on</command>,
13019 <command>blackhole</command>, <command>allow-transfer</command>,
13023 Using ACLs allows you to have finer control over who can access
13024 your name server, without cluttering up your config files with huge
13025 lists of IP addresses.
13028 It is a <emphasis>good idea</emphasis> to use ACLs, and to
13029 control access to your server. Limiting access to your server by
13030 outside parties can help prevent spoofing and denial of service (DoS) attacks against
13034 Here is an example of how to properly apply ACLs:
13038 // Set up an ACL named "bogusnets" that will block RFC1918 space
13039 // and some reserved space, which is commonly used in spoofing attacks.
13041 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
13042 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
13045 // Set up an ACL called our-nets. Replace this with the real IP numbers.
13046 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
13050 allow-query { our-nets; };
13051 allow-recursion { our-nets; };
13053 blackhole { bogusnets; };
13057 zone "example.com" {
13059 file "m/example.com";
13060 allow-query { any; };
13065 This allows recursive queries of the server from the outside
13066 unless recursion has been previously disabled.
13069 For more information on how to use ACLs to protect your server,
13070 see the <emphasis>AUSCERT</emphasis> advisory at:
13073 <ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
13074 >ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
13078 <title><command>Chroot</command> and <command>Setuid</command></title>
13080 On UNIX servers, it is possible to run <acronym>BIND</acronym>
13081 in a <emphasis>chrooted</emphasis> environment (using
13082 the <command>chroot()</command> function) by specifying
13083 the "<option>-t</option>" option for <command>named</command>.
13084 This can help improve system security by placing
13085 <acronym>BIND</acronym> in a "sandbox", which will limit
13086 the damage done if a server is compromised.
13089 Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
13090 ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
13091 We suggest running as an unprivileged user when using the <command>chroot</command> feature.
13094 Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
13095 <command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
13099 <userinput>/usr/local/sbin/named -u 202 -t /var/named</userinput>
13103 <title>The <command>chroot</command> Environment</title>
13106 In order for a <command>chroot</command> environment
13108 work properly in a particular directory
13109 (for example, <filename>/var/named</filename>),
13110 you will need to set up an environment that includes everything
13111 <acronym>BIND</acronym> needs to run.
13112 From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
13113 the root of the filesystem. You will need to adjust the values of
13115 like <command>directory</command> and <command>pid-file</command> to account
13119 Unlike with earlier versions of BIND, you typically will
13120 <emphasis>not</emphasis> need to compile <command>named</command>
13121 statically nor install shared libraries under the new root.
13122 However, depending on your operating system, you may need
13123 to set up things like
13124 <filename>/dev/zero</filename>,
13125 <filename>/dev/random</filename>,
13126 <filename>/dev/log</filename>, and
13127 <filename>/etc/localtime</filename>.
13132 <title>Using the <command>setuid</command> Function</title>
13135 Prior to running the <command>named</command> daemon,
13137 the <command>touch</command> utility (to change file
13139 modification times) or the <command>chown</command>
13141 set the user id and/or group id) on files
13142 to which you want <acronym>BIND</acronym>
13146 Note that if the <command>named</command> daemon is running as an
13147 unprivileged user, it will not be able to bind to new restricted
13148 ports if the server is reloaded.
13153 <sect1 id="dynamic_update_security">
13154 <title>Dynamic Update Security</title>
13157 Access to the dynamic
13158 update facility should be strictly limited. In earlier versions of
13159 <acronym>BIND</acronym>, the only way to do this was
13161 address of the host requesting the update, by listing an IP address
13163 network prefix in the <command>allow-update</command>
13165 This method is insecure since the source address of the update UDP
13167 is easily forged. Also note that if the IP addresses allowed by the
13168 <command>allow-update</command> option include the
13170 server which performs forwarding of dynamic updates, the master can
13172 trivially attacked by sending the update to the slave, which will
13173 forward it to the master with its own source IP address causing the
13174 master to approve it without question.
13178 For these reasons, we strongly recommend that updates be
13179 cryptographically authenticated by means of transaction signatures
13180 (TSIG). That is, the <command>allow-update</command>
13182 list only TSIG key names, not IP addresses or network
13183 prefixes. Alternatively, the new <command>update-policy</command>
13184 option can be used.
13188 Some sites choose to keep all dynamically-updated DNS data
13189 in a subdomain and delegate that subdomain to a separate zone. This
13190 way, the top-level zone containing critical data such as the IP
13192 of public web and mail servers need not allow dynamic update at
13199 <chapter id="Bv9ARM.ch08">
13200 <title>Troubleshooting</title>
13202 <title>Common Problems</title>
13204 <title>It's not working; how can I figure out what's wrong?</title>
13207 The best solution to solving installation and
13208 configuration issues is to take preventative measures by setting
13209 up logging files beforehand. The log files provide a
13210 source of hints and information that can be used to figure out
13211 what went wrong and how to fix the problem.
13217 <title>Incrementing and Changing the Serial Number</title>
13220 Zone serial numbers are just numbers — they aren't
13221 date related. A lot of people set them to a number that
13222 represents a date, usually of the form YYYYMMDDRR.
