/*
 * Copyright (C) 2004, 2007, 2011 Internet Systems Consortium, Inc. ("ISC")
 * Copyright (C) 1999-2001 Internet Software Consortium.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* Id: named.conf,v 1.60 2011/03/03 23:47:31 tbox Exp */

/*
 * This is a worthless, nonrunnable example of a named.conf file that has
 * every conceivable syntax element in use.  We use it to test the parser.
 * It could also be used as a conceptual template for users of new features.
 */

/*
 * Review note: because this file exists only to exercise the parser, its
 * access-control values are chosen for syntax coverage, not for a sensible
 * deployment.  In particular the wide-open allow-transfer/allow-query ACLs,
 * the wildcard 'controls' listener, the hmac-md5 keys and the literal
 * placeholder secrets below are not a template to copy as-is.
 */

/*
 * C-style comments are OK
 */

// So are C++-style comments

# So are shell-style comments

// watch out for ";" -- it's important!

options {
	additional-from-auth true;
	additional-from-cache false;

	version "my version string";		// hides the real server version
						// from version.bind queries
	random-device "/dev/random";
	directory "/tmp";			// relative file names below (dump-file,
						// statistics-file, zone files) resolve
						// under this directory; a shared,
						// world-writable one is only acceptable
						// in a parser test

	port 666;

	sig-validity-interval 33;

# Obsolete
	named-xfer "/usr/libexec/named-xfer";	// _PATH_XFER

	dump-file "named_dump.db";		// _PATH_DUMPFILE
	pid-file "/var/run/named.pid";		// _PATH_PIDFILE
	statistics-file "named.stats";		// _PATH_STATS
	memstatistics-file "named.memstats";	// _PATH_MEMSTATS

	max-cache-ttl 999;
	auth-nxdomain yes;			// always set AA on NXDOMAIN.
						// don't set this to 'no' unless
						// you know what you're doing -- older
						// servers won't like it.

# Obsolete
	deallocate-on-exit no;

	dialup yes;

# Obsolete
	fake-iquery no;

	fetch-glue yes;
	has-old-clients yes;
	host-statistics no;

# Obsolete
	multiple-cnames no;			// if yes, then a name may have more
						// than one CNAME RR.  This use
						// is non-standard and is not
						// recommended, but it is available
						// because previous releases supported
						// it and it was used by large sites
						// for load balancing.

	notify yes;				// send NOTIFY messages.  You can set
						// notify on a zone-by-zone
						// basis in the "zone" statement
						// see (below)
	recursion yes;
	rfc2308-type1 no;

# Obsolete
	use-id-pool yes;

# Obsolete
	treat-cr-as-space yes;

	also-notify { 10.0.2.3; };

	// The "forward" option is only meaningful if you've defined
	// forwarders.  "first" gives the normal BIND
	// forwarding behavior, i.e. ask the forwarders first, and if that
	// doesn't work then do the full lookup.  You can also say
	// "forward only;" which is what used to be specified with
	// "slave" or "options forward-only".  "only" will never attempt
	// a full lookup; only the forwarders will be used.
	forward first;
	forwarders {
		1.2.3.4;
		5.6.7.8;
	};

	check-names master fail;
	check-names slave warn;
	check-names response ignore;

	allow-query { any; };
	allow-transfer { any; };		// any host may AXFR every zone that
						// does not override this; a real
						// server lists its secondaries or a
						// TSIG key here instead
	allow-recursion { !any; };		// 'recursion yes' above is enabled,
						// but no client is permitted to use it
	blackhole { 45/24; };

	listen-on {
		10/24;
		10.0.0.3;
	};

	listen-on port 53 { any; };

	listen-on { 5.6.7.8; };

	listen-on port 1234 {
		!1.2.3.4;
		1.2.3/24;
	};

	listen-on-v6 {
		1:1:1:1:1:1:1:1;
	};

	listen-on-v6 port 777 {
		2:2:2:2:2:2:2:2;
	};

