1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
6 - Copyright (C) 2000-2003 Internet Software Consortium.
8 - Permission to use, copy, modify, and/or distribute this software for any
9 - purpose with or without fee is hereby granted, provided that the above
10 - copyright notice and this permission notice appear in all copies.
12 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
13 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
14 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
15 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
16 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
17 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
18 - PERFORMANCE OF THIS SOFTWARE.
21 <!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.24.2.1 2010/02/25 05:39:32 marka Exp $ -->
22 <book xmlns:xi="http://www.w3.org/2001/XInclude">
23 <title>BIND 9 Administrator Reference Manual</title>
34 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
41 <holder>Internet Software Consortium.</holder>
45 <chapter id="Bv9ARM.ch01">
46 <title>Introduction</title>
48 The Internet Domain Name System (<acronym>DNS</acronym>)
49 consists of the syntax
50 to specify the names of entities in the Internet in a hierarchical
51 manner, the rules used for delegating authority over names, and the
52 system implementation that actually maps names to Internet
53 addresses. <acronym>DNS</acronym> data is maintained in a
55 hierarchical databases.
59 <title>Scope of Document</title>
62 The Berkeley Internet Name Domain
63 (<acronym>BIND</acronym>) implements a
64 domain name server for a number of operating systems. This
65 document provides basic information about the installation and
66 care of the Internet Systems Consortium (<acronym>ISC</acronym>)
67 <acronym>BIND</acronym> version 9 software package for
68 system administrators.
72 This version of the manual corresponds to BIND version 9.6.
77 <title>Organization of This Document</title>
79 In this document, <emphasis>Chapter 1</emphasis> introduces
80 the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Chapter 2</emphasis>
81 describes resource requirements for running <acronym>BIND</acronym> in various
82 environments. Information in <emphasis>Chapter 3</emphasis> is
83 <emphasis>task-oriented</emphasis> in its presentation and is
84 organized functionally, to aid in the process of installing the
85 <acronym>BIND</acronym> 9 software. The task-oriented
86 section is followed by
87 <emphasis>Chapter 4</emphasis>, which contains more advanced
88 concepts that the system administrator may need for implementing
89 certain options. <emphasis>Chapter 5</emphasis>
90 describes the <acronym>BIND</acronym> 9 lightweight
91 resolver. The contents of <emphasis>Chapter 6</emphasis> are
92 organized as in a reference manual to aid in the ongoing
93 maintenance of the software. <emphasis>Chapter 7</emphasis> addresses
94 security considerations, and
95 <emphasis>Chapter 8</emphasis> contains troubleshooting help. The
96 main body of the document is followed by several
97 <emphasis>appendices</emphasis> which contain useful reference
98 information, such as a <emphasis>bibliography</emphasis> and
99 historic information related to <acronym>BIND</acronym>
105 <title>Conventions Used in This Document</title>
108 In this document, we use the following general typographic
114 <colspec colname="1" colnum="1" colwidth="3.000in"/>
115 <colspec colname="2" colnum="2" colwidth="2.625in"/>
120 <emphasis>To describe:</emphasis>
125 <emphasis>We use the style:</emphasis>
132 a pathname, filename, URL, hostname,
133 mailing list name, or new term or concept
138 <filename>Fixed width</filename>
151 <userinput>Fixed Width Bold</userinput>
163 <computeroutput>Fixed Width</computeroutput>
172 The following conventions are used in descriptions of the
173 <acronym>BIND</acronym> configuration file:<informaltable colsep="0" frame="all" rowsep="0">
174 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
175 <colspec colname="1" colnum="1" colsep="0" colwidth="3.000in"/>
176 <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
179 <entry colname="1" colsep="1" rowsep="1">
181 <emphasis>To describe:</emphasis>
184 <entry colname="2" rowsep="1">
186 <emphasis>We use the style:</emphasis>
191 <entry colname="1" colsep="1" rowsep="1">
196 <entry colname="2" rowsep="1">
198 <literal>Fixed Width</literal>
203 <entry colname="1" colsep="1" rowsep="1">
208 <entry colname="2" rowsep="1">
210 <varname>Fixed Width</varname>
215 <entry colname="1" colsep="1">
222 <optional>Text is enclosed in square brackets</optional>
232 <title>The Domain Name System (<acronym>DNS</acronym>)</title>
234 The purpose of this document is to explain the installation
235 and upkeep of the <acronym>BIND</acronym> (Berkeley Internet
236 Name Domain) software package, and we
237 begin by reviewing the fundamentals of the Domain Name System
238 (<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
242 <title>DNS Fundamentals</title>
245 The Domain Name System (DNS) is a hierarchical, distributed
246 database. It stores information for mapping Internet host names to
248 addresses and vice versa, mail routing information, and other data
249 used by Internet applications.
253 Clients look up information in the DNS by calling a
254 <emphasis>resolver</emphasis> library, which sends queries to one or
255 more <emphasis>name servers</emphasis> and interprets the responses.
256 The <acronym>BIND</acronym> 9 software distribution
258 name server, <command>named</command>, and a resolver
259 library, <command>liblwres</command>. The older
260 <command>libbind</command> resolver library is also available
261 from ISC as a separate download.
265 <title>Domains and Domain Names</title>
268 The data stored in the DNS is identified by <emphasis>domain names</emphasis> that are organized as a tree according to
269 organizational or administrative boundaries. Each node of the tree,
270 called a <emphasis>domain</emphasis>, is given a label. The domain
272 node is the concatenation of all the labels on the path from the
273 node to the <emphasis>root</emphasis> node. This is represented
274 in written form as a string of labels listed from right to left and
275 separated by dots. A label need only be unique within its parent
280 For example, a domain name for a host at the
281 company <emphasis>Example, Inc.</emphasis> could be
282 <literal>ourhost.example.com</literal>,
283 where <literal>com</literal> is the
284 top level domain to which
285 <literal>ourhost.example.com</literal> belongs,
286 <literal>example</literal> is
287 a subdomain of <literal>com</literal>, and
288 <literal>ourhost</literal> is the
293 For administrative purposes, the name space is partitioned into
294 areas called <emphasis>zones</emphasis>, each starting at a node and
295 extending down to the leaf nodes or to nodes where other zones
297 The data for each zone is stored in a <emphasis>name server</emphasis>, which answers queries about the zone using the
298 <emphasis>DNS protocol</emphasis>.
302 The data associated with each domain name is stored in the
303 form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
304 Some of the supported resource record types are described in
305 <xref linkend="types_of_resource_records_and_when_to_use_them"/>.
309 For more detailed information about the design of the DNS and
310 the DNS protocol, please refer to the standards documents listed in
311 <xref linkend="rfcs"/>.
318 To properly operate a name server, it is important to understand
319 the difference between a <emphasis>zone</emphasis>
320 and a <emphasis>domain</emphasis>.
324 As stated previously, a zone is a point of delegation in
325 the <acronym>DNS</acronym> tree. A zone consists of
326 those contiguous parts of the domain
327 tree for which a name server has complete information and over which
328 it has authority. It contains all domain names from a certain point
329 downward in the domain tree except those which are delegated to
330 other zones. A delegation point is marked by one or more
331 <emphasis>NS records</emphasis> in the
332 parent zone, which should be matched by equivalent NS records at
333 the root of the delegated zone.
337 For instance, consider the <literal>example.com</literal>
338 domain which includes names
339 such as <literal>host.aaa.example.com</literal> and
340 <literal>host.bbb.example.com</literal> even though
341 the <literal>example.com</literal> zone includes
342 only delegations for the <literal>aaa.example.com</literal> and
343 <literal>bbb.example.com</literal> zones. A zone can
345 exactly to a single domain, but could also include only part of a
346 domain, the rest of which could be delegated to other
347 name servers. Every name in the <acronym>DNS</acronym>
349 <emphasis>domain</emphasis>, even if it is
350 <emphasis>terminal</emphasis>, that is, has no
351 <emphasis>subdomains</emphasis>. Every subdomain is a domain and
352 every domain except the root is also a subdomain. The terminology is
353 not intuitive and we suggest that you read RFCs 1033, 1034 and 1035
355 gain a complete understanding of this difficult and subtle
360 Though <acronym>BIND</acronym> is called a "domain name
362 it deals primarily in terms of zones. The master and slave
363 declarations in the <filename>named.conf</filename> file
365 zones, not domains. When you ask some other site if it is willing to
366 be a slave server for your <emphasis>domain</emphasis>, you are
367 actually asking for slave service for some collection of zones.
372 <title>Authoritative Name Servers</title>
375 Each zone is served by at least
376 one <emphasis>authoritative name server</emphasis>,
377 which contains the complete data for the zone.
378 To make the DNS tolerant of server and network failures,
379 most zones have two or more authoritative servers, on
384 Responses from authoritative servers have the "authoritative
385 answer" (AA) bit set in the response packets. This makes them
386 easy to identify when debugging DNS configurations using tools like
387 <command>dig</command> (<xref linkend="diagnostic_tools"/>).
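The AA bit lives in the flags word of the 12-byte DNS message header. As an added example (not code from BIND or the ARM), the following decodes that header and renders the flags the way dig's flags line lists them; the two messages are constructed for illustration.

```python
import struct
from typing import Dict

# Added example, not code from BIND: decode the 12-byte DNS message header
# and report the AA bit, which dig shows as 'aa' on its ';; flags:' line.
# The two messages below are constructed for illustration.


def build_header(msg_id: int, qr: int, aa: int, rd: int, ra: int,
                 rcode: int = 0, qdcount: int = 1, ancount: int = 0) -> bytes:
    """Pack a header in the RFC 1035 layout: QR bit 15, opcode bits 14-11,
    AA bit 10, TC bit 9, RD bit 8, RA bit 7, Z bits 6-4, RCODE bits 3-0."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0)


# Reply from an authoritative server: QR and AA set, nothing else.
AUTHORITATIVE = build_header(0x1A2B, qr=1, aa=1, rd=0, ra=0, ancount=1)
# Reply from a recursive (caching) server: RD echoed and RA set, AA clear.
CACHED = build_header(0x1A2C, qr=1, aa=0, rd=1, ra=1, ancount=1)


def parse_header(msg: bytes) -> Dict[str, int]:
    """Split the header into its fields; refuses anything shorter than 12 bytes."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: the header is 12 bytes")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dig_flags(header: Dict[str, int]) -> str:
    """The flag names in the order dig prints them on its ';; flags:' line."""
    return " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if header[f])


def classify(msg: bytes) -> str:
    """Label a message by what its header flags say about its origin."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["tc"]:
        return "truncated reply (retry over TCP)"
    return "authoritative answer" if h["aa"] else "non-authoritative answer (cache or forwarder)"


if __name__ == "__main__":
    for label, msg in (("authoritative", AUTHORITATIVE), ("cached", CACHED)):
        print(f"{label:14} flags: {dig_flags(parse_header(msg))!r:14} -> {classify(msg)}")
```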
391 <title>The Primary Master</title>
394 The authoritative server where the master copy of the zone
395 data is maintained is called the
396 <emphasis>primary master</emphasis> server, or simply the
397 <emphasis>primary</emphasis>. Typically it loads the zone
398 contents from some local file edited by humans or perhaps
399 generated mechanically from some other local file which is
400 edited by humans. This file is called the
401 <emphasis>zone file</emphasis> or
402 <emphasis>master file</emphasis>.
406 In some cases, however, the master file may not be edited
407 by humans at all, but may instead be the result of
408 <emphasis>dynamic update</emphasis> operations.
413 <title>Slave Servers</title>
415 The other authoritative servers, the <emphasis>slave</emphasis>
416 servers (also known as <emphasis>secondary</emphasis> servers)
418 the zone contents from another server using a replication process
419 known as a <emphasis>zone transfer</emphasis>. Typically the data
421 transferred directly from the primary master, but it is also
423 to transfer it from another slave. In other words, a slave server
424 may itself act as a master to a subordinate slave server.
429 <title>Stealth Servers</title>
432 Usually all of the zone's authoritative servers are listed in
433 NS records in the parent zone. These NS records constitute
434 a <emphasis>delegation</emphasis> of the zone from the parent.
435 The authoritative servers are also listed in the zone file itself,
436 at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
437 of the zone. You can list servers in the zone's top-level NS
438 records that are not in the parent's NS delegation, but you cannot
439 list servers in the parent's delegation that are not present at
440 the zone's top level.
444 A <emphasis>stealth server</emphasis> is a server that is
445 authoritative for a zone but is not listed in that zone's NS
446 records. Stealth servers can be used for keeping a local copy of
448 zone to speed up access to the zone's records or to make sure that
450 zone is available even if all the "official" servers for the zone
456 A configuration where the primary master server itself is a
457 stealth server is often referred to as a "hidden primary"
458 configuration. One use for this configuration is when the primary
460 is behind a firewall and therefore unable to communicate directly
461 with the outside world.
469 <title>Caching Name Servers</title>
472 - Terminology here is inconsistent. Probably ought to
473 - convert to using "recursive name server" everywhere
474 - with just a note about "caching" terminology.
478 The resolver libraries provided by most operating systems are
479 <emphasis>stub resolvers</emphasis>, meaning that they are not
481 performing the full DNS resolution process by themselves by talking
482 directly to the authoritative servers. Instead, they rely on a
484 name server to perform the resolution on their behalf. Such a
486 is called a <emphasis>recursive</emphasis> name server; it performs
487 <emphasis>recursive lookups</emphasis> for local clients.
491 To improve performance, recursive servers cache the results of
492 the lookups they perform. Since the processes of recursion and
493 caching are intimately connected, the terms
494 <emphasis>recursive server</emphasis> and
495 <emphasis>caching server</emphasis> are often used synonymously.
499 The length of time for which a record may be retained in
500 the cache of a caching name server is controlled by the
501 Time To Live (TTL) field associated with each resource record.
505 <title>Forwarding</title>
508 Even a caching name server does not necessarily perform
509 the complete recursive lookup itself. Instead, it can
510 <emphasis>forward</emphasis> some or all of the queries
511 that it cannot satisfy from its cache to another caching name
513 commonly referred to as a <emphasis>forwarder</emphasis>.
517 There may be one or more forwarders,
518 and they are queried in turn until the list is exhausted or an
520 is found. Forwarders are typically used when you do not
521 wish all the servers at a given site to interact directly with the
523 the Internet servers. A typical scenario would involve a number
524 of internal <acronym>DNS</acronym> servers and an
525 Internet firewall. Servers unable
526 to pass packets through the firewall would forward to the server
527 that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
528 on the internal server's behalf.
535 <title>Name Servers in Multiple Roles</title>
538 The <acronym>BIND</acronym> name server can
539 simultaneously act as
540 a master for some zones, a slave for other zones, and as a caching
541 (recursive) server for a set of local clients.
545 However, since the functions of authoritative name service
546 and caching/recursive name service are logically separate, it is
547 often advantageous to run them on separate server machines.
549 A server that only provides authoritative name service
550 (an <emphasis>authoritative-only</emphasis> server) can run with
551 recursion disabled, improving reliability and security.
553 A server that is not authoritative for any zones and only provides
554 recursive service to local
555 clients (a <emphasis>caching-only</emphasis> server)
556 does not need to be reachable from the Internet at large and can
557 be placed inside a firewall.
565 <chapter id="Bv9ARM.ch02">
566 <title><acronym>BIND</acronym> Resource Requirements</title>
569 <title>Hardware requirements</title>
572 <acronym>DNS</acronym> hardware requirements have
573 traditionally been quite modest.
574 For many installations, servers that have been pensioned off from
575 active duty have performed admirably as <acronym>DNS</acronym> servers.
578 The DNSSEC features of <acronym>BIND</acronym> 9
579 may prove to be quite
580 CPU intensive however, so organizations that make heavy use of these
581 features may wish to consider larger systems for these applications.
582 <acronym>BIND</acronym> 9 is fully multithreaded, allowing
584 multiprocessor systems for installations that need it.
588 <title>CPU Requirements</title>
590 CPU requirements for <acronym>BIND</acronym> 9 range from
592 for serving of static zones without caching, to enterprise-class
593 machines if you intend to process many dynamic updates and DNSSEC
594 signed zones, serving many thousands of queries per second.
599 <title>Memory Requirements</title>
601 The memory of the server has to be large enough to fit the
602 cache and zones loaded off disk. The <command>max-cache-size</command>
603 option can be used to limit the amount of memory used by the cache,
604 at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
606 Additionally, if additional section caching
607 (<xref linkend="acache"/>) is enabled,
608 the <command>max-acache-size</command> option can be used to
610 of memory used by the mechanism.
611 It is still good practice to have enough memory to load
612 all zone and cache data into memory — unfortunately, the best
614 to determine this for a given installation is to watch the name server
615 in operation. After a few weeks the server process should reach
616 a relatively stable size where entries are expiring from the cache as
617 fast as they are being inserted.
620 - Add something here about leaving overhead for attacks?
621 - How much overhead? Percentage?
626 <title>Name Server Intensive Environment Issues</title>
628 For name server intensive environments, there are two alternative
629 configurations that may be used. The first is where clients and
630 any second-level internal name servers query a main name server, which
631 has enough memory to build a large cache. This approach minimizes
632 the bandwidth used by external name lookups. The second alternative
633 is to set up second-level internal name servers to make queries
635 In this configuration, none of the individual machines needs to
636 have as much memory or CPU power as in the first alternative, but
637 this has the disadvantage of making many more external queries,
638 as none of the name servers share their cached data.
643 <title>Supported Operating Systems</title>
645 ISC <acronym>BIND</acronym> 9 compiles and runs on a large
647 of Unix-like operating systems and on NT-derived versions of
648 Microsoft Windows such as Windows 2000 and Windows XP. For an
650 list of supported systems, see the README file in the top level
652 of the BIND 9 source distribution.
657 <chapter id="Bv9ARM.ch03">
658 <title>Name Server Configuration</title>
660 In this chapter we provide some suggested configurations along
661 with guidelines for their use. We suggest reasonable values for
662 certain option settings.
665 <sect1 id="sample_configuration">
666 <title>Sample Configurations</title>
668 <title>A Caching-only Name Server</title>
670 The following sample configuration is appropriate for a caching-only
671 name server for use by clients internal to a corporation. All
673 from outside clients are refused using the <command>allow-query</command>
674 option. Alternatively, the same effect could be achieved using
680 // Two corporate subnets we wish to allow queries from.
681 acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
683 directory "/etc/namedb"; // Working directory
684 allow-query { corpnets; };
686 // Provide a reverse mapping for the loopback address 127.0.0.1
687 zone "0.0.127.in-addr.arpa" {
689 file "localhost.rev";
697 <title>An Authoritative-only Name Server</title>
699 This sample configuration is for an authoritative-only server
700 that is the master server for "<filename>example.com</filename>"
701 and a slave for the subdomain "<filename>eng.example.com</filename>".
706 directory "/etc/namedb"; // Working directory
707 allow-query-cache { none; }; // Do not allow access to cache
708 allow-query { any; }; // This is the default
709 recursion no; // Do not provide recursive service
712 // Provide a reverse mapping for the loopback address 127.0.0.1
713 zone "0.0.127.in-addr.arpa" {
715 file "localhost.rev";
718 // We are the master server for example.com
721 file "example.com.db";
722 // IP addresses of slave servers allowed to transfer example.com
728 // We are a slave server for eng.example.com
729 zone "eng.example.com" {
731 file "eng.example.com.bk";
732 // IP address of eng.example.com master server
733 masters { 192.168.4.12; };
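The two sample configurations above differ in who may query and whether recursion is offered. As an added example (not code from BIND or the ARM), the following parses the subset of named.conf those samples use and evaluates allow-query and recursion for a client address; it assumes the option lines sit inside the options block named expects, and the zone statements are left out of the embedded copies.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Added example, not code from BIND: parse the named.conf subset used by this
# chapter's samples and check allow-query / recursion for a client address.
# The two texts are this chapter's sample configurations (zone blocks left
# out) wrapped in the options { } block named expects.
CACHING_ONLY = """
// Two corporate subnets we wish to allow queries from.
acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
options {
    directory "/etc/namedb"; // Working directory
    allow-query { corpnets; };
};
"""

AUTH_ONLY = """
options {
    directory "/etc/namedb";     // Working directory
    allow-query-cache { none; }; // Do not allow access to cache
    allow-query { any; };        // This is the default
    recursion no;                // Do not provide recursive service
};
"""

Stmt = Tuple[str, List[str], Optional[list]]  # (keyword, args, body or None)


def _tokens(text: str) -> List[str]:
    """Strip // comments, then split into words, quoted strings and { } ; ."""
    text = re.sub(r"//[^\n]*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def _parse_block(toks: List[str], i: int) -> Tuple[List[Stmt], int]:
    """Parse statements up to the matching '}' or end of input. Elements of an
    address-match list such as { 192.168.4.0/24; } come out as statements with
    no args and no body, so one routine covers statements and nested lists."""
    stmts: List[Stmt] = []
    while i < len(toks) and toks[i] != "}":
        kw, args, body = toks[i], [], None
        i += 1
        while i < len(toks) and toks[i] not in ("{", ";"):
            args.append(toks[i])
            i += 1
        if i < len(toks) and toks[i] == "{":
            body, i = _parse_block(toks, i + 1)
            i += 1                                    # skip the closing '}'
        if i < len(toks) and toks[i] == ";":
            i += 1
        stmts.append((kw, args, body))
    return stmts, i


def parse(text: str) -> Dict[str, dict]:
    """Return {'acl': {name: [elements]}, 'options': {name: [values]}}."""
    stmts, _ = _parse_block(_tokens(text), 0)
    acls: Dict[str, List[str]] = {}
    options: Dict[str, List[str]] = {}
    for kw, args, body in stmts:
        if kw == "acl" and body is not None:
            acls[args[0].strip('"')] = [e[0] for e in body]
        elif kw == "options" and body is not None:
            for okw, oargs, obody in body:
                options[okw] = [e[0] for e in obody] if obody is not None else oargs
    return {"acl": acls, "options": options}


def _first_match(elements: List[str], ip, acls: Dict[str, List[str]],
                 depth: int = 0) -> Optional[bool]:
    """Evaluate an address-match list as named does: elements are tried in
    order and the first one that matches decides. True = allowed, False =
    matched a negated element (refused), None = no element matched (named
    refuses that too). Negated elements inside a nested ACL are not modelled;
    localhost/localnets depend on the server's interfaces and never match here."""
    if depth > 8:
        raise ValueError("ACL nesting too deep (reference loop?)")
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip('"')
        if name == "any":
            hit = True
        elif name in ("none", "localhost", "localnets"):
            hit = False
        elif name in acls:
            hit = _first_match(acls[name], ip, acls, depth + 1) is True
        else:
            try:
                hit = ip in ipaddress.ip_network(name, strict=False)
            except ValueError:
                raise ValueError(f"unknown ACL element {element!r}")
        if hit:
            return not negate
    return None


def query_allowed(conf: dict, client_ip: str) -> bool:
    """Can client_ip query this server? allow-query defaults to any."""
    lst = conf["options"].get("allow-query", ["any"])
    return _first_match(lst, ipaddress.ip_address(client_ip), conf["acl"]) is True


def recursion_enabled(conf: dict) -> bool:
    """named defaults to recursion yes; the authoritative-only sample turns it off."""
    return conf["options"].get("recursion", ["yes"])[0] == "yes"


if __name__ == "__main__":
    for label, text in (("caching-only", CACHING_ONLY), ("authoritative-only", AUTH_ONLY)):
        conf = parse(text)
        print(label, "recursion:", recursion_enabled(conf))
        for ip in ("192.168.4.10", "203.0.113.5"):
            print("  ", ip, "allowed" if query_allowed(conf, ip) else "refused")
```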
741 <title>Load Balancing</title>
743 - Add explanation of why load balancing is fragile at best
744 - and completely pointless in the general case.
748 A primitive form of load balancing can be achieved in
749 the <acronym>DNS</acronym> by using multiple records
750 (such as multiple A records) for one name.
754 For example, if you have three WWW servers with network addresses
755 of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
756 following means that clients will connect to each machine one third
760 <informaltable colsep="0" rowsep="0">
761 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="2Level-table">
762 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
763 <colspec colname="2" colnum="2" colsep="0" colwidth="0.500in"/>
764 <colspec colname="3" colnum="3" colsep="0" colwidth="0.750in"/>
765 <colspec colname="4" colnum="4" colsep="0" colwidth="0.750in"/>
766 <colspec colname="5" colnum="5" colsep="0" colwidth="2.028in"/>
791 Resource Record (RR) Data
798 <literal>www</literal>
803 <literal>600</literal>
808 <literal>IN</literal>
818 <literal>10.0.0.1</literal>
828 <literal>600</literal>
833 <literal>IN</literal>
843 <literal>10.0.0.2</literal>
853 <literal>600</literal>
858 <literal>IN</literal>
868 <literal>10.0.0.3</literal>
876 When a resolver queries for these records, <acronym>BIND</acronym> will rotate
877 them and respond to the query with the records in a different
878 order. In the example above, clients will randomly receive
879 records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
880 will use the first record returned and discard the rest.
883 For more detail on ordering responses, check the
884 <command>rrset-order</command> substatement in the
885 <command>options</command> statement, see
886 <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
892 <title>Name Server Operations</title>
895 <title>Tools for Use With the Name Server Daemon</title>
897 This section describes several indispensable diagnostic,
898 administrative and monitoring tools available to the system
899 administrator for controlling and debugging the name server
902 <sect3 id="diagnostic_tools">
903 <title>Diagnostic Tools</title>
905 The <command>dig</command>, <command>host</command>, and
906 <command>nslookup</command> programs are all command
908 for manually querying name servers. They differ in style and
914 <term id="dig"><command>dig</command></term>
917 The domain information groper (<command>dig</command>)
918 is the most versatile and complete of these lookup tools.
919 It has two modes: simple interactive
920 mode for a single query, and batch mode which executes a
922 each in a list of several query lines. All query options are
924 from the command line.
926 <cmdsynopsis label="Usage">
927 <command>dig</command>
928 <arg>@<replaceable>server</replaceable></arg>
929 <arg choice="plain"><replaceable>domain</replaceable></arg>
930 <arg><replaceable>query-type</replaceable></arg>
931 <arg><replaceable>query-class</replaceable></arg>
932 <arg>+<replaceable>query-option</replaceable></arg>
933 <arg>-<replaceable>dig-option</replaceable></arg>
934 <arg>%<replaceable>comment</replaceable></arg>
937 The usual simple use of <command>dig</command> will take the form
940 <command>dig @server domain query-type query-class</command>
943 For more information and a list of available commands and
944 options, see the <command>dig</command> man
951 <term><command>host</command></term>
954 The <command>host</command> utility emphasizes
956 and ease of use. By default, it converts
957 between host names and Internet addresses, but its
959 can be extended with the use of options.
961 <cmdsynopsis label="Usage">
962 <command>host</command>
963 <arg>-aCdlnrsTwv</arg>
964 <arg>-c <replaceable>class</replaceable></arg>
965 <arg>-N <replaceable>ndots</replaceable></arg>
966 <arg>-t <replaceable>type</replaceable></arg>
967 <arg>-W <replaceable>timeout</replaceable></arg>
968 <arg>-R <replaceable>retries</replaceable></arg>
969 <arg>-m <replaceable>flag</replaceable></arg>
972 <arg choice="plain"><replaceable>hostname</replaceable></arg>
973 <arg><replaceable>server</replaceable></arg>
976 For more information and a list of available commands and
977 options, see the <command>host</command> man
984 <term><command>nslookup</command></term>
986 <para><command>nslookup</command>
987 has two modes: interactive and
988 non-interactive. Interactive mode allows the user to
989 query name servers for information about various
990 hosts and domains or to print a list of hosts in a
991 domain. Non-interactive mode is used to print just
992 the name and requested information for a host or
995 <cmdsynopsis label="Usage">
996 <command>nslookup</command>
997 <arg rep="repeat">-option</arg>
999 <arg><replaceable>host-to-find</replaceable></arg>
1000 <arg>- <arg>server</arg></arg>
1004 Interactive mode is entered when no arguments are given (the
1005 default name server will be used) or when the first argument
1007 hyphen (`-') and the second argument is the host name or
1012 Non-interactive mode is used when the name or Internet
1014 of the host to be looked up is given as the first argument.
1016 optional second argument specifies the host name or address
1020 Due to its arcane user interface and frequently inconsistent
1021 behavior, we do not recommend the use of <command>nslookup</command>.
1022 Use <command>dig</command> instead.
1030 <sect3 id="admin_tools">
1031 <title>Administrative Tools</title>
1033 Administrative tools play an integral part in the management
1037 <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
1039 <term><command>named-checkconf</command></term>
1042 The <command>named-checkconf</command> program
1043 checks the syntax of a <filename>named.conf</filename> file.
1045 <cmdsynopsis label="Usage">
1046 <command>named-checkconf</command>
1048 <arg>-t <replaceable>directory</replaceable></arg>
1049 <arg><replaceable>filename</replaceable></arg>
1053 <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
1055 <term><command>named-checkzone</command></term>
1058 The <command>named-checkzone</command> program
1059 checks a master file for
1060 syntax and consistency.
1062 <cmdsynopsis label="Usage">
1063 <command>named-checkzone</command>
1065 <arg>-c <replaceable>class</replaceable></arg>
1066 <arg>-o <replaceable>output</replaceable></arg>
1067 <arg>-t <replaceable>directory</replaceable></arg>
1068 <arg>-w <replaceable>directory</replaceable></arg>
1069 <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
1070 <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
1071 <arg>-W <replaceable>(ignore|warn)</replaceable></arg>
1072 <arg choice="plain"><replaceable>zone</replaceable></arg>
1073 <arg><replaceable>filename</replaceable></arg>
1077 <varlistentry id="named-compilezone" xreflabel="Zone Compilation application">
1078 <term><command>named-compilezone</command></term>
1081 Similar to <command>named-checkzone</command>, but
1082 it always dumps the zone content to a specified file
1083 (typically in a different format).
1087 <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
1089 <term><command>rndc</command></term>
1092 The remote name daemon control
1093 (<command>rndc</command>) program allows the
1095 administrator to control the operation of a name server.
1096 Since <acronym>BIND</acronym> 9.2, <command>rndc</command>
1097 supports all the commands of the BIND 8 <command>ndc</command>
1098 utility except <command>ndc start</command> and
1099 <command>ndc restart</command>, which were also
1100 not supported in <command>ndc</command>'s
1102 If you run <command>rndc</command> without any
1104 it will display a usage message as follows:
1106 <cmdsynopsis label="Usage">
1107 <command>rndc</command>
1108 <arg>-c <replaceable>config</replaceable></arg>
1109 <arg>-s <replaceable>server</replaceable></arg>
1110 <arg>-p <replaceable>port</replaceable></arg>
1111 <arg>-y <replaceable>key</replaceable></arg>
1112 <arg choice="plain"><replaceable>command</replaceable></arg>
1113 <arg rep="repeat"><replaceable>command</replaceable></arg>
1115 <para>The <command>command</command>
1116 is one of the following:
1122 <term><userinput>reload</userinput></term>
1125 Reload configuration file and zones.
1131 <term><userinput>reload <replaceable>zone</replaceable>
1132 <optional><replaceable>class</replaceable>
1133 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1136 Reload the given zone.
1142 <term><userinput>refresh <replaceable>zone</replaceable>
1143 <optional><replaceable>class</replaceable>
1144 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1147 Schedule zone maintenance for the given zone.
1153 <term><userinput>retransfer <replaceable>zone</replaceable>
1155 <optional><replaceable>class</replaceable>
1156 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1159 Retransfer the given zone from the master.
1166 <term><userinput>freeze
1167 <optional><replaceable>zone</replaceable>
1168 <optional><replaceable>class</replaceable>
1169 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1172 Suspend updates to a dynamic zone. If no zone is
1174 then all zones are suspended. This allows manual
1175 edits to be made to a zone normally updated by dynamic
1177 also causes changes in the journal file to be synced
1179 and the journal file to be removed. All dynamic
1180 update attempts will
1181 be refused while the zone is frozen.
1187 <term><userinput>thaw
1188 <optional><replaceable>zone</replaceable>
1189 <optional><replaceable>class</replaceable>
1190 <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
1193 Enable updates to a frozen dynamic zone. If no zone
1195 specified, then all frozen zones are enabled. This
1197 the server to reload the zone from disk, and
1198 re-enables dynamic updates
1199 after the load has completed. After a zone is thawed,
1201 will no longer be refused.
1207 <term><userinput>notify <replaceable>zone</replaceable>
1208 <optional><replaceable>class</replaceable>
1209 <optional><replaceable>view</replaceable></optional></optional></userinput></term>
1212 Resend NOTIFY messages for the zone.
1218 <term><userinput>reconfig</userinput></term>
1221 Reload the configuration file and load new zones,
1222 but do not reload existing zone files even if they
1224 This is faster than a full <command>reload</command> when there
1225 is a large number of zones because it avoids the need
1227 modification times of the zones files.
1233 <term><userinput>stats</userinput></term>
1236 Write server statistics to the statistics file.
1242 <term><userinput>querylog</userinput></term>
1245 Toggle query logging. Query logging can also be enabled
1246 by explicitly directing the <command>queries</command>
1247 <command>category</command> to a
1248 <command>channel</command> in the
1249 <command>logging</command> section of
1250 <filename>named.conf</filename> or by specifying
1251 <command>querylog yes;</command> in the
1252 <command>options</command> section of
1253 <filename>named.conf</filename>.
1259 <term><userinput>dumpdb
1260 <optional>-all|-cache|-zone</optional>
1261 <optional><replaceable>view ...</replaceable></optional></userinput></term>
1264 Dump the server's caches (default) and/or zones to the
1266 dump file for the specified views. If no view is specified, all views are dumped.
1274 <term><userinput>stop <optional>-p</optional></userinput></term>
1277 Stop the server, making sure any recent changes
1278 made through dynamic update or IXFR are first saved to
1279 the master files of the updated zones.
1280 If <option>-p</option> is specified, <command>named</command>'s process id is returned.
1281 This allows an external process to determine when <command>named</command>
1282 has completed stopping.
1288 <term><userinput>halt <optional>-p</optional></userinput></term>
1291 Stop the server immediately. Recent changes
1292 made through dynamic update or IXFR are not saved to
1293 the master files, but will be rolled forward from the
1294 journal files when the server is restarted.
1295 If <option>-p</option> is specified, <command>named</command>'s process id is returned.
1296 This allows an external process to determine when <command>named</command>
1297 has completed halting.
1303 <term><userinput>trace</userinput></term>
1306 Increment the server's debugging level by one.
1312 <term><userinput>trace <replaceable>level</replaceable></userinput></term>
1315 Sets the server's debugging level to an explicit value.
1322 <term><userinput>notrace</userinput></term>
1325 Sets the server's debugging level to 0.
1331 <term><userinput>flush</userinput></term>
1334 Flushes the server's cache.
1340 <term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
1343 Flushes the given name from the server's cache.
1349 <term><userinput>status</userinput></term>
1352 Display status of the server.
1353 Note that the number of zones includes the internal <command>bind/CH</command> zone
1354 and the default <command>./IN</command>
1355 hint zone if there is not an
1356 explicit root zone configured.
1362 <term><userinput>recursing</userinput></term>
1365 Dump the list of queries <command>named</command> is currently recursing on.
1372 <term><userinput>validation
1373 <optional>on|off</optional>
1374 <optional><replaceable>view ...</replaceable></optional>
1378 Enable or disable DNSSEC validation.
1379 Note <command>dnssec-enable</command> also needs to be
1380 set to <userinput>yes</userinput> to be effective.
1381 It defaults to enabled.
1389 A configuration file is required, since all
1390 communication with the server is authenticated with
1391 digital signatures that rely on a shared secret, and
1392 there is no way to provide that secret other than with a
1393 configuration file. The default location for the
1394 <command>rndc</command> configuration file is
1395 <filename>/etc/rndc.conf</filename>, but an alternate
1397 location can be specified with the <option>-c</option>
1398 option. If the configuration file is not found,
1399 <command>rndc</command> will also look in
1400 <filename>/etc/rndc.key</filename> (or whatever
1401 <varname>sysconfdir</varname> was defined when
1402 the <acronym>BIND</acronym> build was configured).
1404 The <filename>rndc.key</filename> file is generated by
1406 running <command>rndc-confgen -a</command> as described in
1408 <xref linkend="controls_statement_definition_and_usage"/>.
1412 The format of the configuration file is similar to
1413 that of <filename>named.conf</filename>, but limited to
1415 only four statements, the <command>options</command>,
1416 <command>key</command>, <command>server</command> and
1417 <command>include</command>
1418 statements. These statements are what associate the
1419 secret keys to the servers with which they are meant to
1420 be shared. The order of statements is not significant.
1425 The <command>options</command> statement has three clauses:
1427 <command>default-server</command>, <command>default-key</command>,
1428 and <command>default-port</command>.
1429 <command>default-server</command> takes a
1430 host name or address argument and represents the server that will
1432 be contacted if no <option>-s</option>
1433 option is provided on the command line.
1434 <command>default-key</command> takes
1435 the name of a key as its argument, as defined by a <command>key</command> statement.
1436 <command>default-port</command> specifies the port to which
1438 <command>rndc</command> should connect if no
1439 port is given on the command line or in a
1440 <command>server</command> statement.
1444 The <command>key</command> statement defines a key to be used
1446 by <command>rndc</command> when authenticating with
1448 <command>named</command>. Its syntax is identical to the
1450 <command>key</command> statement in <filename>named.conf</filename>.
1451 The keyword <userinput>key</userinput> is
1452 followed by a key name, which must be a valid
1453 domain name, though it need not actually be hierarchical; thus,
1455 a string like "<userinput>rndc_key</userinput>" is a valid name.
1457 The <command>key</command> statement has two clauses:
1459 <command>algorithm</command> and <command>secret</command>.
1460 While the configuration parser will accept any string as the argument
1462 to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
1463 has any meaning. The secret is a base-64 encoded string
1464 as specified in RFC 3548.
1468 The <command>server</command> statement associates a key
1470 defined using the <command>key</command>
1471 statement with a server.
1472 The keyword <userinput>server</userinput> is followed by a
1473 host name or address. The <command>server</command> statement
1474 has two clauses: <command>key</command> and <command>port</command>.
1475 The <command>key</command> clause specifies the name of the key
1477 to be used when communicating with this server, and the
1478 <command>port</command> clause can be used to
1479 specify the port <command>rndc</command> should connect to on this server.
1485 A sample minimal configuration file is as follows:
1490 algorithm "hmac-md5";
1491 secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
1494 default-server 127.0.0.1;
1495 default-key rndc_key;
1500 This file, if installed as <filename>/etc/rndc.conf</filename>,
1501 would allow the command:
1505 <prompt>$ </prompt><userinput>rndc reload</userinput>
1509 to connect to 127.0.0.1 port 953 and cause the name server
1510 to reload, if a name server on the local machine were running and had the
1512 following controls statements:
1517 inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
1522 and it had an identical key statement for
1523 <literal>rndc_key</literal>.
1527 Running the <command>rndc-confgen</command> program will
1529 conveniently create a <filename>rndc.conf</filename>
1530 file for you, and also display the
1531 corresponding <command>controls</command>
1532 statement that you need to
1533 add to <filename>named.conf</filename>. Alternatively,
1535 you can run <command>rndc-confgen -a</command> to set up
1537 a <filename>rndc.key</filename> file and not modify
1539 <filename>named.conf</filename> at all.
1550 <title>Signals</title>
1552 Certain UNIX signals cause the name server to take specific
1553 actions, as described in the following table. These signals can
1554 be sent using the <command>kill</command> command.
1556 <informaltable frame="all">
1558 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
1559 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
1563 <para><command>SIGHUP</command></para>
1567 Causes the server to read <filename>named.conf</filename> and
1568 reload the database.
1574 <para><command>SIGTERM</command></para>
1578 Causes the server to clean up and exit.
1584 <para><command>SIGINT</command></para>
1588 Causes the server to clean up and exit.
1599 <chapter id="Bv9ARM.ch04">
1600 <title>Advanced DNS Features</title>
1604 <title>Notify</title>
1606 <acronym>DNS</acronym> NOTIFY is a mechanism that allows master
1607 servers to notify their slave servers of changes to a zone's data. In
1608 response to a <command>NOTIFY</command> from a master server, the
1609 slave will check to see that its version of the zone is the
1610 current version and, if not, initiate a zone transfer.
1614 For more information about <acronym>DNS</acronym>
1615 <command>NOTIFY</command>, see the description of the
1616 <command>notify</command> option in <xref linkend="boolean_options"/> and
1617 the description of the zone option <command>also-notify</command> in
1618 <xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
1619 protocol is specified in RFC 1996.
1623 As a slave zone can also be a master to other slaves, <command>named</command>,
1624 by default, sends <command>NOTIFY</command> messages for every zone
1625 it loads. Specifying <command>notify master-only;</command> will
1626 cause <command>named</command> to only send <command>NOTIFY</command> for master
1627 zones that it loads.
1632 <sect1 id="dynamic_update">
1633 <title>Dynamic Update</title>
1636 Dynamic Update is a method for adding, replacing or deleting
1637 records in a master server by sending it a special form of DNS
1638 messages. The format and meaning of these messages is specified
1643 Dynamic update is enabled by including an
1644 <command>allow-update</command> or <command>update-policy</command>
1645 clause in the <command>zone</command> statement. The
1646 <command>tkey-gssapi-credential</command> and
1647 <command>tkey-domain</command> clauses in the
1648 <command>options</command> statement enable the
1649 server to negotiate keys that can be matched against those
1650 in <command>update-policy</command> or
1651 <command>allow-update</command>.
1655 Updating of secure zones (zones using DNSSEC) follows RFC
1656 3007: RRSIG, NSEC and NSEC3 records affected by updates are
1657 automatically regenerated by the server using an online
1658 zone key. Update authorization is based on transaction
1659 signatures and an explicit server policy.
1662 <sect2 id="journal">
1663 <title>The journal file</title>
1666 All changes made to a zone using dynamic update are stored
1667 in the zone's journal file. This file is automatically created
1668 by the server when the first dynamic update takes place.
1669 The name of the journal file is formed by appending the extension
1670 <filename>.jnl</filename> to the name of the zone
1672 file unless specifically overridden. The journal file is in a
1673 binary format and should not be edited manually.
1677 The server will also occasionally write ("dump")
1678 the complete contents of the updated zone to its zone file.
1679 This is not done immediately after
1680 each dynamic update, because that would be too slow when a large
1681 zone is updated frequently. Instead, the dump is delayed by
1682 up to 15 minutes, allowing additional updates to take place.
1683 During the dump process, transient files will be created
1684 with the extensions <filename>.jnw</filename> and
1685 <filename>.jbk</filename>; under ordinary circumstances, these
1686 will be removed when the dump is complete, and can be safely
1691 When a server is restarted after a shutdown or crash, it will replay
1692 the journal file to incorporate into the zone any updates that took
1694 place after the last zone dump.
1698 Changes that result from incoming incremental zone transfers are
1700 journalled in a similar way.
1704 The zone files of dynamic zones cannot normally be edited by
1705 hand because they are not guaranteed to contain the most recent
1706 dynamic changes — those are only in the journal file.
1707 The only way to ensure that the zone file of a dynamic zone
1708 is up to date is to run <command>rndc stop</command>.
1712 If you have to make changes to a dynamic zone
1713 manually, the following procedure will work: Disable dynamic updates to the zone using
1715 <command>rndc freeze <replaceable>zone</replaceable></command>.
1716 This will also remove the zone's <filename>.jnl</filename> file
1717 and update the master file. Edit the zone file. Run
1718 <command>rndc thaw <replaceable>zone</replaceable></command>
1719 to reload the changed zone and re-enable dynamic updates.
1726 <sect1 id="incremental_zone_transfers">
1727 <title>Incremental Zone Transfers (IXFR)</title>
1730 The incremental zone transfer (IXFR) protocol is a way for
1731 slave servers to transfer only changed data, instead of having to
1732 transfer the entire zone. The IXFR protocol is specified in RFC
1733 1995. See <xref linkend="proposed_standards"/>.
1737 When acting as a master, <acronym>BIND</acronym> 9
1738 supports IXFR for those zones
1739 where the necessary change history information is available. These
1740 include master zones maintained by dynamic update and slave zones
1741 whose data was obtained by IXFR. For manually maintained master
1742 zones, and for slave zones obtained by performing a full zone
1743 transfer (AXFR), IXFR is supported only if the option
1744 <command>ixfr-from-differences</command> is set
1745 to <userinput>yes</userinput>.
1749 When acting as a slave, <acronym>BIND</acronym> 9 will
1750 attempt to use IXFR unless
1751 it is explicitly disabled. For more information about disabling
1752 IXFR, see the description of the <command>request-ixfr</command> clause
1753 of the <command>server</command> statement.
1758 <title>Split DNS</title>
1760 Setting up different views, or visibility, of the DNS space to
1761 internal and external resolvers is usually referred to as a
1762 <emphasis>Split DNS</emphasis> setup. There are several
1763 reasons an organization would want to set up its DNS this way.
1766 One common reason for setting up a DNS system this way is
1767 to hide "internal" DNS information from "external" clients on the
1768 Internet. There is some debate as to whether or not this is actually useful.
1770 Internal DNS information leaks out in many ways (via email headers,
1771 for example) and most savvy "attackers" can find the information
1772 they need using other means.
1773 However, since listing addresses of internal servers that
1774 external clients cannot possibly reach can result in
1775 connection delays and other annoyances, an organization may
1776 choose to use a Split DNS to present a consistent view of itself
1777 to the outside world.
1780 Another common reason for setting up a Split DNS system is
1781 to allow internal networks that are behind filters or in RFC 1918
1782 space (reserved IP space, as documented in RFC 1918) to resolve DNS
1783 on the Internet. Split DNS can also be used to allow mail from outside
1784 back in to the internal network.
1787 <title>Example split DNS setup</title>
1789 Let's say a company named <emphasis>Example, Inc.</emphasis>
1790 (<literal>example.com</literal>)
1791 has several corporate sites that have an internal network with reserved
1793 Internet Protocol (IP) space and an external demilitarized zone (DMZ),
1794 or "outside" section of a network, that is available to the public.
1797 <emphasis>Example, Inc.</emphasis> wants its internal clients
1798 to be able to resolve external hostnames and to exchange mail with
1799 people on the outside. The company also wants its internal resolvers
1800 to have access to certain internal-only zones that are not available
1801 at all outside of the internal network.
1804 In order to accomplish this, the company will set up two sets
1805 of name servers. One set will be on the inside network (in the reserved
1807 IP space) and the other set will be on bastion hosts, which are
1809 hosts that can talk to both sides of its network, in the DMZ.
1812 The internal servers will be configured to forward all queries,
1813 except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
1814 and <filename>site2.example.com</filename>, to the servers in the
1816 DMZ. These internal servers will have complete sets of information
1817 for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>, <filename>site1.internal</filename>,
1818 and <filename>site2.internal</filename>.
1821 To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
1822 the internal name servers must be configured to disallow all queries
1823 to these domains from any external hosts, including the bastion
1827 The external servers, which are on the bastion hosts, will
1828 be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
1829 This could include things such as the host records for public servers
1830 (<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
1831 and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).
1834 In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
1835 should have special MX records that contain wildcard (*) records
1836 pointing to the bastion hosts. This is needed because external mail
1837 servers do not have any other way of looking up how to deliver mail
1838 to those internal hosts. With the wildcard records, the mail will
1839 be delivered to the bastion host, which can then forward it on to the internal hosts.
1843 Here's an example of a wildcard MX record:
1845 <programlisting>* IN MX 10 external1.example.com.</programlisting>
1847 Now that they accept mail on behalf of anything in the internal
1848 network, the bastion hosts will need to know how to deliver mail
1849 to internal hosts. In order for this to work properly, the resolvers
1851 on the bastion hosts will need to be configured to point to the internal
1852 name servers for DNS resolution.
1855 Queries for internal hostnames will be answered by the internal
1856 servers, and queries for external hostnames will be forwarded back
1857 out to the DNS servers on the bastion hosts.
1860 In order for all this to work properly, internal clients will
1861 need to be configured to query <emphasis>only</emphasis> the internal
1862 name servers for DNS queries. This could also be enforced via
1864 filtering on the network.
1867 If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
1868 internal clients will now be able to:
1873 Look up any hostnames in the <literal>site1</literal> and
1875 <literal>site2.example.com</literal> zones.
1880 Look up any hostnames in the <literal>site1.internal</literal> and
1881 <literal>site2.internal</literal> domains.
1885 <simpara>Look up any hostnames on the Internet.</simpara>
1888 <simpara>Exchange mail with both internal and external people.</simpara>
1892 Hosts on the Internet will be able to:
1897 Look up any hostnames in the <literal>site1</literal> and
1899 <literal>site2.example.com</literal> zones.
1904 Exchange mail with anyone in the <literal>site1</literal> and
1905 <literal>site2.example.com</literal> zones.
1911 Here is an example configuration for the setup
1912 described above. Note that this is only configuration information;
1913 for information on how to configure your zone files, see <xref linkend="sample_configuration"/>.
1917 Internal DNS server config:
1922 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1924 acl externals { <varname>bastion-ips-go-here</varname>; };
1930 forwarders { // forward to external servers
1931 <varname>bastion-ips-go-here</varname>;
1933 allow-transfer { none; }; // sample allow-transfer (no one)
1934 allow-query { internals; externals; }; // restrict query access
1935 allow-recursion { internals; }; // restrict recursion
1940 zone "site1.example.com" { // sample master zone
1942 file "m/site1.example.com";
1943 forwarders { }; // do normal iterative
1944 // resolution (do not forward)
1945 allow-query { internals; externals; };
1946 allow-transfer { internals; };
1949 zone "site2.example.com" { // sample slave zone
1951 file "s/site2.example.com";
1952 masters { 172.16.72.3; };
1954 allow-query { internals; externals; };
1955 allow-transfer { internals; };
1958 zone "site1.internal" {
1960 file "m/site1.internal";
1962 allow-query { internals; };
1963 allow-transfer { internals; };
1966 zone "site2.internal" {
1968 file "s/site2.internal";
1969 masters { 172.16.72.3; };
1971 allow-query { internals; };
1972 allow-transfer { internals; };
1977 External (bastion host) DNS server config:
1981 acl internals { 172.16.72.0/24; 192.168.1.0/24; };
1983 acl externals { bastion-ips-go-here; };
1988 allow-transfer { none; }; // sample allow-transfer (no one)
1989 allow-query { any; }; // default query access
1990 allow-query-cache { internals; externals; }; // restrict cache access
1991 allow-recursion { internals; externals; }; // restrict recursion
1996 zone "site1.example.com" { // sample master zone
1998 file "m/site1.foo.com";
1999 allow-transfer { internals; externals; };
2002 zone "site2.example.com" {
2004 file "s/site2.foo.com";
2005 masters { another_bastion_host_maybe; };
2006 allow-transfer { internals; externals; };
2011 In the <filename>resolv.conf</filename> (or equivalent) on
2012 the bastion host(s):
2017 nameserver 172.16.72.2
2018 nameserver 172.16.72.3
2019 nameserver 172.16.72.4
2027 This is a short guide to setting up Transaction SIGnatures
2028 (TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
2029 to the configuration file as well as what changes are required for
2030 different features, including the process of creating transaction
2031 keys and using transaction signatures with <acronym>BIND</acronym>.
2034 <acronym>BIND</acronym> primarily supports TSIG for server
2035 to server communication.
2036 This includes zone transfer, notify, and recursive query messages.
2037 Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support for TSIG.
2042 TSIG can also be useful for dynamic update. A primary
2043 server for a dynamic zone should control access to the dynamic
2044 update service, but IP-based access control is insufficient.
2045 The cryptographic access control provided by TSIG
2046 is far superior. The <command>nsupdate</command>
2047 program supports TSIG via the <option>-k</option> and
2048 <option>-y</option> command line options or inline by use
2049 of the <command>key</command>.
2053 <title>Generate Shared Keys for Each Pair of Hosts</title>
2055 A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
2056 An arbitrary key name is chosen: "host1-host2.". The key name must
2057 be the same on both hosts.
2060 <title>Automatic Generation</title>
2062 The following command will generate a 128-bit (16 byte) HMAC-SHA256
2063 key as described above. Longer keys are better, but shorter keys
2064 are easier to read. Note that the maximum key length is the digest
2065 length, here 256 bits.
2068 <userinput>dnssec-keygen -a hmac-sha256 -b 128 -n HOST host1-host2.</userinput>
2071 The key is in the file <filename>Khost1-host2.+163+00000.private</filename>.
2072 Nothing directly uses this file, but the base-64 encoded string
2073 following "<literal>Key:</literal>"
2074 can be extracted from the file and used as a shared secret:
2076 <programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
2078 The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
2079 be used as the shared secret.
2083 <title>Manual Generation</title>
2085 The shared secret is simply a random sequence of bits, encoded
2086 in base-64. Most ASCII strings are valid base-64 strings (assuming
2087 the length is a multiple of 4 and only valid characters are used),
2088 so the shared secret can be manually generated.
2091 Also, a known string can be run through <command>mmencode</command> or
2092 a similar program to generate base-64 encoded data.
2097 <title>Copying the Shared Secret to Both Machines</title>
2099 This is beyond the scope of DNS. A secure transport mechanism
2100 should be used. This could be secure FTP, ssh, telephone, etc.
2104 <title>Informing the Servers of the Key's Existence</title>
2106 Imagine <emphasis>host1</emphasis> and <emphasis>host2</emphasis> are
2108 both servers. The following is added to each server's <filename>named.conf</filename> file:
2113 algorithm hmac-sha256;
2114 secret "La/E5CjG9O+os1jq0a2jdA==";
2119 The secret is the one generated above. Since this is a secret, it
2120 is recommended that either <filename>named.conf</filename> be
2121 non-world readable, or the key directive be added to a non-world
2122 readable file that is included by <filename>named.conf</filename>.
2125 At this point, the key is recognized. This means that if the
2126 server receives a message signed by this key, it can verify the
2127 signature. If the signature is successfully verified, the
2128 response is signed by the same key.
2133 <title>Instructing the Server to Use the Key</title>
2135 Since keys are shared between two hosts only, the server must
2136 be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
2137 for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
2143 keys { host1-host2. ;};
2148 Multiple keys may be present, but only the first is used.
2149 This directive does not contain any secrets, so it may be in a world-readable file.
2154 If <emphasis>host1</emphasis> sends a message that is a request
2155 to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
2156 expect any responses to signed messages to be signed with the same key.
2160 A similar statement must be present in <emphasis>host2</emphasis>'s
2161 configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
2162 sign request messages to <emphasis>host1</emphasis>.
2166 <title>TSIG Key Based Access Control</title>
2168 <acronym>BIND</acronym> allows IP addresses and ranges
2169 to be specified in ACL definitions and
2171 <command>allow-{ query | transfer | update }</command> directives.
2173 This has been extended to allow TSIG keys also. The above key would
2174 be denoted <command>key host1-host2.</command>
2177 An example of an <command>allow-update</command> directive would be:
2181 allow-update { key host1-host2. ;};
2185 This allows dynamic updates to succeed only if the request
2186 was signed by a key named "<command>host1-host2.</command>".
2190 You may want to read about the more powerful
2191 <command>update-policy</command> statement in
2192 <xref linkend="dynamic_update_policies"/>.
2197 <title>Errors</title>
2200 The processing of TSIG signed messages can result in
2201 several errors. If a signed message is sent to a non-TSIG aware
2202 server, a FORMERR (format error) will be returned, since the server will not
2203 understand the record. This is a result of misconfiguration,
2204 since the server must be explicitly configured to send a TSIG
2205 signed message to a specific server.
2209 If a TSIG aware server receives a message signed by an
2210 unknown key, the response will be unsigned with the TSIG
2211 extended error code set to BADKEY. If a TSIG aware server
2212 receives a message with a signature that does not validate, the
2213 response will be unsigned with the TSIG extended error code set
2214 to BADSIG. If a TSIG aware server receives a message with a time
2215 outside of the allowed range, the response will be signed with
2216 the TSIG extended error code set to BADTIME, and the time values
2217 will be adjusted so that the response can be successfully
2218 verified. In any of these cases, the message's rcode (response code) is set to
2219 NOTAUTH (not authenticated).
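The verification outcomes described above, as an added example that is not BIND code: a small model of how a TSIG-aware server checks a signed request and picks BADKEY, BADSIG or BADTIME with rcode NOTAUTH. It uses the key name and secret configured in this section; the fudge value of 300 seconds, the timestamps and the DNS query are constructed for the example, and only the request digest input of RFC 2845 (message plus TSIG variables) is modelled, not the TSIG RR wire encoding or TCP streams.

```python
import base64
import hashlib
import hmac
import struct

# TSIG error codes (RFC 2845 section 1.7) and the rcode returned alongside them
BADSIG, BADKEY, BADTIME = 16, 17, 18
NOERROR, NOTAUTH = 0, 9

# Algorithm names as carried in the TSIG RR (RFC 2845, RFC 4635)
ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int.": hashlib.md5,
    "hmac-sha256.": hashlib.sha256,
}

# The server's key table, as the key statement in named.conf would define it.
# Name and secret are the ones used in this section of the manual.
KEYS = {
    "host1-host2.": ("hmac-sha256.", base64.b64decode("La/E5CjG9O+os1jq0a2jdA==")),
}


def wire_name(name):
    """Encode a dotted domain name in DNS wire format, lower-cased as the
    TSIG canonical form requires."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """TSIG variables appended to the message before hashing (RFC 2845 3.4.3):
    NAME, CLASS=ANY(255), TTL=0, algorithm name, 48-bit time signed, fudge,
    error, other-len, other data."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)
            + wire_name(algorithm)
            + struct.pack("!Q", time_signed)[2:]      # low 48 bits only
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def sign_request(message, key_name, time_signed, fudge=300):
    """MAC a client places in the TSIG RR of a request (no prior request MAC)."""
    algorithm, secret = KEYS[key_name]
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    return hmac.new(secret, data, ALGORITHMS[algorithm]).digest()


def verify_request(message, key_name, algorithm, time_signed, fudge, mac, now):
    """Server-side verification.  Returns (rcode, tsig_error, response_signed),
    following the three error cases described in the text."""
    # Unknown key name or unsupported algorithm: NOTAUTH + BADKEY, reply unsigned
    if key_name not in KEYS or KEYS[key_name][0] != algorithm:
        return NOTAUTH, BADKEY, False
    secret = KEYS[key_name][1]
    data = message + tsig_variables(key_name, algorithm, time_signed, fudge)
    expected = hmac.new(secret, data, ALGORITHMS[algorithm]).digest()
    # MAC does not verify: NOTAUTH + BADSIG, reply unsigned (constant-time compare)
    if not hmac.compare_digest(expected, mac):
        return NOTAUTH, BADSIG, False
    # Time outside the fudge window: NOTAUTH + BADTIME; this reply IS signed and
    # carries the server's own time in "other data" so the client can resync
    if abs(now - time_signed) > fudge:
        return NOTAUTH, BADTIME, True
    return NOERROR, 0, True


def build_query(qname, qtype=1, qid=0x1234):
    """Constructed sample input: a minimal DNS query (header + one question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    msg = build_query("www.example.com.")
    mac = sign_request(msg, "host1-host2.", time_signed=1700000000)
    # in-window request verifies; same request seen 9000 s later gets BADTIME
    print(verify_request(msg, "host1-host2.", "hmac-sha256.", 1700000000, 300, mac, 1700000100))
    print(verify_request(msg, "host1-host2.", "hmac-sha256.", 1700000000, 300, mac, 1700009000))
```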
2227 <para><command>TKEY</command>
2228 is a mechanism for automatically generating a shared secret
2229 between two hosts. There are several "modes" of
2230 <command>TKEY</command> that specify how the key is generated
2231 or assigned. <acronym>BIND</acronym> 9 implements only one of
2232 these modes, the Diffie-Hellman key exchange. Both hosts are
2233 required to have a Diffie-Hellman KEY record (although this
2234 record is not required to be present in a zone). The
2235 <command>TKEY</command> process must use signed messages,
2236 signed either by TSIG or SIG(0). The result of
2237 <command>TKEY</command> is a shared secret that can be used to
2238 sign messages with TSIG. <command>TKEY</command> can also be
2239 used to delete shared secrets that it had previously generated.
2244 The <command>TKEY</command> process is initiated by a client
2246 or server by sending a signed <command>TKEY</command> query
2248 (including any appropriate KEYs) to a TKEY-aware server. The
2249 server response, if it indicates success, will contain a
2250 <command>TKEY</command> record and any appropriate keys. After
2252 this exchange, both participants have enough information to
2253 determine the shared secret; the exact process depends on the
2254 <command>TKEY</command> mode. When using the Diffie-Hellman
2256 <command>TKEY</command> mode, Diffie-Hellman keys are exchanged,
2258 and the shared secret is derived by both participants.
2263 <title>SIG(0)</title>
2266 <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
2267 transaction signatures as specified in RFC 2535 and RFC 2931. SIG(0)
2269 uses public/private keys to authenticate messages. Access control
2270 is performed in the same manner as TSIG keys; privileges can be
2271 granted or denied based on the key name.
2275 When a SIG(0) signed message is received, it will only be
2276 verified if the key is known and trusted by the server; the server
2277 will not attempt to locate and/or validate the key.
2281 SIG(0) signing of multiple-message TCP streams is not supported.
2286 The only tool shipped with <acronym>BIND</acronym> 9 that
2287 generates SIG(0) signed messages is <command>nsupdate</command>.
2292 <title>DNSSEC</title>
2295 Cryptographic authentication of DNS information is possible
2296 through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
2297 defined in RFC 4033, RFC 4034, and RFC 4035.
2298 This section describes the creation and use of DNSSEC signed zones.
2302 In order to set up a DNSSEC secure zone, there are a series
2303 of steps which must be followed. <acronym>BIND</acronym>
2306 9 ships with several tools that are used in this process, which are explained in more detail
2307 below. In all cases, the <option>-h</option> option prints a
2308 full list of parameters. Note that the DNSSEC tools require the
2309 keyset files to be in the working directory or the
2310 directory specified by the <option>-d</option> option, and
2311 that the tools shipped with BIND 9.2.x and earlier are not compatible
2312 with the current ones.
2316 There must also be communication with the administrators of
2317 the parent and/or child zone to transmit keys. A zone's security
2318 status must be indicated by the parent zone for a DNSSEC capable
2319 resolver to trust its data. This is done through the presence
2320 or absence of a <literal>DS</literal> record at the delegation point.
2326 For other servers to trust data in this zone, they must
2327 either be statically configured with this zone's zone key or the
2328 zone key of another zone above this one in the DNS tree.
2332 <title>Generating Keys</title>
2335 The <command>dnssec-keygen</command> program is used to generate keys.
2340 A secure zone must contain one or more zone keys. The
2341 zone keys will sign all other records in the zone, as well as
2342 the zone keys of any secure delegated zones. Zone keys must
2343 have the same name as the zone, a name type of
2344 <command>ZONE</command>, and must be usable for authentication.
2346 It is recommended that zone keys use a cryptographic algorithm
2347 designated as "mandatory to implement" by the IETF; currently
2348 the only one is RSASHA1.
2352 The following command will generate a 768-bit RSASHA1 key for
2353 the <filename>child.example</filename> zone:
2357 <userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput>
2361 Two output files will be produced:
2362 <filename>Kchild.example.+005+12345.key</filename> and
2363 <filename>Kchild.example.+005+12345.private</filename>
2365 12345 is an example of a key tag). The key filenames contain
2366 the key name (<filename>child.example.</filename>), the algorithm (3
2368 is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in
2370 The private key (in the <filename>.private</filename>
2372 used to generate signatures, and the public key (in the
2373 <filename>.key</filename> file) is used for signature
2378 To generate another key with the same properties (but with
2379 a different key tag), repeat the above command.
2383 The <command>dnssec-keyfromlabel</command> program is used
2384 to build the key files for a key pair that is held in
2385 cryptographic hardware. Its usage is similar to <command>dnssec-keygen</command>.
2389 The public keys should be inserted into the zone file by
2390 including the <filename>.key</filename> files using
2391 <command>$INCLUDE</command> statements.
2396 <title>Signing the Zone</title>
2399 The <command>dnssec-signzone</command> program is used
2404 Any <filename>keyset</filename> files corresponding to
2405 secure subzones should be present. The zone signer will
2406 generate <literal>NSEC</literal>, <literal>NSEC3</literal>
2407 and <literal>RRSIG</literal> records for the zone, as
2408 well as <literal>DS</literal> for the child zones if
2409 <literal>'-g'</literal> is specified. If <literal>'-g'</literal>
2410 is not specified, then DS RRsets for the secure child
2411 zones need to be added manually.
2415 The following command signs the zone, assuming it is in a
2416 file called <filename>zone.child.example</filename>. By
2417 default, all zone keys which have an available private key are
2418 used to generate signatures.
2422 <userinput>dnssec-signzone -o child.example zone.child.example</userinput>
2426 One output file is produced:
2427 <filename>zone.child.example.signed</filename>. This
2429 should be referenced by <filename>named.conf</filename>
2431 input file for the zone.
2434 <para><command>dnssec-signzone</command>
2435 will also produce a keyset and dsset files and optionally a
2436 dlvset file. These are used to provide the parent zone
2437 administrators with the <literal>DNSKEYs</literal> (or their
2438 corresponding <literal>DS</literal> records) that are the
2439 secure entry point to the zone.
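The key tag that appears in the key file names (12345 in the example above) and the DS records that end up in the dsset file both derive mechanically from the DNSKEY RDATA. The Python below is an added example, not code from the manual or from BIND: it computes the key tag (RFC 4034 Appendix B), the K&lt;name&gt;+&lt;alg&gt;+&lt;tag&gt; file name, and the SHA-1 and SHA-256 DS records for a DNSKEY given in presentation format. The function names (parse_dnskey, key_tag, key_filename, ds_record) are this example's own, and the DNSKEY it is fed is a constructed dummy with a 4-byte blob in place of an RSA public key, so the DS values are only illustrative; nothing here signs anything. One caveat a practitioner should keep in mind: RSASHA1 with a 768-bit modulus, as in the dnssec-keygen command shown above, is far below current key-strength practice and appears here only because it is what the text uses.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY, not a real key: flags 257 (ZONE|SEP, a key-signing key),
# protocol 3, algorithm 5 (RSASHA1), with a 4-byte dummy blob where the RSA public
# key would be.  It exercises the encoding rules only; it cannot sign or verify.
SAMPLE_DNSKEY = "child.example. 257 3 5 AQIDBA=="

DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest type -> hash (RFC 4034 / 4509)


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA (RFC 4034 s2.1): flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY such as the line a .key file holds.

    Accepts both "name 257 3 5 <b64>" and "name [ttl] [IN] DNSKEY 257 3 5 <b64>";
    whitespace inside the base64 (as in wrapped .key files) is ignored.
    """
    fields = line.split()
    owner = fields[0]
    rest = fields[fields.index("DNSKEY") + 1:] if "DNSKEY" in fields else fields[1:]
    flags, protocol, algorithm = (int(x) for x in rest[:3])
    pubkey = base64.b64decode("".join(rest[3:]))
    return owner, dnskey_rdata(flags, protocol, algorithm, pubkey)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit sum over the RDATA with the carry folded in.

    Algorithm 1 (RSAMD5) uses a different rule and is deprecated, so it is refused.
    """
    if rdata[3] == 1:
        raise ValueError("RSAMD5 key tags are computed differently; not supported here")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_filename(owner, rdata):
    """Base name BIND gives the key pair files: K<owner>+<alg, 3 digits>+<tag, 5 digits>."""
    return f"K{owner}+{rdata[3]:03d}+{key_tag(rdata):05d}"


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, uncompressed (RFC 4034 s6.2)."""
    labels = [] if name in (".", "") else name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner, rdata, digest_type=2):
    """DS RR for this DNSKEY: digest over canonical owner name + DNSKEY RDATA (RFC 4034 s5.1.4).

    This is the record dnssec-signzone writes to the dsset file for the parent to publish.
    """
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    print(key_filename(owner, rdata) + ".key")
    print(ds_record(owner, rdata, 1))
    print(ds_record(owner, rdata, 2))
```

Because the DS digest covers the owner name in canonical (lowercase) form, the same DNSKEY yields the same DS whether the parent administrator spells the child name in upper or lower case; the key tag, by contrast, covers only the RDATA and is a checksum, not an identifier, so two different keys can share a tag.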
2445 <title>Configuring Servers</title>
2448 To enable <command>named</command> to respond appropriately
2449 to DNS requests from DNSSEC aware clients,
2450 <command>dnssec-enable</command> must be set to yes.
2451 (This is the default setting.)
2455 To enable <command>named</command> to validate answers from
2456 other servers, the <command>dnssec-enable</command> and
2457 <command>dnssec-validation</command> options must both be
2458 set to yes (the default setting in <acronym>BIND</acronym> 9.5
2459 and later), and at least one trust anchor must be configured
2460 with a <command>trusted-keys</command> statement in
2461 <filename>named.conf</filename>.
2465 <command>trusted-keys</command> are copies of DNSKEY RRs
2466 for zones that are used to form the first link in the
2467 cryptographic chain of trust. All keys listed in
2468 <command>trusted-keys</command> (and corresponding zones)
2469 are deemed to exist and only the listed keys will be used
2470 to validate the DNSKEY RRset that they are from.
2474 <command>trusted-keys</command> are described in more detail
2475 later in this document.
2479 Unlike <acronym>BIND</acronym> 8, <acronym>BIND</acronym>
2480 9 does not verify signatures on load, so zone keys for
2481 authoritative zones do not need to be specified in the
2486 After DNSSEC gets established, a typical DNSSEC configuration
2487 will look something like the following. It has one or
2488 more public keys for the root. This allows answers from
2489 outside the organization to be validated. It will also
2490 have several keys for parts of the namespace the organization
2491 controls. These are here to ensure that <command>named</command> is immune
2492 to compromises in the DNSSEC components of the security
2500 "." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
2501 E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
2502 zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
2503 MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
2504 /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
2505 iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
2506 Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
2508 /* Key for our organization's forward zone */
2509 example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
2510 3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
2511 OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
2512 lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
2513 8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
2514 iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
2515 SCThlHf3xiYleDbt/o1OTQ09A0=";
2517 /* Key for our reverse zone. */
2518 2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
2519 VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
2520 tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
2521 yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
2522 4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
2523 zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
2524 7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
2525 52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
2531 dnssec-validation yes;
2536 None of the keys listed in this example are valid. In particular,
2537 the root key is not valid.
2541 When DNSSEC validation is enabled and properly configured,
2542 the resolver will reject any answers from signed, secure zones
2543 which fail to validate, and will return SERVFAIL to the client.
To see the unvalidated answer while diagnosing such a failure,
repeat the query with the CD (checking disabled) bit set, for
example with <userinput>dig +cd</userinput>; the resolver then
returns the data without validating it.
2547 Responses may fail to validate for any of several reasons,
2548 including missing, expired, or invalid signatures, a key which
2549 does not match the DS RRset in the parent zone, or an insecure
2550 response from a zone which, according to its parent, should have
2556 When the validator receives a response from an unsigned zone
2557 that has a signed parent, it must confirm with the parent
2558 that the zone was intentionally left unsigned. It does
2559 this by verifying, via signed and validated NSEC/NSEC3 records,
2560 that the parent zone contains no DS records for the child.
2563 If the validator <emphasis>can</emphasis> prove that the zone
2564 is insecure, then the response is accepted. However, if it
2565 cannot, then it must assume an insecure response to be a
2566 forgery; it rejects the response and logs an error.
2569 The logged error reads "insecurity proof failed" and
2570 "got insecure response; parent indicates it should be secure".
2571 (Prior to BIND 9.7, the logged error was "not insecure".
2572 This referred to the zone, not the response.)
2579 <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
2582 <acronym>BIND</acronym> 9 fully supports all currently
2583 defined forms of IPv6 name to address and address to name
2584 lookups. It will also use IPv6 addresses to make queries when
2585 running on an IPv6 capable system.
2589 For forward lookups, <acronym>BIND</acronym> 9 supports
2590 only AAAA records. RFC 3363 deprecated the use of A6 records,
2591 and client-side support for A6 records was accordingly removed
2592 from <acronym>BIND</acronym> 9.
2593 However, authoritative <acronym>BIND</acronym> 9 name servers still
2594 load zone files containing A6 records correctly, answer queries
2595 for A6 records, and accept zone transfer for a zone containing A6
2600 For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
2601 the traditional "nibble" format used in the
2602 <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
2603 <emphasis>ip6.int</emphasis> domain.
2604 Older versions of <acronym>BIND</acronym> 9
2605 supported the "binary label" (also known as "bitstring") format,
2606 but support of binary labels has been completely removed per
2608 Many applications in <acronym>BIND</acronym> 9 do not understand
2609 the binary label format at all any more, and will return an
2611 In particular, an authoritative <acronym>BIND</acronym> 9
2612 name server will not load a zone file containing binary labels.
2616 For an overview of the format and structure of IPv6 addresses,
2617 see <xref linkend="ipv6addresses"/>.
2621 <title>Address Lookups Using AAAA Records</title>
2624 The IPv6 AAAA record is a parallel to the IPv4 A record,
2625 and, unlike the deprecated A6 record, specifies the entire
2626 IPv6 address in a single record. For example,
2630 $ORIGIN example.com.
2631 host 3600 IN AAAA 2001:db8::1
2635 Use of IPv4-in-IPv6 mapped addresses is not recommended.
2636 If a host has an IPv4 address, use an A record, not
2637 a AAAA, with <literal>::ffff:192.168.42.1</literal> as
2642 <title>Address to Name Lookups Using Nibble Format</title>
2645 When looking up an address in nibble format, the address
2646 components are simply reversed, just as in IPv4, and
2647 <literal>ip6.arpa.</literal> is appended to the
2649 For example, the following would provide reverse name lookup for
2651 <literal>2001:db8::1</literal>.
2655 $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
2656 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
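The two record forms in this chapter, the AAAA record and the nibble-format PTR, are mechanical enough to generate. The Python below is an added example (not from the manual or from BIND) that builds the $ORIGIN/PTR pair shown above from an address and a delegation prefix length, and that emits an A record rather than a AAAA when it is handed an IPv4-mapped address, as the text recommends. The function names and the /64 default are this example's own choices.

```python
import ipaddress


def nibble_reverse(addr):
    """Full ip6.arpa owner name: all 32 nibbles in reverse order, then ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_split(addr, prefixlen=64):
    """Split the nibble name at a delegation boundary.

    Returns ($ORIGIN for the delegated prefix, owner name relative to it).
    Nibble boundaries fall every 4 bits, so prefixlen must be a multiple of 4.
    """
    if prefixlen % 4 or not 0 < prefixlen < 128:
        raise ValueError("prefix length must be a multiple of 4 between 4 and 124")
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    cut = prefixlen // 4
    origin = ".".join(reversed(nibbles[:cut])) + ".ip6.arpa."
    owner = ".".join(reversed(nibbles[cut:]))
    return origin, owner


def ptr_zone_snippet(addr, target, ttl=14400, prefixlen=64):
    """Zone-file fragment for the reverse mapping, in the form the manual shows."""
    origin, owner = reverse_zone_split(addr, prefixlen)
    return f"$ORIGIN {origin}\n{owner} {ttl} IN PTR {target}"


def forward_record(host, addr, ttl=3600):
    """Forward record: AAAA for a real IPv6 address, A for IPv4 or an IPv4-mapped one.

    ::ffff:a.b.c.d is unwrapped to a.b.c.d and published as an A record.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    rtype = "AAAA" if ip.version == 6 else "A"
    return f"{host} {ttl} IN {rtype} {ip.compressed}"


if __name__ == "__main__":
    print(forward_record("host", "2001:db8::1"))
    print(forward_record("host", "::ffff:192.168.42.1"))
    print(ptr_zone_snippet("2001:db8::1", "host.example.com."))
```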
2663 <chapter id="Bv9ARM.ch05">
2664 <title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
2666 <title>The Lightweight Resolver Library</title>
2668 Traditionally applications have been linked with a stub resolver
2669 library that sends recursive DNS queries to a local caching name
2673 IPv6 once introduced new complexity into the resolution process,
2674 such as following A6 chains and DNAME records, and simultaneous
2675 lookup of IPv4 and IPv6 addresses. Though most of the complexity was
2676 then removed, these are hard or impossible
2677 to implement in a traditional stub resolver.
2680 <acronym>BIND</acronym> 9 therefore can also provide resolution
2681 services to local clients
2682 using a combination of a lightweight resolver library and a resolver
2683 daemon process running on the local host. These communicate using
2684 a simple UDP-based protocol, the "lightweight resolver protocol"
2685 that is distinct from and simpler than the full DNS protocol.
2689 <title>Running a Resolver Daemon</title>
2692 To use the lightweight resolver interface, the system must
2693 run the resolver daemon <command>lwresd</command> or a
2695 name server configured with a <command>lwres</command>
2700 By default, applications using the lightweight resolver library will
2702 UDP requests to the IPv4 loopback address (127.0.0.1) on port 921.
2704 address can be overridden by <command>lwserver</command>
2706 <filename>/etc/resolv.conf</filename>.
2710 The daemon currently only looks in the DNS, but in the future
2711 it may use other sources such as <filename>/etc/hosts</filename>,
2716 The <command>lwresd</command> daemon is essentially a
2717 caching-only name server that responds to requests using the
2719 resolver protocol rather than the DNS protocol. Because it needs
2720 to run on each host, it is designed to require no or minimal
2722 Unless configured otherwise, it uses the name servers listed on
2723 <command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
2724 as forwarders, but is also capable of doing the resolution
2729 The <command>lwresd</command> daemon may also be
2731 <filename>named.conf</filename> style configuration file,
2733 <filename>/etc/lwresd.conf</filename> by default. A name
2735 be configured to act as a lightweight resolver daemon using the
2736 <command>lwres</command> statement in <filename>named.conf</filename>.
2742 <chapter id="Bv9ARM.ch06">
2743 <title><acronym>BIND</acronym> 9 Configuration Reference</title>
2746 <acronym>BIND</acronym> 9 configuration is broadly similar
2747 to <acronym>BIND</acronym> 8; however, there are a few new
2749 of configuration, such as views. <acronym>BIND</acronym>
2750 8 configuration files should work with few alterations in <acronym>BIND</acronym>
2751 9, although more complex configurations should be reviewed to check
2752 if they can be more efficiently implemented using the new features
2753 found in <acronym>BIND</acronym> 9.
2757 <acronym>BIND</acronym> 4 configuration files can be
2758 converted to the new format
2759 using the shell script
2760 <filename>contrib/named-bootconf/named-bootconf.sh</filename>.
2762 <sect1 id="configuration_file_elements">
2763 <title>Configuration File Elements</title>
2765 Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
2768 <informaltable colsep="0" rowsep="0">
2769 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
2770 <colspec colname="1" colnum="1" colsep="0" colwidth="1.855in"/>
2771 <colspec colname="2" colnum="2" colsep="0" colwidth="3.770in"/>
2776 <varname>acl_name</varname>
2781 The name of an <varname>address_match_list</varname> as
2782 defined by the <command>acl</command> statement.
2789 <varname>address_match_list</varname>
2794 A list of one or more
2795 <varname>ip_addr</varname>,
2796 <varname>ip_prefix</varname>, <varname>key_id</varname>,
2797 or <varname>acl_name</varname> elements, see
2798 <xref linkend="address_match_lists"/>.
2805 <varname>masters_list</varname>
2810 A named list of one or more <varname>ip_addr</varname>
2811 with optional <varname>key_id</varname> and/or
2812 <varname>ip_port</varname>.
2813 A <varname>masters_list</varname> may include other
2814 <varname>masters_lists</varname>.
2821 <varname>domain_name</varname>
2826 A quoted string which will be used as
2827 a DNS name, for example "<literal>my.test.domain</literal>".
2834 <varname>dotted_decimal</varname>
2839 One to four integers valued 0 through
2840 255 separated by dots (`.'), such as <command>123</command>,
2841 <command>45.67</command> or <command>89.123.45.67</command>.
2848 <varname>ip4_addr</varname>
2853 An IPv4 address with exactly four elements
2854 in <varname>dotted_decimal</varname> notation.
2861 <varname>ip6_addr</varname>
2866 An IPv6 address, such as <command>2001:db8::1234</command>.
2867 IPv6 scoped addresses that have ambiguity on their
2868 scope zones must be disambiguated by an appropriate
2869 zone ID with the percent character (`%') as
2870 delimiter. It is strongly recommended to use
2871 string zone names rather than numeric identifiers,
2872 in order to be robust against system configuration
2873 changes. However, since there is no standard
2874 mapping for such names and identifier values,
2875 currently only interface names as link identifiers
2876 are supported, assuming one-to-one mapping between
2877 interfaces and links. For example, a link-local
2878 address <command>fe80::1</command> on the link
2879 attached to the interface <command>ne0</command>
2880 can be specified as <command>fe80::1%ne0</command>.
2881 Note that on most systems link-local addresses
2882 always have the ambiguity, and need to be
2890 <varname>ip_addr</varname>
2895 An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.
2902 <varname>ip_port</varname>
2907 An IP port <varname>number</varname>.
2908 The <varname>number</varname> is limited to 0
2909 through 65535, with values
2910 below 1024 typically restricted to use by processes running
2912 In some cases, an asterisk (`*') character can be used as a
2914 select a random high-numbered port.
2921 <varname>ip_prefix</varname>
2926 An IP network specified as an <varname>ip_addr</varname>,
2927 followed by a slash (`/') and then the number of bits in the
2929 Trailing zeros in an <varname>ip_addr</varname>
2931 For example, <command>127/8</command> is the
2932 network <command>127.0.0.0</command> with
2933 netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
2934 network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
2937 When specifying a prefix involving an IPv6 scoped address
2938 the scope may be omitted. In that case the prefix will
2939 match packets from any scope.
2946 <varname>key_id</varname>
2951 A <varname>domain_name</varname> representing
2952 the name of a shared key, to be used for transaction
2960 <varname>key_list</varname>
2965 A list of one or more
2966 <varname>key_id</varname>s,
2967 separated by semicolons and ending with a semicolon.
2974 <varname>number</varname>
2979 A non-negative 32-bit integer
2980 (i.e., a number between 0 and 4294967295, inclusive).
2981 Its acceptable value might further
2982 be limited by the context in which it is used.
2989 <varname>path_name</varname>
2994 A quoted string which will be used as
2995 a pathname, such as <filename>zones/master/my.test.domain</filename>.
3002 <varname>port_list</varname>
3007 A list of an <varname>ip_port</varname> or a port
3009 A port range is specified in the form of
3010 <userinput>range</userinput> followed by
3011 two <varname>ip_port</varname>s,
3012 <varname>port_low</varname> and
3013 <varname>port_high</varname>, which represents
3014 port numbers from <varname>port_low</varname> through
3015 <varname>port_high</varname>, inclusive.
3016 <varname>port_low</varname> must not be larger than
3017 <varname>port_high</varname>.
3019 <userinput>range 1024 65535</userinput> represents
3020 ports from 1024 through 65535.
3021 In either case an asterisk (`*') character is not
3022 allowed as a valid <varname>ip_port</varname>.
3029 <varname>size_spec</varname>
3034 A number, the word <userinput>unlimited</userinput>,
3035 or the word <userinput>default</userinput>.
3038 An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
3039 use, or the maximum available amount. A <varname>default size_spec</varname> uses
3040 the limit that was in force when the server was started.
3043 A <varname>number</varname> can optionally be
3044 followed by a scaling factor:
3045 <userinput>K</userinput> or <userinput>k</userinput>
3047 <userinput>M</userinput> or <userinput>m</userinput>
3049 <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
3050 which scale by 1024, 1024*1024, and 1024*1024*1024
3054 The value must be representable as a 64-bit unsigned integer
3055 (0 to 18446744073709551615, inclusive).
3056 Using <varname>unlimited</varname> is the best way
3058 to safely set a really large number.
3065 <varname>yes_or_no</varname>
3070 Either <userinput>yes</userinput> or <userinput>no</userinput>.
3071 The words <userinput>true</userinput> and <userinput>false</userinput> are
3072 also accepted, as are the numbers <userinput>1</userinput>
3073 and <userinput>0</userinput>.
3080 <varname>dialup_option</varname>
3085 One of <userinput>yes</userinput>,
3086 <userinput>no</userinput>, <userinput>notify</userinput>,
3087 <userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
3088 <userinput>passive</userinput>.
3089 When used in a zone, <userinput>notify-passive</userinput>,
3090 <userinput>refresh</userinput>, and <userinput>passive</userinput>
3091 are restricted to slave and stub zones.
3098 <sect2 id="address_match_lists">
3099 <title>Address Match Lists</title>
3101 <title>Syntax</title>
3103 <programlisting><varname>address_match_list</varname> = address_match_list_element ;
3104 <optional> address_match_list_element; ... </optional>
3105 <varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
3106 key key_id | acl_name | { address_match_list } )
3111 <title>Definition and Usage</title>
3113 Address match lists are primarily used to determine access
3114 control for various server operations. They are also used in
3115 the <command>listen-on</command> and <command>sortlist</command>
3116 statements. The elements which constitute an address match
3117 list can be any of the following:
3121 <simpara>an IP address (IPv4 or IPv6)</simpara>
3124 <simpara>an IP prefix (in `/' notation)</simpara>
3128 a key ID, as defined by the <command>key</command>
3133 <simpara>the name of an address match list defined with
3134 the <command>acl</command> statement
3138 <simpara>a nested address match list enclosed in braces</simpara>
3143 Elements can be negated with a leading exclamation mark (`!'),
3144 and the match list names "any", "none", "localhost", and
3145 "localnets" are predefined. More information on those names
3146 can be found in the description of the acl statement.
3150 The addition of the key clause made the name of this syntactic
3151 element something of a misnomer, since security keys can be used
3152 to validate access without regard to a host or network address.
3153 Nonetheless, the term "address match list" is still used
3154 throughout the documentation.
3158 When a given IP address or prefix is compared to an address
3159 match list, the comparison takes place in approximately O(1)
3160 time. However, key comparisons require that the list of keys
3161 be traversed until a matching key is found, and therefore may
3166 The interpretation of a match depends on whether the list is being
3167 used for access control, defining <command>listen-on</command> ports, or in a
3168 <command>sortlist</command>, and whether the element was negated.
3172 When used as an access control list, a non-negated match
3173 allows access and a negated match denies access. If
3174 there is no match, access is denied. The clauses
3175 <command>allow-notify</command>,
3176 <command>allow-recursion</command>,
3177 <command>allow-recursion-on</command>,
3178 <command>allow-query</command>,
3179 <command>allow-query-on</command>,
3180 <command>allow-query-cache</command>,
3181 <command>allow-query-cache-on</command>,
3182 <command>allow-transfer</command>,
3183 <command>allow-update</command>,
3184 <command>allow-update-forwarding</command>, and
3185 <command>blackhole</command> all use address match
3186 lists. Similarly, the <command>listen-on</command> option will cause the
3187 server to refuse queries on any of the machine's
3188 addresses which do not match the list.
3192 Order of insertion is significant. If more than one element
3193 in an ACL is found to match a given IP address or prefix,
3194 preference will be given to the one that came
3195 <emphasis>first</emphasis> in the ACL definition.
3196 Because of this first-match behavior, an element that
3197 defines a subset of another element in the list should
3198 come before the broader element, regardless of whether
3199 either is negated. For example, in
3200 <command>1.2.3/24; ! 1.2.3.13;</command>
3201 the 1.2.3.13 element is completely useless because the
3202 algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
3203 element. Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
3204 that problem by having 1.2.3.13 blocked by the negation, but
3205 all other 1.2.3.* hosts fall through.
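To make the first-match rule above concrete, here is a small Python evaluator for the address_match_list grammar given at the start of this section. It is an added example, not code from BIND; the function names (allowed, first_match, define_acls, expand_prefix), the choice to support only the any and none builtins (localhost and localnets depend on the host's interfaces), and the treatment of a nested list or named ACL as matching only when its own evaluation ends in a positive match are this example's own assumptions. Its demo reproduces the 1.2.3/24; ! 1.2.3.13; ordering mistake discussed above.

```python
import ipaddress
import re

# Builtins this evaluator knows.  localhost/localnets are omitted: they are
# derived from the host's interfaces, which an offline example cannot inspect.
BUILTIN = {"any", "none"}
_TOKEN = re.compile(r"\s*([{};!]|[^\s{};!]+)")


def expand_prefix(text):
    """Accept BIND's short IPv4 prefixes: 127/8 -> 127.0.0.0/8, 1.2.3/24 -> 1.2.3.0/24."""
    addr, _, length = text.partition("/")
    if ":" in addr:
        return ipaddress.ip_network(f"{addr}/{length or 128}", strict=False)
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad IPv4 prefix: {text}")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{length or 32}", strict=False)


class AclParser:
    """Recursive-descent parser for:  element ; [ element ; ... ]
       element = [ ! ] ( ip_address [/length] | key key_id | acl_name | { list } )"""

    def __init__(self, text, acls):
        self.toks, self.pos, self.acls = _TOKEN.findall(text), 0, acls

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse_list(self):
        elems = []
        while self._peek() not in (None, "}"):
            elems.append(self.parse_element())
            if self._take() != ";":
                raise ValueError("expected ';' after element")
        return elems

    def parse_element(self):
        negate = self._peek() == "!"
        if negate:
            self._take()
        tok = self._take()
        if tok is None:
            raise ValueError("unexpected end of address_match_list")
        if tok == "{":
            body = ("list", self.parse_list())
            if self._take() != "}":
                raise ValueError("expected '}'")
        elif tok == "key":
            body = ("key", self._take().strip('"'))
        else:
            name = tok.strip('"')
            if name in BUILTIN or name in self.acls:
                body = ("acl", name)      # named lists must already exist: no forward references
            else:
                body = ("net", expand_prefix(name))
        return (negate, body)


def define_acls(definitions):
    """Parse `acl name { ... };` bodies in order, as named.conf requires."""
    acls = {}
    for name, text in definitions:
        acls[name] = AclParser(text, acls).parse_list()
    return acls


def first_match(elems, addr, key=None, acls=None):
    """Walk the list in order; the FIRST element that matches decides.

    True = positive match, False = negated match, None = nothing matched.
    """
    acls = acls or {}
    for negate, (kind, val) in elems:
        if kind == "net":
            hit = addr in val                # False across address families
        elif kind == "key":
            hit = key == val                 # TSIG key name of the request, if any
        elif kind == "acl" and val == "any":
            hit = True
        elif kind == "acl" and val == "none":
            hit = False
        else:                                # nested list or named acl (assumption: only a
            inner = val if kind == "list" else acls[val]   # positive inner match counts)
            hit = first_match(inner, addr, key, acls) is True
        if hit:
            return not negate
    return None


def allowed(text, ip, key=None, acls=None):
    """Access-control interpretation: allow on a positive match, deny on a negated match or none."""
    elems = AclParser(text, acls or {}).parse_list()
    return first_match(elems, ipaddress.ip_address(ip), key, acls) is True


if __name__ == "__main__":
    # The useless negation: 1.2.3/24 matches first, so ! 1.2.3.13 is never consulted.
    print(allowed("1.2.3/24; ! 1.2.3.13;", "1.2.3.13"))   # True  (not what was intended)
    print(allowed("! 1.2.3.13; 1.2.3/24;", "1.2.3.13"))   # False (blocked as intended)
    print(allowed("! 1.2.3.13; 1.2.3/24;", "1.2.3.7"))    # True  (rest of the /24 falls through)
```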
3211 <title>Comment Syntax</title>
3214 The <acronym>BIND</acronym> 9 comment syntax allows for
3216 anywhere that whitespace may appear in a <acronym>BIND</acronym> configuration
3217 file. To appeal to programmers of all kinds, they can be written
3218 in the C, C++, or shell/perl style.
3222 <title>Syntax</title>
3225 <programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
3226 <programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
3227 <programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
3231 <title>Definition and Usage</title>
3233 Comments may appear anywhere that whitespace may appear in
3234 a <acronym>BIND</acronym> configuration file.
3237 C-style comments start with the two characters /* (slash,
3238 star) and end with */ (star, slash). Because they are completely
3239 delimited with these characters, they can be used to comment only
3240 a portion of a line or to span multiple lines.
3243 C-style comments cannot be nested. For example, the following
3244 is not valid because the entire comment ends with the first */:
3248 <programlisting>/* This is the start of a comment.
3249 This is still part of the comment.
3250 /* This is an incorrect attempt at nesting a comment. */
3251 This is no longer in any comment. */
3257 C++-style comments start with the two characters // (slash,
3258 slash) and continue to the end of the physical line. They cannot
3259 be continued across multiple physical lines; to have one logical
3260 comment span multiple lines, each line must use the // pair.
3265 <programlisting>// This is the start of a comment. The next line
3266 // is a new comment, even though it is logically
3267 // part of the previous comment.
3272 Shell-style (or perl-style, if you prefer) comments start
3273 with the character <literal>#</literal> (number sign)
3274 and continue to the end of the
3275 physical line, as in C++ comments.
3281 <programlisting># This is the start of a comment. The next line
3282 # is a new comment, even though it is logically
3283 # part of the previous comment.
3290 You cannot use the semicolon (`;') character
3291 to start a comment such as you would in a zone file. The
3292 semicolon indicates the end of a configuration
3300 <sect1 id="Configuration_File_Grammar">
3301 <title>Configuration File Grammar</title>
3304 A <acronym>BIND</acronym> 9 configuration consists of
3305 statements and comments.
3306 Statements end with a semicolon. Statements and comments are the
3307 only elements that can appear without enclosing braces. Many
3308 statements contain a block of sub-statements, which are also
3309 terminated with a semicolon.
3313 The following statements are supported:
3316 <informaltable colsep="0" rowsep="0">
3317 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="2Level-table">
3318 <colspec colname="1" colnum="1" colsep="0" colwidth="1.336in"/>
3319 <colspec colname="2" colnum="2" colsep="0" colwidth="3.778in"/>
3323 <para><command>acl</command></para>
3327 defines a named IP address
3328 matching list, for access control and other uses.
3334 <para><command>controls</command></para>
3338 declares control channels to be used
3339 by the <command>rndc</command> utility.
3345 <para><command>include</command></para>
3355 <para><command>key</command></para>
3359 specifies key information for use in
3360 authentication and authorization using TSIG.
3366 <para><command>logging</command></para>
3370 specifies what the server logs, and where
3371 the log messages are sent.
3377 <para><command>lwres</command></para>
3381 configures <command>named</command> to
3382 also act as a light-weight resolver daemon (<command>lwresd</command>).
3388 <para><command>masters</command></para>
3392 defines a named masters list for
3393 inclusion in stub and slave zone masters clauses.
3399 <para><command>options</command></para>
3403 controls global server configuration
3404 options and sets defaults for other statements.
3410 <para><command>server</command></para>
3414 sets certain configuration options on
3421 <para><command>statistics-channels</command></para>
3425 declares communication channels to get access to
3426 <command>named</command> statistics.
3432 <para><command>trusted-keys</command></para>
3436 defines trusted DNSSEC keys.
3442 <para><command>view</command></para>
3452 <para><command>zone</command></para>
3465 The <command>logging</command> and
3466 <command>options</command> statements may only occur once
3472 <title><command>acl</command> Statement Grammar</title>
3474 <programlisting><command>acl</command> acl-name {
3481 <title><command>acl</command> Statement Definition and
3485 The <command>acl</command> statement assigns a symbolic
3486 name to an address match list. It gets its name from a primary
3487 use of address match lists: Access Control Lists (ACLs).
3491 Note that an address match list's name must be defined
3492 with <command>acl</command> before it can be used
3493 elsewhere; no forward references are allowed.
3497 The following ACLs are built-in:
3500 <informaltable colsep="0" rowsep="0">
3501 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
3502 <colspec colname="1" colnum="1" colsep="0" colwidth="1.130in"/>
3503 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
3507 <para><command>any</command></para>
3517 <para><command>none</command></para>
3527 <para><command>localhost</command></para>
3531 Matches the IPv4 and IPv6 addresses of all network
3532 interfaces on the system.
3538 <para><command>localnets</command></para>
3542 Matches any host on an IPv4 or IPv6 network
3543 for which the system has an interface.
3544 Some systems do not provide a way to determine the prefix
3546 local IPv6 addresses.
3547 In such a case, <command>localnets</command>
3548 only matches the local
3549 IPv6 addresses, just like <command>localhost</command>.
3559 <title><command>controls</command> Statement Grammar</title>
3561 <programlisting><command>controls</command> {
3562 [ inet ( ip_addr | * ) [ port ip_port ] allow { <replaceable> address_match_list </replaceable> }
3563 keys { <replaceable>key_list</replaceable> }; ]
3565 [ unix <replaceable>path</replaceable> perm <replaceable>number</replaceable> owner <replaceable>number</replaceable> group <replaceable>number</replaceable> keys { <replaceable>key_list</replaceable> }; ]
3572 <sect2 id="controls_statement_definition_and_usage">
3573 <title><command>controls</command> Statement Definition and
3577 The <command>controls</command> statement declares control
3578 channels to be used by system administrators to control the
3579 operation of the name server. These control channels are
3580 used by the <command>rndc</command> utility to send
3581 commands to and retrieve non-DNS results from a name server.
3585 An <command>inet</command> control channel is a TCP socket
3586 listening at the specified <command>ip_port</command> on the
3587 specified <command>ip_addr</command>, which can be an IPv4 or IPv6
3588 address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
3589 interpreted as the IPv4 wildcard address; connections will be
3590 accepted on any of the system's IPv4 addresses.
3591 To listen on the IPv6 wildcard address,
3592 use an <command>ip_addr</command> of <literal>::</literal>.
3593 If you will only use <command>rndc</command> on the local host,
3594 using the loopback address (<literal>127.0.0.1</literal>
3595 or <literal>::1</literal>) is recommended for maximum security.
3599 If no port is specified, port 953 is used. The asterisk
3600 "<literal>*</literal>" cannot be used for <command>ip_port</command>.
3604 The ability to issue commands over the control channel is
3605 restricted by the <command>allow</command> and
3606 <command>keys</command> clauses.
3607 Connections to the control channel are permitted based on the
3608 <command>address_match_list</command>. This is for simple
3609 IP address based filtering only; any <command>key_id</command>
3610 elements of the <command>address_match_list</command>
3615 A <command>unix</command> control channel is a UNIX domain
3616 socket listening at the specified path in the file system.
3617 Access to the socket is specified by the <command>perm</command>,
3618 <command>owner</command> and <command>group</command> clauses.
3619 Note that on some platforms (SunOS and Solaris) the permissions
3620 (<command>perm</command>) are applied to the parent directory
3621 as the permissions on the socket itself are ignored.
3625 The primary authorization mechanism of the command
3626 channel is the <command>key_list</command>, which
3627 contains a list of <command>key_id</command>s.
3628 Each <command>key_id</command> in the <command>key_list</command>
3629 is authorized to execute commands over the control channel.
3630 See <xref linkend="rndc"/> in <xref linkend="admin_tools"/>
3631 for information about configuring keys in <command>rndc</command>.
3635 If no <command>controls</command> statement is present,
3636 <command>named</command> will set up a default
3637 control channel listening on the loopback address 127.0.0.1
3638 and its IPv6 counterpart ::1.
3639 In this case, and also when the <command>controls</command> statement
3640 is present but does not have a <command>keys</command> clause,
3641 <command>named</command> will attempt to load the command channel key
3642 from the file <filename>rndc.key</filename> in
3643 <filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
3644 was specified as when <acronym>BIND</acronym> was built).
3645 To create a <filename>rndc.key</filename> file, run
3646 <userinput>rndc-confgen -a</userinput>.
3650 The <filename>rndc.key</filename> feature was created to
3651 ease the transition of systems from <acronym>BIND</acronym> 8,
3652 which did not have digital signatures on its command channel
3653 messages and thus did not have a <command>keys</command> clause.
3655 It makes it possible to use an existing <acronym>BIND</acronym> 8
3656 configuration file in <acronym>BIND</acronym> 9 unchanged,
3657 and still have <command>rndc</command> work the same way
3658 <command>ndc</command> worked in BIND 8, simply by executing the
3659 command <userinput>rndc-confgen -a</userinput> after BIND 9 is
3664 Since the <filename>rndc.key</filename> feature
3665 is only intended to allow the backward-compatible usage of
3666 <acronym>BIND</acronym> 8 configuration files, this
3668 have a high degree of configurability. You cannot easily change
3669 the key name or the size of the secret, so you should make a
3670 <filename>rndc.conf</filename> with your own key if you
3672 those things. The <filename>rndc.key</filename> file
3674 permissions set such that only the owner of the file (the user that
3675 <command>named</command> is running as) can access it.
3677 desire greater flexibility in allowing other users to access
3678 <command>rndc</command> commands, then you need to create
3680 <filename>rndc.conf</filename> file and make it group
3682 that contains the users who should have access.
3686 To disable the command channel, use an empty
3687 <command>controls</command> statement:
3688 <command>controls { };</command>.
3693 <title><command>include</command> Statement Grammar</title>
3694 <programlisting><command>include</command> <replaceable>filename</replaceable>;</programlisting>
3697 <title><command>include</command> Statement Definition and
3701 The <command>include</command> statement inserts the
3702 specified file at the point where the <command>include</command>
3703 statement is encountered. The <command>include</command>
3704 statement facilitates the administration of configuration
3706 by permitting the reading or writing of some things but not
3707 others. For example, the statement could include private keys
3708 that are readable only by the name server.
3713 <title><command>key</command> Statement Grammar</title>
<programlisting><command>key</command> <replaceable>key_id</replaceable> {
    algorithm <replaceable>string</replaceable>;
    secret <replaceable>string</replaceable>;
};</programlisting>
3724 <title><command>key</command> Statement Definition and Usage</title>
3727 The <command>key</command> statement defines a shared
3728 secret key for use with TSIG (see <xref linkend="tsig"/>)
3729 or the command channel
3730 (see <xref linkend="controls_statement_definition_and_usage"/>).
3734 The <command>key</command> statement can occur at the
3736 of the configuration file or inside a <command>view</command>
3737 statement. Keys defined in top-level <command>key</command>
3738 statements can be used in all views. Keys intended for use in
3739 a <command>controls</command> statement
3740 (see <xref linkend="controls_statement_definition_and_usage"/>)
3741 must be defined at the top level.
3745 The <replaceable>key_id</replaceable>, also known as the
3746 key name, is a domain name uniquely identifying the key. It can
3747 be used in a <command>server</command>
3748 statement to cause requests sent to that
3749 server to be signed with this key, or in address match lists to
3750 verify that incoming requests have been signed with a key
3751 matching this name, algorithm, and secret.
3755 The <replaceable>algorithm_id</replaceable> is a string
3756 that specifies a security/authentication algorithm. Named
3757 supports <literal>hmac-md5</literal>,
3758 <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
3759 <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>
3760 and <literal>hmac-sha512</literal> TSIG authentication.
3761 Truncated hashes are supported by appending the minimum
3762 number of required bits preceded by a dash, e.g.
3763 <literal>hmac-sha1-80</literal>. The
3764 <replaceable>secret_string</replaceable> is the secret
3765 to be used by the algorithm, and is treated as a base-64
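The checks a practitioner would want to run on a key statement and on the <filename>rndc.key</filename> file follow, as an added example that is not part of the manual or of BIND itself: the algorithm name is validated against the list above (including the dash-separated truncation suffix, which may not exceed the algorithm's full digest size), the secret is checked to be valid base-64, and the key file is written and verified to be readable by its owner only, as the <command>controls</command> and <command>include</command> sections require for private keys. The key statement layout produced mirrors what <userinput>rndc-confgen -a</userinput> writes; the <literal>rndc-key</literal> name and 32-byte secret used in <literal>demo()</literal> are assumptions, and the generated statement is constructed here, not read from a real system.

```python
import base64
import binascii
import os
import re
import stat
import tempfile

# Full digest size, in bits, of each HMAC algorithm the key statement accepts.
DIGEST_BITS = {"hmac-md5": 128, "hmac-sha1": 160, "hmac-sha224": 224,
               "hmac-sha256": 256, "hmac-sha384": 384, "hmac-sha512": 512}

# Algorithm name with an optional "-<bits>" truncation suffix, e.g. hmac-sha1-80.
_ALG_RE = re.compile(r"^(hmac-(?:md5|sha1|sha224|sha256|sha384|sha512))(?:-(\d+))?$")

# One key statement as written in rndc.key or named.conf (whitespace-tolerant).
_KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^"\s{]+)"?\s*\{\s*algorithm\s+(?P<algorithm>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"]*)"\s*;\s*\}\s*;', re.IGNORECASE)


def check_algorithm(algorithm):
    """Return (base_algorithm, mac_bits) or raise ValueError."""
    m = _ALG_RE.match(algorithm.lower())
    if not m:
        raise ValueError("unsupported key algorithm: %r" % (algorithm,))
    base, bits = m.group(1), m.group(2)
    full = DIGEST_BITS[base]
    if bits is None:
        return base, full
    bits = int(bits)
    if bits <= 0 or bits > full:   # a truncation can only shorten the MAC
        raise ValueError("truncation to %d bits is out of range for %s" % (bits, base))
    return base, bits


def check_secret(secret):
    """Decode the base-64 secret and return its length in bytes, or raise ValueError."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("secret is not valid base-64")
    if not raw:
        raise ValueError("secret is empty")
    return len(raw)


def key_problems(algorithm, secret):
    """List the validation problems of a key's algorithm and secret (empty list = OK)."""
    problems = []
    for check, value in ((check_algorithm, algorithm), (check_secret, secret)):
        try:
            check(value)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def parse_key_statement(text):
    """Parse one key statement and validate it."""
    m = _KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    base, bits = check_algorithm(m.group("algorithm"))
    return {"name": m.group("name"), "algorithm": base, "mac_bits": bits,
            "secret_bytes": check_secret(m.group("secret"))}


def make_key_statement(name, algorithm, nbytes):
    """Render a key statement with a fresh random secret (what rndc-confgen -a produces)."""
    check_algorithm(algorithm)
    secret = base64.b64encode(os.urandom(nbytes)).decode("ascii")
    return 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' % (name, algorithm, secret)


def is_owner_only(path):
    """True when no group or other permission bits are set (mode 0600 or stricter)."""
    return (stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_key_file(path, statement):
    """Create the key file so that only its owner can read or write it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(statement)
    os.chmod(path, 0o600)   # a pre-existing file could otherwise keep wider permissions


def demo():
    """Write a key file into a temporary directory and report the checks on it."""
    path = os.path.join(tempfile.mkdtemp(), "rndc.key")
    write_key_file(path, make_key_statement("rndc-key", "hmac-sha256", 32))
    with open(path) as fh:
        parsed = parse_key_statement(fh.read())
    result = {"parsed": parsed, "private": is_owner_only(path)}
    os.chmod(path, 0o644)   # simulate a careless chmod that exposes the secret
    result["after_chmod_644"] = is_owner_only(path)
    return result
```

<literal>key_problems()</literal> is the piece worth wiring into a configuration review: it reports every defect rather than stopping at the first, so a key with both a bad algorithm suffix and a malformed secret shows both. <literal>is_owner_only()</literal> is the check to run on whatever file the <command>include</command> statement pulls the key from, not only on <filename>rndc.key</filename>.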
3771 <title><command>logging</command> Statement Grammar</title>
<programlisting><command>logging</command> {
   [ <command>channel</command> <replaceable>channel_name</replaceable> {
     ( <command>file</command> <replaceable>path_name</replaceable>
         [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
         [ <command>size</command> <replaceable>size spec</replaceable> ]
       | <command>syslog</command> <replaceable>syslog_facility</replaceable>
       | <command>stderr</command>
       | <command>null</command> );
     [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
                 <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
     [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
     [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
     [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
   }; ]
   [ <command>category</command> <replaceable>category_name</replaceable> {
     <replaceable>channel_name</replaceable> ; [ <replaceable>channel_name</replaceable> ; ... ]
   }; ]
   ...
};</programlisting>
3797 <title><command>logging</command> Statement Definition and
3801 The <command>logging</command> statement configures a
3803 variety of logging options for the name server. Its <command>channel</command> phrase
3804 associates output methods, format options and severity levels with
3805 a name that can then be used with the <command>category</command> phrase
3806 to select how various classes of messages are logged.
3809 Only one <command>logging</command> statement is used to
3811 as many channels and categories as are wanted. If there is no <command>logging</command> statement,
3812 the logging configuration will be:
<programlisting>logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };
};</programlisting>
3822 In <acronym>BIND</acronym> 9, the logging configuration
3823 is only established when
3824 the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
3825 established as soon as the <command>logging</command>
3827 was parsed. When the server is starting up, all logging messages
3828 regarding syntax errors in the configuration file go to the default
3829 channels, or to standard error if the "<option>-g</option>" option
3834 <title>The <command>channel</command> Phrase</title>
3837 All log output goes to one or more <emphasis>channels</emphasis>;
3838 you can make as many of them as you want.
3842 Every channel definition must include a destination clause that
3843 says whether messages selected for the channel go to a file, to a
3844 particular syslog facility, to the standard error stream, or are
3845 discarded. It can optionally also limit the message severity level
3846 that will be accepted by the channel (the default is
3847 <command>info</command>), and whether to include a
3848 <command>named</command>-generated time stamp, the
3850 and/or severity level (the default is not to include any).
3854 The <command>null</command> destination clause
3855 causes all messages sent to the channel to be discarded;
3856 in that case, other options for the channel are meaningless.
3860 The <command>file</command> destination clause directs
3862 to a disk file. It can include limitations
3863 both on how large the file is allowed to become, and how many
3865 of the file will be saved each time the file is opened.
3869 If you use the <command>versions</command> log file
3871 <command>named</command> will retain that many backup
3872 versions of the file by
3873 renaming them when opening. For example, if you choose to keep
3875 of the file <filename>lamers.log</filename>, then just
3877 <filename>lamers.log.1</filename> is renamed to
3878 <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
3879 to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
3880 renamed to <filename>lamers.log.0</filename>.
3881 You can say <command>versions unlimited</command> to
3883 the number of versions.
3884 If a <command>size</command> option is associated with
3886 then renaming is only done when the file being opened exceeds the
3887 indicated size. No backup versions are kept by default; any
3889 log file is simply appended.
3893 The <command>size</command> option for files is used
3895 growth. If the file ever exceeds the size, then <command>named</command> will
3896 stop writing to the file unless it has a <command>versions</command> option
3897 associated with it. If backup versions are kept, the files are
3899 described above and a new one begun. If there is no
3900 <command>versions</command> option, no more data will
3901 be written to the log
3902 until some out-of-band mechanism removes or truncates the log to
3904 maximum size. The default behavior is not to limit the size of
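The renaming sequence and the <command>size</command> interaction described above are easy to get wrong when sizing disk for a busy server, so the following Python model, added here and not part of BIND, replays them on a scratch directory: it renames <filename>lamers.log.1</filename> to <filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> to <filename>lamers.log.1</filename> and <filename>lamers.log</filename> to <filename>lamers.log.0</filename>, drops the backup that would exceed the <command>versions</command> count, skips renaming while a <command>size</command>-limited file is still under its limit, and reports that writing stops when the limit is exceeded without a <command>versions</command> option. The size-spec parser treats <literal>k</literal>, <literal>m</literal> and <literal>g</literal> as binary multiples, the convention assumed here. The directory contents in <literal>demo()</literal> are constructed for the example.

```python
import os
import tempfile

_SIZE_UNITS = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size_spec(spec):
    """Convert a size spec such as '20m' to bytes (K, M, G suffixes, case-insensitive)."""
    spec = spec.strip().lower()
    if spec[-1:] in _SIZE_UNITS:
        return int(spec[:-1]) * _SIZE_UNITS[spec[-1]]
    return int(spec)


def open_log(directory, name, versions=None, size=None):
    """Model what a file channel does with its log when the file is (re)opened.

    versions: None (no backups kept), an int, or "unlimited".
    size:     byte limit from the size option, or None for no limit.
    Returns {"files": sorted directory listing afterwards, "writes_allowed": bool}.
    """
    current = os.path.join(directory, name)
    exists = os.path.exists(current)
    oversize = size is not None and exists and os.path.getsize(current) > size
    if versions is None:
        # No backups are ever made: the log is appended to until it exceeds the
        # size limit, after which named stops writing to it.
        return {"files": sorted(os.listdir(directory)), "writes_allowed": not oversize}
    if not exists or (size is not None and not oversize):
        # With a size limit, renaming only happens once the file exceeds it.
        return {"files": sorted(os.listdir(directory)), "writes_allowed": True}
    limit = None if versions == "unlimited" else int(versions)
    backups = []
    for entry in os.listdir(directory):
        suffix = entry[len(name) + 1:]
        if entry.startswith(name + ".") and suffix.isdigit():
            backups.append(int(suffix))
    # Shift the highest-numbered backup first so no rename overwrites another.
    for n in sorted(backups, reverse=True):
        src = os.path.join(directory, "%s.%d" % (name, n))
        if limit is not None and n + 1 >= limit:
            os.remove(src)          # would become name.<limit>: beyond the versions count
        else:
            os.replace(src, os.path.join(directory, "%s.%d" % (name, n + 1)))
    os.replace(current, os.path.join(directory, name + ".0"))
    return {"files": sorted(os.listdir(directory)), "writes_allowed": True}


def _seed(directory, name, current_bytes, backups):
    """Create a constructed log directory: the live file plus numbered backups."""
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(b"x" * current_bytes)
    for n in backups:
        with open(os.path.join(directory, "%s.%d" % (name, n)), "wb") as fh:
            fh.write(b"old\n")


def demo():
    """Replay the scenarios from the text, each in its own temporary directory."""
    results = {}
    d = tempfile.mkdtemp()
    _seed(d, "lamers.log", 10, [0, 1, 2])
    results["versions_3"] = open_log(d, "lamers.log", versions=3)
    d = tempfile.mkdtemp()
    _seed(d, "lamers.log", 10, [0, 1, 2])
    results["unlimited"] = open_log(d, "lamers.log", versions="unlimited")
    d = tempfile.mkdtemp()
    _seed(d, "lamers.log", 10, [0, 1, 2])
    results["under_size"] = open_log(d, "lamers.log", versions=3, size=parse_size_spec("20"))
    d = tempfile.mkdtemp()
    _seed(d, "lamers.log", 30, [])
    results["no_versions_oversize"] = open_log(d, "lamers.log", size=20)
    return results
```

The last scenario is the one that matters operationally: a <command>size</command> limit without <command>versions</command> silently stops the log, which for a security channel means events are lost until something outside <command>named</command> truncates the file.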
3910 Example usage of the <command>size</command> and
3911 <command>versions</command> options:
<programlisting>channel an_example_channel {
    file "example.log" versions 3 size 20m;
};</programlisting>
3922 The <command>syslog</command> destination clause
3924 channel to the system log. Its argument is a
3925 syslog facility as described in the <command>syslog</command> man
3926 page. Known facilities are <command>kern</command>, <command>user</command>,
3927 <command>mail</command>, <command>daemon</command>, <command>auth</command>,
3928 <command>syslog</command>, <command>lpr</command>, <command>news</command>,
3929 <command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
3930 <command>ftp</command>, <command>local0</command>, <command>local1</command>,
3931 <command>local2</command>, <command>local3</command>, <command>local4</command>,
3932 <command>local5</command>, <command>local6</command> and
3933 <command>local7</command>, however not all facilities
3935 all operating systems.
3936 How <command>syslog</command> will handle messages
3938 this facility is described in the <command>syslog.conf</command> man
3939 page. If you have a system which uses a very old version of <command>syslog</command> that
3940 only uses two arguments to the <command>openlog()</command> function,
3941 then this clause is silently ignored.
3944 The <command>severity</command> clause works like <command>syslog</command>'s
3945 "priorities", except that they can also be used if you are writing
3946 straight to a file rather than using <command>syslog</command>.
3947 Messages which are not at least of the severity level given will
3948 not be selected for the channel; messages of higher severity
3953 If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
3954 will also determine what eventually passes through. For example,
3955 defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
3956 only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
3957 cause messages of severity <command>info</command> and
3958 <command>notice</command> to
3959 be dropped. If the situation were reversed, with <command>named</command> writing
3960 messages of only <command>warning</command> or higher,
3961 then <command>syslogd</command> would
3962 print all messages it received from the channel.
3966 The <command>stderr</command> destination clause
3968 channel to the server's standard error stream. This is intended
3970 use when the server is running as a foreground process, for
3972 when debugging a configuration.
3976 The server can supply extensive debugging information when
3977 it is in debugging mode. If the server's global debug level is
3979 than zero, then debugging mode will be active. The global debug
3980 level is set either by starting the <command>named</command> server
3981 with the <option>-d</option> flag followed by a positive integer,
3982 or by running <command>rndc trace</command>.
3983 The global debug level
3984 can be set to zero, and debugging mode turned off, by running <command>rndc
3985 notrace</command>. All debugging messages in the server have a debug
3986 level, and higher debug levels give more detailed output. Channels
3987 that specify a specific debug severity, for example:
<programlisting>channel specific_debug_level {
    file "foo";
    severity debug 3;
};</programlisting>
3997 will get debugging output of level 3 or less any time the
3998 server is in debugging mode, regardless of the global debugging
3999 level. Channels with <command>dynamic</command>
4001 server's global debug level to determine what messages to print.
4004 If <command>print-time</command> has been turned on,
4006 the date and time will be logged. <command>print-time</command> may
4007 be specified for a <command>syslog</command> channel,
4009 pointless since <command>syslog</command> also logs
4011 time. If <command>print-category</command> is
4013 category of the message will be logged as well. Finally, if <command>print-severity</command> is
4014 on, then the severity level of the message will be logged. The <command>print-</command> options may
4015 be used in any combination, and will always be printed in the
4017 order: time, category, severity. Here is an example where all
4018 three <command>print-</command> options
4023 <computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput>
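The selection rules of the last three paragraphs (severity thresholds, the <command>syslog.conf</command> priority acting as a second filter, fixed versus <command>dynamic</command> debug levels, and the fixed time/category/severity prefix order) are modelled below in Python, as an added example that is not part of the manual or of <command>named</command>. It assumes that <command>severity debug</command> without a level means level 1 and that a debug message's severity is rendered as <literal>debug N</literal> when <command>print-severity</command> is on; the channel and message values are constructed for the example.

```python
# BIND severities from most to least severe; a channel accepts a message when the
# message is at least as severe as the channel's threshold.
SEVERITIES = ("critical", "error", "warning", "notice", "info", "debug")
RANK = {s: i for i, s in enumerate(SEVERITIES)}
# Equivalent syslog priority names, used to interpret a syslog.conf selector.
SYSLOG_NAME = {"critical": "crit", "error": "err", "warning": "warning",
               "notice": "notice", "info": "info", "debug": "debug"}


class Channel:
    """Filtering and formatting settings of one logging channel."""

    def __init__(self, name, severity="info", debug_level=1, print_time=False,
                 print_category=False, print_severity=False):
        # severity is one of SEVERITIES or "dynamic"; debug_level is the N of
        # "severity debug N" (assumed to be 1 when no level is given).
        if severity not in SEVERITIES and severity != "dynamic":
            raise ValueError("bad severity: %r" % (severity,))
        self.name = name
        self.severity = severity
        self.debug_level = debug_level
        self.print_time = print_time
        self.print_category = print_category
        self.print_severity = print_severity


def channel_accepts(channel, msg_severity, global_debug_level, msg_debug_level=1):
    """Decide whether a message is selected for the channel.

    Debug messages are only selected while the server is in debugging mode
    (global level > 0): a "severity debug N" channel then takes levels <= N
    regardless of the global level, a "dynamic" channel takes levels up to the
    current global level, and any other channel takes none of them.
    """
    if msg_severity != "debug":
        threshold = "debug" if channel.severity == "dynamic" else channel.severity
        return RANK[msg_severity] <= RANK[threshold]
    if global_debug_level <= 0:
        return False
    if channel.severity == "dynamic":
        return msg_debug_level <= global_debug_level
    if channel.severity == "debug":
        return msg_debug_level <= channel.debug_level
    return False


def syslog_passes(msg_severity, selector_priority):
    """Whether a syslog.conf selector such as daemon.warning keeps the message."""
    to_bind = {v: k for k, v in SYSLOG_NAME.items()}
    return RANK[msg_severity] <= RANK[to_bind[selector_priority]]


def delivered_via_syslog(channel, msg_severity, selector_priority, global_debug_level=0):
    """A message reaches the system log only if named's channel and syslogd both accept it."""
    return (channel_accepts(channel, msg_severity, global_debug_level)
            and syslog_passes(msg_severity, selector_priority))


def format_line(channel, timestamp, category, msg_severity, message, msg_debug_level=1):
    """Render the print-* prefixes in their fixed order: time, category, severity."""
    parts = []
    if channel.print_time:
        parts.append(timestamp)
    if channel.print_category:
        parts.append(category + ":")
    if channel.print_severity:
        label = msg_severity
        if msg_severity == "debug":
            label = "debug %d" % msg_debug_level   # assumed rendering of the debug level
        parts.append(label + ":")
    parts.append(message)
    return " ".join(parts)
```

The <literal>delivered_via_syslog()</literal> check is the one to run when a channel "is not logging": a channel at <command>severity debug</command> feeding <command>daemon.warning</command> in <command>syslog.conf</command> drops everything below <command>warning</command> before it is written anywhere.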
4027 There are four predefined channels that are used for
4028 <command>named</command>'s default logging as follows.
4030 used is described in <xref linkend="the_category_phrase"/>.
<programlisting>channel default_syslog {
    syslog daemon;                      // send to syslog's daemon
                                        // facility
    severity info;                      // only send priority info
                                        // and higher
};

channel default_debug {
    file "named.run";                   // write to named.run in
                                        // the working directory
                                        // Note: stderr is used instead
                                        // of "named.run"
                                        // if the server is started
                                        // with the '-f' option.
    severity dynamic;                   // log at the server's
                                        // current debug level
};

channel default_stderr {
    stderr;                             // writes to stderr
    severity info;                      // only send priority info
                                        // and higher
};

channel null {
   null;                                // toss anything sent to
                                        // this channel
};</programlisting>
4064 The <command>default_debug</command> channel has the
4066 property that it only produces output when the server's debug
4068 nonzero. It normally writes to a file called <filename>named.run</filename>
4069 in the server's working directory.
4073 For security reasons, when the "<option>-u</option>"
4074 command line option is used, the <filename>named.run</filename> file
4075 is created only after <command>named</command> has
4077 new UID, and any debug output generated while <command>named</command> is
4078 starting up and still running as root is discarded. If you need
4079 to capture this output, you must run the server with the "<option>-g</option>"
4080 option and redirect standard error to a file.
4084 Once a channel is defined, it cannot be redefined. Thus you
4085 cannot alter the built-in channels directly, but you can modify
4086 the default logging by pointing categories at channels you have
4091 <sect3 id="the_category_phrase">
4092 <title>The <command>category</command> Phrase</title>
4095 There are many categories, so you can send the logs you want
4096 to see wherever you want, without seeing logs you don't want. If
4097 you don't specify a list of channels for a category, then log
4099 in that category will be sent to the <command>default</command> category
4100 instead. If you don't specify a default category, the following
4101 "default default" is used:
<programlisting>category default { default_syslog; default_debug; };</programlisting>
4108 As an example, let's say you want to log security events to
4109 a file, but you also want to keep the default logging behavior. You'd
4110 specify the following:
<programlisting>channel my_security_channel {
    file "my_security_file";
    severity info;
};

category security {
    my_security_channel;
    default_syslog;
    default_debug;
};</programlisting>
4124 To discard all messages in a category, specify the <command>null</command> channel:
<programlisting>category xfer-out { null; };
category notify { null; };</programlisting>
4132 Following are the available categories and brief descriptions
4133 of the types of log information they contain. More
4134 categories may be added in future <acronym>BIND</acronym> releases.
4136 <informaltable colsep="0" rowsep="0">
4137 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4138 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
4139 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
4143 <para><command>default</command></para>
4147 The default category defines the logging
4148 options for those categories where no specific
4149 configuration has been
4156 <para><command>general</command></para>
4160 The catch-all. Many things still aren't
4161 classified into categories, and they all end up here.
4167 <para><command>database</command></para>
4171 Messages relating to the databases used
4172 internally by the name server to store zone and cache
4179 <para><command>security</command></para>
4183 Approval and denial of requests.
4189 <para><command>config</command></para>
4193 Configuration file parsing and processing.
4199 <para><command>resolver</command></para>
4203 DNS resolution, such as the recursive
4204 lookups performed on behalf of clients by a caching name
4211 <para><command>xfer-in</command></para>
4215 Zone transfers the server is receiving.
4221 <para><command>xfer-out</command></para>
4225 Zone transfers the server is sending.
4231 <para><command>notify</command></para>
4235 The NOTIFY protocol.
4241 <para><command>client</command></para>
4245 Processing of client requests.
4251 <para><command>unmatched</command></para>
4255 Messages that <command>named</command> was unable to determine the
4256 class of or for which there was no matching <command>view</command>.
4257 A one line summary is also logged to the <command>client</command> category.
4258 This category is best sent to a file or stderr; by
4259 default it is sent to
4260 the <command>null</command> channel.
4266 <para><command>network</command></para>
4276 <para><command>update</command></para>
4286 <para><command>update-security</command></para>
4290 Approval and denial of update requests.
4296 <para><command>queries</command></para>
4300 Specify where queries should be logged to.
4303 At startup, specifying the category <command>queries</command> will also
4304 enable query logging unless the <command>querylog</command> option has been
4309 The query log entry reports the client's IP
4310 address and port number, and the query name,
4311 class and type. It also reports whether the
4312 Recursion Desired flag was set (+ if set, -
4313 if not set), if the query was signed (S),
4314 EDNS was in use (E), if DO (DNSSEC Ok) was
4315 set (D), or if CD (Checking Disabled) was set
4320 <computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
4323 <computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
4329 <para><command>query-errors</command></para>
4333 Information about queries that resulted in some
4340 <para><command>dispatch</command></para>
4344 Dispatching of incoming packets to the
4345 server modules where they are to be processed.
4351 <para><command>dnssec</command></para>
4355 DNSSEC and TSIG protocol processing.
4361 <para><command>lame-servers</command></para>
4365 Lame servers. These are misconfigurations
4366 in remote servers, discovered by BIND 9 when trying to
4367 query those servers during resolution.
4373 <para><command>delegation-only</command></para>
4377 Delegation only. Logs queries that have been
4378 forced to NXDOMAIN as the result of a
4379 delegation-only zone or a
4380 <command>delegation-only</command> in a hint
4381 or stub zone declaration.
4387 <para><command>edns-disabled</command></para>
4391 Log queries that have been forced to use plain
4392 DNS due to timeouts. This is often due to
4393 the remote servers not being RFC 1034 compliant
4394 (not always returning FORMERR or similar to
4395 EDNS queries and other extensions to the DNS
4396 when they are not understood). In other words, this is
4397 targeted at servers that fail to respond to
4398 DNS queries that they don't understand.
4401 Note: the log message can also be due to
4402 packet loss. Before reporting servers for
4403 non-RFC 1034 compliance they should be re-tested
4404 to determine the nature of the non-compliance.
4405 This testing should prevent or reduce the
4406 number of false-positive reports.
4409 Note: eventually <command>named</command> will have to stop
4410 treating such timeouts as due to RFC 1034 non-compliance
4411 and start treating them as plain
4412 packet loss. Falsely classifying packet
4413 loss as due to RFC 1034 non-compliance impacts
4414 DNSSEC validation, which requires EDNS for
4415 the DNSSEC records to be returned.
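A parser for the <command>queries</command> category format shown above, added here as an example and not part of BIND, together with the per-client and per-type roll-up a log review usually starts from. It reads the client address and port, the query name, class and type, and each of the flag letters (<literal>+</literal>/<literal>-</literal> for Recursion Desired, <literal>S</literal>, <literal>E</literal>, <literal>D</literal>, <literal>C</literal>). The sample input is constructed: the two lines quoted in the text plus three made-up lines from the documentation address 192.0.2.10.

```python
import re
from collections import Counter

# One query log line, in the form shown for the "queries" category.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f:.]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<rd>[+-])(?P<flags>[SEDC]*)"
)

# Constructed sample: the two lines from the text plus three made-up ones.
SAMPLE_LOG = """\
client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
client ::1#62537: query: www.example.net IN AAAA -SE
client 192.0.2.10#4567: query: example.org IN ANY +ED
client 192.0.2.10#4568: query: example.org IN ANY +ED
client 192.0.2.10#4569: query: example.org IN ANY +E
"""


def parse_query_line(line):
    """Return the fields of one query log line as a dict, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    return {
        "client": m.group("client"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qclass": m.group("qclass"),
        "qtype": m.group("qtype"),
        "recursion_desired": m.group("rd") == "+",
        "signed": "S" in flags,            # query carried a TSIG/SIG(0) signature
        "edns": "E" in flags,
        "dnssec_ok": "D" in flags,
        "checking_disabled": "C" in flags,
    }


def summarize(lines):
    """Count queries per client and per query type; other messages are skipped."""
    per_client = Counter()
    per_qtype = Counter()
    total = 0
    for line in lines:
        q = parse_query_line(line)
        if q is None:
            continue   # a line from some other category sharing the channel
        total += 1
        per_client[q["client"]] += 1
        per_qtype[q["qtype"]] += 1
    return {"total": total, "per_client": per_client, "per_qtype": per_qtype}
```

Because the flags are parsed into booleans, filtering the roll-up by, say, unsigned recursive queries or queries without EDNS is a one-line change to <literal>summarize()</literal>.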
4424 <title>The <command>query-errors</command> Category</title>
4426 The <command>query-errors</command> category is
4427 specifically intended for debugging purposes: to identify
4428 why and how specific queries result in responses which
4430 Messages of this category are therefore only logged
4431 with <command>debug</command> levels.
4435 At the debug levels of 1 or higher, each response with the
4436 rcode of SERVFAIL is logged as follows:
4439 <computeroutput>client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</computeroutput>
4442 This means an error resulting in SERVFAIL was
4443 detected at line 3880 of source file
4444 <filename>query.c</filename>.
4445 Log messages of this level will particularly
4446 help identify the cause of SERVFAIL for an
4447 authoritative server.
4450 At the debug levels of 2 or higher, detailed context
4451 information of recursive resolutions that resulted in
4453 The log message looks as follows:
4456 <computeroutput>fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</computeroutput>
4459 The first part before the colon shows that a recursive
4460 resolution for AAAA records of www.example.com completed
4461 in 30.000183 seconds and the final result that led to the
4462 SERVFAIL was determined at line 2970 of source file
4463 <filename>resolver.c</filename>.
4466 The following part shows the detected final result and the
4467 latest result of DNSSEC validation.
4468 The latter is always success when no validation attempt
4470 In this example, this query resulted in SERVFAIL probably
4471 because all name servers are down or unreachable, leading
4472 to a timeout in 30 seconds.
4473 DNSSEC validation was probably not attempted.
4476 The last part enclosed in square brackets shows statistics
4477 information collected for this particular resolution
4479 The <varname>domain</varname> field shows the deepest zone
4480 that the resolver reached;
4481 it is the zone where the error was finally detected.
4482 The meaning of the other fields is summarized in the
4486 <informaltable colsep="0" rowsep="0">
4487 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
4488 <colspec colname="1" colnum="1" colsep="0" />
4489 <colspec colname="2" colnum="2" colsep="0" />
4493 <para><varname>referral</varname></para>
4497 The number of referrals the resolver received
4498 throughout the resolution process.
4499 In the above example this is 2, which are most
4500 likely com and example.com.
4506 <para><varname>restart</varname></para>
4510 The number of cycles that the resolver tried
4511 remote servers at the <varname>domain</varname>
4513 In each cycle the resolver sends one query
4514 (possibly resending it, depending on the response)
4515 to each known name server of
4516 the <varname>domain</varname> zone.
4522 <para><varname>qrysent</varname></para>
4526 The number of queries the resolver sent at the
4527 <varname>domain</varname> zone.
4533 <para><varname>timeout</varname></para>
4537 The number of timeouts since the resolver
4538 received the last response.
4544 <para><varname>lame</varname></para>
4548 The number of lame servers the resolver detected
4549 at the <varname>domain</varname> zone.
4550 A server is detected to be lame either by an
4551 invalid response or as a result of lookup in
4552 BIND9's address database (ADB), where lame
4559 <para><varname>neterr</varname></para>
4563 The number of erroneous results that the
4564 resolver encountered in sending queries
4565 at the <varname>domain</varname> zone.
4566 One common case is the remote server is
4567 unreachable and the resolver receives an ICMP
4568 unreachable error message.
4574 <para><varname>badresp</varname></para>
4578 The number of unexpected responses (other than
4579 <varname>lame</varname>) to queries sent by the
4580 resolver at the <varname>domain</varname> zone.
4586 <para><varname>adberr</varname></para>
4590 Failures in finding remote server addresses
4591 of the <varname>domain</varname> zone in the ADB.
4592 One common case of this is that the remote
4593 server's name does not have any address records.
4599 <para><varname>findfail</varname></para>
4603 Failures of resolving remote server addresses.
4604 This is a total number of failures throughout
4605 the resolution process.
4611 <para><varname>valfail</varname></para>
4615 Failures of DNSSEC validation.
4616 Validation failures are counted throughout
4617 the resolution process (not limited to
4618 the <varname>domain</varname> zone), but should
4619 only happen in <varname>domain</varname>.
4627 At the debug levels of 3 or higher, the same messages
4628 as those at the debug 1 level are logged for other errors
4630 Note that negative responses such as NXDOMAIN are not
4631 regarded as errors here.
4634 At the debug levels of 4 or higher, the same messages
4635 as those at the debug 2 level are logged for other errors
4637 Unlike the above case of level 3, messages are logged for
4639 This is because any unexpected results can be difficult to
4640 debug in the recursion case.
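The two <command>query-errors</command> message forms described in this section, parsed into structured records by the following Python, added here as an example that is not part of BIND: the level-1 "query failed" line yields the client, rcode, name, class, type and source location, and the level-2 "fetch completed" line yields the timing, the final result, the validation result and the bracketed counters as a dict. <literal>diagnose()</literal> then turns the counters into the plain-language hints the table above gives for each field; its wording is this example's, not <command>named</command>'s. The sample lines are the two quoted in the text.

```python
import re

FAILED_RE = re.compile(
    r"client (?P<client>\S+): query failed \((?P<rcode>\w+)\) for "
    r"(?P<qname>[^/\s]+)/(?P<qclass>\w+)/(?P<qtype>\w+) at (?P<file>[\w.]+):(?P<line>\d+)"
)
FETCH_RE = re.compile(
    r"fetch completed at (?P<file>[\w.]+):(?P<line>\d+) for (?P<qname>[^/\s]+)/(?P<qtype>\w+) "
    r"in (?P<seconds>[\d.]+): (?P<result>[^/]+)/(?P<validation>\S+) \[(?P<stats>[^\]]*)\]"
)

# The two messages quoted in the text, used here as sample input.
SAMPLE_FAILED = ("client 127.0.0.1#61502: query failed (SERVFAIL) for "
                 "www.example.com/IN/AAAA at query.c:3880")
SAMPLE_FETCH = ("fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: "
                "timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,"
                "timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]")


def parse_query_failed(line):
    """Fields of a debug level 1 'query failed' message, or None."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["line"] = int(d["line"])
    return d


def parse_fetch_completed(line):
    """Fields of a debug level 2 'fetch completed' message, counters as ints, or None."""
    m = FETCH_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["line"] = int(d["line"])
    d["seconds"] = float(d["seconds"])
    stats = {}
    for item in d.pop("stats").split(","):
        key, value = item.split(":", 1)
        stats[key] = value if key == "domain" else int(value)   # domain is a zone name
    d["stats"] = stats
    return d


def diagnose(fetch):
    """Plain-language hints derived from the final result and the counters."""
    s = fetch["stats"]
    hints = []
    if fetch["result"] == "timed out":
        hints.append("name servers for %s did not answer (%d timeouts out of %d queries)"
                     % (s["domain"], s["timeout"], s["qrysent"]))
    if s["valfail"]:
        hints.append("DNSSEC validation failed %d time(s)" % s["valfail"])
    if s["lame"]:
        hints.append("%d lame server(s) detected at %s" % (s["lame"], s["domain"]))
    if s["neterr"]:
        hints.append("%d network error(s) sending queries, e.g. ICMP unreachable" % s["neterr"])
    if s["adberr"] or s["findfail"]:
        hints.append("could not obtain name server addresses (adberr=%d, findfail=%d)"
                     % (s["adberr"], s["findfail"]))
    if s["badresp"]:
        hints.append("%d unexpected response(s) at %s" % (s["badresp"], s["domain"]))
    return hints
```

Grouping <literal>parse_query_failed()</literal> results by <literal>file:line</literal> is a quick way to see whether a burst of SERVFAILs comes from one code path or many, before turning on level 2 for the fuller picture.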
4646 <title><command>lwres</command> Statement Grammar</title>
4649 This is the grammar of the <command>lwres</command>
4650 statement in the <filename>named.conf</filename> file:
<programlisting><command>lwres</command> {
    <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
    <optional> view <replaceable>view_name</replaceable>; </optional>
    <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
    <optional> ndots <replaceable>number</replaceable>; </optional>
};</programlisting>
4663 <title><command>lwres</command> Statement Definition and Usage</title>
4666 The <command>lwres</command> statement configures the
4668 server to also act as a lightweight resolver server. (See
4669 <xref linkend="lwresd"/>.) There may be multiple
4670 <command>lwres</command> statements configuring
4671 lightweight resolver servers with different properties.
4675 The <command>listen-on</command> statement specifies a
4677 addresses (and ports) that this instance of a lightweight resolver
4679 should accept requests on. If no port is specified, port 921 is
4681 If this statement is omitted, requests will be accepted on
4687 The <command>view</command> statement binds this
4689 lightweight resolver daemon to a view in the DNS namespace, so that
4691 response will be constructed in the same manner as a normal DNS
4693 matching this view. If this statement is omitted, the default view
4695 used, and if there is no default view, an error is triggered.
4699 The <command>search</command> statement is equivalent to
4701 <command>search</command> statement in
4702 <filename>/etc/resolv.conf</filename>. It provides a
4704 which are appended to relative names in queries.
4708 The <command>ndots</command> statement is equivalent to
4710 <command>ndots</command> statement in
4711 <filename>/etc/resolv.conf</filename>. It indicates the
4713 number of dots in a relative domain name that should result in an
4714 exact match lookup before search path elements are appended.
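How <command>search</command> and <command>ndots</command> combine is shown by the following Python, added here as an example that is not part of BIND or <command>lwresd</command>: it extracts the two clauses from an <command>lwres</command> statement and lists the names a client would try, in order. The ordering assumed is the conventional <filename>/etc/resolv.conf</filename> one that the text equates these clauses with: a relative name with at least <command>ndots</command> dots is tried as-is before the search path is appended, a name with fewer dots gets the search path first, and a name ending in a dot is never expanded. The <command>lwres</command> statement in <literal>SAMPLE_LWRES</literal> is constructed.

```python
import re

# Constructed lwres statement with the clauses the example cares about.
SAMPLE_LWRES = """\
lwres {
    listen-on { 127.0.0.1 port 921; };
    search { example.com; corp.example.com; };
    ndots 2;
};
"""


def parse_lwres_statement(text):
    """Extract the search list and ndots value from an lwres { ... } statement.

    Only these two clauses are read; listen-on and view are left alone.
    ndots defaults to 1 when absent (the usual resolver default, assumed here).
    """
    m = re.search(r"search\s*\{([^}]*)\}", text)
    search = []
    if m:
        search = [d.strip().strip('"') for d in m.group(1).split(";") if d.strip()]
    m = re.search(r"ndots\s+(\d+)\s*;", text)
    ndots = int(m.group(1)) if m else 1
    return {"search": search, "ndots": ndots}


def lookup_candidates(name, search, ndots):
    """Absolute names tried for `name`, in order, under resolv.conf-style rules."""
    if name.endswith("."):
        return [name]                      # already absolute: nothing is appended
    absolute = name + "."
    expanded = ["%s.%s." % (name, d.rstrip(".")) for d in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded       # enough dots: exact-match lookup first
    return expanded + [absolute]           # otherwise walk the search path first


def candidates_from_statement(text, name):
    """Convenience wrapper: parse the statement, then expand one name with it."""
    cfg = parse_lwres_statement(text)
    return lookup_candidates(name, cfg["search"], cfg["ndots"])
```

Listing the candidates makes the operational cost of a long search list visible: every short name that does not exist in the first search domain produces one query per remaining domain before the absolute name is tried.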
4718 <title><command>masters</command> Statement Grammar</title>
<programlisting><command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> };</programlisting>
4727 <title><command>masters</command> Statement Definition and
4729 <para><command>masters</command>
4730 lists allow for a common set of masters to be easily used by
4731 multiple stub and slave zones.
4736 <title><command>options</command> Statement Grammar</title>
4739 This is the grammar of the <command>options</command>
4740 statement in the <filename>named.conf</filename> file:
4743 <programlisting><command>options</command> {
4744 <optional> version <replaceable>version_string</replaceable>; </optional>
4745 <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
4746 <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
4747 <optional> directory <replaceable>path_name</replaceable>; </optional>
4748 <optional> key-directory <replaceable>path_name</replaceable>; </optional>
4749 <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
4750 <optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
4751 <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
4752 <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
4753 <optional> cache-file <replaceable>path_name</replaceable>; </optional>
4754 <optional> dump-file <replaceable>path_name</replaceable>; </optional>
4755 <optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
4756 <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
4757 <optional> pid-file <replaceable>path_name</replaceable>; </optional>
4758 <optional> recursing-file <replaceable>path_name</replaceable>; </optional>
4759 <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
4760 <optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
4761 <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
4762 <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
4763 <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
4764 <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
4765 <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
4766 <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
4767 <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
4768 <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
4769 <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
4770 <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
4771 <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
4772 <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
4773 <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
4774 <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
4775 <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
4776 <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
4777 <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
4778 <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
4779 <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
4780 <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
4781 <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
4782 <optional> dnssec-accept-expired <replaceable>yes_or_no</replaceable>; </optional>
4783 <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
4784 <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> {
( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> |
<replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ;
}; </optional>
4789 <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )
4790 ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4791 <optional> check-mx ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4792 <optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
4793 <optional> check-integrity <replaceable>yes_or_no</replaceable>; </optional>
4794 <optional> check-mx-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4795 <optional> check-srv-cname ( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
4796 <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
4797 <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
4798 <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
4799 <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
4800 <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
4801 <optional> allow-query-cache-on { <replaceable>address_match_list</replaceable> }; </optional>
4802 <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
4803 <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
4804 <optional> allow-recursion-on { <replaceable>address_match_list</replaceable> }; </optional>
4805 <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
4806 <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
4807 <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
4808 <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
4809 <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
4810 <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
4811 <optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4812 <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4813 <optional> use-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4814 <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
4815 <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4816 <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
4817 <optional> query-source ( ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> )
4818 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4819 <optional> address ( <replaceable>ip4_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4820 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4821 <optional> query-source-v6 ( ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> )
4822 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> |
4823 <optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional>
4824 <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
4825 <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
4826 <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
4827 <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
4828 <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
4829 <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
4830 <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
4831 <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
4832 <optional> tcp-clients <replaceable>number</replaceable>; </optional>
4833 <optional> reserved-sockets <replaceable>number</replaceable>; </optional>
4834 <optional> recursive-clients <replaceable>number</replaceable>; </optional>
4835 <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
4836 <optional> serial-queries <replaceable>number</replaceable>; </optional>
4837 <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
4838 <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
4839 <optional> transfers-in <replaceable>number</replaceable>; </optional>
4840 <optional> transfers-out <replaceable>number</replaceable>; </optional>
4841 <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
4842 <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4843 <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4844 <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4845 <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4846 <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
4847 <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
4848 <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4849 <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
4850 <optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional>
4851 <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
4852 <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
4853 <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
4854 <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
4855 <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
4856 <optional> files <replaceable>size_spec</replaceable> ; </optional>
4857 <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
4858 <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
4859 <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
4860 <optional> interface-interval <replaceable>number</replaceable>; </optional>
4861 <optional> statistics-interval <replaceable>number</replaceable>; </optional>
4862 <optional> topology { <replaceable>address_match_list</replaceable> }</optional>;
4863 <optional> sortlist { <replaceable>address_match_list</replaceable> }</optional>;
4864 <optional> rrset-order { <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> };
4865 <optional> lame-ttl <replaceable>number</replaceable>; </optional>
4866 <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
4867 <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
4868 <optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
4869 <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
4870 <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
4871 <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
4872 <optional> min-roots <replaceable>number</replaceable>; </optional>
4873 <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
4874 <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4875 <optional> request-ixfr <replaceable>yes_or_no</replaceable>; </optional>
4876 <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
4877 <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
4878 <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
4879 <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
4880 <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
4881 <optional> port <replaceable>ip_port</replaceable>; </optional>
4882 <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
4883 <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
4884 <optional> random-device <replaceable>path_name</replaceable> ; </optional>
4885 <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
4886 <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
4887 <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
4888 <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
4889 <optional> max-udp-size <replaceable>number</replaceable>; </optional>
4890 <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
4891 <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
4892 <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
4893 <optional> acache-enable <replaceable>yes_or_no</replaceable> ; </optional>
4894 <optional> acache-cleaning-interval <replaceable>number</replaceable>; </optional>
4895 <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
4896 <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
4897 <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
4898 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
4899 <optional> empty-server <replaceable>name</replaceable> ; </optional>
4900 <optional> empty-contact <replaceable>name</replaceable> ; </optional>
4901 <optional> empty-zones-enable <replaceable>yes_or_no</replaceable> ; </optional>
4902 <optional> disable-empty-zone <replaceable>zone_name</replaceable> ; </optional>
4903 <optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
4904 <optional> zero-no-soa-ttl-cache <replaceable>yes_or_no</replaceable> ; </optional>
4910 <sect2 id="options">
<title><command>options</command> Statement Definition and Usage</title>
The <command>options</command> statement sets up global options
to be used by <acronym>BIND</acronym>. This statement may appear only
once in a configuration file. If there is no <command>options</command>
statement, an options block with each option set to its default will
be used.
4927 <term><command>directory</command></term>
The working directory of the server.
Any non-absolute pathnames in the configuration file will be
taken as relative to this directory. The default location for most
server output files (e.g. <filename>named.run</filename>)
is this directory.
If a directory is not specified, the working directory
defaults to `<filename>.</filename>', the directory from
which the server was started. The directory specified should be an absolute
path.
4947 <term><command>key-directory</command></term>
4950 When performing dynamic update of secure zones, the
4951 directory where the public and private DNSSEC key files
4952 should be found, if different than the current working
4953 directory. The directory specified must be an absolute
4954 path. (Note that this option has no effect on the paths
4955 for files containing non-DNSSEC keys such as the
<filename>rndc.key</filename>.)
4962 <term><command>named-xfer</command></term>
4965 <emphasis>This option is obsolete.</emphasis> It
4966 was used in <acronym>BIND</acronym> 8 to specify
4967 the pathname to the <command>named-xfer</command>
4968 program. In <acronym>BIND</acronym> 9, no separate
4969 <command>named-xfer</command> program is needed;
4970 its functionality is built into the name server.
4976 <term><command>tkey-gssapi-credential</command></term>
4979 The security credential with which the server should
4980 authenticate keys requested by the GSS-TSIG protocol.
4981 Currently only Kerberos 5 authentication is available
4982 and the credential is a Kerberos principal which
4983 the server can acquire through the default system
4984 key file, normally <filename>/etc/krb5.keytab</filename>.
4985 Normally this principal is of the form
4986 "<userinput>dns/</userinput><varname>server.domain</varname>".
To use GSS-TSIG, <command>tkey-domain</command> must also be set.
4994 <term><command>tkey-domain</command></term>
4997 The domain appended to the names of all shared keys
4998 generated with <command>TKEY</command>. When a
4999 client requests a <command>TKEY</command> exchange,
5000 it may or may not specify the desired name for the
5001 key. If present, the name of the shared key will
5002 be <varname>client specified part</varname> +
5003 <varname>tkey-domain</varname>. Otherwise, the
5004 name of the shared key will be <varname>random hex
5005 digits</varname> + <varname>tkey-domain</varname>.
5006 In most cases, the <command>domainname</command>
5007 should be the server's domain name, or an otherwise
5008 non-existent subdomain like
5009 "_tkey.<varname>domainname</varname>". If you are
5010 using GSS-TSIG, this variable must be defined.
5016 <term><command>tkey-dhkey</command></term>
The Diffie-Hellman key used by the server
to generate shared keys with clients using the Diffie-Hellman
mode of <command>TKEY</command>. The server must be
able to load the public and private keys from files in the working directory.
In most cases, the keyname should be the server's host name.
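<para>
The following <filename>named.conf</filename> fragment is an added
example for the <command>tkey-gssapi-credential</command>,
<command>tkey-domain</command> and <command>tkey-dhkey</command>
options described above; it is not taken from the ARM or from ISC's
own configurations. The host name <literal>ns1.example.com</literal>,
the Kerberos principal, the <command>tkey-domain</command> value and
the Diffie-Hellman key tag are assumptions for illustration only.
</para>

```conf
// Added example (not from the BIND ARM): TKEY settings for a server
// named ns1.example.com. All names and the key tag are assumed.
options {
    directory "/var/named";

    // GSS-TSIG: the Kerberos principal named here must exist in the
    // default keytab (normally /etc/krb5.keytab); named acquires it
    // from there at startup. The page's documented form is
    // "dns/server.domain".
    tkey-gssapi-credential "dns/ns1.example.com";

    // Required whenever GSS-TSIG is used: every negotiated key name
    // is <client part or random hex> + "." + tkey-domain. Using a
    // non-existent subdomain keeps key names out of real zone data.
    tkey-domain "_tkey.example.com";

    // Diffie-Hellman mode of TKEY: the key pair named here must be
    // loadable from K<name>+002+<tag>.key / .private in "directory".
    // 12345 is a placeholder tag, not a real key.
    tkey-dhkey ns1.example.com 12345;
};
```

<para>
Before reloading, confirm the principal is actually present with
<command>klist -k /etc/krb5.keytab</command>; a principal that is
missing from the keytab makes every GSS-TSIG negotiation fail. The
Diffie-Hellman pair can be produced with
<command>dnssec-keygen -a DH -b 1024 -n HOST ns1.example.com</command>,
whose output file name carries the real tag to substitute for the
placeholder. <command>named-checkconf</command> validates the syntax
of the resulting file but does not check that either key exists.
</para>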
5032 <term><command>cache-file</command></term>
5035 This is for testing only. Do not use.
5041 <term><command>dump-file</command></term>
5044 The pathname of the file the server dumps
5045 the database to when instructed to do so with
5046 <command>rndc dumpdb</command>.
5047 If not specified, the default is <filename>named_dump.db</filename>.
5053 <term><command>memstatistics-file</command></term>
5056 The pathname of the file the server writes memory
5057 usage statistics to on exit. If not specified,
5058 the default is <filename>named.memstats</filename>.
5064 <term><command>pid-file</command></term>
5067 The pathname of the file the server writes its process ID
5068 in. If not specified, the default is
5069 <filename>/var/run/named/named.pid</filename>.
The PID file is used by programs that want to send signals to
the running name server. Specifying <command>pid-file none</command> disables the
use of a PID file — no file will be written and any
existing one will be removed. Note that <command>none</command>
is a keyword, not a filename, and therefore is not enclosed
in double quotes.
5083 <term><command>recursing-file</command></term>
5086 The pathname of the file the server dumps
5087 the queries that are currently recursing when instructed
5088 to do so with <command>rndc recursing</command>.
5089 If not specified, the default is <filename>named.recursing</filename>.
5095 <term><command>statistics-file</command></term>
5098 The pathname of the file the server appends statistics
5099 to when instructed to do so using <command>rndc stats</command>.
5100 If not specified, the default is <filename>named.stats</filename> in the
server's current directory. The format of the file is described
in <xref linkend="statsfile"/>.
5109 <term><command>port</command></term>
5112 The UDP/TCP port number the server uses for
5113 receiving and sending DNS protocol traffic.
The default is 53. This option is mainly intended for server
testing; a server using a port other than 53 will not be able to
communicate with the global DNS.
5124 <term><command>random-device</command></term>
The source of entropy to be used by the server. Entropy is
primarily needed
for DNSSEC operations, such as TKEY transactions and dynamic
update of signed
zones. This option specifies the device (or file) from which
to read
entropy. If this is a file, operations requiring entropy will
fail once the
file has been exhausted. If not specified, the default value
is
<filename>/dev/random</filename>
(or equivalent) when present, and none otherwise. The
<command>random-device</command> option takes
effect during
the initial configuration load at server startup time and
is ignored on subsequent reloads.
5148 <term><command>preferred-glue</command></term>
If specified, the listed type (A or AAAA) will be emitted
before other glue
in the additional section of a query response.
5154 The default is not to prefer any type (NONE).
5159 <varlistentry id="root_delegation_only">
5160 <term><command>root-delegation-only</command></term>
Turn on enforcement of delegation-only in TLDs
(top level domains) and root zones with an optional
exclude list.
DS queries are expected to be made to and be answered by
delegation only zones. Such queries and responses are
treated as an exception to delegation-only processing
and are not converted to NXDOMAIN responses provided
a CNAME is not discovered at the query name.
If a delegation only zone server also serves a child
zone it is not always possible to determine whether
an answer comes from the delegation only zone or the
child zone. SOA, NS and DNSKEY records are apex
only records and a matching response that contains
these records or DS is treated as coming from a
child zone. RRSIG records are also examined to see
if they are signed by a child zone or not. The
authority section is also examined to see if there
is evidence that the answer is from the child zone.
Answers that are determined to be from a child zone
are not converted to NXDOMAIN responses. Despite
all these checks there is still a possibility of
false negatives when a child zone is being served.
5191 Similarly false positives can arise from empty nodes
5192 (no records at the name) in the delegation only zone
5193 when the query type is not ANY.
5196 Note some TLDs are not delegation only (e.g. "DE", "LV",
5197 "US" and "MUSEUM"). This list is not exhaustive.
5202 root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
5210 <term><command>disable-algorithms</command></term>
Disable the specified DNSSEC algorithms at and below the
specified name.
Multiple <command>disable-algorithms</command>
statements are allowed.
Only the most specific will be applied.
5223 <term><command>dnssec-lookaside</command></term>
When set, <command>dnssec-lookaside</command> provides the
validator with an alternate method to validate DNSKEY records at the
top of a zone. When a DNSKEY is at or below a domain specified by the
deepest <command>dnssec-lookaside</command>, and
the normal DNSSEC validation
has left the key untrusted, the trust-anchor will be appended to the key
name and a DLV record will be looked up to see if it can validate the
key. If the DLV record validates a DNSKEY (similarly to the way a DS
record does) the DNSKEY RRset is deemed to be trusted.
5246 <term><command>dnssec-must-be-secure</command></term>
Specify hierarchies which must be or may not be secure (signed and
validated).
If <userinput>yes</userinput>, then <command>named</command> will only accept
answers if they are secure.
If <userinput>no</userinput>, then normal DNSSEC validation
applies,
allowing for insecure answers to be accepted.
The specified domain must be under a <command>trusted-key</command> or
<command>dnssec-lookaside</command> must be
active.
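<para>
The following fragment is an added example, not part of the ARM or
ISC's own configurations, showing how the validation options
described above (<command>disable-algorithms</command>,
<command>dnssec-must-be-secure</command> and
<command>dnssec-accept-expired</command>) combine on a validating
resolver. The zone names are assumptions for illustration. No
<command>dnssec-lookaside</command> line is included: the ISC DLV
registry that it depended on has since been shut down, so the
<command>dnssec-must-be-secure</command> domain below must instead be
covered by a configured trust anchor.
</para>

```conf
// Added example (not from the BIND ARM): validation policy on a
// resolver. example.com / example.org are placeholders.
options {
    dnssec-enable yes;
    dnssec-validation yes;

    // Answers under example.com. must validate as secure; an
    // unsigned delegation or a missing DS below this name is rejected
    // instead of being accepted as "insecure". The name has to sit
    // under a trust anchor (trusted-keys) or validation can never
    // reach the secure state and every answer is refused.
    dnssec-must-be-secure "example.com." yes;

    // Treat RSAMD5 as unsupported at and below example.org.; data
    // signed only with it then validates as insecure there. Several
    // statements may be given; the most specific name wins.
    disable-algorithms "example.org." { RSAMD5; };

    // Never treat expired RRSIGs as valid, even on a test server;
    // the default is already no, stated here so it is not changed by
    // accident.
    dnssec-accept-expired no;
};

// The DNSKEY for example.com. must be supplied here (omitted: the
// key material is not part of this example).
// trusted-keys { "example.com." 257 3 8 "..."; };
```

<para>
With <command>dnssec-must-be-secure</command> in place, a failure to
validate anything under the named hierarchy shows up as SERVFAIL to
clients rather than as an unsigned answer, which is the intended
fail-closed behaviour; check the resolver's logs for validation
failures before enabling it on a production path.
</para>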
5266 <sect3 id="boolean_options">
5267 <title>Boolean Options</title>
5272 <term><command>auth-nxdomain</command></term>
If <userinput>yes</userinput>, then the <command>AA</command> bit
is always set on NXDOMAIN responses, even if the server is
not actually authoritative. The default is <userinput>no</userinput>;
this is
a change from <acronym>BIND</acronym> 8. If you
are using very old DNS software, you
may need to set it to <userinput>yes</userinput>.
5288 <term><command>deallocate-on-exit</command></term>
5291 This option was used in <acronym>BIND</acronym>
5292 8 to enable checking
5293 for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
5300 <term><command>memstatistics</command></term>
5303 Write memory statistics to the file specified by
5304 <command>memstatistics-file</command> at exit.
5305 The default is <userinput>no</userinput> unless
5306 '-m record' is specified on the command line in
5307 which case it is <userinput>yes</userinput>.
5313 <term><command>dialup</command></term>
If <userinput>yes</userinput>, then the
server treats all zones as if they are doing zone transfers
across
a dial-on-demand dialup link, which can be brought up by
traffic
originating from this server. This has different effects
according
to zone type and concentrates the zone maintenance so that
it all
happens in a short interval, once every <command>heartbeat-interval</command> and
hopefully during the one call. It also suppresses some of
the normal
zone maintenance traffic. The default is <userinput>no</userinput>.
5331 The <command>dialup</command> option
5332 may also be specified in the <command>view</command> and
5333 <command>zone</command> statements,
5334 in which case it overrides the global <command>dialup</command>
If the zone is a master zone, then the server will send out a NOTIFY
request to all the slaves (default). This should trigger the
zone serial
number check in the slave (providing it supports NOTIFY)
allowing the slave
to verify the zone while the connection is active.
The set of servers to which NOTIFY is sent can be controlled
by
<command>notify</command> and <command>also-notify</command>.
If the zone is a slave or stub zone, then the server will suppress
the regular
"zone up to date" (refresh) queries and only perform them
when the
<command>heartbeat-interval</command> expires in
addition to sending NOTIFY requests.
Finer control can be achieved by using
<userinput>notify</userinput> which only sends NOTIFY
messages,
<userinput>notify-passive</userinput> which sends NOTIFY
messages and
suppresses the normal refresh queries, <userinput>refresh</userinput>
which suppresses normal refresh processing and sends refresh
queries
when the <command>heartbeat-interval</command>
expires, and
<userinput>passive</userinput> which just disables normal
refresh processing.
5375 <informaltable colsep="0" rowsep="0">
5376 <tgroup cols="4" colsep="0" rowsep="0" tgroupstyle="4Level-table">
5377 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
5378 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
5379 <colspec colname="3" colnum="3" colsep="0" colwidth="1.150in"/>
5380 <colspec colname="4" colnum="4" colsep="0" colwidth="1.150in"/>
5406 <para><command>no</command> (default)</para>
5426 <para><command>yes</command></para>
5446 <para><command>notify</command></para>
5466 <para><command>refresh</command></para>
5486 <para><command>passive</command></para>
5506 <para><command>notify-passive</command></para>
5529 Note that normal NOTIFY processing is not affected by
5530 <command>dialup</command>.
5537 <term><command>fake-iquery</command></term>
5540 In <acronym>BIND</acronym> 8, this option
5541 enabled simulating the obsolete DNS query type
5542 IQUERY. <acronym>BIND</acronym> 9 never does
5549 <term><command>fetch-glue</command></term>
5552 This option is obsolete.
In BIND 8, <userinput>fetch-glue yes</userinput>
caused the server to attempt to fetch glue resource records
it
didn't have when constructing the additional
data section of a response. This is now considered a bad
idea
and BIND 9 never does it.
5565 <term><command>flush-zones-on-shutdown</command></term>
When the nameserver exits due to receiving SIGTERM,
flush or do not flush any pending zone writes. The default
is
<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
5577 <term><command>has-old-clients</command></term>
5580 This option was incorrectly implemented
5581 in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
5582 To achieve the intended effect
5584 <command>has-old-clients</command> <userinput>yes</userinput>, specify
5585 the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
5586 and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
5592 <term><command>host-statistics</command></term>
In BIND 8, this enables keeping of
statistics for every host that the name server interacts
with.
Not implemented in BIND 9.
5604 <term><command>maintain-ixfr-base</command></term>
5607 <emphasis>This option is obsolete</emphasis>.
5608 It was used in <acronym>BIND</acronym> 8 to
5609 determine whether a transaction log was
5610 kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
log whenever possible. If you need to disable outgoing
incremental zone
transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
5619 <term><command>minimal-responses</command></term>
5622 If <userinput>yes</userinput>, then when generating
5623 responses the server will only add records to the authority
5624 and additional data sections when they are required (e.g.
5625 delegations, negative responses). This may improve the
5626 performance of the server.
5627 The default is <userinput>no</userinput>.
5633 <term><command>multiple-cnames</command></term>
5636 This option was used in <acronym>BIND</acronym> 8 to allow
5637 a domain name to have multiple CNAME records in violation of
5638 the DNS standards. <acronym>BIND</acronym> 9.2 onwards
5639 always strictly enforces the CNAME rules both in master
5640 files and dynamic updates.
5646 <term><command>notify</command></term>
If <userinput>yes</userinput> (the default),
DNS NOTIFY messages are sent when a zone the server is
authoritative for
changes, see <xref linkend="notify"/>. The messages are
sent to the
servers listed in the zone's NS records (except the master
server identified
in the SOA MNAME field), and to any servers listed in the
<command>also-notify</command> option.
If <userinput>master-only</userinput>, notifies are only
sent for master zones.
If <userinput>explicit</userinput>, notifies are sent only
to the
servers explicitly listed using <command>also-notify</command>.
If <userinput>no</userinput>, no notifies are sent.
The <command>notify</command> option may also be
specified in the <command>zone</command>
statement,
in which case it overrides the <command>options notify</command> statement.
It would only be necessary to turn off this option if it
caused slaves to crash.
5681 <term><command>notify-to-soa</command></term>
If <userinput>yes</userinput>, do not check the nameservers
5685 in the NS RRset against the SOA MNAME. Normally a NOTIFY
5686 message is not sent to the SOA MNAME (SOA ORIGIN) as it is
5687 supposed to contain the name of the ultimate master.
5688 Sometimes, however, a slave is listed as the SOA MNAME in
5689 hidden master configurations and in that case you would
5690 want the ultimate master to still send NOTIFY messages to
5691 all the nameservers listed in the NS RRset.
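<para>
The following fragment is an added example, not taken from the ARM or
from ISC, of the <command>notify</command>,
<command>also-notify</command>, <command>notify-source</command> and
<command>notify-to-soa</command> options described above, applied to
the hidden-master arrangement the text mentions. The addresses
<literal>192.0.2.1</literal>, <literal>192.0.2.10</literal> and
<literal>192.0.2.11</literal> and the zone name are assumptions for
illustration.
</para>

```conf
// Added example (not from the BIND ARM): NOTIFY flow for a hidden
// master. Addresses and zone name are placeholders.

// --- options on the hidden master (192.0.2.1) ---
// It does not appear in the NS RRset, so NS-based notification
// would never reach the right hosts; list the public slaves
// explicitly and send only to them.
options {
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; };
    // Send NOTIFY from the address the slaves have on their ACLs.
    notify-source 192.0.2.1;
};

// Alternative for a master that IS in the NS RRset and uses
// "notify yes": a public slave named in the SOA MNAME would normally
// be skipped. Keep it in the NOTIFY set with:
//   notify-to-soa yes;

// --- options on each public slave (192.0.2.10, 192.0.2.11) ---
// Accept NOTIFY only from the hidden master. The zone's configured
// masters are always permitted; everything else is ignored, which
// stops unsolicited NOTIFY from triggering refresh traffic.
options {
    allow-notify { 192.0.2.1; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slaves/example.com";
};
```

<para>
The two <command>options</command> blocks belong to two different
servers and are shown together only for comparison; a single
<filename>named.conf</filename> may contain only one. On the slaves,
<command>allow-notify</command> is the control that matters: without
it any host can send NOTIFY and cause the slave to query the master.
</para>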
5697 <term><command>recursion</command></term>
If <userinput>yes</userinput>, and a
DNS query requests recursion, then the server will attempt
to do
all the work required to answer the query. If recursion is
off
and the server does not already know the answer, it will
return a
referral response. The default is
<userinput>yes</userinput>.
Note that setting <command>recursion no</command> does not prevent
clients from getting data from the server's cache; it only
prevents new data from being cached as an effect of client
queries.
Caching may still occur as an effect of the server's internal
operation, such as NOTIFY address lookups.
Use <command>allow-query-cache</command> to restrict which
clients may read cached data.
See also <command>fetch-glue</command> above.
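<para>
The following fragment is an added example, not part of the ARM or
ISC's configurations, of the point made above: a server that
recurses for some clients must restrict both recursion and cache
reads, because <command>recursion no</command> by itself still
serves whatever is already cached. The ACL name, the address ranges
and the zone are assumptions for illustration.
</para>

```conf
// Added example (not from the BIND ARM): the weak and the hardened
// form of a server that is authoritative for example.com and also
// recurses for its own clients. Ranges and names are placeholders.
acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; 2001:db8::/32; };

options {
    directory "/var/named";
    recursion yes;

    // Weak: no address_match_list, so any source on the Internet can
    // recurse through this server and read its cache (open resolver).
    // allow-recursion { any; };
    // allow-query-cache { any; };

    // Hardened: recursion restricted to trusted clients, and cache
    // reads restricted to the same set. Both are needed; switching to
    // "recursion no" alone would still answer anyone from the cache.
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };

    // Authoritative data stays reachable from everywhere.
    allow-query { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";   // relative to "directory"
};
```

<para>
Run <command>named-checkconf</command> on the file before reloading.
To confirm the effect from an untrusted address, query the server for
a name it is not authoritative for: the hardened configuration
returns REFUSED (or a referral) instead of an answer.
</para>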
5721 <term><command>rfc2308-type1</command></term>
Setting this to <userinput>yes</userinput> will
cause the server to send NS records along with the SOA
record for negative
answers. The default is <userinput>no</userinput>.
Not yet implemented in <acronym>BIND</acronym> 9.
5739 <term><command>use-id-pool</command></term>
<emphasis>This option is obsolete</emphasis>.
<acronym>BIND</acronym> 9 always allocates query
IDs from a pool.
5750 <term><command>zone-statistics</command></term>
5753 If <userinput>yes</userinput>, the server will collect
statistical data on all zones (unless specifically turned
off
on a per-zone basis by specifying <command>zone-statistics no</command>
5757 in the <command>zone</command> statement).
5758 These statistics may be accessed
5759 using <command>rndc stats</command>, which will
5760 dump them to the file listed
5761 in the <command>statistics-file</command>. See
5762 also <xref linkend="statsfile"/>.
5768 <term><command>use-ixfr</command></term>
5771 <emphasis>This option is obsolete</emphasis>.
If you need to disable IXFR to a particular server or
servers, see
the information on the <command>provide-ixfr</command> option
in <xref linkend="server_statement_definition_and_usage"/>.
See also
<xref linkend="incremental_zone_transfers"/>.
5783 <term><command>provide-ixfr</command></term>
5786 See the description of
5787 <command>provide-ixfr</command> in
5788 <xref linkend="server_statement_definition_and_usage"/>.
5794 <term><command>request-ixfr</command></term>
5797 See the description of
5798 <command>request-ixfr</command> in
5799 <xref linkend="server_statement_definition_and_usage"/>.
5805 <term><command>treat-cr-as-space</command></term>
5808 This option was used in <acronym>BIND</acronym>
5810 the server treat carriage return ("<command>\r</command>") characters the same way
5811 as a space or tab character,
5812 to facilitate loading of zone files on a UNIX system that
5814 on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
5815 and NT/DOS "<command>\r\n</command>" newlines
5816 are always accepted,
5817 and the option is ignored.
5823 <term><command>additional-from-auth</command></term>
5824 <term><command>additional-from-cache</command></term>
5828 These options control the behavior of an authoritative
5830 answering queries which have additional data, or when
5836 When both of these options are set to <userinput>yes</userinput>
5838 query is being answered from authoritative data (a zone
5839 configured into the server), the additional data section of
5841 reply will be filled in using data from other authoritative
5843 and from the cache. In some situations this is undesirable,
5845 as when there is concern over the correctness of the cache,
5847 in servers where slave zones may be added and modified by
5848 untrusted third parties. Also, avoiding
5849 the search for this additional data will speed up server
5851 at the possible expense of additional queries to resolve
5853 otherwise be provided in the additional section.
5857 For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
5858 and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
5859 records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
5860 if known, even though they are not in the example.com zone.
5861 Setting these options to <command>no</command>
5862 disables this behavior and makes
5863 the server only search for additional data in the zone it
5868 These options are intended for use in authoritative-only
5869 servers, or in authoritative-only views. Attempts to set
5870 them to <command>no</command> without also
5872 <command>recursion no</command> will cause the
5874 ignore the options and log a warning message.
5878 Specifying <command>additional-from-cache no</command> actually
5879 disables the use of the cache not only for additional data
5881 but also when looking up the answer. This is usually the
5883 behavior in an authoritative-only server where the
5885 the cached data is an issue.
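The lookup order the two options control can be modelled directly. The following is an added illustration, not code from <command>named</command>; it uses constructed authoritative zones and a constructed cache (the MX example from the text, plus a second exchange in another locally served zone) and returns which additional records would be supplied and where they came from, including the rule that both options are ignored, with a warning, unless <command>recursion no</command> is also set:

```python
"""Model of where named may look for additional-section data under
additional-from-auth / additional-from-cache. Added example with
constructed data; not named's own lookup code."""
from typing import Dict, List, Optional, Tuple

# Constructed data keyed by (owner, type). foo.example.com's MX points
# at mail.example.net, outside every locally served zone; bar's points
# at mail.example.org, which is in another authoritative zone.
AUTH_ZONES: Dict[str, Dict[Tuple[str, str], List[str]]] = {
    "example.com": {
        ("foo.example.com", "MX"): ["10 mail.example.net"],
        ("bar.example.com", "MX"): ["10 mail.example.org"],
        ("www.example.com", "A"): ["192.0.2.10"],
    },
    "example.org": {
        ("mail.example.org", "A"): ["192.0.2.25"],
    },
}
CACHE: Dict[Tuple[str, str], List[str]] = {
    ("mail.example.net", "A"): ["198.51.100.25"],
    ("mail.example.net", "AAAA"): ["2001:db8::25"],
}


def zone_for(name: str, zones) -> Optional[str]:
    """Longest-suffix match of a name against the configured zone names."""
    best = None
    for z in zones:
        if (name == z or name.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def effective_options(opts: dict) -> Tuple[dict, List[str]]:
    """Both options require recursion no; otherwise named ignores a 'no'
    setting (behaving as if it were yes) and logs a warning."""
    eff = dict(opts)
    warnings: List[str] = []
    if opts.get("recursion", True):
        for key in ("additional-from-auth", "additional-from-cache"):
            if opts.get(key) is False:
                warnings.append(f"{key} no ignored because recursion is not disabled")
                eff[key] = True
    return eff, warnings


def additional_for_mx(qname: str, opts: dict):
    """Answer an MX query from authoritative data and gather A/AAAA records
    for each exchange. Returns (answer, additional); each additional entry
    is (owner, type, rdata, source) with source one of 'same-zone',
    'other-auth-zone' or 'cache'."""
    eff, _ = effective_options(opts)
    zone = zone_for(qname, AUTH_ZONES)
    if zone is None:
        return None, []
    answer = AUTH_ZONES[zone].get((qname, "MX"), [])
    additional = []
    for rr in answer:
        exchange = rr.split()[1]
        target_zone = zone_for(exchange, AUTH_ZONES)
        for rtype in ("A", "AAAA"):
            key = (exchange, rtype)
            if target_zone == zone:
                source, rdatas = "same-zone", AUTH_ZONES[zone].get(key, [])
            elif target_zone is not None and eff.get("additional-from-auth", True):
                source, rdatas = "other-auth-zone", AUTH_ZONES[target_zone].get(key, [])
            elif eff.get("additional-from-cache", True):
                source, rdatas = "cache", CACHE.get(key, [])
            else:
                continue          # no permitted source: nothing added
            additional.extend((exchange, rtype, r, source) for r in rdatas)
    return answer, additional


if __name__ == "__main__":
    print(additional_for_mx("foo.example.com", {"recursion": False}))
    print(additional_for_mx("foo.example.com",
                            {"recursion": False, "additional-from-auth": False,
                             "additional-from-cache": False}))
    print(effective_options({"recursion": True, "additional-from-cache": False}))
```

Running it shows the trade-off the text describes: with both options at their default the exchange's addresses are filled in from the cache (or from another served zone), while an authoritative-only configuration with both set to <command>no</command> returns the MX answer alone and never consults data it does not own.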
5889 When a name server is non-recursively queried for a name
5891 below the apex of any served zone, it normally answers with
5893 "upwards referral" to the root servers or the servers of
5895 known parent of the query name. Since the data in an
5897 comes from the cache, the server will not be able to provide
5899 referrals when <command>additional-from-cache no</command>
5900 has been specified. Instead, it will respond to such
5902 with REFUSED. This should not cause any problems since
5903 upwards referrals are not required for the resolution
5911 <term><command>match-mapped-addresses</command></term>
5914 If <userinput>yes</userinput>, then an
5915 IPv4-mapped IPv6 address will match any address match
5916 list entries that match the corresponding IPv4 address.
5919 This option was introduced to work around a kernel quirk
5920 in some operating systems that causes IPv4 TCP
5921 connections, such as zone transfers, to be accepted on an
5922 IPv6 socket using mapped addresses. This caused address
5923 match lists designed for IPv4 to fail to match. However,
5924 <command>named</command> now solves this problem
5925 internally. The use of this option is discouraged.
5931 <term><command>ixfr-from-differences</command></term>
5934 When <userinput>yes</userinput> and the server loads a new version of a master
5935 zone from its zone file or receives a new version of a slave
5936 file by a non-incremental zone transfer, it will compare
5937 the new version to the previous one and calculate a set
5938 of differences. The differences are then logged in the
5939 zone's journal file such that the changes can be transmitted
5940 to downstream slaves as an incremental zone transfer.
5943 By allowing incremental zone transfers to be used for
5944 non-dynamic zones, this option saves bandwidth at the
5945 expense of increased CPU and memory consumption at the
5947 In particular, if the new version of a zone is completely
5948 different from the previous one, the set of differences
5949 will be of a size comparable to the combined size of the
5950 old and new zone version, and the server will need to
5951 temporarily allocate memory to hold this complete
5954 <para><command>ixfr-from-differences</command>
5955 also accepts <command>master</command> and
5956 <command>slave</command> at the view and options
5958 <command>ixfr-from-differences</command> to be enabled for
5959 all <command>master</command> or
5960 <command>slave</command> zones respectively.
5961 It is off by default.
5967 <term><command>multi-master</command></term>
5970 This should be set when you have multiple masters for a zone
5972 addresses refer to different machines. If <userinput>yes</userinput>, <command>named</command> will
5974 when the serial number on the master is less than what <command>named</command>
5976 has. The default is <userinput>no</userinput>.
5982 <term><command>dnssec-enable</command></term>
5985 Enable DNSSEC support in <command>named</command>. Unless set to <userinput>yes</userinput>,
5986 <command>named</command> behaves as if it does not support DNSSEC.
5987 The default is <userinput>yes</userinput>.
5993 <term><command>dnssec-validation</command></term>
5996 Enable DNSSEC validation in <command>named</command>.
5997 Note <command>dnssec-enable</command> also needs to be
5998 set to <userinput>yes</userinput> to be effective.
5999 The default is <userinput>yes</userinput>.
6005 <term><command>dnssec-accept-expired</command></term>
6008 Accept expired signatures when verifying DNSSEC signatures.
6009 The default is <userinput>no</userinput>.
6010 Setting this option to <userinput>yes</userinput> leaves <command>named</command> vulnerable to replay attacks.
6016 <term><command>querylog</command></term>
6019 Specify whether query logging should be started when <command>named</command>
6021 If <command>querylog</command> is not specified,
6022 then the query logging
6023 is determined by the presence of the logging category <command>queries</command>.
6029 <term><command>check-names</command></term>
6032 This option is used to restrict the character set and syntax
6034 certain domain names in master files and/or DNS responses
6036 from the network. The default varies according to usage
6038 <command>master</command> zones the default is <command>fail</command>.
6039 For <command>slave</command> zones the default
6040 is <command>warn</command>.
6041 For answers received from the network (<command>response</command>)
6042 the default is <command>ignore</command>.
6045 The rules for legal hostnames and mail domains are derived
6046 from RFC 952 and RFC 821 as modified by RFC 1123.
6048 <para><command>check-names</command>
6049 applies to the owner names of A, AAAA and MX records.
6050 It also applies to the domain names in the RDATA of NS, SOA,
6051 MX, and SRV records.
6052 It also applies to the RDATA of PTR records where the owner
6053 name indicated that it is a reverse lookup of a hostname
6054 (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
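As an added illustration of what <command>check-names</command> examines (not <command>named</command>'s own checker), the following applies the RFC 952/1123 hostname syntax to exactly the names listed above, owner names of A, AAAA and MX records and RDATA names of NS, SOA, MX, SRV and reverse-zone PTR records, and maps the result to the default action for master zones, slave zones and responses. Accepting a leading <literal>*</literal> label on owner names is this example's own assumption.

```python
"""check-names style hostname validation and record selection. Added
example: syntax follows RFC 952 as relaxed by RFC 1123; record selection
and default actions follow the check-names description in this manual."""
import re
from typing import Iterable, List, Optional, Tuple

# A label is 1..63 letters, digits or hyphens, neither starting nor
# ending with a hyphen. RFC 1123 allows a leading digit (RFC 952 did not).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Owner suffixes that mark a PTR record as a reverse lookup of a hostname.
REVERSE_SUFFIXES = ("in-addr.arpa", "ip6.arpa", "ip6.int")

# Default check-names setting per context, as stated in the manual.
DEFAULT_SETTING = {"master": "fail", "slave": "warn", "response": "ignore"}


def is_valid_hostname(name: str, wildcard_ok: bool = False) -> bool:
    """RFC 952/1123 hostname syntax; a trailing dot (FQDN) is accepted."""
    name = name.rstrip(".")
    if wildcard_ok and name.startswith("*."):
        name = name[2:]              # assumption: allow "*" as the first label
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def owner_is_checked(rtype: str) -> bool:
    """check-names applies to the owner names of A, AAAA and MX records."""
    return rtype.upper() in ("A", "AAAA", "MX")


def rdata_is_checked(rtype: str, owner: str) -> bool:
    """...and to domain names in the RDATA of NS, SOA, MX and SRV records,
    and of PTR records whose owner lies under a reverse-lookup suffix."""
    rtype = rtype.upper()
    if rtype in ("NS", "SOA", "MX", "SRV"):
        return True
    if rtype == "PTR":
        o = owner.lower().rstrip(".")
        return any(o == s or o.endswith("." + s) for s in REVERSE_SUFFIXES)
    return False


def check_record(context: str, rtype: str, owner: str,
                 rdata_names: Iterable[str] = (),
                 setting: Optional[str] = None) -> Tuple[str, List[str]]:
    """Apply check-names to one record. context is 'master', 'slave' or
    'response'; setting overrides that context's default. Returns
    (action, offending_names) with action 'ok', 'ignore', 'warn' or 'fail'."""
    action = setting or DEFAULT_SETTING[context]
    offending: List[str] = []
    if owner_is_checked(rtype) and not is_valid_hostname(owner, wildcard_ok=True):
        offending.append(owner)
    if rdata_is_checked(rtype, owner):
        offending.extend(n for n in rdata_names if not is_valid_hostname(n))
    if not offending:
        return "ok", []
    return action, offending


if __name__ == "__main__":
    # Constructed records: an underscore in an A owner name fails a master
    # zone load, is only a warning on a slave, and is ignored in responses.
    for ctx in ("master", "slave", "response"):
        print(ctx, check_record(ctx, "A", "web_01.example.com"))
    print(check_record("master", "SRV", "_sip._tcp.example.com", ["sip_1.example.com"]))
    print(check_record("master", "TXT", "any_thing.example.com"))
```

Note that SRV owner names such as <literal>_sip._tcp.example.com</literal> pass, because only the SRV target in the RDATA is subject to the hostname rules, while a TXT owner name is never checked at all.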
6060 <term><command>check-mx</command></term>
6063 Check whether the MX record appears to refer to an IP address.
6064 The default is to <command>warn</command>. Other possible
6065 values are <command>fail</command> and
6066 <command>ignore</command>.
6072 <term><command>check-wildcard</command></term>
6075 This option is used to check for non-terminal wildcards.
6076 The use of non-terminal wildcards is almost always as a
6078 to understand the wildcard matching algorithm (RFC 1034).
6080 affects master zones. The default (<command>yes</command>) is to check
6081 for non-terminal wildcards and issue a warning.
6087 <term><command>check-integrity</command></term>
6090 Perform post load zone integrity checks on master
6091 zones. This checks that MX and SRV records refer
6092 to address (A or AAAA) records and that glue
6093 address records exist for delegated zones. For
6094 MX and SRV records only in-zone hostnames are
6095 checked (for out-of-zone hostnames use
6096 <command>named-checkzone</command>).
6097 For NS records only names below top of zone are
6098 checked (for out-of-zone names and glue consistency
6099 checks use <command>named-checkzone</command>).
6100 The default is <command>yes</command>.
6106 <term><command>check-mx-cname</command></term>
6109 If <command>check-integrity</command> is set then
6110 fail, warn or ignore MX records that refer
6111 to CNAMEs. The default is to <command>warn</command>.
6117 <term><command>check-srv-cname</command></term>
6120 If <command>check-integrity</command> is set then
6121 fail, warn or ignore SRV records that refer
6122 to CNAMEs. The default is to <command>warn</command>.
6128 <term><command>check-sibling</command></term>
6131 When performing integrity checks, also check that
6132 sibling glue exists. The default is <command>yes</command>.
6138 <term><command>zero-no-soa-ttl</command></term>
6141 When returning authoritative negative responses to
6142 SOA queries set the TTL of the SOA record returned in
6143 the authority section to zero.
6144 The default is <command>yes</command>.
6150 <term><command>zero-no-soa-ttl-cache</command></term>
6153 When caching a negative response to a SOA query
6154 set the TTL to zero.
6155 The default is <command>no</command>.
6161 <term><command>update-check-ksk</command></term>
6164 When regenerating the RRSIGs following a UPDATE
6165 request to a secure zone, check the KSK flag on
6166 the DNSKEY RR to determine if this key should be
6167 used to generate the RRSIG. This flag is ignored
6168 if there are no DNSKEY RRs both with and without
6170 The default is <command>yes</command>.
6176 <term><command>try-tcp-refresh</command></term>
6179 Try to refresh the zone using TCP if UDP queries fail.
6180 For BIND 8 compatibility, the default is
6181 <command>yes</command>.
6191 <title>Forwarding</title>
6193 The forwarding facility can be used to create a large site-wide
6194 cache on a few servers, reducing traffic over links to external
6195 name servers. It can also be used to allow queries by servers that
6196 do not have direct access to the Internet, but wish to look up
6198 names anyway. Forwarding occurs only on those queries for which
6199 the server is not authoritative and does not have the answer in
6205 <term><command>forward</command></term>
6208 This option is only meaningful if the
6209 forwarders list is not empty. A value of <varname>first</varname>,
6210 the default, causes the server to query the forwarders
6212 if that doesn't answer the question, the server will then
6214 the answer itself. If <varname>only</varname> is
6216 server will only query the forwarders.
6222 <term><command>forwarders</command></term>
6225 Specifies the IP addresses to be used
6226 for forwarding. The default is the empty list (no
6235 Forwarding can also be configured on a per-domain basis, allowing
6236 for the global forwarding options to be overridden in a variety
6237 of ways. You can set particular domains to use different
6239 or have a different <command>forward only/first</command> behavior,
6240 or not forward at all, see <xref linkend="zone_statement_grammar"/>.
6245 <title>Dual-stack Servers</title>
6247 Dual-stack servers are used as servers of last resort to work
6249 problems in reachability due to the lack of support for either IPv4
6251 on the host machine.
6256 <term><command>dual-stack-servers</command></term>
6259 Specifies host names or addresses of machines with access to
6260 both IPv4 and IPv6 transports. If a hostname is used, the
6262 to resolve the name using only the transport it has. If the
6264 stacked, then the <command>dual-stack-servers</command> have no effect unless
6265 access to a transport has been disabled on the command line
6266 (e.g. <command>named -4</command>).
6273 <sect3 id="access_control">
6274 <title>Access Control</title>
6277 Access to the server can be restricted based on the IP address
6278 of the requesting system. See <xref linkend="address_match_lists"/> for
6279 details on how to specify IP address lists.
6285 <term><command>allow-notify</command></term>
6288 Specifies which hosts are allowed to
6289 notify this server, a slave, of zone changes in addition
6290 to the zone masters.
6291 <command>allow-notify</command> may also be
6293 <command>zone</command> statement, in which case
6295 <command>options allow-notify</command>
6296 statement. It is only meaningful
6297 for a slave zone. If not specified, the default is to
6298 process notify messages
6299 only from a zone's master.
6305 <term><command>allow-query</command></term>
6308 Specifies which hosts are allowed to ask ordinary
6309 DNS questions. <command>allow-query</command> may
6310 also be specified in the <command>zone</command>
6311 statement, in which case it overrides the
6312 <command>options allow-query</command> statement.
6313 If not specified, the default is to allow queries
6318 <command>allow-query-cache</command> is now
6319 used to specify access to the cache.
6326 <term><command>allow-query-on</command></term>
6329 Specifies which local addresses can accept ordinary
6330 DNS questions. This makes it possible, for instance,
6331 to allow queries on internal-facing interfaces but
6332 disallow them on external-facing ones, without
6333 necessarily knowing the internal network's addresses.
6336 <command>allow-query-on</command> may
6337 also be specified in the <command>zone</command>
6338 statement, in which case it overrides the
6339 <command>options allow-query-on</command> statement.
6342 If not specified, the default is to allow queries
6347 <command>allow-query-cache</command> is
6348 used to specify access to the cache.
6355 <term><command>allow-query-cache</command></term>
6358 Specifies which hosts are allowed to get answers
6359 from the cache. If <command>allow-query-cache</command>
6360 is not set then <command>allow-recursion</command>
6361 is used if set, otherwise <command>allow-query</command>
6362 is used if set unless <command>recursion no;</command> is
6363 set in which case <command>none;</command> is used,
6364 otherwise the default (<command>localnets;</command>
6365 <command>localhost;</command>) is used.
6371 <term><command>allow-query-cache-on</command></term>
6374 Specifies which local addresses can give answers
6375 from the cache. If not specified, the default is
6376 to allow cache queries on any address,
6377 <command>localnets</command> and
6378 <command>localhost</command>.
6384 <term><command>allow-recursion</command></term>
6387 Specifies which hosts are allowed to make recursive
6388 queries through this server. If
6389 <command>allow-recursion</command> is not set
6390 then <command>allow-query-cache</command> is
6391 used if set, otherwise <command>allow-query</command>
6392 is used if set, otherwise the default
6393 (<command>localnets;</command>
6394 <command>localhost;</command>) is used.
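The inheritance rules for <command>allow-query</command>, <command>allow-query-cache</command> and <command>allow-recursion</command> above are easy to misread, and the consequence of misreading them is an open resolver. The following added example (not <command>named</command>'s own ACL code) computes the effective cache and recursion lists from a set of options and flags the case where an explicit <command>allow-query { any; }</command> silently becomes <command>allow-recursion { any; }</command>. The only value assumed beyond the text is the built-in <command>allow-query</command> default of <literal>any</literal>; negated list entries are not evaluated.

```python
"""Effective allow-query-cache / allow-recursion ACLs from the
inheritance rules in the Access Control section. Added illustration;
options are given as a dict mirroring the named.conf statements."""
from typing import Dict, List, Optional

Acl = List[str]   # an address_match_list, e.g. ["localnets", "localhost"]

DEFAULT_CACHE_ACL: Acl = ["localnets", "localhost"]


def _acl(opts: Dict[str, object], key: str) -> Optional[Acl]:
    """Return the configured list for key, or None when it is not set."""
    value = opts.get(key)
    return list(value) if value is not None else None


def effective_allow_query_cache(opts: Dict[str, object]) -> Acl:
    """allow-query-cache: explicit value; else allow-recursion if set;
    else allow-query if set, unless recursion no (then none);
    else the built-in default localnets; localhost."""
    explicit = _acl(opts, "allow-query-cache")
    if explicit is not None:
        return explicit
    inherited = _acl(opts, "allow-recursion")
    if inherited is not None:
        return inherited
    if not opts.get("recursion", True):
        return ["none"]
    inherited = _acl(opts, "allow-query")
    if inherited is not None:
        return inherited
    return list(DEFAULT_CACHE_ACL)


def effective_allow_recursion(opts: Dict[str, object]) -> Acl:
    """allow-recursion: explicit value; else allow-query-cache if set;
    else allow-query if set; else the built-in default."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        value = _acl(opts, key)
        if value is not None:
            return value
    return list(DEFAULT_CACHE_ACL)


def is_open_resolver(opts: Dict[str, object]) -> bool:
    """True when recursion is on and the effective allow-recursion list
    admits everyone, typically through an inherited allow-query { any; }."""
    if not opts.get("recursion", True):
        return False
    return "any" in effective_allow_recursion(opts)


def summarize(opts: Dict[str, object]) -> Dict[str, object]:
    return {
        "allow-query-cache": effective_allow_query_cache(opts),
        "allow-recursion": effective_allow_recursion(opts),
        "open-resolver": is_open_resolver(opts),
    }


if __name__ == "__main__":
    # Constructed configurations. Only the second one is an open resolver:
    # a public authoritative server that opened allow-query without
    # pinning allow-recursion (or setting recursion no).
    print(summarize({}))
    print(summarize({"allow-query": ["any"]}))
    print(summarize({"allow-query": ["any"], "allow-recursion": ["192.0.2.0/24"]}))
    print(summarize({"allow-query": ["any"], "recursion": False}))
```

The safe pattern the model makes visible is to set <command>allow-recursion</command> (or <command>recursion no</command> on an authoritative-only server) whenever <command>allow-query</command> is widened, so that the cache and recursion lists never inherit the wider value.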
6400 <term><command>allow-recursion-on</command></term>
6403 Specifies which local addresses can accept recursive
6404 queries. If not specified, the default is to allow
6405 recursive queries on all addresses.
6411 <term><command>allow-update</command></term>
6414 Specifies which hosts are allowed to
6415 submit Dynamic DNS updates for master zones. The default is
6417 updates from all hosts. Note that allowing updates based
6418 on the requestor's IP address is insecure; see
6419 <xref linkend="dynamic_update_security"/> for details.
6425 <term><command>allow-update-forwarding</command></term>
6428 Specifies which hosts are allowed to
6429 submit Dynamic DNS updates to slave zones to be forwarded to
6431 master. The default is <userinput>{ none; }</userinput>,
6433 means that no update forwarding will be performed. To
6435 update forwarding, specify
6436 <userinput>allow-update-forwarding { any; };</userinput>.
6437 Specifying values other than <userinput>{ none; }</userinput> or
6438 <userinput>{ any; }</userinput> is usually
6439 counterproductive, since
6440 the responsibility for update access control should rest
6442 master server, not the slaves.
6445 Note that enabling the update forwarding feature on a slave
6447 may expose master servers relying on insecure IP address
6449 access control to attacks; see <xref linkend="dynamic_update_security"/>
6456 <term><command>allow-v6-synthesis</command></term>
6459 This option was introduced for the smooth transition from
6461 to A6 and from "nibble labels" to binary labels.
6462 However, since both A6 and binary labels were then
6464 this option was also deprecated.
6465 It is now ignored with some warning messages.
6471 <term><command>allow-transfer</command></term>
6474 Specifies which hosts are allowed to
6475 receive zone transfers from the server. <command>allow-transfer</command> may
6476 also be specified in the <command>zone</command>
6478 case it overrides the <command>options allow-transfer</command> statement.
6479 If not specified, the default is to allow transfers to all
6486 <term><command>blackhole</command></term>
6489 Specifies a list of addresses that the
6490 server will not accept queries from or use to resolve a
6492 from these addresses will not be responded to. The default
6493 is <userinput>none</userinput>.
6503 <title>Interfaces</title>
6505 The interfaces and ports that the server will answer queries
6506 from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
6507 an optional port and an <varname>address_match_list</varname>.
6508 The server will listen on all interfaces allowed by the address
6509 match list. If a port is not specified, port 53 will be used.
6512 Multiple <command>listen-on</command> statements are
6517 <programlisting>listen-on { 5.6.7.8; };
6518 listen-on port 1234 { !1.2.3.4; 1.2/16; };
6522 will enable the name server on port 53 for the IP address
6523 5.6.7.8, and on port 1234 of an address on the machine in net
6524 1.2 that is not 1.2.3.4.
6528 If no <command>listen-on</command> is specified, the
6529 server will listen on port 53 on all IPv4 interfaces.
6533 The <command>listen-on-v6</command> option is used to
6534 specify the interfaces and the ports on which the server will
6536 for incoming queries sent using IPv6.
6540 When <programlisting>{ any; }</programlisting> is
6542 as the <varname>address_match_list</varname> for the
6543 <command>listen-on-v6</command> option,
6544 the server does not bind a separate socket to each IPv6 interface
6545 address as it does for IPv4 if the operating system has enough API
6546 support for IPv6 (specifically if it conforms to RFC 3493 and RFC
6548 Instead, it listens on the IPv6 wildcard address.
6549 If the system only has incomplete API support for IPv6, however,
6550 the behavior is the same as that for IPv4.
6554 A list of particular IPv6 addresses can also be specified, in
6556 the server listens on a separate socket for each specified
6558 regardless of whether the desired API is supported by the system.
6562 Multiple <command>listen-on-v6</command> options can
6567 <programlisting>listen-on-v6 { any; };
6568 listen-on-v6 port 1234 { !2001:db8::/32; any; };
6572 will enable the name server on port 53 for any IPv6 addresses
6573 (with a single wildcard socket),
6574 and on port 1234 of IPv6 addresses that are not in the prefix
6575 2001:db8::/32 (with separate sockets for each matched address).
6579 To make the server not listen on any IPv6 address, use
6582 <programlisting>listen-on-v6 { none; };
6586 If no <command>listen-on-v6</command> option is
6587 specified, the server will not listen on any IPv6 address
6588 unless <command>-6</command> is specified when <command>named</command> is
6589 invoked. If <command>-6</command> is specified then
6590 <command>named</command> will listen on port 53 on all IPv6 interfaces by default.
6594 <sect3 id="query_address">
6595 <title>Query Address</title>
6597 If the server doesn't know the answer to a question, it will
6598 query other name servers. <command>query-source</command> specifies
6599 the address and port used for such queries. For queries sent over
6600 IPv6, there is a separate <command>query-source-v6</command> option.
6601 If <command>address</command> is <command>*</command> (asterisk) or is omitted,
6602 a wildcard IP address (<command>INADDR_ANY</command>)
6607 If <command>port</command> is <command>*</command> or is omitted,
6608 a random port number from a pre-configured
6609 range is picked and used for each query.
6610 The port ranges are those specified in
6611 the <command>use-v4-udp-ports</command> (for IPv4)
6612 and <command>use-v6-udp-ports</command> (for IPv6)
6613 options, excluding the ranges specified in
6614 the <command>avoid-v4-udp-ports</command>
6615 and <command>avoid-v6-udp-ports</command> options, respectively.
6619 The defaults of the <command>query-source</command> and
6620 <command>query-source-v6</command> options
6624 <programlisting>query-source address * port *;
6625 query-source-v6 address * port *;
6629 If <command>use-v4-udp-ports</command> or
6630 <command>use-v6-udp-ports</command> is unspecified,
6631 <command>named</command> will check if the operating
6632 system provides a programming interface to retrieve the
6633 system's default range for ephemeral ports.
6634 If such an interface is available,
6635 <command>named</command> will use the corresponding system
6636 default range; otherwise, it will use its own defaults:
6639 <programlisting>use-v4-udp-ports { range 1024 65535; };
6640 use-v6-udp-ports { range 1024 65535; };
6644 Note: make sure the ranges are sufficiently large for
6645 security. A desirable size depends on various parameters,
6646 but we generally recommend that they contain at least 16384 ports
6647 (14 bits of entropy).
6648 Note also that the system's default range when used may be
6649 too small for this purpose, and that the range may even be
6650 changed while <command>named</command> is running; the new
6651 range will automatically be applied when <command>named</command>
6654 configure <command>use-v4-udp-ports</command> and
6655 <command>use-v6-udp-ports</command> explicitly so that the
6656 ranges are sufficiently large and are reasonably
6657 independent from the ranges used by other applications.
6661 Note: the operational configuration
6662 where <command>named</command> runs may prohibit the use
6663 of some ports. For example, UNIX systems will not allow
6664 <command>named</command> running without root privileges
6665 to use ports less than 1024.
6666 If such ports are included in the specified (or detected)
6667 set of query ports, the corresponding query attempts will
6668 fail, resulting in resolution failures or delay.
6669 It is therefore important to configure the set of ports
6670 that can be safely used in the expected operational environment.
6674 The defaults of the <command>avoid-v4-udp-ports</command> and
6675 <command>avoid-v6-udp-ports</command> options
6679 <programlisting>avoid-v4-udp-ports {};
6680 avoid-v6-udp-ports {};
6684 Note: BIND 9.5.0 introduced
6685 the <command>use-queryport-pool</command>
6686 option to support a pool of such random ports, but this
6687 option is now obsolete because reusing the same ports in
6688 the pool may not be sufficiently secure.
6689 For the same reason, it is generally strongly discouraged to
6690 specify a particular port for the
6691 <command>query-source</command> or
6692 <command>query-source-v6</command> options;
6693 it implicitly disables the use of randomized port numbers.
6698 <term><command>use-queryport-pool</command></term>
6701 This option is obsolete.
6707 <term><command>queryport-pool-ports</command></term>
6710 This option is obsolete.
6716 <term><command>queryport-pool-updateinterval</command></term>
6719 This option is obsolete.
6727 The address specified in the <command>query-source</command> option
6728 is used for both UDP and TCP queries, but the port applies only
6729 to UDP queries. TCP queries always use a random
6735 Solaris 2.5.1 and earlier does not support setting the source
6736 address for TCP sockets.
6741 See also <command>transfer-source</command> and
6742 <command>notify-source</command>.
6747 <sect3 id="zone_transfers">
6748 <title>Zone Transfers</title>
6750 <acronym>BIND</acronym> has mechanisms in place to
6751 facilitate zone transfers
6752 and set limits on the amount of load that transfers place on the
6753 system. The following options apply to zone transfers.
6759 <term><command>also-notify</command></term>
6762 Defines a global list of IP addresses of name servers
6763 that are also sent NOTIFY messages whenever a fresh copy of
6765 zone is loaded, in addition to the servers listed in the
6767 This helps to ensure that copies of the zones will
6768 quickly converge on stealth servers.
6769 Optionally, a port may be specified with each
6770 <command>also-notify</command> address to send
6771 the notify messages to a port other than the
6773 If an <command>also-notify</command> list
6774 is given in a <command>zone</command> statement,
6776 the <command>options also-notify</command>
6777 statement. When a <command>zone notify</command>
6779 is set to <command>no</command>, the IP
6780 addresses in the global <command>also-notify</command> list will
6781 not be sent NOTIFY messages for that zone. The default is
6783 list (no global notification list).
6789 <term><command>max-transfer-time-in</command></term>
6792 Inbound zone transfers running longer than
6793 this many minutes will be terminated. The default is 120
6795 (2 hours). The maximum value is 28 days (40320 minutes).
6801 <term><command>max-transfer-idle-in</command></term>
6804 Inbound zone transfers making no progress
6805 in this many minutes will be terminated. The default is 60
6807 (1 hour). The maximum value is 28 days (40320 minutes).
6813 <term><command>max-transfer-time-out</command></term>
6816 Outbound zone transfers running longer than
6817 this many minutes will be terminated. The default is 120
6819 (2 hours). The maximum value is 28 days (40320 minutes).
6825 <term><command>max-transfer-idle-out</command></term>
6828 Outbound zone transfers making no progress
6829 in this many minutes will be terminated. The default is 60
6831 hour). The maximum value is 28 days (40320 minutes).
6837 <term><command>serial-query-rate</command></term>
6840 Slave servers will periodically query master servers
6841 to find out if zone serial numbers have changed. Each such
6843 a minute amount of the slave server's network bandwidth. To
6845 amount of bandwidth used, BIND 9 limits the rate at which
6847 sent. The value of the <command>serial-query-rate</command> option,
6848 an integer, is the maximum number of queries sent per
6856 <term><command>serial-queries</command></term>
6859 In BIND 8, the <command>serial-queries</command>
6861 set the maximum number of concurrent serial number queries
6862 allowed to be outstanding at any given time.
6863 BIND 9 does not limit the number of outstanding
6864 serial queries and ignores the <command>serial-queries</command> option.
6865 Instead, it limits the rate at which the queries are sent
6866 as defined using the <command>serial-query-rate</command> option.
6872 <term><command>transfer-format</command></term>
6876 Zone transfers can be sent using two different formats,
6877 <command>one-answer</command> and
6878 <command>many-answers</command>.
6879 The <command>transfer-format</command> option is used
6880 on the master server to determine which format it sends.
6881 <command>one-answer</command> uses one DNS message per
6882 resource record transferred.
6883 <command>many-answers</command> packs as many resource
6884 records as possible into a message.
6885 <command>many-answers</command> is more efficient, but is
6886 only supported by relatively new slave servers,
6887 such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
6888 8.x and <acronym>BIND</acronym> 4.9.5 onwards.
6889 The <command>many-answers</command> format is also supported by
6890 recent Microsoft Windows nameservers.
6891 The default is <command>many-answers</command>.
6892 <command>transfer-format</command> may be overridden on a
6893 per-server basis by using the <command>server</command>
6901 <term><command>transfers-in</command></term>
6904 The maximum number of inbound zone transfers
6905 that can be running concurrently. The default value is <literal>10</literal>.
6906 Increasing <command>transfers-in</command> may
6907 speed up the convergence
6908 of slave zones, but it also may increase the load on the
6915 <term><command>transfers-out</command></term>
6918 The maximum number of outbound zone transfers
6919 that can be running concurrently. Zone transfer requests in
6921 of the limit will be refused. The default value is <literal>10</literal>.
6927 <term><command>transfers-per-ns</command></term>
6930 The maximum number of inbound zone transfers
6931 that can be concurrently transferring from a given remote
6933 The default value is <literal>2</literal>.
6934 Increasing <command>transfers-per-ns</command>
6936 speed up the convergence of slave zones, but it also may
6938 the load on the remote name server. <command>transfers-per-ns</command> may
6939 be overridden on a per-server basis by using the <command>transfers</command> phrase
6940 of the <command>server</command> statement.
6946 <term><command>transfer-source</command></term>
6948 <para><command>transfer-source</command>
6949 determines which local address will be bound to IPv4
6950 TCP connections used to fetch zones transferred
6951 inbound by the server. It also determines the
6952 source IPv4 address, and optionally the UDP port,
6953 used for the refresh queries and forwarded dynamic
6954 updates. If not set, it defaults to a system
6955 controlled value which will usually be the address
6956 of the interface "closest to" the remote end. This
6957 address must appear in the remote end's
6958 <command>allow-transfer</command> option for the
6959 zone being transferred, if one is specified. This
6961 <command>transfer-source</command> for all zones,
6962 but can be overridden on a per-view or per-zone
6963 basis by including a
6964 <command>transfer-source</command> statement within
6965 the <command>view</command> or
6966 <command>zone</command> block in the configuration
6971 Solaris 2.5.1 and earlier does not support setting the
6972 source address for TCP sockets.
6979 <term><command>transfer-source-v6</command></term>
6982 The same as <command>transfer-source</command>,
6983 except zone transfers are performed using IPv6.
6989 <term><command>alt-transfer-source</command></term>
6992 An alternate transfer source if the one listed in
6993 <command>transfer-source</command> fails and
6994 <command>use-alt-transfer-source</command> is
6998 If you do not wish the alternate transfer source
6999 to be used, you should set
7000 <command>use-alt-transfer-source</command>
7001 appropriately and you should not depend upon
7002 getting an answer back to the first refresh
7009 <term><command>alt-transfer-source-v6</command></term>
7012 An alternate transfer source if the one listed in
7013 <command>transfer-source-v6</command> fails and
7014 <command>use-alt-transfer-source</command> is
7021 <term><command>use-alt-transfer-source</command></term>
Whether to use the alternate transfer sources. If views are
specified, this defaults to <command>no</command>;
otherwise it defaults to
<command>yes</command> (for BIND 8
7034 <term><command>notify-source</command></term>
7036 <para><command>notify-source</command>
7037 determines which local source address, and
7038 optionally UDP port, will be used to send NOTIFY
7039 messages. This address must appear in the slave
7040 server's <command>masters</command> zone clause or
7041 in an <command>allow-notify</command> clause. This
7042 statement sets the <command>notify-source</command>
7043 for all zones, but can be overridden on a per-zone or
7044 per-view basis by including a
7045 <command>notify-source</command> statement within
7046 the <command>zone</command> or
7047 <command>view</command> block in the configuration
7052 Solaris 2.5.1 and earlier does not support setting the
7053 source address for TCP sockets.
7060 <term><command>notify-source-v6</command></term>
7063 Like <command>notify-source</command>,
7064 but applies to notify messages sent to IPv6 addresses.
7074 <title>UDP Port Lists</title>
7076 <command>use-v4-udp-ports</command>,
7077 <command>avoid-v4-udp-ports</command>,
7078 <command>use-v6-udp-ports</command>, and
7079 <command>avoid-v6-udp-ports</command>
7080 specify a list of IPv4 and IPv6 UDP ports that will be
7081 used or not used as source ports for UDP messages.
7082 See <xref linkend="query_address"/> about how the
7083 available ports are determined.
7084 For example, with the following configuration
7088 use-v6-udp-ports { range 32768 65535; };
7089 avoid-v6-udp-ports { 40000; range 50000 60000; };
7093 UDP ports of IPv6 messages sent
7094 from <command>named</command> will be in one
7095 of the following ranges: 32768 to 39999, 40001 to 49999,
7100 <command>avoid-v4-udp-ports</command> and
7101 <command>avoid-v6-udp-ports</command> can be used
7102 to prevent <command>named</command> from choosing as its random source port a
7103 port that is blocked by your firewall or a port that is
7104 used by other applications;
7105 if a query went out with a source port blocked by a
7107 answer would not get by the firewall and the name server would
7108 have to query again.
7109 Note: the desired range can also be represented only with
7110 <command>use-v4-udp-ports</command> and
7111 <command>use-v6-udp-ports</command>, and the
7112 <command>avoid-</command> options are redundant in that
7113 sense; they are provided for backward compatibility and
7114 to possibly simplify the port specification.
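As an added example (not code from the BIND 9 manual or from <command>named</command>), the following Python works out which ports remain available from a pair of use-/avoid- statements, using the semantics described above: the use- list defines the pool and the avoid- list removes ports from it. The configuration text is constructed from the example above, and treating a missing use- statement as an empty pool is an assumption of this example, not <command>named</command>'s built-in default.

```python
import math
import re

# Constructed sample configuration: the two statements from the example above.
CONFIG = """
use-v6-udp-ports   { range 32768 65535; };
avoid-v6-udp-ports { 40000; range 50000 60000; };
"""

_STMT = re.compile(r"(use|avoid)-(v4|v6)-udp-ports\s*\{([^}]*)\}\s*;")
_ELEM = re.compile(r"range\s+(\d+)\s+(\d+)|(\d+)")


def parse_port_lists(text):
    """Map (verb, family) -> [(lo, hi), ...] for each *-udp-ports statement.

    A bare port becomes the one-element range (p, p); `range lo hi` is inclusive.
    """
    lists = {}
    for verb, family, body in _STMT.findall(text):
        ranges = []
        for m in _ELEM.finditer(body):
            if m.group(1) is not None:
                lo, hi = int(m.group(1)), int(m.group(2))
            else:
                lo = hi = int(m.group(3))
            if not (0 <= lo <= hi <= 65535):
                raise ValueError(f"bad port range {lo}-{hi} in {verb}-{family}-udp-ports")
            ranges.append((lo, hi))
        lists[(verb, family)] = ranges
    return lists


def subtract_ranges(pool, holes):
    """Remove every interval in `holes` from the intervals in `pool`.

    Returns a sorted list of disjoint inclusive ranges.
    """
    result = []
    for lo, hi in sorted(pool):
        segments = [(lo, hi)]
        for a, b in holes:
            kept = []
            for s, e in segments:
                if b < s or a > e:            # hole does not touch this segment
                    kept.append((s, e))
                    continue
                if s < a:                     # part of the segment before the hole
                    kept.append((s, a - 1))
                if e > b:                     # part of the segment after the hole
                    kept.append((b + 1, e))
            segments = kept
        result.extend(segments)
    return result


def available_ports(text, family="v6"):
    """Ranges named may draw its random source port from, and how many there are.

    A port listed in both use- and avoid- lists is unavailable. With no use-
    statement this example treats the pool as empty (assumption: named's own
    default pool is not modelled here).
    """
    lists = parse_port_lists(text)
    pool = lists.get(("use", family), [])
    holes = lists.get(("avoid", family), [])
    ranges = subtract_ranges(pool, holes)
    count = sum(hi - lo + 1 for lo, hi in ranges)
    # The size of the pool is what makes the random source port hard to guess
    # for an off-path spoofed answer, so a configuration review should report it.
    bits = math.log2(count) if count else 0.0
    return {"ranges": ranges, "count": count, "entropy_bits": round(bits, 2)}


if __name__ == "__main__":
    summary = available_ports(CONFIG, "v6")
    for lo, hi in summary["ranges"]:
        print(f"{lo} to {hi}")
    print(f"{summary['count']} usable ports, ~{summary['entropy_bits']} bits of port entropy")
```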
7119 <title>Operating System Resource Limits</title>
7122 The server's usage of many system resources can be limited.
7123 Scaled values are allowed when specifying resource limits. For
7124 example, <command>1G</command> can be used instead of
7125 <command>1073741824</command> to specify a limit of
7127 gigabyte. <command>unlimited</command> requests
7128 unlimited use, or the
7129 maximum available amount. <command>default</command>
7131 that was in force when the server was started. See the description
7132 of <command>size_spec</command> in <xref linkend="configuration_file_elements"/>.
7136 The following options set operating system resource limits for
7137 the name server process. Some operating systems don't support
7139 any of the limits. On such systems, a warning will be issued if
7141 unsupported limit is used.
7147 <term><command>coresize</command></term>
7150 The maximum size of a core dump. The default
7151 is <literal>default</literal>.
7157 <term><command>datasize</command></term>
7160 The maximum amount of data memory the server
7161 may use. The default is <literal>default</literal>.
7162 This is a hard limit on server memory usage.
7163 If the server attempts to allocate memory in excess of this
7164 limit, the allocation will fail, which may in turn leave
7165 the server unable to perform DNS service. Therefore,
7166 this option is rarely useful as a way of limiting the
7167 amount of memory used by the server, but it can be used
7168 to raise an operating system data size limit that is
7169 too small by default. If you wish to limit the amount
7170 of memory used by the server, use the
7171 <command>max-cache-size</command> and
7172 <command>recursive-clients</command>
7179 <term><command>files</command></term>
7182 The maximum number of files the server
7183 may have open concurrently. The default is <literal>unlimited</literal>.
7189 <term><command>stacksize</command></term>
7192 The maximum amount of stack memory the server
7193 may use. The default is <literal>default</literal>.
7202 <sect3 id="server_resource_limits">
7203 <title>Server Resource Limits</title>
7206 The following options set limits on the server's
7207 resource consumption that are enforced internally by the
7208 server rather than the operating system.
7214 <term><command>max-ixfr-log-size</command></term>
7217 This option is obsolete; it is accepted
7218 and ignored for BIND 8 compatibility. The option
7219 <command>max-journal-size</command> performs a
7220 similar function in BIND 9.
7226 <term><command>max-journal-size</command></term>
7229 Sets a maximum size for each journal file
7230 (see <xref linkend="journal"/>). When the journal file
7232 the specified size, some of the oldest transactions in the
7234 will be automatically removed. The default is
7235 <literal>unlimited</literal>.
7236 This may also be set on a per-zone basis.
7242 <term><command>host-statistics-max</command></term>
7245 In BIND 8, specifies the maximum number of host statistics
7247 Not implemented in BIND 9.
7253 <term><command>recursive-clients</command></term>
7256 The maximum number of simultaneous recursive lookups
7257 the server will perform on behalf of clients. The default
7259 <literal>1000</literal>. Because each recursing
7261 bit of memory, on the order of 20 kilobytes, the value of
7263 <command>recursive-clients</command> option may
7264 have to be decreased
7265 on hosts with limited memory.
7271 <term><command>tcp-clients</command></term>
7274 The maximum number of simultaneous client TCP
7275 connections that the server will accept.
7276 The default is <literal>100</literal>.
7282 <term><command>reserved-sockets</command></term>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
interfaces <command>named</command> listens on and <command>tcp-clients</command>, as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <literal>512</literal>.
7290 The minimum value is <literal>128</literal> and the
7291 maximum value is <literal>128</literal> less than
7292 maxsockets (-S). This option may be removed in the future.
7295 This option has little effect on Windows.
7301 <term><command>max-cache-size</command></term>
7304 The maximum amount of memory to use for the
7305 server's cache, in bytes.
When the amount of data in the cache
reaches this limit, the server will cause records to expire
prematurely, using an LRU-based strategy, so that
the limit is not exceeded.
7310 A value of 0 is special, meaning that
7311 records are purged from the cache only when their
7313 Another special keyword <userinput>unlimited</userinput>
7314 means the maximum value of 32-bit unsigned integers
7315 (0xffffffff), which may not have the same effect as
7316 0 on machines that support more than 32 bits of
7318 Any positive values less than 2MB will be ignored reset
7320 In a server with multiple views, the limit applies
7321 separately to the cache of each view.
7328 <term><command>tcp-listen-queue</command></term>
7331 The listen queue depth. The default and minimum is 3.
7332 If the kernel supports the accept filter "dataready" this
7334 many TCP connections that will be queued in kernel space
7336 some data before being passed to accept. Values less than 3
7348 <title>Periodic Task Intervals</title>
7353 <term><command>cleaning-interval</command></term>
7356 This interval is effectively obsolete. Previously,
7357 the server would remove expired resource records
7358 from the cache every <command>cleaning-interval</command> minutes.
7359 <acronym>BIND</acronym> 9 now manages cache
7360 memory in a more sophisticated manner and does not
7361 rely on the periodic cleaning any more.
7362 Specifying this option therefore has no effect on
7363 the server's behavior.
7369 <term><command>heartbeat-interval</command></term>
7372 The server will perform zone maintenance tasks
7373 for all zones marked as <command>dialup</command> whenever this
7374 interval expires. The default is 60 minutes. Reasonable
7376 to 1 day (1440 minutes). The maximum value is 28 days
7378 If set to 0, no zone maintenance for these zones will occur.
7384 <term><command>interface-interval</command></term>
7387 The server will scan the network interface list
7388 every <command>interface-interval</command>
7389 minutes. The default
7390 is 60 minutes. The maximum value is 28 days (40320 minutes).
7391 If set to 0, interface scanning will only occur when
7392 the configuration file is loaded. After the scan, the
7394 begin listening for queries on any newly discovered
7395 interfaces (provided they are allowed by the
7396 <command>listen-on</command> configuration), and
7398 stop listening on interfaces that have gone away.
7404 <term><command>statistics-interval</command></term>
7407 Name server statistics will be logged
7408 every <command>statistics-interval</command>
7409 minutes. The default is
7410 60. The maximum value is 28 days (40320 minutes).
7411 If set to 0, no statistics will be logged.
7414 Not yet implemented in
7415 <acronym>BIND</acronym> 9.
7425 <sect3 id="topology">
7426 <title>Topology</title>
7429 All other things being equal, when the server chooses a name
7431 to query from a list of name servers, it prefers the one that is
7432 topologically closest to itself. The <command>topology</command> statement
7433 takes an <command>address_match_list</command> and
7435 in a special way. Each top-level list element is assigned a
7437 Non-negated elements get a distance based on their position in the
7438 list, where the closer the match is to the start of the list, the
7439 shorter the distance is between it and the server. A negated match
7440 will be assigned the maximum distance from the server. If there
7441 is no match, the address will get a distance which is further than
7442 any non-negated list element, and closer than any negated element.
7446 <programlisting>topology {
7453 will prefer servers on network 10 the most, followed by hosts
7454 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
7455 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
7456 is preferred least of all.
7459 The default topology is
<programlisting> topology { localhost; localnets; };</programlisting>
7467 The <command>topology</command> option
7468 is not implemented in <acronym>BIND</acronym> 9.
7473 <sect3 id="the_sortlist_statement">
7475 <title>The <command>sortlist</command> Statement</title>
7478 The response to a DNS query may consist of multiple resource
7479 records (RRs) forming a resource records set (RRset).
7480 The name server will normally return the
7481 RRs within the RRset in an indeterminate order
7482 (but see the <command>rrset-order</command>
7483 statement in <xref linkend="rrset_ordering"/>).
7484 The client resolver code should rearrange the RRs as appropriate,
7485 that is, using any addresses on the local net in preference to
7487 However, not all resolvers can do this or are correctly
7489 When a client is using a local server, the sorting can be performed
7490 in the server, based on the client's address. This only requires
7491 configuring the name servers, not all the clients.
7495 The <command>sortlist</command> statement (see below)
7497 an <command>address_match_list</command> and
7499 more specifically than the <command>topology</command>
7501 does (<xref linkend="topology"/>).
7502 Each top level statement in the <command>sortlist</command> must
7503 itself be an explicit <command>address_match_list</command> with
7504 one or two elements. The first element (which may be an IP
7506 an IP prefix, an ACL name or a nested <command>address_match_list</command>)
7507 of each top level list is checked against the source address of
7508 the query until a match is found.
7511 Once the source address of the query has been matched, if
7512 the top level statement contains only one element, the actual
7514 element that matched the source address is used to select the
7516 in the response to move to the beginning of the response. If the
7517 statement is a list of two elements, then the second element is
7518 treated the same as the <command>address_match_list</command> in
7519 a <command>topology</command> statement. Each top
7521 is assigned a distance and the address in the response with the
7523 distance is moved to the beginning of the response.
7526 In the following example, any queries received from any of
7527 the addresses of the host itself will get responses preferring
7529 on any of the locally connected networks. Next most preferred are
7531 on the 192.168.1/24 network, and after that either the
7534 192.168.3/24 network with no preference shown between these two
7535 networks. Queries received from a host on the 192.168.1/24 network
7536 will prefer other addresses on that network to the 192.168.2/24
7538 192.168.3/24 networks. Queries received from a host on the
7540 or the 192.168.5/24 network will only prefer other addresses on
7541 their directly connected networks.
<programlisting>sortlist {
    { localhost;                                   // IF   the local host
        { localnets;                               // THEN first fit on the
            192.168.1/24;                          //   following nets
            { 192.168.2/24; 192.168.3/24; }; }; };
    { 192.168.1/24;                                // IF   on class C 192.168.1
        { 192.168.1/24;                            // THEN use .1, or .2 or .3
            { 192.168.2/24; 192.168.3/24; }; }; };
    { 192.168.2/24;                                // IF   on class C 192.168.2
        { 192.168.2/24;                            // THEN use .2, or .1 or .3
            { 192.168.1/24; 192.168.3/24; }; }; };
    { 192.168.3/24;                                // IF   on class C 192.168.3
        { 192.168.3/24;                            // THEN use .3, or .1 or .2
            { 192.168.1/24; 192.168.2/24; }; }; };
    { { 192.168.4/24; 192.168.5/24; };             // if .4 or .5, prefer that net
    };
};</programlisting>
7563 The following example will give reasonable behavior for the
7564 local host and hosts on directly connected networks. It is similar
7565 to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
7566 to queries from the local host will favor any of the directly
7568 networks. Responses sent to queries from any other hosts on a
7570 connected network will prefer addresses on that same network.
7572 to other queries will not be sorted.
<programlisting>sortlist {
    { localhost; localnets; };
};</programlisting>
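The following Python is added here and is not part of the manual or of <command>named</command>: it implements the <command>sortlist</command> matching rules above together with the distance rules of the <command>topology</command> section, and applies them to the first sortlist example. The server's own interface addresses (CTX) are constructed for illustration, and negated elements inside nested lists are handled in a simplified way.

```python
import ipaddress

# Constructed context for the server itself: the addresses on its own
# interfaces define what "localhost" and "localnets" match.
CTX = {
    "localhost": {ipaddress.ip_address(a) for a in ("127.0.0.1", "192.168.1.1", "10.1.0.1")},
    "localnets": {ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24", "10.1.0.0/16")},
}

# The first sortlist example above as nested Python lists: a string is one
# element (prefix, localhost, localnets; a leading "!" negates it) and a list
# is a nested address_match_list.
SORTLIST = [
    ["localhost", ["localnets", "192.168.1/24", ["192.168.2/24", "192.168.3/24"]]],
    ["192.168.1/24", ["192.168.1/24", ["192.168.2/24", "192.168.3/24"]]],
    ["192.168.2/24", ["192.168.2/24", ["192.168.1/24", "192.168.3/24"]]],
    ["192.168.3/24", ["192.168.3/24", ["192.168.1/24", "192.168.2/24"]]],
    [["192.168.4/24", "192.168.5/24"]],
]


def _prefix(text):
    """Expand BIND's abbreviated IPv4 prefixes: 192.168.1/24 -> 192.168.1.0/24."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def _atom_matches(atom, addr, ctx):
    """Does a single, non-negated element match the address?"""
    if atom == "any":
        return True
    if atom == "none":
        return False
    if atom == "localhost":
        return addr in ctx["localhost"]
    if atom == "localnets":
        return any(addr in net for net in ctx["localnets"])
    return addr in _prefix(atom)


def first_match(aml, addr, ctx):
    """Return the element that matches addr, descending into nested lists, or None.

    Simplification: a negated element that matches ends the search as "no match".
    """
    for elem in aml:
        if isinstance(elem, list):
            hit = first_match(elem, addr, ctx)
            if hit is not None:
                return hit
            continue
        negated = elem.startswith("!")
        if _atom_matches(elem.lstrip("!"), addr, ctx):
            return None if negated else elem
    return None


def topology_distance(aml, addr, ctx):
    """Topology rules: list position for a match, beyond every non-negated
    element for no match, and the maximum distance for a negated match."""
    addr = ipaddress.ip_address(str(addr))
    n = len(aml)
    for i, elem in enumerate(aml):
        if isinstance(elem, list):
            if first_match(elem, addr, ctx) is not None:
                return i
            continue
        negated = elem.startswith("!")
        if _atom_matches(elem.lstrip("!"), addr, ctx):
            return n + 1 if negated else i
    return n


def sortlist_order(sortlist, client, answers, ctx):
    """Reorder IPv4 answer addresses for a query from `client`; sorted() is
    stable, so answers at equal distance keep their original relative order."""
    client = ipaddress.ip_address(client)
    addrs = [ipaddress.ip_address(a) for a in answers]
    for stmt in sortlist:
        matched = first_match([stmt[0]], client, ctx)
        if matched is None:
            continue
        if len(stmt) == 1:
            # One element: the element that actually matched selects the
            # answers that move to the front.
            key = lambda a: 0 if _atom_matches(matched, a, ctx) else 1
        else:
            # Two elements: the second is interpreted like a topology statement.
            key = lambda a: topology_distance(stmt[1], a, ctx)
        return [str(a) for a in sorted(addrs, key=key)]
    return list(answers)  # no statement matched: leave the order alone


if __name__ == "__main__":
    print(sortlist_order(SORTLIST, "192.168.1.50",
                         ["192.168.3.10", "192.168.2.10", "192.168.1.10", "198.51.100.7"], CTX))
```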
7582 <sect3 id="rrset_ordering">
7583 <title id="rrset_ordering_title">RRset Ordering</title>
7585 When multiple records are returned in an answer it may be
7586 useful to configure the order of the records placed into the
7588 The <command>rrset-order</command> statement permits
7590 of the ordering of the records in a multiple record response.
7591 See also the <command>sortlist</command> statement,
7592 <xref linkend="the_sortlist_statement"/>.
7596 An <command>order_spec</command> is defined as
7600 <optional>class <replaceable>class_name</replaceable></optional>
7601 <optional>type <replaceable>type_name</replaceable></optional>
7602 <optional>name <replaceable>"domain_name"</replaceable></optional>
7603 order <replaceable>ordering</replaceable>
7606 If no class is specified, the default is <command>ANY</command>.
7607 If no type is specified, the default is <command>ANY</command>.
7608 If no name is specified, the default is "<command>*</command>" (asterisk).
7611 The legal values for <command>ordering</command> are:
7613 <informaltable colsep="0" rowsep="0">
7614 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
7615 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
7616 <colspec colname="2" colnum="2" colsep="0" colwidth="3.750in"/>
7620 <para><command>fixed</command></para>
7624 Records are returned in the order they
7625 are defined in the zone file.
7631 <para><command>random</command></para>
7635 Records are returned in some random order.
7641 <para><command>cyclic</command></para>
7645 Records are returned in a cyclic round-robin order.
7648 If <acronym>BIND</acronym> is configured with the
7649 "--enable-fixed-rrset" option at compile time, then
7650 the initial ordering of the RRset will match the
7651 one specified in the zone file.
<programlisting>rrset-order {
    class IN type A name "host.example.com" order random;
};</programlisting>
7669 will cause any responses for type A records in class IN that
7670 have "<literal>host.example.com</literal>" as a
7671 suffix, to always be returned
7672 in random order. All other records are returned in cyclic order.
7675 If multiple <command>rrset-order</command> statements
7677 they are not combined — the last one applies.
7682 In this release of <acronym>BIND</acronym> 9, the
7683 <command>rrset-order</command> statement does not support
7684 "fixed" ordering by default. Fixed ordering can be enabled
7685 at compile time by specifying "--enable-fixed-rrset" on
7686 the "configure" command line.
7692 <title>Tuning</title>
7697 <term><command>lame-ttl</command></term>
7700 Sets the number of seconds to cache a
7701 lame server indication. 0 disables caching. (This is
7702 <emphasis role="bold">NOT</emphasis> recommended.)
7703 The default is <literal>600</literal> (10 minutes) and the
7705 <literal>1800</literal> (30 minutes).
7709 Lame-ttl also controls the amount of time DNSSEC
7710 validation failures are cached. There is a minimum
7711 of 30 seconds applied to bad cache entries if the
7712 lame-ttl is set to less than 30 seconds.
7719 <term><command>max-ncache-ttl</command></term>
7722 To reduce network traffic and increase performance,
7723 the server stores negative answers. <command>max-ncache-ttl</command> is
7724 used to set a maximum retention time for these answers in
7726 in seconds. The default
7727 <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
7728 <command>max-ncache-ttl</command> cannot exceed
7730 be silently truncated to 7 days if set to a greater value.
7736 <term><command>max-cache-ttl</command></term>
7739 Sets the maximum time for which the server will
7740 cache ordinary (positive) answers. The default is
7742 A value of zero may cause all queries to return
7743 SERVFAIL, because of lost caches of intermediate
7744 RRsets (such as NS and glue AAAA/A records) in the
7751 <term><command>min-roots</command></term>
7754 The minimum number of root servers that
7755 is required for a request for the root servers to be
7756 accepted. The default
7757 is <userinput>2</userinput>.
7761 Not implemented in <acronym>BIND</acronym> 9.
7768 <term><command>sig-validity-interval</command></term>
Specifies the number of days into the future when
DNSSEC signatures automatically generated as a
result of dynamic updates (<xref
linkend="dynamic_update"/>) will expire. There
is an optional second field which specifies how
long before expiry the signatures will be
regenerated. If not specified, the signatures will
be regenerated at 1/4 of the base interval. The second
field is specified in days if the base interval is
greater than 7 days; otherwise it is specified in hours.
The default base interval is <literal>30</literal> days,
giving a re-signing interval of 7 1/2 days. The maximum
values are 10 years (3660 days).
7786 The signature inception time is unconditionally
7787 set to one hour before the current time to allow
7788 for a limited amount of clock skew.
The <command>sig-validity-interval</command>
should be at least several multiples of the SOA
expire interval to allow for reasonable interaction
between the various timer and expiry dates.
7800 <term><command>sig-signing-nodes</command></term>
7803 Specify the maximum number of nodes to be
7804 examined in each quantum when signing a zone with
7805 a new DNSKEY. The default is
7806 <literal>100</literal>.
7812 <term><command>sig-signing-signatures</command></term>
7815 Specify a threshold number of signatures that
7816 will terminate processing a quantum when signing
7817 a zone with a new DNSKEY. The default is
7818 <literal>10</literal>.
7824 <term><command>sig-signing-type</command></term>
7827 Specify a private RDATA type to be used when generating
7828 key signing records. The default is
7829 <literal>65535</literal>.
7832 It is expected that this parameter may be removed
7833 in a future version once there is a standard type.
7839 <term><command>min-refresh-time</command></term>
7840 <term><command>max-refresh-time</command></term>
7841 <term><command>min-retry-time</command></term>
7842 <term><command>max-retry-time</command></term>
7845 These options control the server's behavior on refreshing a
7847 (querying for SOA changes) or retrying failed transfers.
7848 Usually the SOA values for the zone are used, but these
7850 are set by the master, giving slave server administrators
7852 control over their contents.
7855 These options allow the administrator to set a minimum and
7857 refresh and retry time either per-zone, per-view, or
7859 These options are valid for slave and stub zones,
7860 and clamp the SOA refresh and retry times to the specified
7867 <term><command>edns-udp-size</command></term>
7870 Sets the advertised EDNS UDP buffer size in bytes
7871 to control the size of packets received.
7872 Valid values are 512 to 4096 (values outside this range
7873 will be silently adjusted). The default value
7874 is 4096. The usual reason for setting
7875 <command>edns-udp-size</command> to a non-default
7876 value is to get UDP answers to pass through broken
7877 firewalls that block fragmented packets and/or
7878 block UDP packets that are greater than 512 bytes.
7884 <term><command>max-udp-size</command></term>
7887 Sets the maximum EDNS UDP message size <command>named</command> will
7888 send in bytes. Valid values are 512 to 4096 (values outside
7889 this range will be silently adjusted). The default
7890 value is 4096. The usual reason for setting
7891 <command>max-udp-size</command> to a non-default value is to get UDP
7892 answers to pass through broken firewalls that
7893 block fragmented packets and/or block UDP packets
7894 that are greater than 512 bytes.
7895 This is independent of the advertised receive
7896 buffer (<command>edns-udp-size</command>).
7902 <term><command>masterfile-format</command></term>
7905 the file format of zone files (see
7906 <xref linkend="zonefile_format"/>).
7907 The default value is <constant>text</constant>, which is the
7908 standard textual representation. Files in other formats
7909 than <constant>text</constant> are typically expected
7910 to be generated by the <command>named-compilezone</command> tool.
7911 Note that when a zone file in a different format than
7912 <constant>text</constant> is loaded, <command>named</command>
7913 may omit some of the checks which would be performed for a
7914 file in the <constant>text</constant> format. In particular,
7915 <command>check-names</command> checks do not apply
7916 for the <constant>raw</constant> format. This means
7917 a zone file in the <constant>raw</constant> format
7918 must be generated with the same check level as that
7919 specified in the <command>named</command> configuration
7920 file. This statement sets the
7921 <command>masterfile-format</command> for all zones,
7922 but can be overridden on a per-zone or per-view basis
7923 by including a <command>masterfile-format</command>
7924 statement within the <command>zone</command> or
7925 <command>view</command> block in the configuration
7931 <varlistentry id="clients-per-query">
7932 <term><command>clients-per-query</command></term>
7933 <term><command>max-clients-per-query</command></term>
initial value (minimum) and maximum number of recursive
simultaneous clients for any given query
(&lt;qname,qtype,qclass&gt;) that the server will accept
before dropping additional clients. <command>named</command> will attempt to
self-tune this value and changes will be logged. The
default values are 10 and 100.
This value should reflect how many queries come in for
a given name in the time it takes to resolve that name.
If the number of queries exceeds this value, <command>named</command> will
assume that it is dealing with a non-responsive zone
and will drop additional queries. If it gets a response
after dropping queries, it will raise the estimate. The
estimate will then be lowered in 20 minutes if it has
7954 If <command>clients-per-query</command> is set to zero,
7955 then there is no limit on the number of clients per query
7956 and no queries will be dropped.
7959 If <command>max-clients-per-query</command> is set to zero,
7960 then there is no upper bound other than imposed by
7961 <command>recursive-clients</command>.
7967 <term><command>notify-delay</command></term>
7970 The delay, in seconds, between sending sets of notify
7971 messages for a zone. The default is five (5) seconds.
7979 <sect3 id="builtin">
7980 <title>Built-in server information zones</title>
7983 The server provides some helpful diagnostic information
7984 through a number of built-in zones under the
7985 pseudo-top-level-domain <literal>bind</literal> in the
7986 <command>CHAOS</command> class. These zones are part
7988 built-in view (see <xref linkend="view_statement_grammar"/>) of
7990 <command>CHAOS</command> which is separate from the
7992 class <command>IN</command>; therefore, any global
7994 such as <command>allow-query</command> do not apply
7996 If you feel the need to disable these zones, use the options
7997 below, or hide the built-in <command>CHAOS</command>
7999 defining an explicit view of class <command>CHAOS</command>
8000 that matches all clients.
8006 <term><command>version</command></term>
8009 The version the server should report
8010 via a query of the name <literal>version.bind</literal>
8011 with type <command>TXT</command>, class <command>CHAOS</command>.
8012 The default is the real version number of this server.
8013 Specifying <command>version none</command>
8014 disables processing of the queries.
8020 <term><command>hostname</command></term>
8023 The hostname the server should report via a query of
8024 the name <filename>hostname.bind</filename>
8025 with type <command>TXT</command>, class <command>CHAOS</command>.
8026 This defaults to the hostname of the machine hosting the
8028 found by the gethostname() function. The primary purpose of such queries
8030 identify which of a group of anycast servers is actually
8031 answering your queries. Specifying <command>hostname none;</command>
8032 disables processing of the queries.
8038 <term><command>server-id</command></term>
8041 The ID the server should report when receiving a Name
8042 Server Identifier (NSID) query, or a query of the name
8043 <filename>ID.SERVER</filename> with type
8044 <command>TXT</command>, class <command>CHAOS</command>.
8045 The primary purpose of such queries is to
8046 identify which of a group of anycast servers is actually
8047 answering your queries. Specifying <command>server-id none;</command>
8048 disables processing of the queries.
8049 Specifying <command>server-id hostname;</command> will cause <command>named</command> to
8050 use the hostname as found by the gethostname() function.
8051 The default <command>server-id</command> is <command>none</command>.
8061 <title>Built-in Empty Zones</title>
8063 Named has some built-in empty zones (SOA and NS records only).
8064 These are for zones that should normally be answered locally
8065 and which queries should not be sent to the Internet's root
8066 servers. The official servers which cover these namespaces
8067 return NXDOMAIN responses to these queries. In particular,
8068 these cover the reverse namespace for addresses from RFC 1918 and
RFC 3330. They also include the reverse namespace for IPv6 local
addresses (locally assigned), IPv6 link-local addresses, the IPv6
loopback address and the IPv6 unknown address.
8074 Named will attempt to determine if a built-in zone already exists
8075 or is active (covered by a forward-only forwarding declaration)
and will not create an empty zone in that case.
8079 The current list of empty zones is:
8081 <!-- XXX: The RFC1918 addresses are #defined out in sources currently.
8082 <listitem>10.IN-ADDR.ARPA</listitem>
8083 <listitem>16.172.IN-ADDR.ARPA</listitem>
8084 <listitem>17.172.IN-ADDR.ARPA</listitem>
8085 <listitem>18.172.IN-ADDR.ARPA</listitem>
8086 <listitem>19.172.IN-ADDR.ARPA</listitem>
8087 <listitem>20.172.IN-ADDR.ARPA</listitem>
8088 <listitem>21.172.IN-ADDR.ARPA</listitem>
8089 <listitem>22.172.IN-ADDR.ARPA</listitem>
8090 <listitem>23.172.IN-ADDR.ARPA</listitem>
8091 <listitem>24.172.IN-ADDR.ARPA</listitem>
8092 <listitem>25.172.IN-ADDR.ARPA</listitem>
8093 <listitem>26.172.IN-ADDR.ARPA</listitem>
8094 <listitem>27.172.IN-ADDR.ARPA</listitem>
8095 <listitem>28.172.IN-ADDR.ARPA</listitem>
8096 <listitem>29.172.IN-ADDR.ARPA</listitem>
8097 <listitem>30.172.IN-ADDR.ARPA</listitem>
8098 <listitem>31.172.IN-ADDR.ARPA</listitem>
8099 <listitem>168.192.IN-ADDR.ARPA</listitem>
8100 XXX: end of RFC1918 addresses #defined out -->
8101 <listitem>0.IN-ADDR.ARPA</listitem>
8102 <listitem>127.IN-ADDR.ARPA</listitem>
8103 <listitem>254.169.IN-ADDR.ARPA</listitem>
8104 <listitem>2.0.192.IN-ADDR.ARPA</listitem>
8105 <listitem>255.255.255.255.IN-ADDR.ARPA</listitem>
8106 <listitem>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
8107 <listitem>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</listitem>
8108 <listitem>D.F.IP6.ARPA</listitem>
8109 <listitem>8.E.F.IP6.ARPA</listitem>
8110 <listitem>9.E.F.IP6.ARPA</listitem>
8111 <listitem>A.E.F.IP6.ARPA</listitem>
8112 <listitem>B.E.F.IP6.ARPA</listitem>
8116 Empty zones are settable at the view level and only apply to
8117 views of class IN. Disabled empty zones are only inherited
8118 from options if there are no disabled empty zones specified
8119 at the view level. To override the options list of disabled
8120 zones, you can disable the root zone at the view level, for example:
8122 disable-empty-zone ".";
If you are using the address ranges covered here, you should
already have reverse zones covering the addresses you use.
In practice this appears not to be the case, with many queries
being made to the infrastructure servers for names in these
spaces. So many, in fact, that sacrificial servers had to be
deployed to channel the query load away from the
infrastructure servers.
The real parent servers for these zones should disable all
empty zones under the parent zone they serve. For the real
root servers, this is all built-in empty zones. This will
enable them to return referrals deeper into the tree.
<term><command>empty-server</command></term>
Specify what server name will appear in the returned
SOA record for empty zones. If none is specified, then
the zone's name will be used.
<term><command>empty-contact</command></term>
Specify what contact name will appear in the returned
SOA record for empty zones. If none is specified, then
<term><command>empty-zones-enable</command></term>
Enable or disable all empty zones. By default, they
<term><command>disable-empty-zone</command></term>
Disable individual empty zones. By default, none are
disabled. This option can be specified multiple times.
<title>Additional Section Caching</title>
The additional section cache, also called <command>acache</command>,
is an internal cache to improve the response performance of BIND 9.
When additional section caching is enabled, BIND 9 will
cache an internal short-cut to the additional section content for
Note that <command>acache</command> is an internal caching
mechanism of BIND 9, and is not related to the DNS caching
Additional section caching does not change the
response content (except the RRset ordering of the additional
section, see below), but can improve the response performance
It is particularly effective when BIND 9 acts as an authoritative
server for a zone that has many delegations with many glue RRs.
In order to obtain the maximum performance improvement
from additional section caching, setting
<command>additional-from-cache</command>
to <command>no</command> is recommended, since the current
implementation of <command>acache</command>
does not short-cut additional section information from the
One obvious disadvantage of <command>acache</command> is
that it requires much more
memory for the internal cached data.
Thus, if response performance does not matter and memory
consumption is much more critical, the
<command>acache</command> mechanism can be
disabled by setting <command>acache-enable</command> to
<command>no</command>.
It is also possible to specify the upper limit of memory
for acache by using <command>max-acache-size</command>.
Additional section caching also has a minor effect on the
RRset ordering in the additional section.
Without <command>acache</command>,
<command>cyclic</command> order is effective for the additional
section as well as the answer and authority sections.
However, additional section caching fixes the ordering when it
first caches an RRset for the additional section, and the same
ordering will be kept in succeeding responses, regardless of the
setting of <command>rrset-order</command>.
The effect of this should be minor, however, since an
RRset in the additional section
typically contains only a small number of RRs (and in many cases
it contains a single RR), in which case the
ordering does not matter much.
The following is a summary of options related to
<command>acache</command>.
<term><command>acache-enable</command></term>
If <command>yes</command>, additional section caching is
enabled. The default value is <command>no</command>.
<term><command>acache-cleaning-interval</command></term>
The server will remove stale cache entries, based on an LRU
algorithm, every <command>acache-cleaning-interval</command> minutes.
The default is 60 minutes.
If set to 0, no periodic cleaning will occur.
<term><command>max-acache-size</command></term>
The maximum amount of memory in bytes to use for the server's acache.
When the amount of data in the acache reaches this limit,
will clean more aggressively so that the limit is not
In a server with multiple views, the limit applies
acache of each view.
The default is <literal>16M</literal>.
<sect2 id="server_statement_grammar">
<title><command>server</command> Statement Grammar</title>
<programlisting><command>server</command> <replaceable>ip_addr[/prefixlen]</replaceable> {
<optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
<optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
<optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
<optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
<optional> edns-udp-size <replaceable>number</replaceable> ; </optional>
<optional> max-udp-size <replaceable>number</replaceable> ; </optional>
<optional> transfers <replaceable>number</replaceable> ; </optional>
<optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; </optional>
<optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
<optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
<optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
<optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
<optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
<sect2 id="server_statement_definition_and_usage">
<title><command>server</command> Statement Definition and
The <command>server</command> statement defines
to be associated with a remote name server. If a prefix length is
specified, then a range of servers is covered. Only the most
server clause applies regardless of the order in
<filename>named.conf</filename>.
The <command>server</command> statement can occur at
the top level of the
configuration file or inside a <command>view</command>
If a <command>view</command> statement contains
one or more <command>server</command> statements, only
apply to the view and any top-level ones are ignored.
If a view contains no <command>server</command>
any top-level <command>server</command> statements are
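<para>The two rules just stated (the most specific <command>server</command> clause wins regardless of order, and a view's own <command>server</command> statements replace the top-level ones) are easy to get wrong when several clauses overlap. The following is an added example written for this manual, not code from BIND itself: it models clause selection in Python with a constructed set of overlapping clauses. Note in particular that only the selected clause is consulted, so an option set in a broader clause does not leak into a host-specific one; the lookup falls back to the global default instead.</para>

```python
"""Added example (not BIND's code): choosing the ``server`` clause that
applies to a remote name server.

Models the rule above: of the ``server`` statements whose address or
prefix covers the remote address, only the most specific one applies,
whatever their order in named.conf, and a view that has its own
``server`` statements ignores the top-level ones entirely.  Clause and
option names follow the grammar in this section; the sample
configuration is constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerClause:
    """One ``server ip_addr[/prefixlen] { ... };`` statement."""
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    options: dict[str, str] = field(default_factory=dict)


def server_clause(spec: str, **options: str) -> ServerClause:
    """A bare address covers one host; an address with /prefixlen covers a range."""
    return ServerClause(ipaddress.ip_network(spec, strict=False), dict(options))


def select_clause(remote: str, top_level: list[ServerClause],
                  view_level: list[ServerClause] | None = None) -> ServerClause | None:
    """Most specific clause covering ``remote``; None when no clause covers it."""
    # A view containing any server statements replaces the top-level list.
    candidates = view_level if view_level else top_level
    addr = ipaddress.ip_address(remote)
    covering = [c for c in candidates
                if c.network.version == addr.version and addr in c.network]
    if not covering:
        return None
    # Longest prefix length == most specific; list order plays no part.
    return max(covering, key=lambda c: c.network.prefixlen)


def effective_option(remote: str, name: str, global_default: str,
                     top_level: list[ServerClause],
                     view_level: list[ServerClause] | None = None) -> str:
    """Value of one per-server option, falling back to the options-block default.

    Only the selected clause is consulted: a less specific clause that also
    covers the address contributes nothing."""
    clause = select_clause(remote, top_level, view_level)
    if clause is None:
        return global_default
    return clause.options.get(name, global_default)


# Constructed sample: three overlapping clauses listed in no particular order.
EXAMPLE_TOP_LEVEL = [
    server_clause("10.0.0.0/8", bogus="no", edns="yes"),
    server_clause("10.1.2.3", bogus="yes"),            # one misbehaving host
    server_clause("10.1.2.0/24", edns="no"),
]
EXAMPLE_VIEW_LEVEL = [server_clause("10.0.0.0/8", bogus="yes")]

if __name__ == "__main__":
    for remote in ("10.1.2.3", "10.1.2.9", "10.9.9.9", "192.0.2.1"):
        clause = select_clause(remote, EXAMPLE_TOP_LEVEL)
        print(remote, "->", clause.network if clause else "no server clause",
              "bogus =", effective_option(remote, "bogus", "no", EXAMPLE_TOP_LEVEL))
```

<para>Running the module prints which clause each sample address resolves to. The design choice worth noting is the fallback in <function>effective_option</function>: marking a host <command>bogus</command> in a /32 clause does not carry over <command>edns no</command> from the enclosing /24 clause, which is exactly the behaviour the text describes and a common source of surprise when tightening per-server settings.</para>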
If you discover that a remote server is giving out bad data,
marking it as bogus will prevent further queries to it. The
value of <command>bogus</command> is <command>no</command>.
The <command>provide-ixfr</command> clause determines
the local server, acting as master, will respond with an
zone transfer when the given remote server, a slave, requests it.
If set to <command>yes</command>, incremental transfer
whenever possible. If set to <command>no</command>,
to the remote server will be non-incremental. If not set, the
of the <command>provide-ixfr</command> option in the
global options block is used as a default.
The <command>request-ixfr</command> clause determines
the local server, acting as a slave, will request incremental zone
transfers from the given remote server, a master. If not set, the
value of the <command>request-ixfr</command> option in
global options block is used as a default.
IXFR requests to servers that do not support IXFR will
fall back to AXFR. Therefore, there is no need to manually list
which servers support IXFR and which ones do not; the global
of <command>yes</command> should always work.
The purpose of the <command>provide-ixfr</command> and
<command>request-ixfr</command> clauses is
to make it possible to disable the use of IXFR even when both
and slave claim to support it, for example if one of the servers
is buggy and crashes or corrupts data when IXFR is used.
The <command>edns</command> clause determines whether
the local server will attempt to use EDNS when communicating
with the remote server. The default is <command>yes</command>.
The <command>edns-udp-size</command> option sets the EDNS UDP size
that is advertised by <command>named</command> when querying the remote server.
Valid values are 512 to 4096 bytes (values outside this range will be
silently adjusted). This option is useful when you wish to
advertise a different value to this server from the value you
advertise globally, for example, when there is a firewall at the
remote site that is blocking large replies.
The <command>max-udp-size</command> option sets the
maximum EDNS UDP message size <command>named</command> will send. Valid
values are 512 to 4096 bytes (values outside this range will
be silently adjusted). This option is useful when you
know that there is a firewall that is blocking large
replies from <command>named</command>.
The server supports two zone transfer methods. The first, <command>one-answer</command>,
uses one DNS message per resource record transferred. <command>many-answers</command> packs
as many resource records as possible into a message. <command>many-answers</command> is
more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
8.x, and patched versions of <acronym>BIND</acronym>
4.9.5. You can specify which method
to use for a server with the <command>transfer-format</command> option.
If <command>transfer-format</command> is not
specified, the <command>transfer-format</command>
by the <command>options</command> statement will be
<para><command>transfers</command>
is used to limit the number of concurrent inbound zone
transfers from the specified server. If no
<command>transfers</command> clause is specified, the
limit is set according to the
<command>transfers-per-ns</command> option.
The <command>keys</command> clause identifies a
<command>key_id</command> defined by the <command>key</command> statement,
to be used for transaction security (TSIG, <xref linkend="tsig"/>)
when talking to the remote server.
When a request is sent to the remote server, a request signature
will be generated using the key specified here and appended to the
message. A request originating from the remote server is not
to be signed by this key.
Although the grammar of the <command>keys</command>
allows for multiple keys, only a single key per server is
The <command>transfer-source</command> and
<command>transfer-source-v6</command> clauses specify
the IPv4 and IPv6 source
address to be used for zone transfer with the remote server,
For an IPv4 remote server, only <command>transfer-source</command> can
Similarly, for an IPv6 remote server, only
<command>transfer-source-v6</command> can be
For more details, see the description of
<command>transfer-source</command> and
<command>transfer-source-v6</command> in
<xref linkend="zone_transfers"/>.
The <command>notify-source</command> and
<command>notify-source-v6</command> clauses specify the
IPv4 and IPv6 source address to be used for notify
messages sent to remote servers, respectively. For an
IPv4 remote server, only <command>notify-source</command>
can be specified. Similarly, for an IPv6 remote server,
only <command>notify-source-v6</command> can be specified.
The <command>query-source</command> and
<command>query-source-v6</command> clauses specify the
IPv4 and IPv6 source address to be used for queries
sent to remote servers, respectively. For an IPv4
remote server, only <command>query-source</command> can
be specified. Similarly, for an IPv6 remote server,
only <command>query-source-v6</command> can be specified.
<sect2 id="statschannels">
<title><command>statistics-channels</command> Statement Grammar</title>
<programlisting><command>statistics-channels</command> {
[ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
<title><command>statistics-channels</command> Statement Definition and
The <command>statistics-channels</command> statement
declares communication channels to be used by system
administrators to get access to statistics information of
This statement is intended to be flexible enough to support multiple
communication protocols in the future, but currently only
HTTP access is supported.
It requires that BIND 9 be compiled with libxml2;
the <command>statistics-channels</command> statement is
still accepted even if it is built without the library,
but any HTTP access will fail with an error.
An <command>inet</command> control channel is a TCP socket
listening at the specified <command>ip_port</command> on the
specified <command>ip_addr</command>, which can be an IPv4 or IPv6
address. An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
interpreted as the IPv4 wildcard address; connections will be
accepted on any of the system's IPv4 addresses.
To listen on the IPv6 wildcard address,
use an <command>ip_addr</command> of <literal>::</literal>.
If no port is specified, port 80 is used for HTTP channels.
The asterisk "<literal>*</literal>" cannot be used for
<command>ip_port</command>.
Attempts to open a statistics channel are
restricted by the optional <command>allow</command> clause.
Connections to the statistics channel are permitted based on the
<command>address_match_list</command>.
If no <command>allow</command> clause is present,
<command>named</command> accepts connection
attempts from any address; since the statistics may
contain sensitive internal information, it is highly
recommended to restrict the source of connection requests
If no <command>statistics-channels</command> statement is present,
<command>named</command> will not open any communication channels.
<title><command>trusted-keys</command> Statement Grammar</title>
<programlisting><command>trusted-keys</command> {
<replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
<optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
<title><command>trusted-keys</command> Statement Definition
The <command>trusted-keys</command> statement defines
DNSSEC security roots. DNSSEC is described in <xref
linkend="DNSSEC"/>. A security root is defined when the
public key for a non-authoritative zone is known, but
cannot be securely obtained through DNS, either because
it is the DNS root zone or because its parent zone is
unsigned. Once a key has been configured as a trusted
key, it is treated as if it had been validated and
proven secure. The resolver attempts DNSSEC validation
on all DNS data in subdomains of a security root.
All keys (and corresponding zones) listed in
<command>trusted-keys</command> are deemed to exist regardless
of what parent zones say. Similarly, for all keys listed in
<command>trusted-keys</command>, only those keys are
used to validate the DNSKEY RRset. The parent's DS RRset
The <command>trusted-keys</command> statement can contain
multiple key entries, each consisting of the key's
domain name, flags, protocol, algorithm, and the Base-64
representation of the key data.
Spaces, tabs, newlines and carriage returns are ignored
in the key data, so the configuration may be split up into
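<para>Because a key listed in <command>trusted-keys</command> is treated as validated without further proof, the one check an administrator can make before loading it is that the pasted key data really is the key the zone operator published. The following is an added example written for this manual, not BIND's own parser: it reads entries in the grammar shown above, discards the whitespace that <command>named</command> ignores inside the key data, and computes the key tag (RFC 4034, Appendix B) so it can be compared against the tag published with the key. The sample entry and its key bytes are constructed and belong to no real zone.</para>

```python
"""Added example (not BIND's parser): reading trusted-keys entries and
computing each key's key tag.

Follows the grammar above: ``"name" flags protocol algorithm "key" ;``,
with whitespace inside the quoted key data discarded the way named
discards it.  The key tag is the RFC 4034 Appendix B checksum over the
DNSKEY RDATA; comparing it with the tag the zone operator publishes is
the usual check that the right key was pasted.  The sample key bytes are
constructed and are not a real zone's key.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Constructed sample: key data deliberately split across lines.
SAMPLE_TRUSTED_KEYS = """
trusted-keys {
    "example." 257 3 8 "AQID
                        BA==";
};
"""

# "name" flags protocol algorithm "base64" ;   ([^"]* also spans newlines)
_ENTRY = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')


@dataclass(frozen=True)
class TrustAnchor:
    name: str
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    @property
    def is_zone_key(self) -> bool:
        return bool(self.flags & 0x100)   # Zone Key bit (bit 7 of the flags field)

    @property
    def is_sep(self) -> bool:
        return bool(self.flags & 0x1)     # Secure Entry Point bit (KSK)

    @property
    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
        rdata = (self.flags.to_bytes(2, "big")
                 + bytes([self.protocol, self.algorithm]) + self.key)
        ac = 0
        for i, octet in enumerate(rdata):
            ac += octet if i & 1 else octet << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_trusted_keys(text: str) -> list[TrustAnchor]:
    """Extract every entry of a trusted-keys statement."""
    anchors = []
    for name, flags, protocol, algorithm, keydata in _ENTRY.findall(text):
        if int(protocol) != 3:
            raise ValueError(f"{name}: DNSKEY protocol must be 3")
        # named ignores spaces, tabs, newlines and carriage returns here.
        compact = re.sub(r"[ \t\r\n]", "", keydata)
        key = base64.b64decode(compact, validate=True)
        anchors.append(TrustAnchor(name, int(flags), 3, int(algorithm), key))
    return anchors


if __name__ == "__main__":
    for anchor in parse_trusted_keys(SAMPLE_TRUSTED_KEYS):
        print(f"{anchor.name} alg={anchor.algorithm} flags={anchor.flags} "
              f"sep={anchor.is_sep} key tag={anchor.key_tag}")
```

<para>With the constructed sample the computed key tag is 2063; for a real anchor the number to compare against is the tag shown by the zone operator or by <command>dnssec-dskeygen</command>-style tooling for the same DNSKEY. A flags value without the Zone Key bit, or a protocol other than 3, indicates a record that is not a valid DNSKEY and should not be configured as a trust anchor.</para>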
<sect2 id="view_statement_grammar">
<title><command>view</command> Statement Grammar</title>
<programlisting><command>view</command> <replaceable>view_name</replaceable>
<optional><replaceable>class</replaceable></optional> {
match-clients { <replaceable>address_match_list</replaceable> };
match-destinations { <replaceable>address_match_list</replaceable> };
match-recursive-only <replaceable>yes_or_no</replaceable> ;
<optional> <replaceable>view_option</replaceable>; ...</optional>
<optional> <replaceable>zone_statement</replaceable>; ...</optional>
<title><command>view</command> Statement Definition and Usage</title>
The <command>view</command> statement is a powerful
of <acronym>BIND</acronym> 9 that lets a name server
answer a DNS query differently
depending on who is asking. It is particularly useful for
split DNS setups without having to run multiple servers.
Each <command>view</command> statement defines a view
DNS namespace that will be seen by a subset of clients. A client
a view if its source IP address matches the
<varname>address_match_list</varname> of the view's
<command>match-clients</command> clause and its
destination IP address matches
the <varname>address_match_list</varname> of the
<command>match-destinations</command> clause. If not
<command>match-clients</command> and <command>match-destinations</command>
default to matching all addresses. In addition to checking IP
<command>match-clients</command> and <command>match-destinations</command>
can also take <command>keys</command> which provide an
client to select the view. A view can also be specified
as <command>match-recursive-only</command>, which
means that only recursive
requests from matching clients will match that view.
The order of the <command>view</command> statements is
a client request will be resolved in the context of the first
<command>view</command> that it matches.
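<para>The same first-match-wins <varname>address_match_list</varname> decides two things in this chapter: whether a connection to a <command>statistics-channels</command> listener is permitted by its <command>allow</command> clause, and which <command>view</command> a query lands in through <command>match-clients</command> and <command>match-destinations</command>. The following is an added example written for this manual, not BIND's own code: a small evaluator for a subset of the list syntax (<literal>any</literal>, <literal>none</literal>, an address or prefix, <literal>key <replaceable>name</replaceable></literal>, and <literal>!</literal> negation), applied to both cases, including <command>match-recursive-only</command> and the consequence of listing views in the wrong order. The sample views and addresses are constructed.</para>

```python
"""Added example (not BIND's code): evaluating an address_match_list.

The same first-match-wins list drives the ``allow`` clause of
statistics-channels and the ``match-clients`` / ``match-destinations``
clauses of a view, so one evaluator serves both passages.  Supported
elements are this example's own subset: ``any``, ``none``, an address or
prefix, ``key NAME`` (matches a request signed with that TSIG key), and a
leading ``!`` to negate an element.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


def _element_matches(element: str, addr, key: str | None) -> bool:
    """Does one (un-negated) list element match this address or key?"""
    if element == "any":
        return True
    if element == "none":
        return False
    if element.startswith("key "):
        return key is not None and key == element[4:].strip()
    net = ipaddress.ip_network(element, strict=False)
    return addr.version == net.version and addr in net


def address_match(aml: list[str], address: str, key: str | None = None) -> bool:
    """First matching element decides; a leading '!' turns that match into a
    rejection.  A list in which nothing matches rejects."""
    addr = ipaddress.ip_address(address)
    for element in aml:
        negate = element.startswith("!")
        if _element_matches(element.lstrip("!").strip(), addr, key):
            return not negate
    return False


def statistics_channel_permits(allow: list[str] | None, source: str) -> bool:
    """No ``allow`` clause means named accepts connections from any address."""
    return True if allow is None else address_match(allow, source)


@dataclass
class Request:
    source: str
    destination: str
    recursion_desired: bool = True   # RD flag in the query header
    key: str | None = None           # TSIG key name the query was signed with


@dataclass
class View:
    name: str
    match_clients: list[str] = field(default_factory=lambda: ["any"])
    match_destinations: list[str] = field(default_factory=lambda: ["any"])
    match_recursive_only: bool = False


def select_view(views: list[View], req: Request) -> str | None:
    """Name of the first view the request matches; the order of views decides."""
    for v in views:
        if v.match_recursive_only and not req.recursion_desired:
            continue
        if not address_match(v.match_clients, req.source, req.key):
            continue
        if not address_match(v.match_destinations, req.destination, req.key):
            continue
        return v.name
    return None


# Constructed sample, mirroring the split-DNS layout used in this section.
EXAMPLE_VIEWS = [
    View("internal", match_clients=["!10.0.99.0/24", "10.0.0.0/8", "key internal-key"]),
    View("external", match_clients=["any"]),
]
STATS_ALLOW = ["127.0.0.1", "::1", "10.0.0.0/8"]

if __name__ == "__main__":
    for src in ("10.0.0.7", "10.0.99.5", "203.0.113.9"):
        print(src, "-> view:", select_view(EXAMPLE_VIEWS, Request(src, "192.0.2.53")),
              "stats channel:", statistics_channel_permits(STATS_ALLOW, src))
```

<para>Two details are worth checking against your own configuration with a model like this. First, negation is positional: <literal>{ !10.0.99.0/24; 10.0.0.0/8; }</literal> excludes the /24, but <literal>{ 10.0.0.0/8; !10.0.99.0/24; }</literal> does not, because the /8 matches first. Second, reversing the two views makes the catch-all <literal>any</literal> view shadow the internal one for every client, which is the usual way internal zone data ends up being served to the outside, or internal clients lose recursion.</para>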
Zones defined within a <command>view</command>
only be accessible to clients that match the <command>view</command>.
By defining a zone of the same name in multiple views, different
zone data can be given to different clients, for example,
and "external" clients in a split DNS setup.
Many of the options given in the <command>options</command> statement
can also be used within a <command>view</command>
apply only when resolving queries with that view. When no
value is given, the value in the <command>options</command> statement
is used as a default. Also, zone options can have default values
in the <command>view</command> statement; these
view-specific defaults
take precedence over those in the <command>options</command> statement.
Views are class specific. If no class is given, class IN
is assumed. Note that all non-IN views must contain a hint zone,
since only the IN class has compiled-in default hints.
If there are no <command>view</command> statements in
file, a default view that matches any client is automatically
in class IN. Any <command>zone</command> statements
the top level of the configuration file are considered to be part
this default view, and the <command>options</command>
apply to the default view. If any explicit <command>view</command>
statements are present, all <command>zone</command>
occur inside <command>view</command> statements.
Here is an example of a typical split DNS setup implemented
using <command>view</command> statements:
<programlisting>view "internal" {
      // This should match our internal networks.
      match-clients { 10.0.0.0/8; };

      // Provide recursive service to internal clients only.
      recursion yes;

      // Provide a complete view of the example.com zone
      // including addresses of internal hosts.
      zone "example.com" {
            type master;
            file "example-internal.db";
      };
};

view "external" {
      // Match all clients not matched by the previous view.
      match-clients { any; };

      // Refuse recursive service to external clients.
      recursion no;

      // Provide a restricted view of the example.com zone
      // containing only publicly accessible hosts.
      zone "example.com" {
            type master;
            file "example-external.db";
      };
};
<sect2 id="zone_statement_grammar">
<title><command>zone</command>
Statement Grammar</title>
<programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> check-mx (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> check-wildcard <replaceable>yes_or_no</replaceable>; </optional>
<optional> check-integrity <replaceable>yes_or_no</replaceable> ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
<optional> journal <replaceable>string</replaceable> ; </optional>
<optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> ixfr-base <replaceable>string</replaceable> ; </optional>
<optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
<optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
<optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
<optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
<optional> sig-validity-interval <replaceable>number</replaceable> <optional><replaceable>number</replaceable></optional> ; </optional>
<optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
<optional> database <replaceable>string</replaceable> ; </optional>
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
<optional> key-directory <replaceable>path_name</replaceable>; </optional>
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
<optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
<optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
<optional> journal <replaceable>string</replaceable> ; </optional>
<optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> ixfr-base <replaceable>string</replaceable> ; </optional>
<optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
<optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
<optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
<optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
<optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
<optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
<optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
<optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
<optional> database <replaceable>string</replaceable> ; </optional>
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
<optional> zero-no-soa-ttl <replaceable>yes_or_no</replaceable> ; </optional>
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
file <replaceable>string</replaceable> ;
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; // Not Implemented. </optional>
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
<optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
<optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
<optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
<optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
<optional> file <replaceable>string</replaceable> ; </optional>
<optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
<optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
<optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
<optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
<optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
<optional> database <replaceable>string</replaceable> ; </optional>
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> min-retry-time <replaceable>number</replaceable> ; </optional>
<optional> max-retry-time <replaceable>number</replaceable> ; </optional>
<optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
<optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
<optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
<optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
8908 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
8909 type delegation-only;
8916 <title><command>zone</command> Statement Definition and Usage</title>
8918 <title>Zone Types</title>
8919 <informaltable colsep="0" rowsep="0">
8920 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
8921 <!--colspec colname="1" colnum="1" colsep="0" colwidth="1.108in"/-->
8922 <!--colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/-->
8923 <colspec colname="1" colnum="1" colsep="0"/>
8924 <colspec colname="2" colnum="2" colsep="0" colwidth="4.017in"/>
8929 <varname>master</varname>
8934 The server has a master copy of the data
8935 for the zone and will be able to provide authoritative
8944 <varname>slave</varname>
8949 A slave zone is a replica of a master
8950 zone. The <command>masters</command> list
8951 specifies one or more IP addresses
8952 of master servers that the slave contacts to update
8953 its copy of the zone.
8954 Masters list elements can also be names of other
8956 By default, transfers are made from port 53 on the
8958 be changed for all servers by specifying a port number
8960 list of IP addresses, or on a per-server basis after
8962 Authentication to the master can also be done with
8963 per-server TSIG keys.
8964 If a file is specified, then the
8965 replica will be written to this file whenever the zone
8967 and reloaded from this file on a server restart. Use
8969 recommended, since it often speeds server startup and
8971 a needless waste of bandwidth. Note that for large
8973 tens or hundreds of thousands) of zones per server, it
8975 use a two-level naming scheme for zone filenames. For
8977 a slave server for the zone <literal>example.com</literal> might place
8978 the zone contents into a file called
8979 <filename>ex/example.com</filename> where <filename>ex/</filename> is
8980 just the first two letters of the zone name. (Most
8982 behave very slowly if you put 100000 files into
8983 a single directory.)
8990 <varname>stub</varname>
8995 A stub zone is similar to a slave zone,
8996 except that it replicates only the NS records of a
8998 of the entire zone. Stub zones are not a standard part
9000 they are a feature specific to the <acronym>BIND</acronym> implementation.
9004 Stub zones can be used to eliminate the need for glue
9006 in a parent zone at the expense of maintaining a stub
9008 a set of name server addresses in <filename>named.conf</filename>.
9009 This usage is not recommended for new configurations,
9011 supports it only in a limited way.
9012 In <acronym>BIND</acronym> 4/8, zone
9013 transfers of a parent zone
9014 included the NS records from stub children of that
9016 that, in some cases, users could get away with
9017 configuring child stubs
9018 only in the master server for the parent zone. <acronym>BIND</acronym>
9019 9 never mixes together zone data from different zones
9021 way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
9022 zone has child stub zones configured, all the slave
9024 parent zone also need to have the same child stub
9030 Stub zones can also be used as a way of forcing the
9032 of a given domain to use a particular set of
9033 authoritative servers.
9034 For example, the caching name servers on a private
9036 RFC1918 addressing may be configured with stub zones
9038 <literal>10.in-addr.arpa</literal>
9039 to use a set of internal name servers as the
9041 servers for that domain.
9048 <varname>forward</varname>
9053 A "forward zone" is a way to configure
9054 forwarding on a per-domain basis. A <command>zone</command> statement
9055 of type <command>forward</command> can
9056 contain a <command>forward</command>
9057 and/or <command>forwarders</command>
9059 which will apply to queries within the domain given by
9061 name. If no <command>forwarders</command>
9062 statement is present or
9063 an empty list for <command>forwarders</command> is given, then no
9064 forwarding will be done for the domain, canceling the
9066 any forwarders in the <command>options</command> statement. Thus
9067 if you want to use this type of zone to change the
9069 global <command>forward</command> option
9070 (that is, "forward first"
9071 to, then "forward only", or vice versa, but want to
9073 servers as set globally) you need to re-specify the
9081 <varname>hint</varname>
9086 The initial set of root name servers is
9087 specified using a "hint zone". When the server starts
9089 the root hints to find a root name server and get the
9091 list of root name servers. If no hint zone is
9093 IN, the server uses a compiled-in default set of root
9095 Classes other than IN have no built-in default hints.
9102 <varname>delegation-only</varname>
9107 This is used to enforce the delegation-only
9108 status of infrastructure zones (e.g. COM,
9109 NET, ORG). Any answer that is received
9110 without an explicit or implicit delegation
9111 in the authority section will be treated
9112 as NXDOMAIN. This does not apply to the
9113 zone apex. This should not be applied to
9117 <varname>delegation-only</varname> has no
9118 effect on answers received from forwarders.
9121 See caveats in <xref linkend="root_delegation_only"/>.
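<para>
The following <filename>named.conf</filename> fragment is an added example and is not taken from this manual or from the <acronym>BIND</acronym> distribution. It puts the zone types described above side by side: a master zone that hands out transfers only to requests signed with a TSIG key, a slave that pulls from a named masters list with that key, a stub zone that pins the authoritative servers for <literal>10.in-addr.arpa</literal>, two forward zones (one cancelling global forwarding, one keeping it but switching to "forward only"), and a hint zone. The key name, addresses, zone and file names and the base64 secret are placeholders chosen for this example.
</para>

```conf
// Added example configuration; every name and address below is a placeholder.
// Generate a real secret with: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0";                        // placeholder: base64("secret"); never ship this
};

// A named masters list can be referenced from several slave zones.
masters "example-primaries" {
    192.0.2.1 key "xfer-key";                 // transfers from port 53, TSIG-signed
    2001:db8::1 port 5353 key "xfer-key";     // per-server port override
};

options {
    directory "/var/named";
    forwarders { 192.0.2.200; };             // global forwarders, overridden per zone below
    allow-transfer { none; };                 // no AXFR/IXFR unless a zone opens it explicitly
};

// Master copy. Transfers are granted to the key, not to an address range, so a
// spoofed source address cannot pull the zone. also-notify adds a receiver on
// a non-default port to the NS-derived notify set.
zone "example.com" {
    type master;
    file "ex/example.com";                    // two-level layout: "ex/" = first two letters
    journal "ex/example.com.jnl";             // same as the default, shown explicitly
    allow-transfer { key "xfer-key"; };
    notify yes;
    also-notify { 192.0.2.3 port 5353; };
};

// Replica of a different zone on this server. Keeping a file lets named serve
// the zone after a restart without an immediate transfer.
zone "example.net" {
    type slave;
    masters { "example-primaries"; };
    file "ex/example.net";
    allow-transfer { none; };                 // a slave need not offer transfers onward
};

// Stub: only the NS records are replicated, so every lookup under
// 10.in-addr.arpa is sent to the internal servers, not to the public tree.
zone "10.in-addr.arpa" {
    type stub;
    masters { 10.0.0.53; };
    file "stub/10.in-addr.arpa";
};

// Forward zone with an empty forwarders list: names under corp.example are
// resolved normally, cancelling the global forwarders for that domain only.
zone "corp.example" {
    type forward;
    forwarders { };
};

// Forward zone that keeps the global forwarders but changes to "forward only":
// the list has to be repeated, because an absent list would cancel forwarding.
zone "partner.example" {
    type forward;
    forward only;
    forwarders { 192.0.2.200; };
};

// Root hints. For class IN a compiled-in default exists if this is omitted.
zone "." {
    type hint;
    file "named.root";
};
```

<para>
Check a fragment like this with <command>named-checkconf</command> before loading it; note in particular that <command>allow-transfer { none; }</command> in <command>options</command> is the global default here, and each zone that should be transferable opens it for a key rather than for an address list.
</para>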
9131 <title>Class</title>
9133 The zone's name may optionally be followed by a class. If
9134 a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
9135 is assumed. This is correct for the vast majority of cases.
9138 The <literal>hesiod</literal> class is
9139 named for an information service from MIT's Project Athena. It
9141 used to share information about various systems databases, such
9142 as users, groups, printers and so on. The keyword
9143 <literal>HS</literal> is
9144 a synonym for hesiod.
9147 Another MIT development is Chaosnet, a LAN protocol created
9148 in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.
9153 <title>Zone Options</title>
9158 <term><command>allow-notify</command></term>
9161 See the description of
9162 <command>allow-notify</command> in <xref linkend="access_control"/>.
9168 <term><command>allow-query</command></term>
9171 See the description of
9172 <command>allow-query</command> in <xref linkend="access_control"/>.
9178 <term><command>allow-query-on</command></term>
9181 See the description of
9182 <command>allow-query-on</command> in <xref linkend="access_control"/>.
9188 <term><command>allow-transfer</command></term>
9191 See the description of <command>allow-transfer</command>
9192 in <xref linkend="access_control"/>.
9198 <term><command>allow-update</command></term>
9201 See the description of <command>allow-update</command>
9202 in <xref linkend="access_control"/>.
9208 <term><command>update-policy</command></term>
9211 Specifies a "Simple Secure Update" policy. See
9212 <xref linkend="dynamic_update_policies"/>.
9218 <term><command>allow-update-forwarding</command></term>
9221 See the description of <command>allow-update-forwarding</command>
9222 in <xref linkend="access_control"/>.
9228 <term><command>also-notify</command></term>
9231 Only meaningful if <command>notify</command>
9233 active for this zone. The set of machines that will
9235 <literal>DNS NOTIFY</literal> message
9236 for this zone is made up of all the listed name servers
9238 the primary master) for the zone plus any IP addresses
9240 with <command>also-notify</command>. A port
9242 with each <command>also-notify</command>
9243 address to send the notify
9244 messages to a port other than the default of 53.
9245 <command>also-notify</command> is not
9246 meaningful for stub zones.
9247 The default is the empty list.
9253 <term><command>check-names</command></term>
9256 This option is used to restrict the character set and
9258 certain domain names in master files and/or DNS responses
9260 network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
9261 zones the default is <command>warn</command>.
9267 <term><command>check-mx</command></term>
9270 See the description of
9271 <command>check-mx</command> in <xref linkend="boolean_options"/>.
9277 <term><command>check-wildcard</command></term>
9280 See the description of
9281 <command>check-wildcard</command> in <xref linkend="boolean_options"/>.
9287 <term><command>check-integrity</command></term>
9290 See the description of
9291 <command>check-integrity</command> in <xref linkend="boolean_options"/>.
9297 <term><command>check-sibling</command></term>
9300 See the description of
9301 <command>check-sibling</command> in <xref linkend="boolean_options"/>.
9307 <term><command>zero-no-soa-ttl</command></term>
9310 See the description of
9311 <command>zero-no-soa-ttl</command> in <xref linkend="boolean_options"/>.
9317 <term><command>update-check-ksk</command></term>
9320 See the description of
9321 <command>update-check-ksk</command> in <xref linkend="boolean_options"/>.
9327 <term><command>try-tcp-refresh</command></term>
9330 See the description of
9331 <command>try-tcp-refresh</command> in <xref linkend="boolean_options"/>.
9337 <term><command>database</command></term>
9340 Specify the type of database to be used for storing the
9341 zone data. The string following the <command>database</command> keyword
9342 is interpreted as a list of whitespace-delimited words.
9344 identifies the database type, and any subsequent words are
9346 as arguments to the database to be interpreted in a way
9348 to the database type.
9351 The default is <userinput>"rbt"</userinput>, BIND 9's
9353 red-black-tree database. This database does not take
9357 Other values are possible if additional database drivers
9358 have been linked into the server. Some sample drivers are
9360 with the distribution but none are linked in by default.
9366 <term><command>dialup</command></term>
9369 See the description of
9370 <command>dialup</command> in <xref linkend="boolean_options"/>.
9376 <term><command>delegation-only</command></term>
9379 The flag only applies to hint and stub zones. If set
9380 to <userinput>yes</userinput>, then the zone is also
9381 treated as a delegation-only type zone.
9384 See caveats in <xref linkend="root_delegation_only"/>.
9390 <term><command>forward</command></term>
9393 Only meaningful if the zone has a forwarders
9394 list. The <command>only</command> value causes
9396 after trying the forwarders and getting no answer, while <command>first</command> would
9397 allow a normal lookup to be tried.
9403 <term><command>forwarders</command></term>
9406 Used to override the list of global forwarders.
9407 If it is not specified in a zone of type <command>forward</command>,
9408 no forwarding is done for the zone and the global options are
9415 <term><command>ixfr-base</command></term>
9418 Was used in <acronym>BIND</acronym> 8 to
9420 of the transaction log (journal) file for dynamic update
9422 <acronym>BIND</acronym> 9 ignores the option
9423 and constructs the name of the journal
9424 file by appending "<filename>.jnl</filename>"
9432 <term><command>ixfr-tmp-file</command></term>
9435 Was an undocumented option in <acronym>BIND</acronym> 8.
9436 Ignored in <acronym>BIND</acronym> 9.
9442 <term><command>journal</command></term>
9445 Allow the default journal's filename to be overridden.
9446 The default is the zone's filename with "<filename>.jnl</filename>" appended.
9447 This is applicable to <command>master</command> and <command>slave</command> zones.
9453 <term><command>max-journal-size</command></term>
9456 See the description of
9457 <command>max-journal-size</command> in <xref linkend="server_resource_limits"/>.
9463 <term><command>max-transfer-time-in</command></term>
9466 See the description of
9467 <command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.
9473 <term><command>max-transfer-idle-in</command></term>
9476 See the description of
9477 <command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.
9483 <term><command>max-transfer-time-out</command></term>
9486 See the description of
9487 <command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.
9493 <term><command>max-transfer-idle-out</command></term>
9496 See the description of
9497 <command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.
9503 <term><command>notify</command></term>
9506 See the description of
9507 <command>notify</command> in <xref linkend="boolean_options"/>.
9513 <term><command>notify-delay</command></term>
9516 See the description of
9517 <command>notify-delay</command> in <xref linkend="tuning"/>.
9523 <term><command>notify-to-soa</command></term>
9526 See the description of
9527 <command>notify-to-soa</command> in
9528 <xref linkend="boolean_options"/>.
9534 <term><command>pubkey</command></term>
9537 In <acronym>BIND</acronym> 8, this option was
9538 intended for specifying
9539 a public zone key for verification of signatures in DNSSEC
9541 zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
9542 on load and ignores the option.
9548 <term><command>zone-statistics</command></term>
9551 If <userinput>yes</userinput>, the server will keep
9553 information for this zone, which can be dumped to the
9554 <command>statistics-file</command> defined in
9561 <term><command>sig-validity-interval</command></term>
9564 See the description of
9565 <command>sig-validity-interval</command> in <xref linkend="tuning"/>.
9571 <term><command>sig-signing-nodes</command></term>
9574 See the description of
9575 <command>sig-signing-nodes</command> in <xref linkend="tuning"/>.
9581 <term><command>sig-signing-signatures</command></term>
9584 See the description of
9585 <command>sig-signing-signatures</command> in <xref linkend="tuning"/>.
9591 <term><command>sig-signing-type</command></term>
9594 See the description of
9595 <command>sig-signing-type</command> in <xref linkend="tuning"/>.
9601 <term><command>transfer-source</command></term>
9604 See the description of
9605 <command>transfer-source</command> in <xref linkend="zone_transfers"/>.
9611 <term><command>transfer-source-v6</command></term>
9614 See the description of
9615 <command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9621 <term><command>alt-transfer-source</command></term>
9624 See the description of
9625 <command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9631 <term><command>alt-transfer-source-v6</command></term>
9634 See the description of
9635 <command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>.
9641 <term><command>use-alt-transfer-source</command></term>
9644 See the description of
9645 <command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>.
9652 <term><command>notify-source</command></term>
9655 See the description of
9656 <command>notify-source</command> in <xref linkend="zone_transfers"/>.
9662 <term><command>notify-source-v6</command></term>
9665 See the description of
9666 <command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
9672 <term><command>min-refresh-time</command></term>
9673 <term><command>max-refresh-time</command></term>
9674 <term><command>min-retry-time</command></term>
9675 <term><command>max-retry-time</command></term>
9678 See the description in <xref linkend="tuning"/>.
9684 <term><command>ixfr-from-differences</command></term>
9687 See the description of
9688 <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
9689 (Note that the <command>ixfr-from-differences</command>
9690 <userinput>master</userinput> and
9691 <userinput>slave</userinput> choices are not
9692 available at the zone level.)
9698 <term><command>key-directory</command></term>
9701 See the description of
9702 <command>key-directory</command> in <xref linkend="options"/>.
9708 <term><command>multi-master</command></term>
9711 See the description of <command>multi-master</command> in
9712 <xref linkend="boolean_options"/>.
9718 <term><command>masterfile-format</command></term>
9721 See the description of <command>masterfile-format</command>
9722 in <xref linkend="tuning"/>.
9730 <sect3 id="dynamic_update_policies">
9731 <title>Dynamic Update Policies</title>
9732 <para><acronym>BIND</acronym> 9 supports two alternative
9733 methods of granting clients the right to perform
9734 dynamic updates to a zone, configured by the
9735 <command>allow-update</command> and
9736 <command>update-policy</command> options, respectively.
9739 The <command>allow-update</command> clause works the
9740 same way as in previous versions of <acronym>BIND</acronym>.
9741 It grants the clients matching its address match list (by source
9742 address or by TSIG key name) permission to update any
9743 record of any name in the zone; there is no per-name or per-type restriction.
9745 The <command>update-policy</command> clause is new
9746 in <acronym>BIND</acronym> 9 and allows more fine-grained
9747 control over what updates are allowed. A set of rules
9748 is specified, where each rule either grants or denies
9749 permissions for one or more names to be updated by
9750 one or more identities. If the dynamic update request
9751 message is signed (that is, it includes either a TSIG
9752 or SIG(0) record), the identity of the signer can be
9756 Rules are specified in the <command>update-policy</command>
9757 zone option, and are only meaningful for master zones.
9758 When the <command>update-policy</command> statement
9759 is present, it is a configuration error for the
9760 <command>allow-update</command> statement to be
9761 present. The <command>update-policy</command> statement
9762 only examines the signer of a message; the source
9763 address is not relevant, except for the <varname>tcp-self</varname> and
9764 <varname>6to4-self</varname> nametypes described below, which match on the
9765 address of the TCP connection instead of on a signer.
9767 This is how a rule definition looks:
9771 ( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
9775 Each rule grants or denies privileges. Once a message has
9776 successfully matched a rule, the operation is immediately
9778 or denied and no further rules are examined. A rule is matched
9779 when the signer matches the identity field, the name matches the
9780 name field in accordance with the nametype field, and the type
9782 the types specified in the type field.
9785 No signer is required for <replaceable>tcp-self</replaceable>
9786 or <replaceable>6to4-self</replaceable>; however, the standard
9787 reverse mapping / prefix conversion must match the identity
9791 The identity field specifies a name or a wildcard
9792 name. Normally, this is the name of the TSIG or
9793 SIG(0) key used to sign the update request. When a
9794 TKEY exchange has been used to create a shared secret,
9795 the identity of the shared secret is the same as the
9796 identity of the key used to authenticate the TKEY
9797 exchange. TKEY is also the negotiation method used
9798 by GSS-TSIG, which establishes an identity that is
9799 the Kerberos principal of the client, such as
9800 <userinput>"user@host.domain"</userinput>. When the
9801 <replaceable>identity</replaceable> field specifies
9802 a wildcard name, it is subject to DNS wildcard
9803 expansion, so the rule will apply to multiple identities.
9804 The <replaceable>identity</replaceable> field must
9805 contain a fully-qualified domain name.
9809 The <replaceable>nametype</replaceable> field has 12
9811 <varname>name</varname>, <varname>subdomain</varname>,
9812 <varname>wildcard</varname>, <varname>self</varname>,
9813 <varname>selfsub</varname>, <varname>selfwild</varname>,
9814 <varname>krb5-self</varname>, <varname>ms-self</varname>,
9815 <varname>krb5-subdomain</varname>,
9816 <varname>ms-subdomain</varname>,
9817 <varname>tcp-self</varname> and <varname>6to4-self</varname>.
9820 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
9821 <colspec colname="1" colnum="1" colsep="0" colwidth="0.819in"/>
9822 <colspec colname="2" colnum="2" colsep="0" colwidth="3.681in"/>
9827 <varname>name</varname>
9829 </entry> <entry colname="2">
9831 Exact-match semantics. This rule matches
9832 when the name being updated is identical
9833 to the contents of the
9834 <replaceable>name</replaceable> field.
9841 <varname>subdomain</varname>
9843 </entry> <entry colname="2">
9845 This rule matches when the name being updated
9846 is a subdomain of, or identical to, the
9847 contents of the <replaceable>name</replaceable>
9855 <varname>wildcard</varname>
9857 </entry> <entry colname="2">
9859 The <replaceable>name</replaceable> field
9860 is subject to DNS wildcard expansion, and
9861 this rule matches when the name being updated
9862 is a valid expansion of the wildcard.
9869 <varname>self</varname>
9874 This rule matches when the name being updated
9875 matches the contents of the
9876 <replaceable>identity</replaceable> field.
9877 The <replaceable>name</replaceable> field
9878 is ignored, but should be the same as the
9879 <replaceable>identity</replaceable> field.
9880 The <varname>self</varname> nametype is
9881 most useful when using one key per
9882 name to be updated, where the key has the same
9883 name as the name to be updated. The
9884 <replaceable>identity</replaceable> would
9885 be specified as <constant>*</constant> (an asterisk) in
9893 <varname>selfsub</varname>
9895 </entry> <entry colname="2">
9897 This rule is similar to <varname>self</varname>
9898 except that subdomains of <varname>self</varname>
9899 can also be updated.
9906 <varname>selfwild</varname>
9908 </entry> <entry colname="2">
9910 This rule is similar to <varname>self</varname>
9911 except that only subdomains of
9912 <varname>self</varname> can be updated.
9919 <varname>tcp-self</varname>
9921 </entry> <entry colname="2">
9923 Allow updates that have been sent via TCP and
9924 for which the standard mapping from the initiating
9925 IP address into the IN-ADDR.ARPA and IP6.ARPA
9926 namespaces matches the name to be updated.
9929 It is theoretically possible to spoof these TCP
9937 <varname>6to4-self</varname>
9939 </entry> <entry colname="2">
9941 Allow the 6to4 prefix to be updated by any TCP
9942 connection from the 6to4 network or from the
9943 corresponding IPv4 address. This is intended
9944 to allow NS or DNAME RRsets to be added to the
9948 It is theoretically possible to spoof these TCP
9958 In all cases, the <replaceable>name</replaceable>
9960 specify a fully-qualified domain name.
9964 If no types are explicitly specified, this rule matches
9965 all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
9966 may be specified by name, including "ANY" (ANY matches
9967 all types except NSEC and NSEC3, which can never be
9968 updated). Note that when an attempt is made to delete
9969 all records associated with a name, the rules are
9970 checked for each existing record type.
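<para>
The following zone definitions are an added example and are not from this manual or from the <acronym>BIND</acronym> distribution; they show the rule semantics described above (first match wins, wildcard identities, the <varname>self</varname>, <varname>selfsub</varname> and <varname>subdomain</varname> nametypes, the default type set, and an unsigned <varname>tcp-self</varname> rule). The zone names, key names and host names are placeholders, and the keys are assumed to be defined with <command>key</command> statements elsewhere in <filename>named.conf</filename> and shared with the clients that send the updates.
</para>

```conf
// Added example; zone, key and host names are placeholders.
zone "example.com" {
    type master;
    file "ex/example.com";
    // allow-update and update-policy are mutually exclusive. With update-policy
    // only the signer matters: the source address of an update is ignored for
    // every rule here (tcp-self, in the reverse zone below, is the exception).
    update-policy {
        // Rules are checked in order and the first match decides, so a deny for
        // a name that must stay fixed has to precede the broad grant after it.
        deny  dhcp.example.com. name www.example.com.;

        // The DHCP server's key may maintain address and DHCID records for any
        // name under the zone. Leaving the types out would allow every type
        // except RRSIG, NS, SOA, NSEC and NSEC3 (CNAME, MX, TXT, ...), so the
        // permitted types are listed explicitly.
        grant dhcp.example.com. subdomain example.com. A AAAA DHCID;

        // One key per host: the wildcard identity matches any key named
        // <host>.example.com., and "self" then lets that key update only its
        // own name. The name field is ignored for self but repeats the identity.
        grant *.example.com. self *.example.com. A AAAA SSHFP;

        // The same key may manage names below its own (e.g. _sip._tcp.<host>).
        // selfwild would instead permit only the names below, not the host itself.
        grant *.example.com. selfsub *.example.com. SRV TXT;

        // NS is excluded from an unlisted type set, so a key that maintains a
        // delegation has to name NS (and DS for a signed child) explicitly.
        grant child-ops.example.com. subdomain child.example.com. NS DS A AAAA;

        // No matching rule: the update is refused. There is no implicit grant.
    };
};

// Reverse zone. tcp-self needs no signer: a PTR may be changed only over TCP,
// and only at the name that is the standard reverse mapping of the TCP source
// address. TCP sessions can in theory be spoofed, so this is suitable for an
// internal network, not for a server reachable from arbitrary clients.
zone "10.in-addr.arpa" {
    type master;
    file "rev/10.in-addr.arpa";
    update-policy {
        grant * tcp-self 10.in-addr.arpa. PTR;
    };
};
```

<para>
A rule set is easiest to verify by exercising it: send updates with <command>nsupdate -k</command> using each key and confirm that the intended ones succeed and that, for instance, the DHCP key is refused at <literal>www.example.com</literal> and for an NS record. Refusals are recorded under the <literal>update-security</literal> logging category.
</para>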
9976 <title>Zone File</title>
9977 <sect2 id="types_of_resource_records_and_when_to_use_them">
9978 <title>Types of Resource Records and When to Use Them</title>
9980 This section, largely borrowed from RFC 1034, describes the
9981 concept of a Resource Record (RR) and explains when each is used.
9982 Since the publication of RFC 1034, several new RRs have been
9984 and implemented in the DNS. These are also included.
9987 <title>Resource Records</title>
9990 A domain name identifies a node. Each node has a set of
9991 resource information, which may be empty. The set of resource
9992 information associated with a particular name is composed of
9993 separate RRs. The order of RRs in a set is not significant and
9994 need not be preserved by name servers, resolvers, or other
9995 parts of the DNS. However, sorting of multiple RRs is
9996 permitted for optimization purposes, for example, to specify
9997 that a particular nearby server be tried first. See <xref linkend="the_sortlist_statement"/> and <xref linkend="rrset_ordering"/>.
10001 The components of a Resource Record are:
10003 <informaltable colsep="0" rowsep="0">
10004 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10005 <colspec colname="1" colnum="1" colsep="0" colwidth="1.000in"/>
10006 <colspec colname="2" colnum="2" colsep="0" colwidth="3.500in"/>
10009 <entry colname="1">
10014 <entry colname="2">
10016 The domain name where the RR is found.
10021 <entry colname="1">
10026 <entry colname="2">
10028 An encoded 16-bit value that specifies
10029 the type of the resource record.
10034 <entry colname="1">
10039 <entry colname="2">
10041 The time-to-live of the RR. This field
10042 is a 32-bit integer in units of seconds, and is
10044 resolvers when they cache RRs. The TTL describes how
10046 be cached before it should be discarded.
10051 <entry colname="1">
10056 <entry colname="2">
10058 An encoded 16-bit value that identifies
10059 a protocol family or instance of a protocol.
10064 <entry colname="1">
10069 <entry colname="2">
10071 The resource data. The format of the
10072 data is type (and sometimes class) specific.
10080 The following are <emphasis>types</emphasis> of valid RRs:
10082 <informaltable colsep="0" rowsep="0">
10083 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10084 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
10085 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
10088 <entry colname="1">
10093 <entry colname="2">
10095 A host address. In the IN class, this is a
10096 32-bit IP address. Described in RFC 1035.
10101 <entry colname="1">
10106 <entry colname="2">
10108 IPv6 address. Described in RFC 1886.
10113 <entry colname="1">
10118 <entry colname="2">
10120 IPv6 address. This can be a partial
10121 address (a suffix) and an indirection to the name
10122 where the rest of the
10123 address (the prefix) can be found. Experimental.
10124 Described in RFC 2874.
10129 <entry colname="1">
10134 <entry colname="2">
10136 Location of AFS database servers.
10137 Experimental. Described in RFC 1183.
10142 <entry colname="1">
10147 <entry colname="2">
10149 Address prefix list. Experimental.
10150 Described in RFC 3123.
10155 <entry colname="1">
10160 <entry colname="2">
10162 Holds a digital certificate.
10163 Described in RFC 2538.
10168 <entry colname="1">
10173 <entry colname="2">
10175 Identifies the canonical name of an alias.
10176 Described in RFC 1035.
10181 <entry colname="1">
10186 <entry colname="2">
10188 Identifies which DHCP client is
10189 associated with this name. Described in RFC 4701.
10194 <entry colname="1">
10199 <entry colname="2">
10201 Replaces the domain name specified with
10202 another name to be looked up, effectively aliasing an
10204 subtree of the domain name space rather than a single
10206 as in the case of the CNAME RR.
10207 Described in RFC 2672.
10212 <entry colname="1">
10217 <entry colname="2">
10219 Stores a public key associated with a signed
10220 DNS zone. Described in RFC 4034.
10225 <entry colname="1">
10230 <entry colname="2">
10232 Stores the hash of a public key associated with a
10233 signed DNS zone. Described in RFC 4034.
10238 <entry colname="1">
10243 <entry colname="2">
10245 Specifies the global position. Superseded by LOC.
10250 <entry colname="1">
10255 <entry colname="2">
10257 Identifies the CPU and OS used by a host.
10258 Described in RFC 1035.
10263 <entry colname="1">
10268 <entry colname="2">
10270 Provides a method for storing IPsec keying material in
10271 DNS. Described in RFC 4025.
10276 <entry colname="1">
10281 <entry colname="2">
10283 Representation of ISDN addresses.
10284 Experimental. Described in RFC 1183.
10289 <entry colname="1">
10294 <entry colname="2">
10296 Stores a public key associated with a
10297 DNS name. Used in original DNSSEC; replaced
10298 by DNSKEY in DNSSECbis, but still used with
10299 SIG(0). Described in RFCs 2535 and 2931.
10304 <entry colname="1">
10309 <entry colname="2">
10311 Identifies a key exchanger for this
10312 DNS name. Described in RFC 2230.
10317 <entry colname="1">
10322 <entry colname="2">
10324 For storing GPS info. Described in RFC 1876.
10330 <entry colname="1">
10335 <entry colname="2">
10337 Identifies a mail exchange for the domain with
10338 a 16-bit preference value (lower is better)
10339 followed by the host name of the mail exchange.
10340 Described in RFC 974, RFC 1035.
10345 <entry colname="1">
10350 <entry colname="2">
10352 Name authority pointer. Described in RFC 2915.
10357 <entry colname="1">
10362 <entry colname="2">
10364 A network service access point.
10365 Described in RFC 1706.
10370 <entry colname="1">
10375 <entry colname="2">
10377 The authoritative name server for the
10378 domain. Described in RFC 1035.
10383 <entry colname="1">
10388 <entry colname="2">
10390 Used in DNSSECbis to securely indicate that
10391 RRs with an owner name in a certain name interval do
10393 a zone and indicate what RR types are present for an
10395 Described in RFC 4034.
10400 <entry colname="1">
10405 <entry colname="2">
10407 Used in DNSSECbis to securely indicate that
10408 RRs with an owner name in a certain name
10409 interval do not exist in a zone and indicate
10410 what RR types are present for an existing
10411 name. NSEC3 differs from NSEC in that it
10412 hashes the owner names, which makes zone
10413 enumeration much harder (though not impossible), at a higher
10414 computational cost on both the server and the client than NSEC. Described in RFC
10420 <entry colname="1">
10425 <entry colname="2">
10427 Used in DNSSECbis to tell the authoritative
10428 server which NSEC3 chains are available to use.
10429 Described in RFC 5155.
10434 <entry colname="1">
10439 <entry colname="2">
10441 Used in DNSSEC to securely indicate that
10442 RRs with an owner name in a certain name interval do
10444 a zone and indicate what RR types are present for an
10446 Used in original DNSSEC; replaced by NSEC in
10448 Described in RFC 2535.
10453 <entry colname="1">
10458 <entry colname="2">
10460 A pointer to another part of the domain
10461 name space. Described in RFC 1035.
10466 <entry colname="1">
10471 <entry colname="2">
10473 Provides mappings between RFC 822 and X.400
10474 addresses. Described in RFC 2163.
10479 <entry colname="1">
10484 <entry colname="2">
10486 Information on persons responsible
10487 for the domain. Experimental. Described in RFC 1183.
10492 <entry colname="1">
10497 <entry colname="2">
10499 Contains DNSSECbis signature data. Described in RFC 4034.
10505 <entry colname="1">
10510 <entry colname="2">
10512 Route-through binding for hosts that
10513 do not have their own direct wide area network addresses.
10515 Experimental. Described in RFC 1183.
10520 <entry colname="1">
10525 <entry colname="2">
10527 Contains DNSSEC signature data. Used in
10528 original DNSSEC; replaced by RRSIG in
10529 DNSSECbis, but still used for SIG(0).
10530 Described in RFCs 2535 and 2931.
10535 <entry colname="1">
10540 <entry colname="2">
10542 Identifies the start of a zone of authority.
10543 Described in RFC 1035.
10548 <entry colname="1">
10553 <entry colname="2">
10555 Contains the Sender Policy Framework information
10556 for a given email domain. Described in RFC 4408.
10561 <entry colname="1">
10566 <entry colname="2">
10568 Information about well known network
10569 services (replaces WKS). Described in RFC 2782.
10574 <entry colname="1">
10579 <entry colname="2">
10581 Provides a way to securely publish a secure shell key's
10582 fingerprint. Described in RFC 4255.
10587 <entry colname="1">
10592 <entry colname="2">
10594 Text records. Described in RFC 1035.
10599 <entry colname="1">
10604 <entry colname="2">
10606 Information about which well known
10607 network services, such as SMTP, that a domain
10608 supports. Historical.
10613 <entry colname="1">
10618 <entry colname="2">
10620 Representation of X.25 network addresses.
10621 Experimental. Described in RFC 1183.
10629 The following <emphasis>classes</emphasis> of resource records
10630 are currently valid in the DNS:
10632 <informaltable colsep="0" rowsep="0"><tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10633 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
10634 <colspec colname="2" colnum="2" colsep="0" colwidth="3.625in"/>
10638 <entry colname="1">
10643 <entry colname="2">
10651 <entry colname="1">
10656 <entry colname="2">
10658 Chaosnet, a LAN protocol created at MIT in the mid-1970s.
10660 Rarely used for its historical purpose, but reused for BIND's
10662 built-in server information zones, e.g.,
10663 <literal>version.bind</literal>.
10669 <entry colname="1">
10674 <entry colname="2">
10676 Hesiod, an information service
10677 developed by MIT's Project Athena. It is used to share information
10679 about various systems databases, such as users, groups, printers and so on.
10691 The owner name is often implicit, rather than forming an integral
10693 part of the RR. For example, many name servers internally form tree
10695 or hash structures for the name space, and chain RRs off nodes.
10696 The remaining RR parts are the fixed header (type, class, TTL)
10697 which is consistent for all RRs, and a variable part (RDATA) that
10699 fits the needs of the resource being described.
10702 The meaning of the TTL field is a time limit on how long an
10703 RR can be kept in a cache. This limit does not apply to authoritative
10705 data in zones; it is also timed out, but by the refreshing policies
10707 for the zone. The TTL is assigned by the administrator for the
10708 zone where the data originates. While short TTLs can be used to
10709 minimize caching, and a zero TTL prohibits caching, the realities
10711 of Internet performance suggest that these times should be on the
10713 order of days for the typical host. If a change can be anticipated,
10715 the TTL can be reduced prior to the change to minimize caching
10717 during the change, and then increased back to its former value.
10722 The data in the RDATA section of RRs is carried as a combination
10723 of binary strings and domain names. The domain names are frequently
10725 used as "pointers" to other data in the DNS.
10729 <title>Textual expression of RRs</title>
10731 RRs are represented in binary form in the packets of the DNS
10732 protocol, and are usually represented in highly encoded form when
10734 stored in a name server or resolver. In the examples provided in
10736 RFC 1034, a style similar to that used in master files was employed
10738 in order to show the contents of RRs. In this format, most RRs
10739 are shown on a single line, although continuation lines are possible using parentheses.
10744 The start of the line gives the owner of the RR. If a line
10745 begins with a blank, then the owner is assumed to be the same as
10746 that of the previous RR. Blank lines are often included for readability.
10750 Following the owner, we list the TTL, type, and class of the
10751 RR. Class and type use the mnemonics defined above, and TTL is
10752 an integer before the type field. In order to avoid ambiguity in
10754 parsing, type and class mnemonics are disjoint, TTLs are integers,
10756 and the type mnemonic is always last. The IN class and TTL
10758 are often omitted from examples in the interests of clarity.
10761 The resource data or RDATA section of the RR is given using
10762 knowledge of the typical representation for the data.
10765 For example, we might show the RRs carried in a message as:
10767 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10768 <colspec colname="1" colnum="1" colsep="0" colwidth="1.381in"/>
10769 <colspec colname="2" colnum="2" colsep="0" colwidth="1.020in"/>
10770 <colspec colname="3" colnum="3" colsep="0" colwidth="2.099in"/>
10773 <entry colname="1">
10775 <literal>ISI.EDU.</literal>
10778 <entry colname="2">
10780 <literal>MX</literal>
10783 <entry colname="3">
10785 <literal>10 VENERA.ISI.EDU.</literal>
10790 <entry colname="1">
10793 <entry colname="2">
10795 <literal>MX</literal>
10798 <entry colname="3">
10800 <literal>10 VAXA.ISI.EDU</literal>
10805 <entry colname="1">
10807 <literal>VENERA.ISI.EDU</literal>
10810 <entry colname="2">
10812 <literal>A</literal>
10815 <entry colname="3">
10817 <literal>128.9.0.32</literal>
10822 <entry colname="1">
10825 <entry colname="2">
10827 <literal>A</literal>
10830 <entry colname="3">
10832 <literal>10.1.0.52</literal>
10837 <entry colname="1">
10839 <literal>VAXA.ISI.EDU</literal>
10842 <entry colname="2">
10844 <literal>A</literal>
10847 <entry colname="3">
10849 <literal>10.2.0.27</literal>
10854 <entry colname="1">
10857 <entry colname="2">
10859 <literal>A</literal>
10862 <entry colname="3">
10864 <literal>128.9.0.33</literal>
10872 The MX RRs have an RDATA section which consists of a 16-bit
10873 number followed by a domain name. The address RRs use a standard
10875 IP address format to contain a 32-bit internet address.
10878 The above example shows six RRs, with two RRs at each of three domain names.
10882 Similarly we might see:
10884 <informaltable colsep="0" rowsep="0"><tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
10885 <colspec colname="1" colnum="1" colsep="0" colwidth="1.491in"/>
10886 <colspec colname="2" colnum="2" colsep="0" colwidth="1.067in"/>
10887 <colspec colname="3" colnum="3" colsep="0" colwidth="2.067in"/>
10890 <entry colname="1">
10892 <literal>XX.LCS.MIT.EDU.</literal>
10895 <entry colname="2">
10897 <literal>IN A</literal>
10900 <entry colname="3">
10902 <literal>10.0.0.44</literal>
10907 <entry colname="1"/>
10908 <entry colname="2">
10910 <literal>CH A</literal>
10913 <entry colname="3">
10915 <literal>MIT.EDU. 2420</literal>
10923 This example shows two addresses for
10924 <literal>XX.LCS.MIT.EDU</literal>, each of a different class.
10930 <title>Discussion of MX Records</title>
10933 As described above, domain servers store information as a
10934 series of resource records, each of which contains a particular
10935 piece of information about a given domain name (which is usually,
10936 but not always, a host). The simplest way to think of a RR is as
10937 a typed pair of data, a domain name matched with a relevant datum,
10938 and stored with some additional type information to help systems
10939 determine when the RR is relevant.
10943 MX records are used to control delivery of email. The data
10944 specified in the record is a priority and a domain name. The priority
10946 controls the order in which email delivery is attempted, with the
10947 lowest number first. If two priorities are the same, a server is
10948 chosen randomly. If no servers at a given priority are responding,
10949 the mail transport agent will fall back to the next largest priority.
10951 Priority numbers do not have any absolute meaning — they are
10953 only relative to other MX records for that domain name. The domain
10955 name given is the machine to which the mail will be delivered.
10956 It <emphasis>must</emphasis> have an associated address record
10957 (A or AAAA) — CNAME is not sufficient.
10960 For a given domain, if there is both a CNAME record and an
10961 MX record, the MX record is in error, and will be ignored. Instead,
10963 the mail will be delivered to the server specified in the MX record
10965 pointed to by the CNAME.
10968 <informaltable colsep="0" rowsep="0">
10969 <tgroup cols="5" colsep="0" rowsep="0" tgroupstyle="3Level-table">
10970 <colspec colname="1" colnum="1" colsep="0" colwidth="1.708in"/>
10971 <colspec colname="2" colnum="2" colsep="0" colwidth="0.444in"/>
10972 <colspec colname="3" colnum="3" colsep="0" colwidth="0.444in"/>
10973 <colspec colname="4" colnum="4" colsep="0" colwidth="0.976in"/>
10974 <colspec colname="5" colnum="5" colsep="0" colwidth="1.553in"/>
10977 <entry colname="1">
10979 <literal>example.com.</literal>
10982 <entry colname="2">
10984 <literal>IN</literal>
10987 <entry colname="3">
10989 <literal>MX</literal>
10992 <entry colname="4">
10994 <literal>10</literal>
10997 <entry colname="5">
10999 <literal>mail.example.com.</literal>
11004 <entry colname="1">
11007 <entry colname="2">
11009 <literal>IN</literal>
11012 <entry colname="3">
11014 <literal>MX</literal>
11017 <entry colname="4">
11019 <literal>10</literal>
11022 <entry colname="5">
11024 <literal>mail2.example.com.</literal>
11029 <entry colname="1">
11032 <entry colname="2">
11034 <literal>IN</literal>
11037 <entry colname="3">
11039 <literal>MX</literal>
11042 <entry colname="4">
11044 <literal>20</literal>
11047 <entry colname="5">
11049 <literal>mail.backup.org.</literal>
11054 <entry colname="1">
11056 <literal>mail.example.com.</literal>
11059 <entry colname="2">
11061 <literal>IN</literal>
11064 <entry colname="3">
11066 <literal>A</literal>
11069 <entry colname="4">
11071 <literal>10.0.0.1</literal>
11074 <entry colname="5">
11079 <entry colname="1">
11081 <literal>mail2.example.com.</literal>
11084 <entry colname="2">
11086 <literal>IN</literal>
11089 <entry colname="3">
11091 <literal>A</literal>
11094 <entry colname="4">
11096 <literal>10.0.0.2</literal>
11099 <entry colname="5">
11105 </informaltable><para>
11106 Mail delivery will be attempted to <literal>mail.example.com</literal> and
11107 <literal>mail2.example.com</literal> (in
11108 any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will be attempted.
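The MX rules above (an MX target must own an A or AAAA record, a CNAME is not sufficient, an MX beside a CNAME is ignored, and delivery goes by ascending preference with random order among equal preferences) can be checked mechanically. The following Python is an added example, not BIND's own code; its record set is constructed from the example.com table and extended with two deliberate misconfigurations so the checker has something to report.

```python
import random
from collections import defaultdict

# Constructed sample, modelled on the example.com table above and extended
# with two misconfigurations (not from the manual) so the checks have
# something to find: (owner, type, rdata), all names fully qualified.
SAMPLE_RECORDS = [
    ("example.com.",        "MX",    "10 mail.example.com."),
    ("example.com.",        "MX",    "10 mail2.example.com."),
    ("example.com.",        "MX",    "20 mail.backup.org."),
    ("mail.example.com.",   "A",     "10.0.0.1"),
    ("mail2.example.com.",  "A",     "10.0.0.2"),
    ("alias.example.com.",  "CNAME", "mail.example.com."),
    ("alias.example.com.",  "MX",    "10 mail.example.com."),   # MX beside a CNAME
    ("sub.example.com.",    "MX",    "10 alias.example.com."),  # MX target is a CNAME
]

def index_zone(records):
    """Group rdata by (owner, type) so the checks are simple lookups."""
    idx = defaultdict(list)
    for owner, rtype, rdata in records:
        idx[(owner.lower(), rtype.upper())].append(rdata)
    return idx

def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)

def check_mx(records, zone):
    """Report MX rule violations inside `zone`: an MX at a name that also
    owns a CNAME is in error, and an MX target must own an A or AAAA
    record itself (a CNAME is not sufficient). Targets outside the zone
    cannot be verified from local data and are skipped."""
    idx = index_zone(records)
    problems = []
    for (owner, rtype), rdatas in idx.items():
        if rtype != "MX":
            continue
        if (owner, "CNAME") in idx:
            problems.append(f"{owner}: MX coexists with CNAME; MX will be ignored")
        for rdata in rdatas:
            _pref, target = rdata.split()
            target = target.lower()
            if not in_zone(target, zone):
                continue
            if (target, "CNAME") in idx:
                problems.append(f"{owner}: MX target {target} is a CNAME")
            elif (target, "A") not in idx and (target, "AAAA") not in idx:
                problems.append(f"{owner}: MX target {target} has no A/AAAA record")
    return problems

def delivery_order(records, domain, rng=random):
    """Order MX targets the way a mail transport agent tries them: lowest
    preference first, equal preferences in random order. Returns a list
    of (preference, [targets]) groups."""
    by_pref = defaultdict(list)
    for rdata in index_zone(records).get((domain.lower(), "MX"), []):
        pref, target = rdata.split()
        by_pref[int(pref)].append(target)
    order = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        order.append((pref, group))
    return order
```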
11112 <sect2 id="Setting_TTLs">
11113 <title>Setting TTLs</title>
11115 The time-to-live of the RR field is a 32-bit integer represented
11116 in units of seconds, and is primarily used by resolvers when they
11117 cache RRs. The TTL describes how long a RR can be cached before it
11118 should be discarded. The following three types of TTL are currently
11120 used in a zone file.
11122 <informaltable colsep="0" rowsep="0">
11123 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
11124 <colspec colname="1" colnum="1" colsep="0" colwidth="0.750in"/>
11125 <colspec colname="2" colnum="2" colsep="0" colwidth="4.375in"/>
11128 <entry colname="1">
11133 <entry colname="2">
11135 The last field in the SOA is the negative
11136 caching TTL. This controls how long other servers will
11137 cache no-such-domain
11138 (NXDOMAIN) responses from you.
11141 The maximum time for
11142 negative caching is 3 hours (3h).
11147 <entry colname="1">
11152 <entry colname="2">
11154 The $TTL directive at the top of the
11155 zone file (before the SOA) gives a default TTL for every RR without
11157 a specific TTL set.
11162 <entry colname="1">
11167 <entry colname="2">
11169 Each RR can have a TTL as the second
11170 field in the RR, which will control how long other servers can cache it.
11180 All of these TTLs default to units of seconds, though units
11181 can be explicitly specified, for example, <literal>1h30m</literal>.
11185 <title>Inverse Mapping in IPv4</title>
11187 Reverse name resolution (that is, translation from IP address
11188 to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
11189 and PTR records. Entries in the in-addr.arpa domain are made in
11190 least-to-most significant order, read left to right. This is the
11191 opposite order to the way IP addresses are usually written. Thus,
11192 a machine with an IP address of 10.1.2.3 would have a
11194 in-addr.arpa name of
11195 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
11196 whose data field is the name of the machine or, optionally, multiple
11198 PTR records if the machine has more than one name. For example,
11199 in the <optional>example.com</optional> domain:
11201 <informaltable colsep="0" rowsep="0">
11202 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
11203 <colspec colname="1" colnum="1" colsep="0" colwidth="1.125in"/>
11204 <colspec colname="2" colnum="2" colsep="0" colwidth="4.000in"/>
11207 <entry colname="1">
11209 <literal>$ORIGIN</literal>
11212 <entry colname="2">
11214 <literal>2.1.10.in-addr.arpa</literal>
11219 <entry colname="1">
11221 <literal>3</literal>
11224 <entry colname="2">
11226 <literal>IN PTR foo.example.com.</literal>
11235 The <command>$ORIGIN</command> lines in the examples
11236 are for providing context to the examples only — they do not
11238 appear in the actual usage. They are only used here to indicate
11239 that the example is relative to the listed origin.
11244 <title>Other Zone File Directives</title>
11246 The Master File Format was initially defined in RFC 1035 and
11247 has subsequently been extended. While the Master File Format
11249 is class independent, all records in a Master File must be of the same class.
11254 Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
11255 and <command>$TTL.</command>
11258 <title>The <command>@</command> (at-sign)</title>
11260 When used in the label (or name) field, the asperand or
11261 at-sign (@) symbol represents the current origin.
11262 At the start of the zone file, it is the
11263 <<varname>zone_name</varname>> (followed by trailing dot).
11268 <title>The <command>$ORIGIN</command> Directive</title>
11270 Syntax: <command>$ORIGIN</command>
11271 <replaceable>domain-name</replaceable>
11272 <optional><replaceable>comment</replaceable></optional>
11274 <para><command>$ORIGIN</command>
11275 sets the domain name that will be appended to any
11276 unqualified records. When a zone is first read in there
11277 is an implicit <command>$ORIGIN</command>
11278 <<varname>zone_name</varname>><command>.</command>
11279 (followed by trailing dot).
11280 The current <command>$ORIGIN</command> is appended to
11281 the domain specified in the <command>$ORIGIN</command>
11282 argument if it is not absolute.
11286 <programlisting>$ORIGIN example.com.
11287 WWW CNAME MAIN-SERVER</programlisting> is equivalent to
11295 <programlisting>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</programlisting>
11300 <title>The <command>$INCLUDE</command> Directive</title>
11302 Syntax: <command>$INCLUDE</command>
11303 <replaceable>filename</replaceable>
11305 <optional> <replaceable>origin</replaceable> </optional>
11306 <optional> <replaceable>comment</replaceable> </optional>
11309 Read and process the file <filename>filename</filename> as
11310 if it were included into the file at this point. If <command>origin</command> is
11311 specified the file is processed with <command>$ORIGIN</command> set
11312 to that value, otherwise the current <command>$ORIGIN</command> is used.
11316 The origin and the current domain name
11317 revert to the values they had prior to the <command>$INCLUDE</command> once
11318 the file has been read.
11322 RFC 1035 specifies that the current origin should be restored after
11324 an <command>$INCLUDE</command>, but it is silent
11325 on whether the current
11326 domain name should also be restored. BIND 9 restores both of
11328 them. This could be construed as a deviation from RFC 1035, a feature, or both.
11334 <title>The <command>$TTL</command> Directive</title>
11336 Syntax: <command>$TTL</command>
11337 <replaceable>default-ttl</replaceable>
11339 <optional> <replaceable>comment</replaceable> </optional>
11342 Set the default Time To Live (TTL) for subsequent records
11343 with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.
11346 <para><command>$TTL</command>
11347 is defined in RFC 2308.
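The textual conventions described earlier (owner inherited from a blank-led line, TTL and class optional and in either order, type mnemonic always last, relative names completed with the current $ORIGIN, a relative $ORIGIN argument appended to the previous origin, and $TTL as the default with unit suffixes such as 1h30m) can be exercised with a small reader. The following Python is an added example, not BIND's own master-file parser; the zone text is constructed for illustration, and parenthesised continuation lines are deliberately left unsupported.

```python
import re

CLASSES = {"IN", "CH", "HS"}                   # class mnemonics listed above
TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_MAX = 2147483647                            # upper bound given for $TTL
NAME_RDATA = {"CNAME", "NS", "PTR", "DNAME"}    # rdata that is a single domain name

# Constructed sample zone text (not from the manual) exercising the rules.
SAMPLE_ZONE = """\
$TTL 1h30m                         ; default TTL with unit suffixes
$ORIGIN example.com.
@           IN SOA ns1 hostmaster 1 1h 15m 1w 3h
            IN NS  ns1             ; owner inherited from the line above
            MX 10  mail            ; TTL and class both omitted
www    300  IN CNAME main-server   ; explicit TTL, relative target
main-server IN 1d A 10.0.0.5       ; class before TTL
$ORIGIN sub                        ; relative: becomes sub.example.com.
host        A 10.0.1.1
"""

def parse_ttl(text):
    """Parse '3600' or a unit form such as '1h30m' into seconds and
    enforce the 0-2147483647 range."""
    if text.isdigit():
        ttl = int(text)
    else:
        parts = re.findall(r"(\d+)([smhdw])", text.lower())
        if not parts or "".join(n + u for n, u in parts) != text.lower():
            raise ValueError(f"bad TTL: {text!r}")
        ttl = sum(int(n) * TTL_UNITS[u] for n, u in parts)
    if not 0 <= ttl <= TTL_MAX:
        raise ValueError(f"TTL out of range: {ttl}")
    return ttl

def qualify(name, origin):
    """'@' is the current origin; a name without a trailing dot gets the
    origin appended; an absolute name is returned unchanged."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, zone_name):
    """Turn master-file text into (owner, ttl, class, type, rdata) tuples.
    ttl is None when neither $TTL nor an explicit TTL was given."""
    origin = qualify(zone_name, "")             # implicit $ORIGIN <zone_name>.
    default_ttl = None
    owner = origin
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()    # drop comments
        if not line.strip():
            continue                             # blank lines are for readability
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)  # relative argument gets old origin appended
            continue
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if not line[0].isspace():                # blank-led line keeps the previous owner
            owner = qualify(fields.pop(0), origin)
        ttl, rclass = default_ttl, "IN"
        # TTL (starts with a digit) and class (a known mnemonic) may appear in
        # either order; the type mnemonic is always the last header field.
        while fields and (fields[0].upper() in CLASSES or fields[0][0].isdigit()):
            tok = fields.pop(0)
            if tok.upper() in CLASSES:
                rclass = tok.upper()
            else:
                ttl = parse_ttl(tok)
        if not fields:
            raise ValueError(f"no type mnemonic in line: {raw!r}")
        rtype = fields.pop(0).upper()
        rdata = " ".join(fields)
        if rtype in NAME_RDATA:
            rdata = qualify(rdata, origin)
        elif rtype == "MX":
            pref, target = rdata.split()
            rdata = f"{pref} {qualify(target, origin)}"
        records.append((owner, ttl, rclass, rtype, rdata))
    return records
```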
11352 <title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
11354 Syntax: <command>$GENERATE</command>
11355 <replaceable>range</replaceable>
11356 <replaceable>lhs</replaceable>
11357 <optional><replaceable>ttl</replaceable></optional>
11358 <optional><replaceable>class</replaceable></optional>
11359 <replaceable>type</replaceable>
11360 <replaceable>rhs</replaceable>
11361 <optional><replaceable>comment</replaceable></optional>
11363 <para><command>$GENERATE</command>
11364 is used to create a series of resource records that only
11365 differ from each other by an
11366 iterator. <command>$GENERATE</command> can be used to
11367 easily generate the sets of records required to support
11368 sub /24 reverse delegations described in RFC 2317:
11369 Classless IN-ADDR.ARPA delegation.
11372 <programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
11373 $GENERATE 1-2 0 NS SERVER$.EXAMPLE.
11374 $GENERATE 1-127 $ CNAME $.0</programlisting> is equivalent to
11380 <programlisting>0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
11381 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
11382 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
11383 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
11384 ...
11385 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.</programlisting>
11388 <informaltable colsep="0" rowsep="0">
11389 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="3Level-table">
11390 <colspec colname="1" colnum="1" colsep="0" colwidth="0.875in"/>
11391 <colspec colname="2" colnum="2" colsep="0" colwidth="4.250in"/>
11394 <entry colname="1">
11395 <para><command>range</command></para>
11397 <entry colname="2">
11399 This can be one of two forms: start-stop
11400 or start-stop/step. If the first form is used, then step is set to
11402 1. All of start, stop and step must be positive.
11407 <entry colname="1">
11408 <para><command>lhs</command></para>
11410 <entry colname="2">
11412 describes the owner name of the resource records
11413 to be created. Any single <command>$</command>
11415 symbols within the <command>lhs</command> string
11416 are replaced by the iterator value.
11418 To get a $ in the output, you need to escape the
11419 <command>$</command> using a backslash
11420 <command>\</command>,
11421 e.g. <command>\$</command>. The
11422 <command>$</command> may optionally be followed
11423 by modifiers which change the offset from the
11424 iterator, field width and base.
11426 Modifiers are introduced by a
11427 <command>{</command> (left brace) immediately following the
11428 <command>$</command> as
11429 <command>${offset[,width[,base]]}</command>.
11430 For example, <command>${-20,3,d}</command>
11431 subtracts 20 from the current value, prints the
11432 result as a decimal in a zero-padded field of width 3.
11435 Available output forms are decimal
11436 (<command>d</command>), octal
11437 (<command>o</command>) and hexadecimal
11438 (<command>x</command> or <command>X</command>
11439 for uppercase). The default modifier is
11440 <command>${0,0,d}</command>. If the
11441 <command>lhs</command> is not absolute, the
11442 current <command>$ORIGIN</command> is appended to the name.
11446 For compatibility with earlier versions, <command>$$</command> is still
11447 recognized as indicating a literal $ in the output.
11452 <entry colname="1">
11453 <para><command>ttl</command></para>
11455 <entry colname="2">
11457 Specifies the time-to-live of the generated records. If
11458 not specified this will be inherited using the
11459 normal TTL inheritance rules.
11461 <para><command>class</command>
11462 and <command>ttl</command> can be
11463 entered in either order.
11468 <entry colname="1">
11469 <para><command>class</command></para>
11471 <entry colname="2">
11473 Specifies the class of the generated records.
11474 This must match the zone class if it is specified.
11477 <para><command>class</command>
11478 and <command>ttl</command> can be
11479 entered in either order.
11484 <entry colname="1">
11485 <para><command>type</command></para>
11487 <entry colname="2">
11489 At present the only supported types are
11490 PTR, CNAME, DNAME, A, AAAA and NS.
11495 <entry colname="1">
11496 <para><command>rhs</command></para>
11498 <entry colname="2">
11500 <command>rhs</command> is a domain name. It is processed similarly to <command>lhs</command>.
11509 The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
11510 and not part of the standard zone file format.
11513 BIND 8 does not support the optional TTL and CLASS fields.
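A practical way to review what a <command>$GENERATE</command> line will put in the zone is to expand it the way the table above describes: the start-stop/step range, the <command>$</command> iterator with its <command>${offset,width,base}</command> modifiers, the <command>\$</command> and legacy <command>$$</command> escapes, and the current <command>$ORIGIN</command> appended to relative names. The following Python is an added example, not BIND's implementation; it assumes (as the type list suggests) that the rhs of A and AAAA records is an address and is therefore never qualified with the origin.

```python
import re

GENERATE_TYPES = {"PTR", "CNAME", "DNAME", "A", "AAAA", "NS"}  # types listed above
CLASSES = {"IN", "CH", "HS"}
NAME_TYPES = {"PTR", "CNAME", "DNAME", "NS"}   # assumption: A/AAAA rhs is an address
_MOD = re.compile(r"\$\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\}")

def parse_range(text):
    """'start-stop' or 'start-stop/step'; step defaults to 1."""
    span, _, step = text.partition("/")
    start, _, stop = span.partition("-")
    start, stop, step = int(start), int(stop), int(step or 1)
    if start <= 0 or stop <= 0 or step <= 0:   # all three must be positive
        raise ValueError(f"bad $GENERATE range: {text!r}")
    return start, stop, step

def substitute(template, value):
    """Expand $, ${offset[,width[,base]]}, \\$ and the legacy $$ in one field."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("\\$", i) or template.startswith("$$", i):
            out.append("$")                      # escaped literal dollar sign
            i += 2
        elif template[i] == "$":
            m = _MOD.match(template, i)
            if m:                                # ${offset,width,base} modifier
                offset, width = int(m.group(1)), int(m.group(2) or 0)
                base = m.group(3) or "d"         # default modifier is ${0,0,d}
                spec = f"0{width}{base}" if width else base
                out.append(format(value + offset, spec))
                i = m.end()
            else:                                # bare $ is the iterator value
                out.append(str(value))
                i += 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def qualify(name, origin):
    return name if name.endswith(".") else f"{name}.{origin}"

def expand_generate(directive, origin):
    """Expand '$GENERATE range lhs [ttl] [class] type rhs' into the record
    lines it stands for, relative to the current $ORIGIN."""
    fields = directive.split()
    if len(fields) < 5 or fields[0] != "$GENERATE":
        raise ValueError(f"not a $GENERATE directive: {directive!r}")
    start, stop, step = parse_range(fields[1])
    lhs, rest = fields[2], fields[3:]
    ttl = rclass = None
    while rest and rest[0].upper() not in GENERATE_TYPES:  # ttl/class in either order
        tok = rest.pop(0)
        if tok.upper() in CLASSES:
            rclass = tok.upper()
        else:
            ttl = tok
    if len(rest) != 2:
        raise ValueError(f"unsupported type or malformed fields: {directive!r}")
    rtype, rhs = rest[0].upper(), rest[1]
    lines = []
    for value in range(start, stop + 1, step):
        owner = qualify(substitute(lhs, value), origin)
        data = substitute(rhs, value)
        if rtype in NAME_TYPES:
            data = qualify(data, origin)
        header = " ".join(f for f in (owner, ttl, rclass, rtype) if f)
        lines.append(f"{header} {data}")
    return lines
```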
11517 <sect2 id="zonefile_format">
11518 <title>Additional File Formats</title>
11520 In addition to the standard textual format, BIND 9
11521 supports the ability to read or dump to zone files in
11522 other formats. The <constant>raw</constant> format is
11523 currently available as an additional format. It is a
11524 binary format representing BIND 9's internal data
11525 structure directly, thereby remarkably improving the load time.
11529 For a primary server, a zone file in the
11530 <constant>raw</constant> format is expected to be
11531 generated from a textual zone file by the
11532 <command>named-compilezone</command> command. For a
11533 secondary server or for a dynamic zone, it is automatically
11534 generated (if this format is specified by the
11535 <command>masterfile-format</command> option) when
11536 <command>named</command> dumps the zone contents after
11537 zone transfer or when applying prior updates.
11540 If a zone file in a binary format needs manual modification,
11541 it first must be converted to a textual form by the
11542 <command>named-compilezone</command> command. All
11543 necessary modification should go to the text file, which
11544 should then be converted to the binary form by the
11545 <command>named-compilezone</command> command again.
11548 Although the <constant>raw</constant> format uses the
11549 network byte order and avoids architecture-dependent
11550 data alignment so that it is as portable as
11551 possible, it is primarily expected to be used within
11552 a single system. In order to export a zone
11553 file in the <constant>raw</constant> format or make a
11554 portable backup of the file, it is recommended to
11555 convert the file to the standard textual representation.
11560 <sect1 id="statistics">
11561 <title>BIND9 Statistics</title>
11563 <acronym>BIND</acronym> 9 maintains a large amount of statistics
11564 information and provides several interfaces through which users
11565 can access it.
11566 The available statistics include all statistics counters
11567 that were available in <acronym>BIND</acronym> 8 and
11568 are meaningful in <acronym>BIND</acronym> 9,
11569 and other information that is considered useful.
11573 The statistics information is categorized into the following sections.
11577 <informaltable frame="all">
11579 <colspec colname="1" colnum="1" colsep="0" colwidth="3.300in"/>
11580 <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
11584 <entry colname="1">
11585 <para>Incoming Requests</para>
11587 <entry colname="2">
11589 The number of incoming DNS requests for each OPCODE.
11595 <entry colname="1">
11596 <para>Incoming Queries</para>
11598 <entry colname="2">
11600 The number of incoming queries for each RR type.
11606 <entry colname="1">
11607 <para>Outgoing Queries</para>
11609 <entry colname="2">
11611 The number of outgoing queries for each RR
11612 type sent from the internal resolver.
11613 Maintained per view.
11619 <entry colname="1">
11620 <para>Name Server Statistics</para>
11622 <entry colname="2">
11624 Statistics counters about incoming request processing.
11630 <entry colname="1">
11631 <para>Zone Maintenance Statistics</para>
11633 <entry colname="2">
11635 Statistics counters regarding zone maintenance
11636 operations such as zone transfers.
11642 <entry colname="1">
11643 <para>Resolver Statistics</para>
11645 <entry colname="2">
11647 Statistics counters about name resolution
11648 performed in the internal resolver.
11649 Maintained per view.
11655 <entry colname="1">
11656 <para>Cache DB RRsets</para>
11658 <entry colname="2">
11660 The number of RRsets per RR type (positive
11661 or negative) and nonexistent names stored in the cache database.
11663 Maintained per view.
11669 <entry colname="1">
11670 <para>Socket I/O Statistics</para>
11672 <entry colname="2">
11674 Statistics counters about network related events.
11684 A subset of Name Server Statistics is collected and shown
11685 per zone for which the server is authoritative when
11686 <command>zone-statistics</command> is set to
11687 <userinput>yes</userinput>.
11688 These statistics counters are shown with their zone and view names.
11690 In some cases the view names are omitted for the default view.
11694 There are currently two user interfaces to get access to the statistics.
11696 One is in the plain text format dumped to the file specified
11697 by the <command>statistics-file</command> configuration option.
11698 The other is remotely accessible via a statistics channel
11699 when the <command>statistics-channels</command> statement
11700 is specified in the configuration file
11701 (see <xref linkend="statschannels"/>.)
11704 <sect3 id="statsfile">
11705 <title>The Statistics File</title>
11707 The text format statistics dump begins with a line, like:
11710 <command>+++ Statistics Dump +++ (973798949)</command>
11713 The number in parentheses is a standard
11714 Unix-style timestamp, measured as seconds since January 1, 1970.
11717 Following that line is a set of statistics information, which is categorized
11718 as described above.
11719 Each section begins with a line, like:
11723 <command>++ Name Server Statistics ++</command>
11727 Each section consists of lines, each containing the statistics
11728 counter value followed by its textual description.
11729 See below for available counters.
11730 For brevity, counters that have a value of 0 are not shown
11731 in the statistics file.
11735 The statistics dump ends with the line where the
11736 number is identical to the number in the beginning line; for example:
11739 <command>--- Statistics Dump --- (973798949)</command>
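The layout just described (an opening line with a timestamp, <command>++ Section ++</command> headers, one counter value and description per line, zero-valued counters omitted, and a closing line repeating the timestamp) is simple enough to parse for monitoring. The following Python is an added example rather than an ISC tool; the dump text is constructed with counter descriptions taken from the tables below and made-up values, and it checks that the closing timestamp matches the opening one so a truncated or interleaved dump is not silently accepted.

```python
import re

# Constructed sample statistics file in the layout described above; the
# descriptions are those from the counter tables, the values are made up.
SAMPLE_DUMP = """\
+++ Statistics Dump +++ (973798949)
++ Incoming Queries ++
             1100 A
               40 MX
++ Name Server Statistics ++
             1200 IPv4 requests received
               34 IPv6 requests received
               12 Requests with invalid (TSIG or SIG(0)) signature
                7 Zone transfer requests rejected
                2 Dynamic update requests rejected
              980 Queries resulted in a successful answer.
--- Statistics Dump --- (973798949)
"""

HEADER = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
FOOTER = re.compile(r"^--- Statistics Dump --- \((\d+)\)$")
SECTION = re.compile(r"^\+\+ (.+) \+\+$")
COUNTER = re.compile(r"^\s*(\d+) (.+?)\.?\s*$")   # value, description (trailing '.' dropped)

def parse_stats_dumps(text):
    """Parse every dump in a statistics file into
    {'timestamp': int, 'sections': {section: {description: value}}}.
    The closing line must repeat the opening timestamp; a mismatch or a
    missing closing line (a truncated dump) raises ValueError."""
    dumps, current, section = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current is not None:
                raise ValueError("new dump started before the previous one closed")
            current, section = {"timestamp": int(m.group(1)), "sections": {}}, None
            continue
        m = FOOTER.match(line)
        if m:
            if current is None or int(m.group(1)) != current["timestamp"]:
                raise ValueError(f"closing line does not match an open dump: {line!r}")
            dumps.append(current)
            current = section = None
            continue
        m = SECTION.match(line)
        if m and current is not None:
            section = current["sections"].setdefault(m.group(1), {})
            continue
        m = COUNTER.match(line)
        if m and section is not None:
            section[m.group(2)] = int(m.group(1))
    if current is not None:
        raise ValueError("statistics dump has no closing line (truncated?)")
    return dumps

# Name Server Statistics descriptions that count refused or badly signed
# requests. Zero-valued counters are omitted from the file, so any entry
# returned here is nonzero and worth correlating with the query log.
WATCH = {
    "Requests with invalid (TSIG or SIG(0)) signature",
    "Authoritative (non recursive) queries rejected",
    "Recursive queries rejected",
    "Zone transfer requests rejected",
    "Dynamic update requests rejected",
}

def rejected_counters(dump):
    """Return the WATCH counters present in one parsed dump."""
    ns = dump["sections"].get("Name Server Statistics", {})
    return {desc: val for desc, val in ns.items() if desc in WATCH}
```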
11743 <sect2 id="statistics_counters">
11744 <title>Statistics Counters</title>
11746 The following tables summarize statistics counters that
11747 <acronym>BIND</acronym> 9 provides.
11748 For each row of the tables, the leftmost column is the
11749 abbreviated symbol name of that counter.
11750 These symbols are shown in the statistics information
11751 accessed via an HTTP statistics channel.
11752 The rightmost column gives the description of the counter,
11753 which is also shown in the statistics file
11754 (but, in this document, possibly with slight modification
11755 for better readability).
11756 Additional notes may also be provided in this column.
11757 When a middle column exists between these two columns,
11758 it gives the corresponding counter name of the
11759 <acronym>BIND</acronym> 8 statistics, if applicable.
11763 <title>Name Server Statistics Counters</title>
11765 <informaltable colsep="0" rowsep="0">
11766 <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
11767 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
11768 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
11769 <colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
11772 <entry colname="1">
11774 <emphasis>Symbol</emphasis>
11777 <entry colname="2">
11779 <emphasis>BIND8 Symbol</emphasis>
11782 <entry colname="3">
11784 <emphasis>Description</emphasis>
11790 <entry colname="1">
11791 <para><command>Requestv4</command></para>
11793 <entry colname="2">
11794 <para><command>RQ</command></para>
11796 <entry colname="3">
11798 IPv4 requests received.
11799 Note: this also counts non query requests.
11804 <entry colname="1">
11805 <para><command>Requestv6</command></para>
11807 <entry colname="2">
11808 <para><command>RQ</command></para>
11810 <entry colname="3">
11812 IPv6 requests received.
11813 Note: this also counts non query requests.
11818 <entry colname="1">
11819 <para><command>ReqEdns0</command></para>
11821 <entry colname="2">
11822 <para><command></command></para>
11824 <entry colname="3">
11826 Requests with EDNS(0) received.
11831 <entry colname="1">
11832 <para><command>ReqBadEDNSVer</command></para>
11834 <entry colname="2">
11835 <para><command></command></para>
11837 <entry colname="3">
11839 Requests with unsupported EDNS version received.
11844 <entry colname="1">
11845 <para><command>ReqTSIG</command></para>
11847 <entry colname="2">
11848 <para><command></command></para>
11850 <entry colname="3">
11852 Requests with TSIG received.
11857 <entry colname="1">
11858 <para><command>ReqSIG0</command></para>
11860 <entry colname="2">
11861 <para><command></command></para>
11863 <entry colname="3">
11865 Requests with SIG(0) received.
11870 <entry colname="1">
11871 <para><command>ReqBadSIG</command></para>
11873 <entry colname="2">
11874 <para><command></command></para>
11876 <entry colname="3">
11878 Requests with invalid (TSIG or SIG(0)) signature.
11883 <entry colname="1">
11884 <para><command>ReqTCP</command></para>
11886 <entry colname="2">
11887 <para><command>RTCP</command></para>
11889 <entry colname="3">
11891 TCP requests received.
11896 <entry colname="1">
11897 <para><command>AuthQryRej</command></para>
11899 <entry colname="2">
11900 <para><command>RUQ</command></para>
11902 <entry colname="3">
11904 Authoritative (non recursive) queries rejected.
11909 <entry colname="1">
11910 <para><command>RecQryRej</command></para>
11912 <entry colname="2">
11913 <para><command>RURQ</command></para>
11915 <entry colname="3">
11917 Recursive queries rejected.
11922 <entry colname="1">
11923 <para><command>XfrRej</command></para>
11925 <entry colname="2">
11926 <para><command>RUXFR</command></para>
11928 <entry colname="3">
11930 Zone transfer requests rejected.
11935 <entry colname="1">
11936 <para><command>UpdateRej</command></para>
11938 <entry colname="2">
11939 <para><command>RUUpd</command></para>
11941 <entry colname="3">
11943 Dynamic update requests rejected.
11948 <entry colname="1">
11949 <para><command>Response</command></para>
11951 <entry colname="2">
11952 <para><command>SAns</command></para>
11954 <entry colname="3">
11961 <entry colname="1">
11962 <para><command>RespTruncated</command></para>
11964 <entry colname="2">
11965 <para><command></command></para>
11967 <entry colname="3">
11969 Truncated responses sent.
11974 <entry colname="1">
11975 <para><command>RespEDNS0</command></para>
11977 <entry colname="2">
11978 <para><command></command></para>
11980 <entry colname="3">
11982 Responses with EDNS(0) sent.
11987 <entry colname="1">
11988 <para><command>RespTSIG</command></para>
11990 <entry colname="2">
11991 <para><command></command></para>
11993 <entry colname="3">
11995 Responses with TSIG sent.
12000 <entry colname="1">
12001 <para><command>RespSIG0</command></para>
12003 <entry colname="2">
12004 <para><command></command></para>
12006 <entry colname="3">
12008 Responses with SIG(0) sent.
12013 <entry colname="1">
12014 <para><command>QrySuccess</command></para>
12016 <entry colname="2">
12017 <para><command></command></para>
12019 <entry colname="3">
Queries that resulted in a successful answer, that is,
a NOERROR response with at least one answer RR.
This corresponds to the
<command>success</command> counter
of previous versions of
<acronym>BIND</acronym> 9.
12032 <entry colname="1">
12033 <para><command>QryAuthAns</command></para>
12035 <entry colname="2">
12036 <para><command></command></para>
12038 <entry colname="3">
Queries resulted in an authoritative answer.
12045 <entry colname="1">
12046 <para><command>QryNoauthAns</command></para>
12048 <entry colname="2">
12049 <para><command>SNaAns</command></para>
12051 <entry colname="3">
Queries resulted in a non-authoritative answer.
12058 <entry colname="1">
12059 <para><command>QryReferral</command></para>
12061 <entry colname="2">
12062 <para><command></command></para>
12064 <entry colname="3">
Queries resulted in a referral answer.
12067 This corresponds to the
12068 <command>referral</command> counter
12069 of previous versions of
12070 <acronym>BIND</acronym> 9.
12075 <entry colname="1">
12076 <para><command>QryNxrrset</command></para>
12078 <entry colname="2">
12079 <para><command></command></para>
12081 <entry colname="3">
12083 Queries resulted in NOERROR responses with no data.
12084 This corresponds to the
12085 <command>nxrrset</command> counter
12086 of previous versions of
12087 <acronym>BIND</acronym> 9.
12092 <entry colname="1">
12093 <para><command>QrySERVFAIL</command></para>
12095 <entry colname="2">
12096 <para><command>SFail</command></para>
12098 <entry colname="3">
12100 Queries resulted in SERVFAIL.
12105 <entry colname="1">
12106 <para><command>QryFORMERR</command></para>
12108 <entry colname="2">
12109 <para><command>SFErr</command></para>
12111 <entry colname="3">
12113 Queries resulted in FORMERR.
12118 <entry colname="1">
12119 <para><command>QryNXDOMAIN</command></para>
12121 <entry colname="2">
12122 <para><command>SNXD</command></para>
12124 <entry colname="3">
12126 Queries resulted in NXDOMAIN.
12127 This corresponds to the
12128 <command>nxdomain</command> counter
12129 of previous versions of
12130 <acronym>BIND</acronym> 9.
12135 <entry colname="1">
12136 <para><command>QryRecursion</command></para>
12138 <entry colname="2">
12139 <para><command>RFwdQ</command></para>
12141 <entry colname="3">
12143 Queries which caused the server
12144 to perform recursion in order to find the final answer.
12145 This corresponds to the
12146 <command>recursion</command> counter
12147 of previous versions of
12148 <acronym>BIND</acronym> 9.
12153 <entry colname="1">
12154 <para><command>QryDuplicate</command></para>
12156 <entry colname="2">
12157 <para><command>RDupQ</command></para>
12159 <entry colname="3">
12161 Queries which the server attempted to
12162 recurse but discovered an existing query with the same
12163 IP address, port, query ID, name, type and class
12164 already being processed.
12165 This corresponds to the
12166 <command>duplicate</command> counter
12167 of previous versions of
12168 <acronym>BIND</acronym> 9.
12173 <entry colname="1">
12174 <para><command>QryDropped</command></para>
12176 <entry colname="2">
12177 <para><command></command></para>
12179 <entry colname="3">
Recursive queries that were dropped because the server
found an excessive number of recursive queries for the
same name, type and class already in progress.
This is the number of queries dropped for the reason
explained under
<command>clients-per-query</command>
and
<command>max-clients-per-query</command>
(see the description of
<xref linkend="clients-per-query"/>).
12193 This corresponds to the
12194 <command>dropped</command> counter
12195 of previous versions of
12196 <acronym>BIND</acronym> 9.
12201 <entry colname="1">
12202 <para><command>QryFailure</command></para>
12204 <entry colname="2">
12205 <para><command></command></para>
12207 <entry colname="3">
Other query failures.
This corresponds to the
<command>failure</command> counter
of previous versions of
<acronym>BIND</acronym> 9.
Note: this counter is provided mainly for
backward compatibility with previous versions.
The more fine-grained counters such as
<command>AuthQryRej</command> and
<command>RecQryRej</command>, whose events also
count towards this counter, are normally more useful,
so this counter is of little interest in practice.
12226 <entry colname="1">
12227 <para><command>XfrReqDone</command></para>
12229 <entry colname="2">
12230 <para><command></command></para>
12232 <entry colname="3">
12234 Requested zone transfers completed.
12239 <entry colname="1">
12240 <para><command>UpdateReqFwd</command></para>
12242 <entry colname="2">
12243 <para><command></command></para>
12245 <entry colname="3">
12247 Update requests forwarded.
12252 <entry colname="1">
12253 <para><command>UpdateRespFwd</command></para>
12255 <entry colname="2">
12256 <para><command></command></para>
12258 <entry colname="3">
12260 Update responses forwarded.
12265 <entry colname="1">
12266 <para><command>UpdateFwdFail</command></para>
12268 <entry colname="2">
12269 <para><command></command></para>
12271 <entry colname="3">
Dynamic update forwarding failed.
12278 <entry colname="1">
12279 <para><command>UpdateDone</command></para>
12281 <entry colname="2">
12282 <para><command></command></para>
12284 <entry colname="3">
12286 Dynamic updates completed.
12291 <entry colname="1">
12292 <para><command>UpdateFail</command></para>
12294 <entry colname="2">
12295 <para><command></command></para>
12297 <entry colname="3">
12299 Dynamic updates failed.
12304 <entry colname="1">
12305 <para><command>UpdateBadPrereq</command></para>
12307 <entry colname="2">
12308 <para><command></command></para>
12310 <entry colname="3">
12312 Dynamic updates rejected due to prerequisite failure.
12322 <title>Zone Maintenance Statistics Counters</title>
12324 <informaltable colsep="0" rowsep="0">
12325 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12326 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
12327 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
12330 <entry colname="1">
12332 <emphasis>Symbol</emphasis>
12335 <entry colname="2">
12337 <emphasis>Description</emphasis>
12343 <entry colname="1">
12344 <para><command>NotifyOutv4</command></para>
12346 <entry colname="2">
12348 IPv4 notifies sent.
12353 <entry colname="1">
12354 <para><command>NotifyOutv6</command></para>
12356 <entry colname="2">
12358 IPv6 notifies sent.
12363 <entry colname="1">
12364 <para><command>NotifyInv4</command></para>
12366 <entry colname="2">
12368 IPv4 notifies received.
12373 <entry colname="1">
12374 <para><command>NotifyInv6</command></para>
12376 <entry colname="2">
12378 IPv6 notifies received.
12383 <entry colname="1">
12384 <para><command>NotifyRej</command></para>
12386 <entry colname="2">
12388 Incoming notifies rejected.
12393 <entry colname="1">
12394 <para><command>SOAOutv4</command></para>
12396 <entry colname="2">
12398 IPv4 SOA queries sent.
12403 <entry colname="1">
12404 <para><command>SOAOutv6</command></para>
12406 <entry colname="2">
12408 IPv6 SOA queries sent.
12413 <entry colname="1">
12414 <para><command>AXFRReqv4</command></para>
12416 <entry colname="2">
12418 IPv4 AXFR requested.
12423 <entry colname="1">
12424 <para><command>AXFRReqv6</command></para>
12426 <entry colname="2">
12428 IPv6 AXFR requested.
12433 <entry colname="1">
12434 <para><command>IXFRReqv4</command></para>
12436 <entry colname="2">
12438 IPv4 IXFR requested.
12443 <entry colname="1">
12444 <para><command>IXFRReqv6</command></para>
12446 <entry colname="2">
12448 IPv6 IXFR requested.
12453 <entry colname="1">
12454 <para><command>XfrSuccess</command></para>
12456 <entry colname="2">
12458 Zone transfer requests succeeded.
12463 <entry colname="1">
12464 <para><command>XfrFail</command></para>
12466 <entry colname="2">
12468 Zone transfer requests failed.
12478 <title>Resolver Statistics Counters</title>
12480 <informaltable colsep="0" rowsep="0">
12481 <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12482 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
12483 <colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
12484 <colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
12487 <entry colname="1">
12489 <emphasis>Symbol</emphasis>
12492 <entry colname="2">
12494 <emphasis>BIND8 Symbol</emphasis>
12497 <entry colname="3">
12499 <emphasis>Description</emphasis>
12505 <entry colname="1">
12506 <para><command>Queryv4</command></para>
12508 <entry colname="2">
12509 <para><command>SFwdQ</command></para>
<entry colname="3">
IPv4 queries sent.
12518 <entry colname="1">
12519 <para><command>Queryv6</command></para>
12521 <entry colname="2">
12522 <para><command>SFwdQ</command></para>
<entry colname="3">
IPv6 queries sent.
12531 <entry colname="1">
12532 <para><command>Responsev4</command></para>
12534 <entry colname="2">
12535 <para><command>RR</command></para>
12537 <entry colname="3">
12539 IPv4 responses received.
12544 <entry colname="1">
12545 <para><command>Responsev6</command></para>
12547 <entry colname="2">
12548 <para><command>RR</command></para>
12550 <entry colname="3">
12552 IPv6 responses received.
12557 <entry colname="1">
12558 <para><command>NXDOMAIN</command></para>
12560 <entry colname="2">
12561 <para><command>RNXD</command></para>
<entry colname="3">
NXDOMAIN received.
12570 <entry colname="1">
12571 <para><command>SERVFAIL</command></para>
12573 <entry colname="2">
12574 <para><command>RFail</command></para>
<entry colname="3">
SERVFAIL received.
12583 <entry colname="1">
12584 <para><command>FORMERR</command></para>
12586 <entry colname="2">
12587 <para><command>RFErr</command></para>
<entry colname="3">
FORMERR received.
12596 <entry colname="1">
12597 <para><command>OtherError</command></para>
12599 <entry colname="2">
12600 <para><command>RErr</command></para>
12602 <entry colname="3">
12604 Other errors received.
12609 <entry colname="1">
12610 <para><command>EDNS0Fail</command></para>
12612 <entry colname="2">
12613 <para><command></command></para>
12615 <entry colname="3">
12617 EDNS(0) query failures.
12622 <entry colname="1">
12623 <para><command>Mismatch</command></para>
12625 <entry colname="2">
12626 <para><command>RDupR</command></para>
12628 <entry colname="3">
12630 Mismatch responses received.
12635 <entry colname="1">
12636 <para><command>Truncated</command></para>
12638 <entry colname="2">
12639 <para><command></command></para>
12641 <entry colname="3">
12643 Truncated responses received.
12648 <entry colname="1">
12649 <para><command>Lame</command></para>
12651 <entry colname="2">
12652 <para><command>RLame</command></para>
12654 <entry colname="3">
12656 Lame delegations received.
12661 <entry colname="1">
12662 <para><command>Retry</command></para>
12664 <entry colname="2">
12665 <para><command>SDupQ</command></para>
12667 <entry colname="3">
12669 Query retries performed.
12674 <entry colname="1">
12675 <para><command>QueryAbort</command></para>
12677 <entry colname="2">
12678 <para><command></command></para>
12680 <entry colname="3">
12682 Queries aborted due to quota control.
12687 <entry colname="1">
12688 <para><command>QuerySockFail</command></para>
12690 <entry colname="2">
12691 <para><command></command></para>
12693 <entry colname="3">
Failures in opening query sockets.
A common cause is running out of file descriptors:
the process limit on open files prevents a new
socket from being created.
12703 <entry colname="1">
12704 <para><command>QueryTimeout</command></para>
12706 <entry colname="2">
12707 <para><command></command></para>
<entry colname="3">
Query timeouts.
12716 <entry colname="1">
12717 <para><command>GlueFetchv4</command></para>
12719 <entry colname="2">
12720 <para><command>SSysQ</command></para>
12722 <entry colname="3">
12724 IPv4 NS address fetches invoked.
12729 <entry colname="1">
12730 <para><command>GlueFetchv6</command></para>
12732 <entry colname="2">
12733 <para><command>SSysQ</command></para>
12735 <entry colname="3">
12737 IPv6 NS address fetches invoked.
12742 <entry colname="1">
12743 <para><command>GlueFetchv4Fail</command></para>
12745 <entry colname="2">
12746 <para><command></command></para>
12748 <entry colname="3">
12750 IPv4 NS address fetch failed.
12755 <entry colname="1">
12756 <para><command>GlueFetchv6Fail</command></para>
12758 <entry colname="2">
12759 <para><command></command></para>
12761 <entry colname="3">
12763 IPv6 NS address fetch failed.
12768 <entry colname="1">
12769 <para><command>ValAttempt</command></para>
12771 <entry colname="2">
12772 <para><command></command></para>
12774 <entry colname="3">
12776 DNSSEC validation attempted.
12781 <entry colname="1">
12782 <para><command>ValOk</command></para>
12784 <entry colname="2">
12785 <para><command></command></para>
12787 <entry colname="3">
12789 DNSSEC validation succeeded.
12794 <entry colname="1">
12795 <para><command>ValNegOk</command></para>
12797 <entry colname="2">
12798 <para><command></command></para>
12800 <entry colname="3">
12802 DNSSEC validation on negative information succeeded.
12807 <entry colname="1">
12808 <para><command>ValFail</command></para>
12810 <entry colname="2">
12811 <para><command></command></para>
12813 <entry colname="3">
12815 DNSSEC validation failed.
12820 <entry colname="1">
12821 <para><command>QryRTTnn</command></para>
12823 <entry colname="2">
12824 <para><command></command></para>
12826 <entry colname="3">
Frequency table on round trip times (RTTs) of queries.
Each <command>nn</command> in the counter name is an upper
bound in milliseconds. In the sequence
<command>nn_1</command>,
<command>nn_2</command>, ...,
<command>nn_m</command>,
the value of counter <command>nn_i</command> is the
number of queries whose RTTs are between
<command>nn_(i-1)</command> (inclusive) and
<command>nn_i</command> (exclusive) milliseconds,
where <command>nn_0</command> is defined to be 0.
The last entry is written
<command>nn_m+</command> and is the
number of queries whose RTTs are equal to or greater than
<command>nn_m</command> milliseconds.
12857 <title>Socket I/O Statistics Counters</title>
Socket I/O statistics counters are defined per socket
type, which are
<command>UDP4</command> (UDP/IPv4),
<command>UDP6</command> (UDP/IPv6),
<command>TCP4</command> (TCP/IPv4),
<command>TCP6</command> (TCP/IPv6),
<command>Unix</command> (Unix Domain), and
<command>FDwatch</command> (sockets opened outside the
socket module).
In the following table <command><TYPE></command>
represents a socket type.
Not all counters are available for all socket types;
exceptions are noted in the description field.
12875 <informaltable colsep="0" rowsep="0">
12876 <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
12877 <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
12878 <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
12881 <entry colname="1">
12883 <emphasis>Symbol</emphasis>
12886 <entry colname="2">
12888 <emphasis>Description</emphasis>
12894 <entry colname="1">
12895 <para><command><TYPE>Open</command></para>
12897 <entry colname="2">
12899 Sockets opened successfully.
12900 This counter is not applicable to the
12901 <command>FDwatch</command> type.
12906 <entry colname="1">
12907 <para><command><TYPE>OpenFail</command></para>
12909 <entry colname="2">
12911 Failures of opening sockets.
12912 This counter is not applicable to the
12913 <command>FDwatch</command> type.
12918 <entry colname="1">
12919 <para><command><TYPE>Close</command></para>
<entry colname="2">
Sockets closed.
12928 <entry colname="1">
12929 <para><command><TYPE>BindFail</command></para>
12931 <entry colname="2">
12933 Failures of binding sockets.
12938 <entry colname="1">
12939 <para><command><TYPE>ConnFail</command></para>
12941 <entry colname="2">
12943 Failures of connecting sockets.
12948 <entry colname="1">
12949 <para><command><TYPE>Conn</command></para>
12951 <entry colname="2">
12953 Connections established successfully.
12958 <entry colname="1">
12959 <para><command><TYPE>AcceptFail</command></para>
12961 <entry colname="2">
12963 Failures of accepting incoming connection requests.
12964 This counter is not applicable to the
12965 <command>UDP</command> and
12966 <command>FDwatch</command> types.
12971 <entry colname="1">
12972 <para><command><TYPE>Accept</command></para>
12974 <entry colname="2">
12976 Incoming connections successfully accepted.
12977 This counter is not applicable to the
12978 <command>UDP</command> and
12979 <command>FDwatch</command> types.
12984 <entry colname="1">
12985 <para><command><TYPE>SendErr</command></para>
12987 <entry colname="2">
12989 Errors in socket send operations.
This counter corresponds
to the <command>SErr</command> counter of
<command>BIND</command> 8.
12997 <entry colname="1">
12998 <para><command><TYPE>RecvErr</command></para>
13000 <entry colname="2">
13002 Errors in socket receive operations.
This includes errors of send operations on a
connected UDP socket notified by an ICMP error
message.
13014 <title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title>
13016 Most statistics counters that were available
13017 in <command>BIND</command> 8 are also supported in
13018 <command>BIND</command> 9 as shown in the above tables.
Here are notes about other counters that do not appear
in these tables.
13025 <term><command>RFwdR,SFwdR</command></term>
13028 These counters are not supported
13029 because <command>BIND</command> 9 does not adopt
13030 the notion of <emphasis>forwarding</emphasis>
13031 as <command>BIND</command> 8 did.
13037 <term><command>RAXFR</command></term>
13040 This counter is accessible in the Incoming Queries section.
13046 <term><command>RIQ</command></term>
13049 This counter is accessible in the Incoming Requests section.
13055 <term><command>ROpts</command></term>
13058 This counter is not supported
13059 because <command>BIND</command> 9 does not care
13060 about IP options in the first place.
13070 <chapter id="Bv9ARM.ch07">
13071 <title><acronym>BIND</acronym> 9 Security Considerations</title>
13072 <sect1 id="Access_Control_Lists">
13073 <title>Access Control Lists</title>
13075 Access Control Lists (ACLs) are address match lists that
13076 you can set up and nickname for future use in <command>allow-notify</command>,
13077 <command>allow-query</command>, <command>allow-query-on</command>,
13078 <command>allow-recursion</command>, <command>allow-recursion-on</command>,
<command>blackhole</command>, <command>allow-transfer</command>,
etc.
13083 Using ACLs allows you to have finer control over who can access
13084 your name server, without cluttering up your config files with huge
13085 lists of IP addresses.
13088 It is a <emphasis>good idea</emphasis> to use ACLs, and to
13089 control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and denial of service (DoS) attacks against
your server.
13094 Here is an example of how to properly apply ACLs:
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
// Caveat: 1.0.0.0/8 and 2.0.0.0/8 were unallocated when this example
// was written but have since been allocated (APNIC 2010, RIPE NCC 2009);
// check any such "bogon" list against current IANA allocations before
// deploying it, and do not blackhole RFC1918 space if your own clients
// (our-nets below) live there.
acl bogusnets {
        0.0.0.0/8;  1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  ...
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  ...
  blackhole { bogusnets; };
  ...
};

zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
With this configuration, anyone may query the server for the
<command>example.com</command> zone, because the zone-level
<command>allow-query</command> overrides the global one for that zone,
while queries for other names and recursive service are available only
to <command>our-nets</command>, and packets from <command>bogusnets</command>
are dropped without a response. The zone-level
<command>allow-query { any; }</command> does not grant recursion to
outside clients; that remains governed by <command>allow-recursion</command>.
13129 For more information on how to use ACLs to protect your server,
13130 see the <emphasis>AUSCERT</emphasis> advisory at:
13133 <ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
13134 >ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink>
13138 <title><command>Chroot</command> and <command>Setuid</command></title>
13140 On UNIX servers, it is possible to run <acronym>BIND</acronym>
13141 in a <emphasis>chrooted</emphasis> environment (using
13142 the <command>chroot()</command> function) by specifying
13143 the "<option>-t</option>" option for <command>named</command>.
13144 This can help improve system security by placing
13145 <acronym>BIND</acronym> in a "sandbox", which will limit
13146 the damage done if a server is compromised.
13149 Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
13150 ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
13151 We suggest running as an unprivileged user when using the <command>chroot</command> feature.
13154 Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot</command> sandbox,
<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
user 202:
13159 <userinput>/usr/local/sbin/named -u 202 -t /var/named</userinput>
13163 <title>The <command>chroot</command> Environment</title>
In order for a <command>chroot</command> environment
to work properly in a particular directory
(for example, <filename>/var/named</filename>),
you will need to set up an environment that includes everything
<acronym>BIND</acronym> needs to run.
From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
the root of the filesystem. You will need to adjust the values of
options like <command>directory</command> and <command>pid-file</command> to account
for this.
13179 Unlike with earlier versions of BIND, you typically will
13180 <emphasis>not</emphasis> need to compile <command>named</command>
13181 statically nor install shared libraries under the new root.
13182 However, depending on your operating system, you may need
13183 to set up things like
13184 <filename>/dev/zero</filename>,
13185 <filename>/dev/random</filename>,
13186 <filename>/dev/log</filename>, and
13187 <filename>/etc/localtime</filename>.
13192 <title>Using the <command>setuid</command> Function</title>
Prior to running the <command>named</command> daemon,
use the <command>touch</command> utility (to change file
access and modification times) or the <command>chown</command>
utility (to set the user id and/or group id) on files
to which you want <acronym>BIND</acronym> to write.
13206 Note that if the <command>named</command> daemon is running as an
13207 unprivileged user, it will not be able to bind to new restricted
13208 ports if the server is reloaded.
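<para>
The following is an added example and not code from the ARM or from the
BIND distribution: a Python script that lays out a chroot tree of the kind
described in the two subsections above and changes ownership of the
directories an unprivileged <command>named</command> must write to, so it
can be started with <option>-u</option> and <option>-t</option> afterwards.
It assumes Linux character-device numbers for /dev/null, /dev/zero and
/dev/random, the in-chroot layout /etc, /var/run and /var/named, and an
account called <command>named</command>; all of these are the example's
own choices. Run it as root to create the device nodes and change
ownership; an unprivileged run only builds the directory skeleton.
</para>

```python
"""Lay out a chroot tree for named and fix ownership for its unprivileged user.

Added example, not code from the BIND ARM or from named. Assumptions: Linux
character-device numbers (null 1,3; zero 1,5; random 1,8) and a conventional
in-chroot layout (/etc, /var/run, /var/named). Run as root to create device
nodes and change ownership; an unprivileged run only builds the skeleton.
"""
import os
import pwd
import shutil
import stat

# Directories named expects under its new root, and whether the -u user must
# be able to write there (pid-file, journals, slave zones, dump files).
CHROOT_LAYOUT = (("dev", False), ("etc", False), ("var/run", True), ("var/named", True))

# Linux character devices named needs inside the sandbox: mode, major, minor.
CHROOT_DEVICES = {"dev/null": (0o666, 1, 3), "dev/zero": (0o666, 1, 5),
                  "dev/random": (0o644, 1, 8)}


def build_tree(root):
    """Create the directory skeleton and copy the host's /etc/localtime.
    Returns the relative paths created, so the result can be checked."""
    created = []
    for rel, _writable in CHROOT_LAYOUT:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            os.makedirs(path, 0o755)
            created.append(rel)
    # named reads /etc/localtime relative to the new root for log timestamps.
    if os.path.isfile("/etc/localtime"):
        shutil.copyfile("/etc/localtime", os.path.join(root, "etc", "localtime"))
        created.append("etc/localtime")
    return created


def make_devices(root):
    """Create the device nodes; returns [] (and does nothing) when not root."""
    if os.geteuid() != 0:
        return []
    made = []
    for rel, (mode, major, minor) in CHROOT_DEVICES.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            os.mknod(path, mode | stat.S_IFCHR, os.makedev(major, minor))
            made.append(rel)
    return made


def writable_dirs(root):
    """Directories the -u user must own to keep writing after dropping root."""
    return [os.path.join(root, rel) for rel, writable in CHROOT_LAYOUT if writable]


def chown_writable(root, user):
    """chown the writable directories to `user`; returns its uid, or None if not root."""
    if os.geteuid() != 0:
        return None
    pw = pwd.getpwnam(user)
    for path in writable_dirs(root):
        os.chown(path, pw.pw_uid, pw.pw_gid)
    return pw.pw_uid


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/named"
    user = sys.argv[2] if len(sys.argv) > 2 else "named"   # assumed account name
    print("created:", build_tree(root))
    print("devices:", make_devices(root))
    print("chowned to uid:", chown_writable(root, user))
    print(f"start with: /usr/local/sbin/named -u {user} -t {root}")
```

<para>
/dev/log is deliberately not created here: it is a socket, not a device
node, and the syslog daemon running outside the chroot has to be configured
to create it inside <filename>/var/named/dev</filename> if
<command>named</command> is to log via syslog. Paths in
<filename>named.conf</filename> (<command>directory</command>,
<command>pid-file</command>, zone files) must then be written relative to
the new root.
</para>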
13213 <sect1 id="dynamic_update_security">
13214 <title>Dynamic Update Security</title>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<acronym>BIND</acronym>, the only way to do this was based on the IP
address of the host requesting the update, by listing an IP address or
network prefix in the <command>allow-update</command> zone option.
This method is insecure since the source address of the update UDP packet
is easily forged. Also note that if the IP addresses allowed by the
<command>allow-update</command> option include the address of a slave
server which performs forwarding of dynamic updates, the master can be
trivially attacked by sending the update to the slave, which will
forward it to the master with its own source IP address, causing the
master to approve it without question.
13238 For these reasons, we strongly recommend that updates be
13239 cryptographically authenticated by means of transaction signatures
13240 (TSIG). That is, the <command>allow-update</command>
option should list only TSIG key names, not IP addresses or network
13243 prefixes. Alternatively, the new <command>update-policy</command>
13244 option can be used.
13248 Some sites choose to keep all dynamically-updated DNS data
13249 in a subdomain and delegate that subdomain to a separate zone. This
13250 way, the top-level zone containing critical data such as the IP
addresses of public web and mail servers need not allow dynamic update at
all.
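<para>
The following is an added example and not code from BIND or from ISC: a
small Python audit of <filename>named.conf</filename> address match lists
that checks for the mistakes discussed in this chapter. For the ACL
example in the Access Control Lists section it reports placeholder or
malformed entries, <command>blackhole</command> prefixes that overlap the
networks in <command>allow-query</command> or
<command>allow-recursion</command> (which would silently cut off your own
clients), and bogon prefixes that have since been allocated; for the
dynamic update section it flags every zone whose
<command>allow-update</command> list trusts source addresses or
<command>any</command> rather than TSIG key names. The sample configuration
is constructed for this example (the chapter's ACL example with the
<command>x.x.x.x</command> placeholders replaced by documentation prefixes,
plus two dynamically updated zones); the parser understands only the flat
<command>{ a; b; }</command> lists used here, with comments already
stripped, and <command>named-checkconf</command> remains the authority on
syntax.
</para>

```python
"""Audit named.conf address match lists for the problems this chapter warns
about: blackhole/ACL lists that drop clients you meant to serve (or prefixes
that are no longer bogus), and allow-update lists that trust source addresses
instead of TSIG keys. Added example, not code from BIND or ISC; strip comments
before feeding it a real file, and treat named-checkconf as the authority."""
import ipaddress
import re

# Prefixes the chapter's "bogusnets" example treats as unallocated that have
# since been assigned to RIRs (1/8 to APNIC in 2010, 2/8 to RIPE NCC in 2009).
SINCE_ALLOCATED = [ipaddress.ip_network(p) for p in ("1.0.0.0/8", "2.0.0.0/8")]
BUILTINS = {"any", "none", "localhost", "localnets"}
LIST_RE = re.compile(r"(allow-update|blackhole|allow-query|allow-recursion)\s*\{([^}]*)\}")

# Constructed fragment: the chapter's ACL example with placeholders filled in.
SAMPLE_CONF = """\
acl bogusnets {
    0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
    10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
acl our-nets { 203.0.113.0/24; 10.20.0.0/21; };
options {
    allow-query { our-nets; };
    allow-recursion { our-nets; };
    blackhole { bogusnets; };
};
zone "example.com" {
    allow-query { any; };
    allow-update { 10.20.0.5; };
};
zone "dyn.example.com" {
    allow-update { key "ddns-key"; };
};
"""

def top_level_blocks(conf):
    """Yield (header, body) per top-level "header { body };", tracking depth."""
    depth, stmt_start = 0, 0
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                header, body_start = conf[stmt_start:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, conf[body_start:i]
        elif ch == ";" and depth == 0:
            stmt_start = i + 1

def split_entries(body):
    return [e.strip() for e in body.split(";") if e.strip()]

def expand(entries, acls, invalid):
    """Resolve entries to ip_networks, following acl names; skip keys/built-ins,
    and collect entries that are not addresses or prefixes in `invalid`."""
    nets = []
    for e in entries:
        e = e.lstrip("!").strip().strip('"')
        if e in acls:
            nets.extend(expand(acls[e], acls, invalid))
        elif e not in BUILTINS and not e.startswith("key "):
            try:
                nets.append(ipaddress.ip_network(e, strict=False))
            except ValueError:
                invalid.append(e)
    return nets

def audit(conf):
    """Return human-readable findings for a named.conf text."""
    acls, zones, options, findings = {}, [], {}, []
    for header, body in top_level_blocks(conf):
        kind, _, name = header.partition(" ")
        lists = {o: split_entries(v) for o, v in LIST_RE.findall(body)}
        if kind == "acl":
            acls[name.strip()] = split_entries(body)
        elif kind == "options":
            options = lists
        elif kind == "zone":
            zones.append((name.strip().strip('"'), lists))
    # 1. Every acl entry must be an address, prefix, key or known acl name.
    for name, entries in acls.items():
        bad = []
        expand(entries, acls, bad)
        findings += [f"acl {name}: '{e}' is not a valid address or prefix" for e in bad]
    # 2. blackhole must not cover clients you also allow, nor ex-bogus space.
    blackholed = expand(options.get("blackhole", []), acls, [])
    allowed = dict.fromkeys(expand(options.get("allow-query", []) + options.get("allow-recursion", []), acls, []))
    for b in blackholed:
        findings += [f"blackhole {b} overlaps allowed {a}: those clients get no answer"
                     for a in allowed if b.overlaps(a)]
        findings += [f"blackhole {b} covers {x}, which has been allocated since"
                     for x in SINCE_ALLOCATED if b.overlaps(x)]
    # 3. Dynamic updates must be gated by TSIG key names, not source addresses.
    for zone, lists in zones:
        for e in lists.get("allow-update", []):
            if e.strip('"') == "any":
                findings.append(f"zone {zone}: allow-update {{ any; }} lets anyone rewrite the zone")
            elif not e.startswith("key "):
                findings.append(f"zone {zone}: allow-update trusts '{e}' by source address, "
                                "which is trivially forged; use a TSIG key name")
    return findings
```

<para>
Calling <command>audit(SAMPLE_CONF)</command> yields four findings: the two
prefixes that are no longer bogus, the RFC1918 overlap between
<command>bogusnets</command> and <command>our-nets</command> (10.20.0.0/21
would be blackholed before <command>allow-query</command> is ever
consulted), and the address-based <command>allow-update</command> on
<command>example.com</command>; the key-based
<command>dyn.example.com</command> zone passes.
</para>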
13259 <chapter id="Bv9ARM.ch08">
13260 <title>Troubleshooting</title>
13262 <title>Common Problems</title>
13264 <title>It's not working; how can I figure out what's wrong?</title>
The best way to solve installation and
configuration issues is to take preventative measures by setting
13269 up logging files beforehand. The log files provide a
13270 source of hints and information that can be used to figure out
13271 what went wrong and how to fix the problem.
13277 <title>Incrementing and Changing the Serial Number</title>
13280 Zone serial numbers are just numbers — they aren't
13281 date related. A lot of people set them to a number that
13282 represents a date, usually of the form YYYYMMDDRR.
13283 Occasionally they will make a mistake and set them to a
13284 "date in the future" then try to correct them by setting
13285 them to the "current date". This causes problems because
13286 serial numbers are used to indicate that a zone has been
13287 updated. If the serial number on the slave server is
13288 lower than the serial number on the master, the slave
13289 server will attempt to update its copy of the zone.
13293 Setting the serial number to a lower number on the master
13294 server than the slave server means that the slave will not perform
13295 updates to its copy of the zone.
13299 The solution to this is to add 2147483647 (2^31-1) to the
13300 number, reload the zone and make sure all slaves have updated to
13301 the new zone serial number, then reset the number to what you want
13302 it to be, and reload the zone again.
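<para>
As an added example, not code from BIND, the following Python shows the
RFC 1982 serial comparison that a slave applies to the master's serial
(which is why a numerically lower "corrected" serial is ignored) and
checks the recipe above step by step: add 2^31-1, wait until every slave
has transferred, then publish the serial you actually want. The function
names and the sample serials (a year-2100 typo rolled back to a 2010
YYYYMMDDRR value) are the example's own.
</para>

```python
"""RFC 1982 serial arithmetic and the ARM's two-step serial rollback.

Added example, not code from BIND. serial_gt() is the comparison a slave
applies to a master's SOA serial; rollback_plan() checks the recipe above
(add 2^31-1, let every slave transfer, then set the serial you want) and
refuses plans in which some step would not look like an increase.
"""
SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # serials wrap at 2^32
HALF = 1 << (SERIAL_BITS - 1)   # 2^31: distances of exactly this are undefined


def serial_gt(s1, s2):
    """True if s1 is greater than s2 in RFC 1982 sequence space, i.e. a slave
    holding serial s2 will transfer a zone whose master serial is s1."""
    s1, s2 = s1 % MOD, s2 % MOD
    return (s1 < s2 and s2 - s1 > HALF) or (s1 > s2 and s1 - s2 < HALF)


def rollback_plan(current, desired):
    """Return the serials to publish, in order, to move slaves from `current`
    to `desired` so that each step is seen as an increase.

    Raises ValueError when the recipe cannot work, e.g. when `desired` is
    exactly current - 1: the intermediate value is then precisely 2^31 away
    from `desired`, a comparison RFC 1982 leaves undefined.
    """
    if serial_gt(desired, current):
        return [desired]                       # ordinary increase
    step = (current + HALF - 1) % MOD          # the ARM's "add 2147483647"
    plan = [step, desired]
    for prev, nxt in zip([current] + plan, plan):
        if not serial_gt(nxt, prev):
            raise ValueError(f"step {prev} -> {nxt} would not be seen as an increase")
    return plan


if __name__ == "__main__":
    # Constructed case: a "future date" typo (year 2100) rolled back to a 2010 value.
    mistake, wanted = 2100022501, 2010022501
    print("slave would transfer directly?", serial_gt(wanted, mistake))
    for serial in rollback_plan(mistake, wanted):
        print("publish serial", serial, "and wait for all slaves to transfer")
```

<para>
The intermediate serial is simply <command>current + 2147483647</command>
reduced modulo 2^32; because that distance is just under 2^31 every slave
treats it as an increase, and the desired serial is then more than 2^31
"behind" it, which RFC 1982 likewise treats as an increase.
</para>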
13307 <title>Where Can I Get Help?</title>
13310 The Internet Systems Consortium
13311 (<acronym>ISC</acronym>) offers a wide range
13312 of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
13313 levels of premium support are available and each level includes
13314 support for all <acronym>ISC</acronym> programs,
13315 significant discounts on products
13316 and training, and a recognized priority on bug fixes and
13317 non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
13318 support agreement package which includes services ranging from bug
13319 fix announcements to remote support. It also includes training in
13320 <acronym>BIND</acronym> and <acronym>DHCP</acronym>.
13324 To discuss arrangements for support, contact
13325 <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
13326 <acronym>ISC</acronym> web page at
13327 <ulink url="http://www.isc.org/services/support/"
13328 >http://www.isc.org/services/support/</ulink>
13333 <appendix id="Bv9ARM.ch09">
13334 <title>Appendices</title>
13336 <title>Acknowledgments</title>
13337 <sect2 id="historical_dns_information">
13338 <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
13341 Although the "official" beginning of the Domain Name
13342 System occurred in 1984 with the publication of RFC 920, the
13343 core of the new system was described in 1983 in RFCs 882 and
13344 883. From 1984 to 1987, the ARPAnet (the precursor to today's
13345 Internet) became a testbed of experimentation for developing the
13346 new naming/addressing scheme in a rapidly expanding,
13347 operational network environment. New RFCs were written and
13348 published in 1987 that modified the original documents to
13349 incorporate improvements based on the working model. RFC 1034,
13350 "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
13351 Names-Implementation and Specification" were published and
became the standards upon which all <acronym>DNS</acronym> implementations are
based.
13357 The first working domain name server, called "Jeeves", was
written in 1983-84 by Paul Mockapetris for operation on DEC
Tops-20 machines located at the University of Southern California's
Information Sciences Institute (USC-ISI) and SRI International's Network
Information Center (SRI-NIC). A <acronym>DNS</acronym> server for
13365 Unix machines, the Berkeley Internet
13366 Name Domain (<acronym>BIND</acronym>) package, was
13367 written soon after by a group of
graduate students at the University of California at Berkeley under
a grant from the US Defense Advanced Research Projects Agency (DARPA).
13375 Versions of <acronym>BIND</acronym> through
13376 4.8.3 were maintained by the Computer
13377 Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
13378 Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
13379 project team. After that, additional work on the software package
13380 was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment
13382 employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
13383 to 1987. Many other people also contributed to <acronym>BIND</acronym> development
during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
13387 handled by Mike Karels and Øivind Kure.
13390 <acronym>BIND</acronym> versions 4.9 and 4.9.1 were
13391 released by Digital Equipment
13392 Corporation (now Compaq Computer Corporation). Paul Vixie, then
13393 a DEC employee, became <acronym>BIND</acronym>'s
13394 primary caretaker. He was assisted
by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
13398 Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
13399 Wolfhugel, and others.
13402 In 1994, <acronym>BIND</acronym> version 4.9.2 was sponsored by
13403 Vixie Enterprises. Paul
13404 Vixie became <acronym>BIND</acronym>'s principal
13405 architect/programmer.
13408 <acronym>BIND</acronym> versions from 4.9.3 onward
13409 have been developed and maintained
13410 by the Internet Systems Consortium and its predecessor,
the Internet Software Consortium, with support being provided
by <acronym>ISC</acronym>'s sponsors.
13415 As co-architects/programmers, Bob Halley and
13416 Paul Vixie released the first production-ready version of
13417 <acronym>BIND</acronym> version 8 in May 1997.
13420 BIND version 9 was released in September 2000 and is a
major rewrite of nearly all aspects of the underlying
<acronym>BIND</acronym> architecture.
13425 BIND versions 4 and 8 are officially deprecated.
13426 No additional development is done
13427 on BIND version 4 or BIND version 8.
13430 <acronym>BIND</acronym> development work is made
13431 possible today by the sponsorship
13432 of several corporations, and by the tireless work efforts of
13433 numerous individuals.
13438 <title>General <acronym>DNS</acronym> Reference Information</title>
13439 <sect2 id="ipv6addresses">
13440 <title>IPv6 addresses (AAAA)</title>
13442 IPv6 addresses are 128-bit identifiers for interfaces and
13443 sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
13444 scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
13445 an identifier for a single interface;
<emphasis>Anycast</emphasis>,
an identifier for a set of interfaces where a packet is delivered to one
(typically the nearest) member of the set; and <emphasis>Multicast</emphasis>,
an identifier for a set of interfaces where a packet is delivered to all
members of the set. Here we describe the global
13449 Unicast address scheme. For more information, see RFC 3587,
13450 "Global Unicast Address Format."
13453 IPv6 unicast addresses consist of a
13454 <emphasis>global routing prefix</emphasis>, a
13455 <emphasis>subnet identifier</emphasis>, and an
13456 <emphasis>interface identifier</emphasis>.
13459 The global routing prefix is provided by the
13460 upstream provider or ISP, and (roughly) corresponds to the
13461 IPv4 <emphasis>network</emphasis> section
13462 of the address range.
13464 The subnet identifier is for local subnetting, much the
13465 same as subnetting an
13466 IPv4 /16 network into /24 subnets.
13468 The interface identifier is the address of an individual
13469 interface on a given network; in IPv6, addresses belong to
13470 interfaces rather than to machines.
The subnetting capability of IPv6 is much more flexible than
that of IPv4: subnetting can be carried out on arbitrary bit boundaries,
in much the same way as Classless InterDomain Routing
(CIDR), and the DNS PTR representation ("nibble" format, one
label per 4-bit hex digit under ip6.arpa) makes setting up
reverse zones easier, since any prefix ending on a 4-bit boundary
maps directly onto a zone cut.
The interface identifier must be unique on the local link.
It is normally generated automatically by the IPv6
implementation, but the default can usually be overridden
if necessary. A typical IPv6 address might look like:
<command>2001:db8:201:9:a00:20ff:fe81:2b32</command>
(The prefix 2001:db8::/32 is reserved for documentation by
RFC 3849, so addresses under it do not belong to any real
network and should not be copied into production configurations.)
IPv6 address specifications often contain long strings
of zeros, so the architects have included a shorthand for
them. The double colon ("::") stands for the longest possible
string of all-zero 16-bit groups that can fit, and can be used
only once in an address: if it appeared twice, the number of
groups each occurrence replaces would be ambiguous.
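The address layout, the "::" shorthand and the nibble-format reverse name described above, worked through in Python as an added example; this is not code from the BIND ARM or from the BIND project. It assumes the common layout of a /48 from the provider, 16 bits of local subnetting and a 64-bit interface identifier, uses only Python's standard ipaddress module to expand and validate addresses, and applies the "::" rule by hand so that the single longest zero run is chosen (leftmost on a tie, and runs of one group are left alone, as RFC 5952 recommends). The sample address is the documentation address quoted in the text.

```python
import ipaddress

# Sample address (constructed for this example): the documentation address
# quoted in the text above, under the RFC 3849 documentation prefix 2001:db8::/32.
SAMPLE = "2001:db8:201:9:a00:20ff:fe81:2b32"


def is_valid(addr: str) -> bool:
    """True if addr parses as an IPv6 address; e.g. a second '::' is rejected."""
    try:
        ipaddress.IPv6Address(addr)
        return True
    except ipaddress.AddressValueError:
        return False


def expand(addr: str) -> str:
    """Return the full form: eight 4-digit hex groups with any '::' expanded."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Apply the '::' shorthand by hand, following the rule in the text.

    The single longest run of all-zero 16-bit groups becomes '::'. Ties go to
    the leftmost run and a lone zero group is left alone (as in RFC 5952),
    so '::' appears at most once.
    """
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexg = [format(g, "x") for g in groups]  # leading zeros dropped per group
    if best_len < 2:
        return ":".join(hexg)
    left = ":".join(hexg[:best_start])
    right = ":".join(hexg[best_start + best_len:])
    return f"{left}::{right}"


def split_address(addr: str, prefix_len: int = 48, subnet_bits: int = 16):
    """Split into (global routing prefix, subnet id, interface id), as ints.

    Assumed layout: /48 from the provider, 16 bits of subnetting, 64-bit IID.
    """
    n = int(ipaddress.IPv6Address(addr))
    iid_bits = 128 - prefix_len - subnet_bits
    prefix = n >> (128 - prefix_len)
    subnet = (n >> iid_bits) & ((1 << subnet_bits) - 1)
    iid = n & ((1 << iid_bits) - 1)
    return prefix, subnet, iid


def reverse_name(addr: str) -> str:
    """ip6.arpa owner name in nibble format: 32 hex digits, reversed, one per label."""
    nibbles = expand(addr).replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """Name of the reverse zone for a prefix whose length is a multiple of 4.

    ipaddress is strict here: a prefix with host bits set raises ValueError
    rather than being silently masked.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zone cut must be on a 4-bit boundary: %s" % prefix)
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_record(addr: str, hostname: str) -> str:
    """Zone-file line for the PTR record of addr (hostname given as an absolute name)."""
    return f"{reverse_name(addr)} IN PTR {hostname}"


if __name__ == "__main__":
    print(expand(SAMPLE))
    print(compress("2001:0db8:0000:0000:0000:0000:0000:0001"))
    print(split_address(SAMPLE))
    print(reverse_zone("2001:db8:201::/48"))
    print(ptr_record(SAMPLE, "host.example.com."))
```

The reverse name of the sample address ends with the zone name returned for 2001:db8:201::/48, which is exactly why a /48 (or any prefix on a 4-bit boundary) can be delegated as one ip6.arpa zone; a /45, by contrast, needs several zones or RFC 2317-style tricks, and reverse_zone refuses it.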
13497 <sect1 id="bibliography">
13498 <title>Bibliography (and Suggested Reading)</title>
13500 <title>Request for Comments (RFCs)</title>
13502 Specification documents for the Internet protocol suite, including
13503 the <acronym>DNS</acronym>, are published as part of
13504 the Request for Comments (RFCs)
13505 series of technical notes. The standards themselves are defined
13506 by the Internet Engineering Task Force (IETF) and the Internet
13507 Engineering Steering Group (IESG). RFCs can be obtained online via FTP at:
13510 <ulink url="ftp://www.isi.edu/in-notes/">
13511 ftp://www.isi.edu/in-notes/RFC<replaceable>xxxx</replaceable>.txt
13515 (where <replaceable>xxxx</replaceable> is
13516 the number of the RFC). RFCs are also available via the Web at:
<ulink url="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</ulink>.
13524 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
13525 <title>Standards</title>
13527 <abbrev>RFC974</abbrev>
13529 <surname>Partridge</surname>
13530 <firstname>C.</firstname>
13532 <title>Mail Routing and the Domain System</title>
13533 <pubdate>January 1986</pubdate>
13536 <abbrev>RFC1034</abbrev>
13538 <surname>Mockapetris</surname>
13539 <firstname>P.V.</firstname>
13541 <title>Domain Names — Concepts and Facilities</title>
13542 <pubdate>November 1987</pubdate>
13545 <abbrev>RFC1035</abbrev>
13547 <surname>Mockapetris</surname>
13548 <firstname>P. V.</firstname>
13549 </author> <title>Domain Names — Implementation and
13550 Specification</title>
13551 <pubdate>November 1987</pubdate>
13554 <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
13556 <title>Proposed Standards</title>
13557 <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
13559 <abbrev>RFC2181</abbrev>
<surname>Elz</surname>
<firstname>R.</firstname>
<firstname>R.</firstname>
<surname>Bush</surname>
13564 <title>Clarifications to the <acronym>DNS</acronym>
13565 Specification</title>
13566 <pubdate>July 1997</pubdate>
13569 <abbrev>RFC2308</abbrev>
13571 <surname>Andrews</surname>
13572 <firstname>M.</firstname>
13574 <title>Negative Caching of <acronym>DNS</acronym>
13576 <pubdate>March 1998</pubdate>
13579 <abbrev>RFC1995</abbrev>
13581 <surname>Ohta</surname>
13582 <firstname>M.</firstname>
13584 <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
13585 <pubdate>August 1996</pubdate>
13588 <abbrev>RFC1996</abbrev>
13590 <surname>Vixie</surname>
13591 <firstname>P.</firstname>
13593 <title>A Mechanism for Prompt Notification of Zone Changes</title>
13594 <pubdate>August 1996</pubdate>
13597 <abbrev>RFC2136</abbrev>
13600 <surname>Vixie</surname>
13601 <firstname>P.</firstname>
13604 <firstname>S.</firstname>
13605 <surname>Thomson</surname>
13608 <firstname>Y.</firstname>
13609 <surname>Rekhter</surname>
13612 <firstname>J.</firstname>
13613 <surname>Bound</surname>
13616 <title>Dynamic Updates in the Domain Name System</title>
13617 <pubdate>April 1997</pubdate>
13620 <abbrev>RFC2671</abbrev>
13623 <firstname>P.</firstname>
13624 <surname>Vixie</surname>
13627 <title>Extension Mechanisms for DNS (EDNS0)</title>
<pubdate>August 1999</pubdate>
13631 <abbrev>RFC2672</abbrev>
13634 <firstname>M.</firstname>
13635 <surname>Crawford</surname>
13638 <title>Non-Terminal DNS Name Redirection</title>
13639 <pubdate>August 1999</pubdate>
13642 <abbrev>RFC2845</abbrev>
13645 <surname>Vixie</surname>
13646 <firstname>P.</firstname>
13649 <firstname>O.</firstname>
13650 <surname>Gudmundsson</surname>
13653 <firstname>D.</firstname>
13654 <surname>Eastlake</surname>
13655 <lineage>3rd</lineage>
13658 <firstname>B.</firstname>
13659 <surname>Wellington</surname>
13662 <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
13663 <pubdate>May 2000</pubdate>
13666 <abbrev>RFC2930</abbrev>
13669 <firstname>D.</firstname>
13670 <surname>Eastlake</surname>
13671 <lineage>3rd</lineage>
13674 <title>Secret Key Establishment for DNS (TKEY RR)</title>
13675 <pubdate>September 2000</pubdate>
13678 <abbrev>RFC2931</abbrev>
13681 <firstname>D.</firstname>
13682 <surname>Eastlake</surname>
13683 <lineage>3rd</lineage>
13686 <title>DNS Request and Transaction Signatures (SIG(0)s)</title>
13687 <pubdate>September 2000</pubdate>
13690 <abbrev>RFC3007</abbrev>
13693 <firstname>B.</firstname>
13694 <surname>Wellington</surname>
13697 <title>Secure Domain Name System (DNS) Dynamic Update</title>
13698 <pubdate>November 2000</pubdate>
13701 <abbrev>RFC3645</abbrev>
13704 <firstname>S.</firstname>
13705 <surname>Kwan</surname>
13708 <firstname>P.</firstname>
13709 <surname>Garg</surname>
13712 <firstname>J.</firstname>
13713 <surname>Gilroy</surname>
13716 <firstname>L.</firstname>
13717 <surname>Esibov</surname>
13720 <firstname>J.</firstname>
13721 <surname>Westhead</surname>
13724 <firstname>R.</firstname>
13725 <surname>Hall</surname>
13728 <title>Generic Security Service Algorithm for Secret
13729 Key Transaction Authentication for DNS
13731 <pubdate>October 2003</pubdate>
13735 <title><acronym>DNS</acronym> Security Proposed Standards</title>
13737 <abbrev>RFC3225</abbrev>
13740 <firstname>D.</firstname>
13741 <surname>Conrad</surname>
13744 <title>Indicating Resolver Support of DNSSEC</title>
13745 <pubdate>December 2001</pubdate>
13748 <abbrev>RFC3833</abbrev>
13751 <firstname>D.</firstname>
13752 <surname>Atkins</surname>
13755 <firstname>R.</firstname>
13756 <surname>Austein</surname>
13759 <title>Threat Analysis of the Domain Name System (DNS)</title>
13760 <pubdate>August 2004</pubdate>
13763 <abbrev>RFC4033</abbrev>
13766 <firstname>R.</firstname>
13767 <surname>Arends</surname>
13770 <firstname>R.</firstname>
13771 <surname>Austein</surname>
13774 <firstname>M.</firstname>
13775 <surname>Larson</surname>
13778 <firstname>D.</firstname>
13779 <surname>Massey</surname>
13782 <firstname>S.</firstname>
13783 <surname>Rose</surname>
13786 <title>DNS Security Introduction and Requirements</title>
13787 <pubdate>March 2005</pubdate>
13790 <abbrev>RFC4034</abbrev>
13793 <firstname>R.</firstname>
13794 <surname>Arends</surname>
13797 <firstname>R.</firstname>
13798 <surname>Austein</surname>
13801 <firstname>M.</firstname>
13802 <surname>Larson</surname>
13805 <firstname>D.</firstname>
13806 <surname>Massey</surname>
13809 <firstname>S.</firstname>
13810 <surname>Rose</surname>
13813 <title>Resource Records for the DNS Security Extensions</title>
13814 <pubdate>March 2005</pubdate>
13817 <abbrev>RFC4035</abbrev>
13820 <firstname>R.</firstname>
13821 <surname>Arends</surname>
13824 <firstname>R.</firstname>
13825 <surname>Austein</surname>
13828 <firstname>M.</firstname>
13829 <surname>Larson</surname>
13832 <firstname>D.</firstname>
13833 <surname>Massey</surname>
13836 <firstname>S.</firstname>
13837 <surname>Rose</surname>
13840 <title>Protocol Modifications for the DNS
13841 Security Extensions</title>
13842 <pubdate>March 2005</pubdate>
13846 <title>Other Important RFCs About <acronym>DNS</acronym>
13847 Implementation</title>
13849 <abbrev>RFC1535</abbrev>
13851 <surname>Gavron</surname>
13852 <firstname>E.</firstname>
13854 <title>A Security Problem and Proposed Correction With Widely
13855 Deployed <acronym>DNS</acronym> Software.</title>
13856 <pubdate>October 1993</pubdate>
13859 <abbrev>RFC1536</abbrev>
13862 <surname>Kumar</surname>
13863 <firstname>A.</firstname>
13866 <firstname>J.</firstname>
13867 <surname>Postel</surname>
13870 <firstname>C.</firstname>
13871 <surname>Neuman</surname>
13874 <firstname>P.</firstname>
13875 <surname>Danzig</surname>
13878 <firstname>S.</firstname>
13879 <surname>Miller</surname>
13882 <title>Common <acronym>DNS</acronym> Implementation
13883 Errors and Suggested Fixes</title>
13884 <pubdate>October 1993</pubdate>
13887 <abbrev>RFC1982</abbrev>
13890 <surname>Elz</surname>
13891 <firstname>R.</firstname>
13894 <firstname>R.</firstname>
13895 <surname>Bush</surname>
13898 <title>Serial Number Arithmetic</title>
13899 <pubdate>August 1996</pubdate>
13902 <abbrev>RFC4074</abbrev>
13905 <surname>Morishita</surname>
13906 <firstname>Y.</firstname>
13909 <firstname>T.</firstname>
13910 <surname>Jinmei</surname>
13913 <title>Common Misbehaviour Against <acronym>DNS</acronym>
13914 Queries for IPv6 Addresses</title>
13915 <pubdate>May 2005</pubdate>
13919 <title>Resource Record Types</title>
13921 <abbrev>RFC1183</abbrev>
13924 <surname>Everhart</surname>
13925 <firstname>C.F.</firstname>
13928 <firstname>L. A.</firstname>
13929 <surname>Mamakos</surname>
13932 <firstname>R.</firstname>
13933 <surname>Ullmann</surname>
13936 <firstname>P.</firstname>
13937 <surname>Mockapetris</surname>
13940 <title>New <acronym>DNS</acronym> RR Definitions</title>
13941 <pubdate>October 1990</pubdate>
13944 <abbrev>RFC1706</abbrev>
13947 <surname>Manning</surname>
13948 <firstname>B.</firstname>
13951 <firstname>R.</firstname>
13952 <surname>Colella</surname>
13955 <title><acronym>DNS</acronym> NSAP Resource Records</title>
13956 <pubdate>October 1994</pubdate>
13959 <abbrev>RFC2168</abbrev>
13962 <surname>Daniel</surname>
13963 <firstname>R.</firstname>
13966 <firstname>M.</firstname>
13967 <surname>Mealling</surname>
13970 <title>Resolution of Uniform Resource Identifiers using
13971 the Domain Name System</title>
13972 <pubdate>June 1997</pubdate>
13975 <abbrev>RFC1876</abbrev>
13978 <surname>Davis</surname>
13979 <firstname>C.</firstname>
13982 <firstname>P.</firstname>
13983 <surname>Vixie</surname>
13986 <firstname>T.</firstname>
<surname>Goodwin</surname>
13990 <firstname>I.</firstname>
13991 <surname>Dickinson</surname>
13994 <title>A Means for Expressing Location Information in the
13996 Name System</title>
13997 <pubdate>January 1996</pubdate>
14000 <abbrev>RFC2052</abbrev>
14003 <surname>Gulbrandsen</surname>
14004 <firstname>A.</firstname>
14007 <firstname>P.</firstname>
14008 <surname>Vixie</surname>
14011 <title>A <acronym>DNS</acronym> RR for Specifying the
14014 <pubdate>October 1996</pubdate>
14017 <abbrev>RFC2163</abbrev>
14019 <surname>Allocchio</surname>
14020 <firstname>A.</firstname>
14022 <title>Using the Internet <acronym>DNS</acronym> to
14024 Conformant Global Address Mapping</title>
14025 <pubdate>January 1998</pubdate>
14028 <abbrev>RFC2230</abbrev>
14030 <surname>Atkinson</surname>
14031 <firstname>R.</firstname>
14033 <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
14034 <pubdate>October 1997</pubdate>
14037 <abbrev>RFC2536</abbrev>
14039 <surname>Eastlake</surname>
14040 <firstname>D.</firstname>
14041 <lineage>3rd</lineage>
14043 <title>DSA KEYs and SIGs in the Domain Name System (DNS)</title>
14044 <pubdate>March 1999</pubdate>
14047 <abbrev>RFC2537</abbrev>
14049 <surname>Eastlake</surname>
14050 <firstname>D.</firstname>
14051 <lineage>3rd</lineage>
14053 <title>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</title>
14054 <pubdate>March 1999</pubdate>
14057 <abbrev>RFC2538</abbrev>
14060 <surname>Eastlake</surname>
14061 <firstname>D.</firstname>
14062 <lineage>3rd</lineage>
14065 <surname>Gudmundsson</surname>
14066 <firstname>O.</firstname>
14069 <title>Storing Certificates in the Domain Name System (DNS)</title>
14070 <pubdate>March 1999</pubdate>
14073 <abbrev>RFC2539</abbrev>
14076 <surname>Eastlake</surname>
14077 <firstname>D.</firstname>
14078 <lineage>3rd</lineage>
14081 <title>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</title>
14082 <pubdate>March 1999</pubdate>
14085 <abbrev>RFC2540</abbrev>
14088 <surname>Eastlake</surname>
14089 <firstname>D.</firstname>
14090 <lineage>3rd</lineage>
14093 <title>Detached Domain Name System (DNS) Information</title>
14094 <pubdate>March 1999</pubdate>
14097 <abbrev>RFC2782</abbrev>
14099 <surname>Gulbrandsen</surname>
14100 <firstname>A.</firstname>
14103 <surname>Vixie</surname>
14104 <firstname>P.</firstname>
14107 <surname>Esibov</surname>
14108 <firstname>L.</firstname>
14110 <title>A DNS RR for specifying the location of services (DNS SRV)</title>
14111 <pubdate>February 2000</pubdate>
14114 <abbrev>RFC2915</abbrev>
14116 <surname>Mealling</surname>
14117 <firstname>M.</firstname>
14120 <surname>Daniel</surname>
14121 <firstname>R.</firstname>
14123 <title>The Naming Authority Pointer (NAPTR) DNS Resource Record</title>
14124 <pubdate>September 2000</pubdate>
14127 <abbrev>RFC3110</abbrev>
14129 <surname>Eastlake</surname>
14130 <firstname>D.</firstname>
14131 <lineage>3rd</lineage>
14133 <title>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</title>
14134 <pubdate>May 2001</pubdate>
14137 <abbrev>RFC3123</abbrev>
14139 <surname>Koch</surname>
14140 <firstname>P.</firstname>
14142 <title>A DNS RR Type for Lists of Address Prefixes (APL RR)</title>
14143 <pubdate>June 2001</pubdate>
14146 <abbrev>RFC3596</abbrev>
14149 <surname>Thomson</surname>
14150 <firstname>S.</firstname>
14153 <firstname>C.</firstname>
14154 <surname>Huitema</surname>
14157 <firstname>V.</firstname>
14158 <surname>Ksinant</surname>
14161 <firstname>M.</firstname>
14162 <surname>Souissi</surname>
14165 <title><acronym>DNS</acronym> Extensions to support IP
14167 <pubdate>October 2003</pubdate>
14170 <abbrev>RFC3597</abbrev>
14172 <surname>Gustafsson</surname>
14173 <firstname>A.</firstname>
14175 <title>Handling of Unknown DNS Resource Record (RR) Types</title>
14176 <pubdate>September 2003</pubdate>
14180 <title><acronym>DNS</acronym> and the Internet</title>
14182 <abbrev>RFC1101</abbrev>
14184 <surname>Mockapetris</surname>
14185 <firstname>P. V.</firstname>
14187 <title><acronym>DNS</acronym> Encoding of Network Names
14188 and Other Types</title>
14189 <pubdate>April 1989</pubdate>
14192 <abbrev>RFC1123</abbrev>
14194 <surname>Braden</surname>
<firstname>R.</firstname>
14197 <title>Requirements for Internet Hosts - Application and
14199 <pubdate>October 1989</pubdate>
14202 <abbrev>RFC1591</abbrev>
14204 <surname>Postel</surname>
14205 <firstname>J.</firstname>
14207 <title>Domain Name System Structure and Delegation</title>
14208 <pubdate>March 1994</pubdate>
14211 <abbrev>RFC2317</abbrev>
14214 <surname>Eidnes</surname>
14215 <firstname>H.</firstname>
14218 <firstname>G.</firstname>
14219 <surname>de Groot</surname>
14222 <firstname>P.</firstname>
14223 <surname>Vixie</surname>
14226 <title>Classless IN-ADDR.ARPA Delegation</title>
14227 <pubdate>March 1998</pubdate>
14230 <abbrev>RFC2826</abbrev>
14233 <surname>Internet Architecture Board</surname>
14236 <title>IAB Technical Comment on the Unique DNS Root</title>
14237 <pubdate>May 2000</pubdate>
14240 <abbrev>RFC2929</abbrev>
14243 <surname>Eastlake</surname>
14244 <firstname>D.</firstname>
14245 <lineage>3rd</lineage>
14248 <surname>Brunner-Williams</surname>
14249 <firstname>E.</firstname>
14252 <surname>Manning</surname>
14253 <firstname>B.</firstname>
14256 <title>Domain Name System (DNS) IANA Considerations</title>
14257 <pubdate>September 2000</pubdate>
14261 <title><acronym>DNS</acronym> Operations</title>
14263 <abbrev>RFC1033</abbrev>
14265 <surname>Lottor</surname>
14266 <firstname>M.</firstname>
14268 <title>Domain administrators operations guide.</title>
14269 <pubdate>November 1987</pubdate>
14272 <abbrev>RFC1537</abbrev>
14274 <surname>Beertema</surname>
14275 <firstname>P.</firstname>
14277 <title>Common <acronym>DNS</acronym> Data File
14278 Configuration Errors</title>
14279 <pubdate>October 1993</pubdate>
14282 <abbrev>RFC1912</abbrev>
14284 <surname>Barr</surname>
14285 <firstname>D.</firstname>
14287 <title>Common <acronym>DNS</acronym> Operational and
14288 Configuration Errors</title>
14289 <pubdate>February 1996</pubdate>
14292 <abbrev>RFC2010</abbrev>
14295 <surname>Manning</surname>
14296 <firstname>B.</firstname>
14299 <firstname>P.</firstname>
14300 <surname>Vixie</surname>
14303 <title>Operational Criteria for Root Name Servers.</title>
14304 <pubdate>October 1996</pubdate>
14307 <abbrev>RFC2219</abbrev>
14310 <surname>Hamilton</surname>
14311 <firstname>M.</firstname>
14314 <firstname>R.</firstname>
14315 <surname>Wright</surname>
14318 <title>Use of <acronym>DNS</acronym> Aliases for
14319 Network Services.</title>
14320 <pubdate>October 1997</pubdate>
14324 <title>Internationalized Domain Names</title>
14326 <abbrev>RFC2825</abbrev>
14329 <surname>IAB</surname>
14332 <surname>Daigle</surname>
14333 <firstname>R.</firstname>
14336 <title>A Tangled Web: Issues of I18N, Domain Names,
14337 and the Other Internet protocols</title>
14338 <pubdate>May 2000</pubdate>
14341 <abbrev>RFC3490</abbrev>
14344 <surname>Faltstrom</surname>
14345 <firstname>P.</firstname>
14348 <surname>Hoffman</surname>
14349 <firstname>P.</firstname>
14352 <surname>Costello</surname>
14353 <firstname>A.</firstname>
14356 <title>Internationalizing Domain Names in Applications (IDNA)</title>
14357 <pubdate>March 2003</pubdate>
14360 <abbrev>RFC3491</abbrev>
14363 <surname>Hoffman</surname>
14364 <firstname>P.</firstname>
14367 <surname>Blanchet</surname>
14368 <firstname>M.</firstname>
14371 <title>Nameprep: A Stringprep Profile for Internationalized Domain Names</title>
14372 <pubdate>March 2003</pubdate>
14375 <abbrev>RFC3492</abbrev>
14378 <surname>Costello</surname>
14379 <firstname>A.</firstname>
14382 <title>Punycode: A Bootstring encoding of Unicode
14383 for Internationalized Domain Names in
14384 Applications (IDNA)</title>
14385 <pubdate>March 2003</pubdate>
14389 <title>Other <acronym>DNS</acronym>-related RFCs</title>
14392 Note: the following list of RFCs, although
14393 <acronym>DNS</acronym>-related, are not
14394 concerned with implementing software.
14398 <abbrev>RFC1464</abbrev>
14400 <surname>Rosenbaum</surname>
14401 <firstname>R.</firstname>
14403 <title>Using the Domain Name System To Store Arbitrary String
14405 <pubdate>May 1993</pubdate>
14408 <abbrev>RFC1713</abbrev>
14410 <surname>Romao</surname>
14411 <firstname>A.</firstname>
14413 <title>Tools for <acronym>DNS</acronym> Debugging</title>
14414 <pubdate>November 1994</pubdate>
14417 <abbrev>RFC1794</abbrev>
14419 <surname>Brisco</surname>
14420 <firstname>T.</firstname>
14422 <title><acronym>DNS</acronym> Support for Load
14424 <pubdate>April 1995</pubdate>
14427 <abbrev>RFC2240</abbrev>
14429 <surname>Vaughan</surname>
14430 <firstname>O.</firstname>
14432 <title>A Legal Basis for Domain Name Allocation</title>
14433 <pubdate>November 1997</pubdate>
14436 <abbrev>RFC2345</abbrev>
14439 <surname>Klensin</surname>
14440 <firstname>J.</firstname>
14443 <firstname>T.</firstname>
14444 <surname>Wolf</surname>
14447 <firstname>G.</firstname>
14448 <surname>Oglesby</surname>
14451 <title>Domain Names and Company Name Retrieval</title>
14452 <pubdate>May 1998</pubdate>
14455 <abbrev>RFC2352</abbrev>
14457 <surname>Vaughan</surname>
14458 <firstname>O.</firstname>
14460 <title>A Convention For Using Legal Names as Domain Names</title>
14461 <pubdate>May 1998</pubdate>
14464 <abbrev>RFC3071</abbrev>
14467 <surname>Klensin</surname>
14468 <firstname>J.</firstname>
14471 <title>Reflections on the DNS, RFC 1591, and Categories of Domains</title>
14472 <pubdate>February 2001</pubdate>
14475 <abbrev>RFC3258</abbrev>
14478 <surname>Hardie</surname>
14479 <firstname>T.</firstname>
14482 <title>Distributing Authoritative Name Servers via
14483 Shared Unicast Addresses</title>
14484 <pubdate>April 2002</pubdate>
14487 <abbrev>RFC3901</abbrev>
14490 <surname>Durand</surname>
14491 <firstname>A.</firstname>
14494 <firstname>J.</firstname>
14495 <surname>Ihren</surname>
14498 <title>DNS IPv6 Transport Operational Guidelines</title>
14499 <pubdate>September 2004</pubdate>
14503 <title>Obsolete and Unimplemented Experimental RFC</title>
14505 <abbrev>RFC1712</abbrev>
14508 <surname>Farrell</surname>
14509 <firstname>C.</firstname>
14512 <firstname>M.</firstname>
14513 <surname>Schulze</surname>
14516 <firstname>S.</firstname>
14517 <surname>Pleitner</surname>
14520 <firstname>D.</firstname>
14521 <surname>Baldoni</surname>
14524 <title><acronym>DNS</acronym> Encoding of Geographical
14526 <pubdate>November 1994</pubdate>
14529 <abbrev>RFC2673</abbrev>
14532 <surname>Crawford</surname>
14533 <firstname>M.</firstname>
14536 <title>Binary Labels in the Domain Name System</title>
14537 <pubdate>August 1999</pubdate>
14540 <abbrev>RFC2874</abbrev>
14543 <surname>Crawford</surname>
14544 <firstname>M.</firstname>
14547 <surname>Huitema</surname>
14548 <firstname>C.</firstname>
14551 <title>DNS Extensions to Support IPv6 Address Aggregation
14552 and Renumbering</title>
14553 <pubdate>July 2000</pubdate>
14557 <title>Obsoleted DNS Security RFCs</title>
Most of these have been consolidated into RFC4033,
RFC4034 and RFC4035, which collectively describe DNSSECbis.
14565 <abbrev>RFC2065</abbrev>
14568 <surname>Eastlake</surname>
14569 <lineage>3rd</lineage>
14570 <firstname>D.</firstname>
14573 <firstname>C.</firstname>
14574 <surname>Kaufman</surname>
14577 <title>Domain Name System Security Extensions</title>
14578 <pubdate>January 1997</pubdate>
14581 <abbrev>RFC2137</abbrev>
14583 <surname>Eastlake</surname>
14584 <lineage>3rd</lineage>
14585 <firstname>D.</firstname>
14587 <title>Secure Domain Name System Dynamic Update</title>
14588 <pubdate>April 1997</pubdate>
14591 <abbrev>RFC2535</abbrev>
14594 <surname>Eastlake</surname>
14595 <lineage>3rd</lineage>
14596 <firstname>D.</firstname>
14599 <title>Domain Name System Security Extensions</title>
14600 <pubdate>March 1999</pubdate>
14603 <abbrev>RFC3008</abbrev>
14606 <surname>Wellington</surname>
14607 <firstname>B.</firstname>
14610 <title>Domain Name System Security (DNSSEC)
14611 Signing Authority</title>
14612 <pubdate>November 2000</pubdate>
14615 <abbrev>RFC3090</abbrev>
14618 <surname>Lewis</surname>
14619 <firstname>E.</firstname>
14622 <title>DNS Security Extension Clarification on Zone Status</title>
14623 <pubdate>March 2001</pubdate>
14626 <abbrev>RFC3445</abbrev>
14629 <surname>Massey</surname>
14630 <firstname>D.</firstname>
14633 <surname>Rose</surname>
14634 <firstname>S.</firstname>
14637 <title>Limiting the Scope of the KEY Resource Record (RR)</title>
14638 <pubdate>December 2002</pubdate>
14641 <abbrev>RFC3655</abbrev>
14644 <surname>Wellington</surname>
14645 <firstname>B.</firstname>
14648 <surname>Gudmundsson</surname>
14649 <firstname>O.</firstname>
14652 <title>Redefinition of DNS Authenticated Data (AD) bit</title>
14653 <pubdate>November 2003</pubdate>
14656 <abbrev>RFC3658</abbrev>
14659 <surname>Gudmundsson</surname>
14660 <firstname>O.</firstname>
14663 <title>Delegation Signer (DS) Resource Record (RR)</title>
14664 <pubdate>December 2003</pubdate>
14667 <abbrev>RFC3755</abbrev>
14670 <surname>Weiler</surname>
14671 <firstname>S.</firstname>
14674 <title>Legacy Resolver Compatibility for Delegation Signer (DS)</title>
14675 <pubdate>May 2004</pubdate>
14678 <abbrev>RFC3757</abbrev>
14681 <surname>Kolkman</surname>
14682 <firstname>O.</firstname>
14685 <surname>Schlyter</surname>
14686 <firstname>J.</firstname>
14689 <surname>Lewis</surname>
14690 <firstname>E.</firstname>
14693 <title>Domain Name System KEY (DNSKEY) Resource Record
14694 (RR) Secure Entry Point (SEP) Flag</title>
14695 <pubdate>April 2004</pubdate>
14698 <abbrev>RFC3845</abbrev>
14701 <surname>Schlyter</surname>
14702 <firstname>J.</firstname>
14705 <title>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</title>
14706 <pubdate>August 2004</pubdate>
14711 <sect2 id="internet_drafts">
14712 <title>Internet Drafts</title>
Internet Drafts (IDs) are rough-draft working documents of
the Internet Engineering Task Force. They are, in essence, RFCs
in the preliminary stages of development. Implementors are
cautioned not to regard IDs as archival, and they should not be
quoted or cited in any formal documents unless accompanied by the
disclaimer that they are "works in progress." IDs have a lifespan
of six months, after which they are deleted unless updated by
their authors.
14725 <title>Other Documents About <acronym>BIND</acronym></title>
14731 <surname>Albitz</surname>
14732 <firstname>Paul</firstname>
14735 <firstname>Cricket</firstname>
14736 <surname>Liu</surname>
14739 <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
14742 <holder>Sebastopol, CA: O'Reilly and Associates</holder>
14750 <reference id="Bv9ARM.ch10">
14751 <title>Manual pages</title>
14752 <xi:include href="../../bin/dig/dig.docbook"/>
14753 <xi:include href="../../bin/dig/host.docbook"/>
14754 <xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>
14755 <xi:include href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/>
14756 <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
14757 <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
14758 <xi:include href="../../bin/check/named-checkconf.docbook"/>
14759 <xi:include href="../../bin/check/named-checkzone.docbook"/>
14760 <xi:include href="../../bin/named/named.docbook"/>
14761 <!-- named.conf.docbook and others? -->
14762 <xi:include href="../../bin/nsupdate/nsupdate.docbook"/>
14763 <xi:include href="../../bin/rndc/rndc.docbook"/>
14764 <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
14765 <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>