13223 Occasionally they will make a mistake and set them to a
13224 "date in the future" then try to correct them by setting
13225 them to the "current date". This causes problems because
13226 serial numbers are used to indicate that a zone has been
13227 updated. If the serial number on the slave server is
13228 lower than the serial number on the master, the slave
13229 server will attempt to update its copy of the zone.
13233 Setting the serial number to a lower number on the master
13234 server than the slave server means that the slave will not perform
13235 updates to its copy of the zone.
13239 The solution to this is to add 2147483647 (2^31-1) to the
13240 number, reload the zone and make sure all slaves have updated to
13241 the new zone serial number, then reset the number to what you want
13242 it to be, and reload the zone again.
13247 <title>Where Can I Get Help?</title>
13250 The Internet Systems Consortium
13251 (<acronym>ISC</acronym>) offers a wide range
13252 of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
13253 levels of premium support are available and each level includes
13254 support for all <acronym>ISC</acronym> programs,
13255 significant discounts on products
13256 and training, and a recognized priority on bug fixes and
13257 non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
13258 support agreement package which includes services ranging from bug
13259 fix announcements to remote support. It also includes training in
13260 <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
13264 To discuss arrangements for support, contact
13265 <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
13266 <acronym>ISC</acronym> web page at
13267 <ulink url="http://www.isc.org/services/support/"
13268 >http://www.isc.org/services/support/</ulink>
13273 <appendix id="Bv9ARM.ch09">
13274 <title>Appendices</title>
13276 <title>Acknowledgments</title>
13277 <sect2 id="historical_dns_information">
13278 <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
13281 Although the "official" beginning of the Domain Name
13282 System occurred in 1984 with the publication of RFC 920, the
13283 core of the new system was described in 1983 in RFCs 882 and
13284 883. From 1984 to 1987, the ARPAnet (the precursor to today's
13285 Internet) became a testbed of experimentation for developing the
13286 new naming/addressing scheme in a rapidly expanding,
13287 operational network environment. New RFCs were written and
13288 published in 1987 that modified the original documents to
13289 incorporate improvements based on the working model. RFC 1034,
13290 "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
13291 Names-Implementation and Specification" were published and
13292 became the standards upon which all <acronym>DNS</acronym> implementations are
13297 The first working domain name server, called "Jeeves", was
13298 written in 1983-84 by Paul Mockapetris for operation on DEC
13300 machines located at the University of Southern California's
13302 Sciences Institute (USC-ISI) and SRI International's Network
13304 Center (SRI-NIC). A <acronym>DNS</acronym> server for
13305 Unix machines, the Berkeley Internet
13306 Name Domain (<acronym>BIND</acronym>) package, was
13307 written soon after by a group of
13308 graduate students at the University of California at Berkeley
13310 a grant from the US Defense Advanced Research Projects
13315 Versions of <acronym>BIND</acronym> through
13316 4.8.3 were maintained by the Computer
13317 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
13318 Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
13319 project team. After that, additional work on the software package
13320 was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
13322 employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
13323 to 1987. Many other people also contributed to <acronym>BIND</acronym> development
13324 during that time: Doug Kingston, Craig Partridge, Smoot
13326 Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
13327 handled by Mike Karels and Øivind Kure.
13330 <acronym>BIND</acronym> versions 4.9 and 4.9.1 were
13331 released by Digital Equipment
13332 Corporation (now Compaq Computer Corporation). Paul Vixie, then
13333 a DEC employee, became <acronym>BIND</acronym>'s
13334 primary caretaker. He was assisted
13335 by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan
13337 Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
13338 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
13339 Wolfhugel, and others.
13342 In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
13343 Vixie Enterprises. Paul
13344 Vixie became <acronym>BIND</acronym>'s principal
13345 architect/programmer.
13348 <acronym>BIND</acronym> versions from 4.9.3 onward
13349 have been developed and maintained
13350 by the Internet Systems Consortium and its predecessor,
13351 the Internet Software Consortium, with support being provided
13355 As co-architects/programmers, Bob Halley and
13356 Paul Vixie released the first production-ready version of
13357 <acronym>BIND</acronym> version 8 in May 1997.
13360 BIND version 9 was released in September 2000 and is a
13361 major rewrite of nearly all aspects of the underlying
13365 BIND versions 4 and 8 are officially deprecated.
13366 No additional development is done
13367 on BIND version 4 or BIND version 8.
13370 <acronym>BIND</acronym> development work is made
13371 possible today by the sponsorship
13372 of several corporations, and by the tireless work efforts of
13373 numerous individuals.
13378 <title>General <acronym>DNS</acronym> Reference Information</title>
13379 <sect2 id="ipv6addresses">
13380 <title>IPv6 addresses (AAAA)</title>
13382 IPv6 addresses are 128-bit identifiers for interfaces and
13383 sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
13384 scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
13385 an identifier for a single interface;
13386 <emphasis>Anycast</emphasis>,
13387 an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
13388 an identifier for a set of interfaces. Here we describe the global
13389 Unicast address scheme. For more information, see RFC 3587,
13390 "Global Unicast Address Format."