	// 'port *' lets the server choose a random source port per outgoing
	// query; pinning a fixed port here would weaken its resistance to
	// cache-poisoning attempts.
	query-source-v6 address 8:7:6:5:4:3:2:1 port *;
	query-source port * address 10.0.0.54 ;

	lame-ttl 444;

	max-transfer-time-in 300;
	max-transfer-time-out 10;
	max-transfer-idle-in 100;
	max-transfer-idle-out 11;

	max-retry-time 1234;
	min-retry-time 1111;
	max-refresh-time 888;
	min-refresh-time 777;

	max-ncache-ttl 333;
	min-roots 15;
	serial-queries 34;

	transfer-format one-answer;

	transfers-in 10;
	transfers-per-ns 2;
	transfers-out 0;

	transfer-source 10.0.0.5;
	transfer-source-v6 4:3:2:1:5:6:7:8;

	request-ixfr yes;
	provide-ixfr yes;

# Now called 'provide-ixfr'
# maintain-ixfr-base no;	// If yes, keep transaction log file for IXFR

	max-ixfr-log-size 20m;
	coresize 100;
	datasize 101;
	files 230;
	max-cache-size 1m;
	stacksize 231;
	cleaning-interval 1000;
	heartbeat-interval 1001;
	interface-interval 1002;
	statistics-interval 1003;

	topology {
		10/8;

		!1.2.3/24;

		{ 1.2/16; 3/8; };


	};

	sortlist { 10/8; 11/8; };

	tkey-domain "foo.com";
	tkey-dhkey "xyz" 666 ;

	rrset-order {
		class IN type A name "foo" order random;
		order cyclic;
	};
};

/*
 * Control listeners, for "ndc".  Every nameserver needs at least one.
 */
controls {
	// 'inet' lines without a 'port' defaults to 'port 953'
	// 'keys' must be used and the list must have at least one entry
	//
	// Of the key names referenced in this block only "key2" is defined
	// in this file; "foo", "key4", "key-1" and "key-2" are parser
	// coverage only.
	inet * port 52 allow { any; } keys { "key2"; };	// listens on every interface
							// and accepts any source address;
							// the key2 signature is the only
							// thing gating control access
	unix "/var/run/ndc" perm 0600 owner 0 group 0;	// ignored by named.
	inet 10.0.0.1 allow { any; key foo; } keys { "key4";};
	inet 10.0.0.2 allow { none; } keys { "key-1"; "key-2"; };
	inet 10.0.0.2 allow { none; };			// no 'keys' clause, contrary to
							// the rule stated above -- here
							// purely to exercise the parser
};

zone "master.demo.zone" {
	type master;		// what used to be called "primary"
	database "somedb -option1 -option2 arg1 arg2 arg3";
	file "master.demo.zone";
	check-names fail;
	allow-update { none; };
	allow-update-forwarding { 10.0.0.5; !any; };
	allow-transfer { any; };
	allow-query { any; };
	sig-validity-interval 990;
	notify explicit;
	also-notify { 1.0.0.1; };	// don't notify any nameservers other
					// than those on the NS list for this
					// zone
	forward first;
	forwarders { 10.0.0.3; 1:2:3:4:5:6:7:8; };
};

zone "slave.demo.zone" {
	type slave;		// what used to be called "secondary"
	file "slave.demo.zone";
	ixfr-base "slave.demo.zone.ixfr";	// File name for IXFR transaction log file
	masters {
		1.2.3.4 port 10 key "foo";	// where to zone transfer from
						// (key "foo" is not defined in this file)
		5.6.7.8;
		6.7.8.9 key "zippo";		// key "zippo" is not defined in this file
	};
	transfer-source 10.0.0.53;		// fixes multihoming problems
	check-names warn;
	allow-update { none; };
	allow-transfer { any; };
	allow-update-forwarding { any; };
	allow-query { any; };
	max-transfer-time-in 120;	// if not set, global option is used.
	max-transfer-time-out 1;	// if not set, global option is used.
	max-transfer-idle-in 2;		// if not set, global option is used.
	max-transfer-idle-out 3;	// if not set, global option is used.
	also-notify { 1.0.0.2; };
	forward only;
	forwarders { 10.45.45.45; 10.0.0.3; 1:2:3:4:5:6:7:8; };
};