13393 IPv6 unicast addresses consist of a
13394 <emphasis>global routing prefix</emphasis>, a
13395 <emphasis>subnet identifier</emphasis>, and an
13396 <emphasis>interface identifier</emphasis>.
13399 The global routing prefix is provided by the
13400 upstream provider or ISP, and (roughly) corresponds to the
13401 IPv4 <emphasis>network</emphasis> section
13402 of the address range.
13404 The subnet identifier is for local subnetting, much the
13405 same as subnetting an
13406 IPv4 /16 network into /24 subnets.
13408 The interface identifier is the address of an individual
13409 interface on a given network; in IPv6, addresses belong to
13410 interfaces rather than to machines.
13413 The subnetting capability of IPv6 is much more flexible than
13414 that of IPv4: subnetting can be carried out on bit boundaries,
13415 in much the same way as Classless InterDomain Routing
13416 (CIDR), and the DNS PTR representation ("nibble" format)
13417 makes setting up reverse zones easier.
13420 The Interface Identifier must be unique on the local link,
13421 and is usually generated automatically by the IPv6
13422 implementation, although it is usually possible to
13423 override the default setting if necessary. A typical IPv6
13424 address might look like:
13425 <command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
13428 IPv6 address specifications often contain long strings
13429 of zeros, so the architects have included a shorthand for
13431 them. The double colon (`::') indicates the longest possible
13433 of zeros that can fit, and can be used only once in an address.
13437 <sect1 id="bibliography">
13438 <title>Bibliography (and Suggested Reading)</title>
13440 <title>Request for Comments (RFCs)</title>
13442 Specification documents for the Internet protocol suite, including
13443 the <acronym>DNS</acronym>, are published as part of
13444 the Request for Comments (RFCs)
13445 series of technical notes. The standards themselves are defined
13446 by the Internet Engineering Task Force (IETF) and the Internet
13447 Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
13450 <ulink url="ftp://www.isi.edu/in-notes/">
13451 ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
13455 (where <replaceable>xxxx</replaceable> is
13456 the number of the RFC). RFCs are also available via the Web at:
13459 <ulink url="http://www.ietf.org/rfc/"
13460 >http://www.ietf.org/rfc/</ulink>.
13464 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
13465 <title>Standards</title>
13467 <abbrev>RFC974</abbrev>
13469 <surname>Partridge</surname>
13470 <firstname>C.</firstname>
13472 <title>Mail Routing and the Domain System</title>
13473 <pubdate>January 1986</pubdate>
13476 <abbrev>RFC1034</abbrev>
13478 <surname>Mockapetris</surname>
13479 <firstname>P.V.</firstname>
13481 <title>Domain Names — Concepts and Facilities</title>
13482 <pubdate>November 1987</pubdate>
13485 <abbrev>RFC1035</abbrev>
13487 <surname>Mockapetris</surname>
13488 <firstname>P. V.</firstname>
13489 </author> <title>Domain Names — Implementation and
13490 Specification</title>
13491 <pubdate>November 1987</pubdate>
13494 <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
13496 <title>Proposed Standards</title>
13497 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
13499 <abbrev>RFC2181</abbrev>
13501 <surname>Elz</surname>
13502 <firstname>R., R. Bush</firstname>
13504 <title>Clarifications to the <acronym>DNS</acronym>
13505 Specification</title>
13506 <pubdate>July 1997</pubdate>
13509 <abbrev>RFC2308</abbrev>
13511 <surname>Andrews</surname>
13512 <firstname>M.</firstname>
13514 <title>Negative Caching of <acronym>DNS</acronym>
13516 <pubdate>March 1998</pubdate>
13519 <abbrev>RFC1995</abbrev>
13521 <surname>Ohta</surname>
13522 <firstname>M.</firstname>
13524 <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
13525 <pubdate>August 1996</pubdate>
13528 <abbrev>RFC1996</abbrev>
13530 <surname>Vixie</surname>
13531 <firstname>P.</firstname>
13533 <title>A Mechanism for Prompt Notification of Zone Changes</title>
13534 <pubdate>August 1996</pubdate>
13537 <abbrev>RFC2136</abbrev>
13540 <surname>Vixie</surname>
13541 <firstname>P.</firstname>
13544 <firstname>S.</firstname>
13545 <surname>Thomson</surname>
13548 <firstname>Y.</firstname>
13549 <surname>Rekhter</surname>
13552 <firstname>J.</firstname>
13553 <surname>Bound</surname>
13556 <title>Dynamic Updates in the Domain Name System</title>
13557 <pubdate>April 1997</pubdate>
13560 <abbrev>RFC2671</abbrev>
13563 <firstname>P.</firstname>
13564 <surname>Vixie</surname>
13567 <title>Extension Mechanisms for DNS (EDNS0)</title>
13568 <pubdate>August 1997</pubdate>
13571 <abbrev>RFC2672</abbrev>
13574 <firstname>M.</firstname>