// Placeholder algorithm name and secret ("YWFh" is base64 for "aaa").
// Real key material belongs in a separately protected file, not inline
// in a configuration that is checked in.
key "non-viewkey" { secret "YWFh" ; algorithm "zzz" ; };

view "test-view" in {
	key "viewkey" { algorithm "xxx" ; secret "eXl5" ; };	// placeholder, as above
	also-notify { 10.2.2.3; };
	trusted-keys {
		foo.com. 4 3 2 "abdefghijklmnopqrstuvwxyz";
	};
	sig-validity-interval 45;
	max-cache-size 100000;
	allow-query { 10.0.0.30;};
	additional-from-cache false;
	additional-from-auth no;
	match-clients { 10.0.0.1 ; };
	check-names master warn;
	check-names slave ignore;
	check-names response fail;
	auth-nxdomain false;
	recursion true;
	provide-ixfr false;
	request-ixfr true;
	fetch-glue true;
	notify false;
	rfc2308-type1 false;
	transfer-source 10.0.0.55;
	transfer-source-v6 4:3:8:1:5:6:7:8;
	query-source port * address 10.0.0.54 ;
	query-source-v6 address 6:6:6:6:6:6:6:6 port *;
	max-transfer-time-out 45;
	max-transfer-idle-out 55;
	cleaning-interval 100;
	min-roots 3;
	lame-ttl 477;
	max-ncache-ttl 333;
	max-cache-ttl 777;
	transfer-format many-answers;
	max-retry-time 7;
	min-retry-time 4;
	max-refresh-time 999;
	min-refresh-time 111;

	zone "view-zone.com" {
		type master;
		allow-update-forwarding { 10.0.0.34;};
		file "view-zone-master";
	};

	server 5.6.7.8 {
		keys "viewkey";
	};

	server 10.9.8.7 {
		keys "non-viewkey";
	};
	dialup yes;
};


zone "stub.demo.zone" {
	type stub;		// stub zones are like slave zones,
				// except that only the NS records
				// are transferred.
	dialup yes;
	file "stub.demo.zone";
	masters {
		1.2.3.4 ;	// where to zone transfer from
		5.6.7.8 port 999;
	};
	check-names warn;
	allow-update { none; };
	allow-transfer { any; };
	allow-query { any; };

	max-retry-time 10;
	min-retry-time 11;
	max-refresh-time 12;
	min-refresh-time 13;

	max-transfer-time-in 120;	// if not set, global option is used.
	pubkey 257 255 1 "a useless key";
	pubkey 257 255 1 "another useless key";
};

zone "." {
	type hint;		// used to be specified w/ "cache"
	file "cache.db";
//	pubkey 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};

// A statically configured trust anchor is never rolled by the server
// itself; once the real key changes, validation against a stale entry
// here fails until the file is edited.
trusted-keys {
	"." 257 255 1 "AQP2fHpZ4VMpKo/jc9Fod821uyfY5p8j5h/Am0V/KpBTMZjdXmp9QJe6yFRoIIzkaNCgTIftASdpXGgCwFB2j2KXP/rick6gvEer5VcDEkLR5Q==";
};


acl can_query { !1.2.3/24; any; };	// network 1.2.3.0 mask 255.255.255.0
					// is disallowed; rest are OK
acl can_axfr { 1.2.3.4; can_query; };	// host 1.2.3.4 and any host allowed
					// by can_query are OK

zone "disabled-zone.com" {
	type master;
	file "bar";