13575 <surname>Crawford</surname>
13578 <title>Non-Terminal DNS Name Redirection</title>
13579 <pubdate>August 1999</pubdate>
13582 <abbrev>RFC2845</abbrev>
13585 <surname>Vixie</surname>
13586 <firstname>P.</firstname>
13589 <firstname>O.</firstname>
13590 <surname>Gudmundsson</surname>
13593 <firstname>D.</firstname>
13594 <surname>Eastlake</surname>
13595 <lineage>3rd</lineage>
13598 <firstname>B.</firstname>
13599 <surname>Wellington</surname>
13602 <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
13603 <pubdate>May 2000</pubdate>
13606 <abbrev>RFC2930</abbrev>
13609 <firstname>D.</firstname>
13610 <surname>Eastlake</surname>
13611 <lineage>3rd</lineage>
13614 <title>Secret Key Establishment for DNS (TKEY RR)</title>
13615 <pubdate>September 2000</pubdate>
13618 <abbrev>RFC2931</abbrev>
13621 <firstname>D.</firstname>
13622 <surname>Eastlake</surname>
13623 <lineage>3rd</lineage>
13626 <title>DNS Request and Transaction Signatures (SIG(0)s)</title>
13627 <pubdate>September 2000</pubdate>
13630 <abbrev>RFC3007</abbrev>
13633 <firstname>B.</firstname>
13634 <surname>Wellington</surname>
13637 <title>Secure Domain Name System (DNS) Dynamic Update</title>
13638 <pubdate>November 2000</pubdate>
13641 <abbrev>RFC3645</abbrev>
13644 <firstname>S.</firstname>
13645 <surname>Kwan</surname>
13648 <firstname>P.</firstname>
13649 <surname>Garg</surname>
13652 <firstname>J.</firstname>
13653 <surname>Gilroy</surname>
13656 <firstname>L.</firstname>
13657 <surname>Esibov</surname>
13660 <firstname>J.</firstname>
13661 <surname>Westhead</surname>
13664 <firstname>R.</firstname>
13665 <surname>Hall</surname>
13668 <title>Generic Security Service Algorithm for Secret
13669 Key Transaction Authentication for DNS
13671 <pubdate>October 2003</pubdate>
13675 <title><acronym>DNS</acronym> Security Proposed Standards</title>
13677 <abbrev>RFC3225</abbrev>
13680 <firstname>D.</firstname>
13681 <surname>Conrad</surname>
13684 <title>Indicating Resolver Support of DNSSEC</title>
13685 <pubdate>December 2001</pubdate>
13688 <abbrev>RFC3833</abbrev>
13691 <firstname>D.</firstname>
13692 <surname>Atkins</surname>
13695 <firstname>R.</firstname>
13696 <surname>Austein</surname>
13699 <title>Threat Analysis of the Domain Name System (DNS)</title>
13700 <pubdate>August 2004</pubdate>
13703 <abbrev>RFC4033</abbrev>
13706 <firstname>R.</firstname>
13707 <surname>Arends</surname>
13710 <firstname>R.</firstname>
13711 <surname>Austein</surname>
13714 <firstname>M.</firstname>
13715 <surname>Larson</surname>
13718 <firstname>D.</firstname>
13719 <surname>Massey</surname>
13722 <firstname>S.</firstname>
13723 <surname>Rose</surname>
13726 <title>DNS Security Introduction and Requirements</title>
13727 <pubdate>March 2005</pubdate>
13730 <abbrev>RFC4034</abbrev>
13733 <firstname>R.</firstname>
13734 <surname>Arends</surname>
13737 <firstname>R.</firstname>
13738 <surname>Austein</surname>
13741 <firstname>M.</firstname>
13742 <surname>Larson</surname>
13745 <firstname>D.</firstname>
13746 <surname>Massey</surname>
13749 <firstname>S.</firstname>
13750 <surname>Rose</surname>
13753 <title>Resource Records for the DNS Security Extensions</title>
13754 <pubdate>March 2005</pubdate>
13757 <abbrev>RFC4035</abbrev>
13760 <firstname>R.</firstname>
13761 <surname>Arends</surname>
13764 <firstname>R.</firstname>
13765 <surname>Austein</surname>
13768 <firstname>M.</firstname>
13769 <surname>Larson</surname>
13772 <firstname>D.</firstname>
13773 <surname>Massey</surname>
13776 <firstname>S.</firstname>
13777 <surname>Rose</surname>
13780 <title>Protocol Modifications for the DNS
13781 Security Extensions</title>
13782 <pubdate>March 2005</pubdate>
13786 <title>Other Important RFCs About <acronym>DNS</acronym>
13787 Implementation</title>
13789 <abbrev>RFC1535</abbrev>
13791 <surname>Gavron</surname>
13792 <firstname>E.</firstname>
13794 <title>A Security Problem and Proposed Correction With Widely
13795 Deployed <acronym>DNS</acronym> Software.</title>
13796 <pubdate>October 1993</pubdate>
13799 <abbrev>RFC1536</abbrev>
13802 <surname>Kumar</surname>
13803 <firstname>A.</firstname>
13806 <firstname>J.</firstname>
13807 <surname>Postel</surname>
13810 <firstname>C.</firstname>
13811 <surname>Neuman</surname>
13814 <firstname>P.</firstname>
13815 <surname>Danzig</surname>
13818 <firstname>S.</firstname>
13819 <surname>Miller</surname>
13822 <title>Common <acronym>DNS</acronym> Implementation
13823 Errors and Suggested Fixes</title>
13824 <pubdate>October 1993</pubdate>
13827 <abbrev>RFC1982</abbrev>
13830 <surname>Elz</surname>
13831 <firstname>R.</firstname>
13834 <firstname>R.</firstname>
13835 <surname>Bush</surname>
13838 <title>Serial Number Arithmetic</title>
13839 <pubdate>August 1996</pubdate>
13842 <abbrev>RFC4074</abbrev>
13845 <surname>Morishita</surname>
13846 <firstname>Y.</firstname>
13849 <firstname>T.</firstname>
13850 <surname>Jinmei</surname>
13853 <title>Common Misbehaviour Against <acronym>DNS</acronym>
13854 Queries for IPv6 Addresses</title>
13855 <pubdate>May 2005</pubdate>
13859 <title>Resource Record Types</title>
13861 <abbrev>RFC1183</abbrev>
13864 <surname>Everhart</surname>
13865 <firstname>C.F.</firstname>
13868 <firstname>L. A.</firstname>
13869 <surname>Mamakos</surname>
13872 <firstname>R.</firstname>
13873 <surname>Ullmann</surname>
13876 <firstname>P.</firstname>
13877 <surname>Mockapetris</surname>
13880 <title>New <acronym>DNS</acronym> RR Definitions</title>
13881 <pubdate>October 1990</pubdate>
13884 <abbrev>RFC1706</abbrev>
13887 <surname>Manning</surname>
13888 <firstname>B.</firstname>
13891 <firstname>R.</firstname>
13892 <surname>Colella</surname>
13895 <title><acronym>DNS</acronym> NSAP Resource Records</title>
13896 <pubdate>October 1994</pubdate>
13899 <abbrev>RFC2168</abbrev>
13902 <surname>Daniel</surname>
13903 <firstname>R.</firstname>
13906 <firstname>M.</firstname>
13907 <surname>Mealling</surname>
13910 <title>Resolution of Uniform Resource Identifiers using
13911 the Domain Name System</title>
13912 <pubdate>June 1997</pubdate>
13915 <abbrev>RFC1876</abbrev>
13918 <surname>Davis</surname>
13919 <firstname>C.</firstname>
13922 <firstname>P.</firstname>
13923 <surname>Vixie</surname>
13926 <firstname>T.</firstname>
13927 <firstname>Goodwin</firstname>
13930 <firstname>I.</firstname>
13931 <surname>Dickinson</surname>
13934 <title>A Means for Expressing Location Information in the
13936 Name System</title>
13937 <pubdate>January 1996</pubdate>
13940 <abbrev>RFC2052</abbrev>
13943 <surname>Gulbrandsen</surname>
13944 <firstname>A.</firstname>
13947 <firstname>P.</firstname>
13948 <surname>Vixie</surname>
13951 <title>A <acronym>DNS</acronym> RR for Specifying the
13954 <pubdate>October 1996</pubdate>
13957 <abbrev>RFC2163</abbrev>
13959 <surname>Allocchio</surname>
13960 <firstname>A.</firstname>
13962 <title>Using the Internet <acronym>DNS</acronym> to
13964 Conformant Global Address Mapping</title>
13965 <pubdate>January 1998</pubdate>
13968 <abbrev>RFC2230</abbrev>
13970 <surname>Atkinson</surname>
13971 <firstname>R.</firstname>
13973 <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
13974 <pubdate>October 1997</pubdate>
13977 <abbrev>RFC2536</abbrev>
13979 <surname>Eastlake</surname>
13980 <firstname>D.</firstname>
13981 <lineage>3rd</lineage>
13983 <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
13984 <pubdate>March 1999</pubdate>
13987 <abbrev>RFC2537</abbrev>
13989 <surname>Eastlake</surname>
13990 <firstname>D.</firstname>
13991 <lineage>3rd</lineage>
13993 <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
13994 <pubdate>March 1999</pubdate>
13997 <abbrev>RFC2538</abbrev>
14000 <surname>Eastlake</surname>
14001 <firstname>D.</firstname>
14002 <lineage>3rd</lineage>
14005 <surname>Gudmundsson</surname>
14006 <firstname>O.</firstname>
14009 <title>Storing Certificates in the Domain Name System (DNS)</title>
14010 <pubdate>March 1999</pubdate>
14013 <abbrev>RFC2539</abbrev>
14016 <surname>Eastlake</surname>
14017 <firstname>D.</firstname>
14018 <lineage>3rd</lineage>
14021 <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
14022 <pubdate>March 1999</pubdate>
14025 <abbrev>RFC2540</abbrev>
14028 <surname>Eastlake</surname>
14029 <firstname>D.</firstname>
14030 <lineage>3rd</lineage>
14033 <title>Detached Domain Name System (DNS) Information</title>
14034 <pubdate>March 1999</pubdate>
14037 <abbrev>RFC2782</abbrev>
14039 <surname>Gulbrandsen</surname>
14040 <firstname>A.</firstname>
14043 <surname>Vixie</surname>
14044 <firstname>P.</firstname>
14047 <surname>Esibov</surname>
14048 <firstname>L.</firstname>
14050 <title>A DNS RR for specifying the location of services (DNS SRV)</title>
14051 <pubdate>February 2000</pubdate>
14054 <abbrev>RFC2915</abbrev>
14056 <surname>Mealling</surname>
14057 <firstname>M.</firstname>
14060 <surname>Daniel</surname>
14061 <firstname>R.</firstname>
14063 <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
14064 <pubdate>September 2000</pubdate>
14067 <abbrev>RFC3110</abbrev>
14069 <surname>Eastlake</surname>
14070 <firstname>D.</firstname>
14071 <lineage>3rd</lineage>
14073 <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
14074 <pubdate>May 2001</pubdate>
14077 <abbrev>RFC3123</abbrev>
14079 <surname>Koch</surname>
14080 <firstname>P.</firstname>
14082 <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
14083 <pubdate>June 2001</pubdate>
14086 <abbrev>RFC3596</abbrev>
14089 <surname>Thomson</surname>