	max-retry-time 100;
	min-retry-time 110;
	max-refresh-time 120;
	min-refresh-time 130;
};

zone "non-default-acl.demo.zone" {
	type master;
	file "foo";
	allow-query { can_query; };
	allow-transfer { can_axfr; };
	allow-update {			// address-only update ACL: the source
		1.2.3.4;		// address of a UDP update is spoofable,
		5.6.7.8;		// so key-based grants (see update-policy
	};				// below) are the preferred form in practice
	pubkey 666 665 664 "key of the beast";
	// Errors trapped by parser:
	// identity or name not absolute
	// 'wildcard' match type and no wildcard character in name
	//
	// issues:
	// - certain rdatatype values (such as "key") are config file keywords and
	//   must be quoted or a syntax error will occur.
	//

	update-policy {
		grant root.domain. subdomain host.domain. A MX CNAME;
		grant sub.root.domain. wildcard *.host.domain. A;
		grant root.domain. name host.domain. a ns md mf cname soa mb mg
			mr "null" wks ptr hinfo minfo mx txt rp afsdb x25
			isdn rt nsap sig "key" px gpos aaaa loc nxt srv naptr kx
			cert a6 dname opt unspec uri tkey tsig ;
		grant foo.bar.com. self foo.bar.com. a;
	};
};

key sample_key {		// for TSIG; supported by parser
	algorithm hmac-md5;	// but not yet implemented in the
				// rest of the server.  hmac-md5 is kept
				// here for parser coverage; new TSIG keys
				// should use hmac-sha256 or stronger.
	secret "eW91ciBzZWNyZXQgaGVyZQ==";	// placeholder (decodes to
						// "your secret here")
};

key key2 {
	algorithm hmac-md5;	// see the note on sample_key above
	secret "ZXJlaCB0ZXJjZXMgcm91eQ==";
};

acl key_acl { key sample_key; };	// a request signed with sample_key

server 1.2.3.4 {
	request-ixfr no;
	provide-ixfr no;
	bogus no;			// if yes, we won't query or listen
					// to this server
	transfer-format one-answer;	// set transfer format for this
					// server (see the description of
					// 'transfer-format' above)
					// if not specified, the global option
					// will be used
	transfers 0;			// not implemented
	keys { "sample_key" };		// for TSIG; supported by the parser
					// but not yet implemented in the
					// rest of the server
# Now called 'request-ixfr'
# support-ixfr yes;			// for IXFR supported by server
					// if yes, the listed server talks IXFR
};

logging {
	/*
	 * All log output goes to one or more "channels"; you can make as
	 * many of them as you want.
	 */

	channel syslog_errors {		// this channel will send errors or
		syslog user;		// or worse to syslog (user facility)
		severity error;
	};

	channel stderr_errors {
		stderr;
	};

	/*
	 * Channels have a severity level.  Messages at severity levels
	 * greater than or equal to the channel's level will be logged on
	 * the channel.  In order of decreasing severity, the levels are:
	 *
	 * critical		a fatal error
	 * error
	 * warning
	 * notice		a normal, but significant event
	 * info			an informational message
	 * debug 1		the least detailed debugging info
	 * ...
	 * debug 99		the most detailed debugging info
	 */

	/*
	 * Here are the built-in channels:
	 *
	 * channel default_syslog {
	 *	syslog daemon;
	 *	severity info;
	 * };
	 *
	 * channel default_debug {
	 *	file "named.run";	// note: stderr is used instead
	 *				// of "named.run" if the server
	 *				// is started with the "-f"
	 *				// option.
	 *	severity dynamic;	// this means log debugging
	 *				// at whatever debugging level
	 *				// the server is at, and don't
	 *				// log anything if not
	 *				// debugging.
	 * };
	 *
	 * channel null {		// this is the bit bucket;
	 *	file "/dev/null";	// any logging to this channel
	 *				// is discarded.
	 * };
	 *
	 * channel default_stderr {	// writes to stderr
	 *	file "<stderr>";	// this is illustrative only;
	 *				// there's currently no way
	 *				// of saying "stderr" in the
	 *				// configuration language.
	 *				// i.e. don't try this at home.
	 *	severity info;
	 * };
	 *
	 * default_stderr only works before the server daemonizes (i.e.
	 * during initial startup) or when it is running in foreground
	 * mode (-f command line option).
	 */