14090 <firstname>S.</firstname>
14093 <firstname>C.</firstname>
14094 <surname>Huitema</surname>
14097 <firstname>V.</firstname>
14098 <surname>Ksinant</surname>
14101 <firstname>M.</firstname>
14102 <surname>Souissi</surname>
14105 <title><acronym>DNS</acronym> Extensions to support IP
14107 <pubdate>October 2003</pubdate>
14110 <abbrev>RFC3597</abbrev>
14112 <surname>Gustafsson</surname>
14113 <firstname>A.</firstname>
14115 <title>Handling of Unknown DNS Resource Record (RR) Types</title>
14116 <pubdate>September 2003</pubdate>
14120 <title><acronym>DNS</acronym> and the Internet</title>
14122 <abbrev>RFC1101</abbrev>
14124 <surname>Mockapetris</surname>
14125 <firstname>P. V.</firstname>
14127 <title><acronym>DNS</acronym> Encoding of Network Names
14128 and Other Types</title>
14129 <pubdate>April 1989</pubdate>
14132 <abbrev>RFC1123</abbrev>
14134 <surname>Braden</surname>
14135 <surname>R.</surname>
14137 <title>Requirements for Internet Hosts - Application and
14139 <pubdate>October 1989</pubdate>
14142 <abbrev>RFC1591</abbrev>
14144 <surname>Postel</surname>
14145 <firstname>J.</firstname>
14147 <title>Domain Name System Structure and Delegation</title>
14148 <pubdate>March 1994</pubdate>
14151 <abbrev>RFC2317</abbrev>
14154 <surname>Eidnes</surname>
14155 <firstname>H.</firstname>
14158 <firstname>G.</firstname>
14159 <surname>de Groot</surname>
14162 <firstname>P.</firstname>
14163 <surname>Vixie</surname>
14166 <title>Classless IN-ADDR.ARPA Delegation</title>
14167 <pubdate>March 1998</pubdate>
14170 <abbrev>RFC2826</abbrev>
14173 <surname>Internet Architecture Board</surname>
14176 <title>IAB Technical Comment on the Unique DNS Root</title>
14177 <pubdate>May 2000</pubdate>
14180 <abbrev>RFC2929</abbrev>
14183 <surname>Eastlake</surname>
14184 <firstname>D.</firstname>
14185 <lineage>3rd</lineage>
14188 <surname>Brunner-Williams</surname>
14189 <firstname>E.</firstname>
14192 <surname>Manning</surname>
14193 <firstname>B.</firstname>
14196 <title>Domain Name System (DNS) IANA Considerations</title>
14197 <pubdate>September 2000</pubdate>
14201 <title><acronym>DNS</acronym> Operations</title>
14203 <abbrev>RFC1033</abbrev>
14205 <surname>Lottor</surname>
14206 <firstname>M.</firstname>
14208 <title>Domain administrators operations guide.</title>
14209 <pubdate>November 1987</pubdate>
14212 <abbrev>RFC1537</abbrev>
14214 <surname>Beertema</surname>
14215 <firstname>P.</firstname>
14217 <title>Common <acronym>DNS</acronym> Data File
14218 Configuration Errors</title>
14219 <pubdate>October 1993</pubdate>
14222 <abbrev>RFC1912</abbrev>
14224 <surname>Barr</surname>
14225 <firstname>D.</firstname>
14227 <title>Common <acronym>DNS</acronym> Operational and
14228 Configuration Errors</title>
14229 <pubdate>February 1996</pubdate>
14232 <abbrev>RFC2010</abbrev>
14235 <surname>Manning</surname>
14236 <firstname>B.</firstname>
14239 <firstname>P.</firstname>
14240 <surname>Vixie</surname>
14243 <title>Operational Criteria for Root Name Servers.</title>
14244 <pubdate>October 1996</pubdate>
14247 <abbrev>RFC2219</abbrev>
14250 <surname>Hamilton</surname>
14251 <firstname>M.</firstname>
14254 <firstname>R.</firstname>
14255 <surname>Wright</surname>
14258 <title>Use of <acronym>DNS</acronym> Aliases for
14259 Network Services.</title>
14260 <pubdate>October 1997</pubdate>
14264 <title>Internationalized Domain Names</title>
14266 <abbrev>RFC2825</abbrev>
14269 <surname>IAB</surname>
14272 <surname>Daigle</surname>
14273 <firstname>R.</firstname>
14276 <title>A Tangled Web: Issues of I18N, Domain Names,
14277 and the Other Internet protocols</title>
14278 <pubdate>May 2000</pubdate>
14281 <abbrev>RFC3490</abbrev>
14284 <surname>Faltstrom</surname>
14285 <firstname>P.</firstname>
14288 <surname>Hoffman</surname>
14289 <firstname>P.</firstname>
14292 <surname>Costello</surname>
14293 <firstname>A.</firstname>
14296 <title>Internationalizing Domain Names in Applications (IDNA)</title>
14297 <pubdate>March 2003</pubdate>
14300 <abbrev>RFC3491</abbrev>
14303 <surname>Hoffman</surname>
14304 <firstname>P.</firstname>
14307 <surname>Blanchet</surname>
14308 <firstname>M.</firstname>
14311 <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
14312 <pubdate>March 2003</pubdate>
14315 <abbrev>RFC3492</abbrev>
14318 <surname>Costello</surname>
14319 <firstname>A.</firstname>
14322 <title>Punycode: A Bootstring encoding of Unicode
14323 for Internationalized Domain Names in
14324 Applications (IDNA)</title>
14325 <pubdate>March 2003</pubdate>
14329 <title>Other <acronym>DNS</acronym>-related RFCs</title>
14332 Note: the following list of RFCs, although
14333 <acronym>DNS</acronym>-related, are not
14334 concerned with implementing software.
14338 <abbrev>RFC1464</abbrev>
14340 <surname>Rosenbaum</surname>
14341 <firstname>R.</firstname>
14343 <title>Using the Domain Name System To Store Arbitrary String
14345 <pubdate>May 1993</pubdate>
14348 <abbrev>RFC1713</abbrev>
14350 <surname>Romao</surname>
14351 <firstname>A.</firstname>
14353 <title>Tools for <acronym>DNS</acronym> Debugging</title>
14354 <pubdate>November 1994</pubdate>
14357 <abbrev>RFC1794</abbrev>
14359 <surname>Brisco</surname>
14360 <firstname>T.</firstname>
14362 <title><acronym>DNS</acronym> Support for Load
14364 <pubdate>April 1995</pubdate>
14367 <abbrev>RFC2240</abbrev>
14369 <surname>Vaughan</surname>
14370 <firstname>O.</firstname>
14372 <title>A Legal Basis for Domain Name Allocation</title>
14373 <pubdate>November 1997</pubdate>
14376 <abbrev>RFC2345</abbrev>
14379 <surname>Klensin</surname>
14380 <firstname>J.</firstname>
14383 <firstname>T.</firstname>
14384 <surname>Wolf</surname>
14387 <firstname>G.</firstname>
14388 <surname>Oglesby</surname>
14391 <title>Domain Names and Company Name Retrieval</title>
14392 <pubdate>May 1998</pubdate>
14395 <abbrev>RFC2352</abbrev>
14397 <surname>Vaughan</surname>
14398 <firstname>O.</firstname>
14400 <title>A Convention For Using Legal Names as Domain Names</title>
14401 <pubdate>May 1998</pubdate>
14404 <abbrev>RFC3071</abbrev>
14407 <surname>Klensin</surname>
14408 <firstname>J.</firstname>
14411 <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
14412 <pubdate>February 2001</pubdate>
14415 <abbrev>RFC3258</abbrev>
14418 <surname>Hardie</surname>
14419 <firstname>T.</firstname>
14422 <title>Distributing Authoritative Name Servers via
14423 Shared Unicast Addresses</title>
14424 <pubdate>April 2002</pubdate>
14427 <abbrev>RFC3901</abbrev>
14430 <surname>Durand</surname>
14431 <firstname>A.</firstname>
14434 <firstname>J.</firstname>
14435 <surname>Ihren</surname>
14438 <title>DNS IPv6 Transport Operational Guidelines</title>
14439 <pubdate>September 2004</pubdate>
14443 <title>Obsolete and Unimplemented Experimental RFC</title>
14445 <abbrev>RFC1712</abbrev>
14448 <surname>Farrell</surname>
14449 <firstname>C.</firstname>
14452 <firstname>M.</firstname>
14453 <surname>Schulze</surname>
14456 <firstname>S.</firstname>
14457 <surname>Pleitner</surname>
14460 <firstname>D.</firstname>
14461 <surname>Baldoni</surname>
14464 <title><acronym>DNS</acronym> Encoding of Geographical
14466 <pubdate>November 1994</pubdate>
14469 <abbrev>RFC2673</abbrev>
14472 <surname>Crawford</surname>
14473 <firstname>M.</firstname>
14476 <title>Binary Labels in the Domain Name System</title>
14477 <pubdate>August 1999</pubdate>
14480 <abbrev>RFC2874</abbrev>
14483 <surname>Crawford</surname>
14484 <firstname>M.</firstname>
14487 <surname>Huitema</surname>
14488 <firstname>C.</firstname>
14491 <title>DNS Extensions to Support IPv6 Address Aggregation
14492 and Renumbering</title>
14493 <pubdate>July 2000</pubdate>
14497 <title>Obsoleted DNS Security RFCs</title>
14500 Most of these have been consolidated into RFC4033,
14501 RFC4034 and RFC4035 which collectively describe DNSSECbis.
14505 <abbrev>RFC2065</abbrev>
14508 <surname>Eastlake</surname>
14509 <lineage>3rd</lineage>
14510 <firstname>D.</firstname>
14513 <firstname>C.</firstname>
14514 <surname>Kaufman</surname>
14517 <title>Domain Name System Security Extensions</title>
14518 <pubdate>January 1997</pubdate>
14521 <abbrev>RFC2137</abbrev>
14523 <surname>Eastlake</surname>
14524 <lineage>3rd</lineage>
14525 <firstname>D.</firstname>
14527 <title>Secure Domain Name System Dynamic Update</title>
14528 <pubdate>April 1997</pubdate>
14531 <abbrev>RFC2535</abbrev>
14534 <surname>Eastlake</surname>
14535 <lineage>3rd</lineage>
14536 <firstname>D.</firstname>
14539 <title>Domain Name System Security Extensions</title>