	/*
	 * There are many categories, so you can send the logs
	 * you want to see wherever you want, without seeing logs you
	 * don't want.  Right now the categories are
	 *
	 * default		the catch-all.  many things still
	 *			aren't classified into categories, and
	 *			they all end up here.  also, if you
	 *			don't specify any channels for a
	 *			category, the default category is used
	 *			instead.
	 * config		high-level configuration file
	 *			processing
	 * parser		low-level configuration file processing
	 * queries		what used to be called "query logging"
	 * lame-servers		messages like "Lame server on ..."
	 * statistics
	 * panic		if the server has to shut itself
	 *			down due to an internal problem, it
	 *			logs the problem here (as well as
	 *			in the problem's native category)
	 * update		dynamic update
	 * ncache		negative caching
	 * xfer-in		zone transfers we're receiving
	 * xfer-out		zone transfers we're sending
	 * db			all database operations
	 * eventlib		debugging info from the event system
	 *			(see below)
	 * packet		dumps of packets received and sent
	 *			(see below)
	 * notify		the NOTIFY protocol
	 * cname		messages like "XX points to a CNAME"
	 * security		approved/unapproved requests
	 * os			operating system problems
	 * insist		consistency check failures
	 * maintenance		periodic maintenance
	 * load			zone loading
	 * response-checks	messages like
	 *			"Malformed response ..."
	 *			"wrong ans. name ..."
	 *			"unrelated additional info ..."
	 *			"invalid RR type ..."
	 *			"bad referral ..."
	 */

	category parser {
		syslog_errors;		// you can log to as many channels
		default_syslog;		// as you want
	};

	category lame-servers { null; };	// don't log these at all

	channel moderate_debug {
		file "foo";			// foo
		severity debug 3;		// level 3 debugging to file
		print-time yes;			// timestamp log entries
		print-category yes;		// print category name
		print-severity yes;		// print severity level
		/*
		 * Note that debugging must have been turned on either
		 * on the command line or with a signal to get debugging
		 * output (non-debugging output will still be written to
		 * this channel).
		 */
	};

	channel another {
		file "bar" versions 99 size 10M;
		severity info;
	};

	channel third {
		file "bar" size 100000 versions unlimited;
		severity debug;			// use default debug level
	};

	/*
	 * If you don't want to see "zone XXXX loaded" messages but do
	 * want to see any problems, you could do the following.
	 */
	channel no_info_messages {
		syslog;
		severity notice;
	};

	category load { no_info_messages; };

	/*
	 * You can also define category "default"; it gets used when no
	 * "category" statement has been given for a category.
	 *
	 * Note that no "category" statement here names 'security',
	 * 'update', 'xfer-in' or 'xfer-out', so those audit-relevant
	 * messages all fall through to this default category.
	 */
	category default {
		default_syslog;
		moderate_debug;
	};

	/*
	 * If you don't define category default yourself, the default
	 * default category will be used.  It is
	 *
	 * category default { default_syslog; default_debug; };
	 */

	/*
	 * If you don't define category panic yourself, the default
	 * panic category will be used.  It is
	 *
	 * category panic { default_syslog; default_stderr; };
	 */

	/*
	 * Two categories, 'packet' and 'eventlib', are special.  Only one
	 * channel may be assigned to each of them, and it must be a
	 * file channel.  If you don't define them yourself, they default to
	 *
	 * category eventlib { default_debug; };
	 *
	 * category packet { default_debug; };
	 */
};

#include "filename";	// can't do within a statement