14540 <pubdate>March 1999</pubdate>
14543 <abbrev>RFC3008</abbrev>
14546 <surname>Wellington</surname>
14547 <firstname>B.</firstname>
14550 <title>Domain Name System Security (DNSSEC)
14551 Signing Authority</title>
14552 <pubdate>November 2000</pubdate>
14555 <abbrev>RFC3090</abbrev>
14558 <surname>Lewis</surname>
14559 <firstname>E.</firstname>
14562 <title>DNS Security Extension Clarification on Zone Status</title>
14563 <pubdate>March 2001</pubdate>
14566 <abbrev>RFC3445</abbrev>
14569 <surname>Massey</surname>
14570 <firstname>D.</firstname>
14573 <surname>Rose</surname>
14574 <firstname>S.</firstname>
14577 <title>Limiting the Scope of the KEY Resource Record (RR)</title>
14578 <pubdate>December 2002</pubdate>
14581 <abbrev>RFC3655</abbrev>
14584 <surname>Wellington</surname>
14585 <firstname>B.</firstname>
14588 <surname>Gudmundsson</surname>
14589 <firstname>O.</firstname>
14592 <title>Redefinition of DNS Authenticated Data (AD) bit</title>
14593 <pubdate>November 2003</pubdate>
14596 <abbrev>RFC3658</abbrev>
14599 <surname>Gudmundsson</surname>
14600 <firstname>O.</firstname>
14603 <title>Delegation Signer (DS) Resource Record (RR)</title>
14604 <pubdate>December 2003</pubdate>
14607 <abbrev>RFC3755</abbrev>
14610 <surname>Weiler</surname>
14611 <firstname>S.</firstname>
14614 <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
14615 <pubdate>May 2004</pubdate>
14618 <abbrev>RFC3757</abbrev>
14621 <surname>Kolkman</surname>
14622 <firstname>O.</firstname>
14625 <surname>Schlyter</surname>
14626 <firstname>J.</firstname>
14629 <surname>Lewis</surname>
14630 <firstname>E.</firstname>
14633 <title>Domain Name System KEY (DNSKEY) Resource Record
14634 (RR) Secure Entry Point (SEP) Flag</title>
14635 <pubdate>April 2004</pubdate>
14638 <abbrev>RFC3845</abbrev>
14641 <surname>Schlyter</surname>
14642 <firstname>J.</firstname>
14645 <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
14646 <pubdate>August 2004</pubdate>
14651 <sect2 id="internet_drafts">
14652 <title>Internet Drafts</title>
14654 Internet Drafts (IDs) are rough-draft working documents of
14655 the Internet Engineering Task Force. They are, in essence, RFCs
14656 in the preliminary stages of development. Implementors are
14658 to regard IDs as archival, and they should not be quoted or cited
14659 in any formal documents unless accompanied by the disclaimer that
14660 they are "works in progress." IDs have a lifespan of six months
14661 after which they are deleted unless updated by their authors.
14665 <title>Other Documents About <acronym>BIND</acronym></title>
14671 <surname>Albitz</surname>
14672 <firstname>Paul</firstname>
14675 <firstname>Cricket</firstname>
14676 <surname>Liu</surname>
14679 <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
14682 <holder>Sebastopol, CA: O'Reilly and Associates</holder>
14690 <reference id="Bv9ARM.ch10">
14691 <title>Manual pages</title>
14692 <xi:include href="../../bin/dig/dig.docbook"/>
14693 <xi:include href="../../bin/dig/host.docbook"/>
14694 <xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>
14695 <xi:include href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/>
14696 <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
14697 <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
14698 <xi:include href="../../bin/check/named-checkconf.docbook"/>
14699 <xi:include href="../../bin/check/named-checkzone.docbook"/>
14700 <xi:include href="../../bin/named/named.docbook"/>
14701 <!-- named.conf.docbook and others? -->
14702 <xi:include href="../../bin/nsupdate/nsupdate.docbook"/>
14703 <xi:include href="../../bin/rndc/rndc.docbook"/>
14704 <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
14705 <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>