1<!-- 2 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") 3 - Copyright (C) 2000-2003 Internet Software Consortium. 4 - 5 - Permission to use, copy, modify, and/or distribute this software for any 6 - purpose with or without fee is hereby granted, provided that the above 7 - copyright notice and this permission notice appear in all copies. 8 - 9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 - PERFORMANCE OF THIS SOFTWARE. 16--> 17<!-- $Id: Bv9ARM.ch06.html,v 1.5 2015/09/03 07:33:34 christos Exp $ --> 18<html> 19<head> 20<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 21<title>Chapter�6.�BIND 9 Configuration Reference</title> 22<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> 23<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> 24<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> 25<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter�5.�The BIND 9 Lightweight Resolver"> 26<link rel="next" href="Bv9ARM.ch07.html" title="Chapter�7.�BIND 9 Security Considerations"> 27</head> 28<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> 29<div class="navheader"> 30<table width="100%" summary="Navigation header"> 31<tr><th colspan="3" align="center">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr> 32<tr> 33<td width="20%" align="left"> 34<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>�</td> 35<th width="60%" align="center">�</th> 36<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch07.html">Next</a> 37</td> 38</tr> 39</table> 40<hr> 41</div> 42<div class="chapter" lang="en"> 43<div class="titlepage"><div><div><h2 class="title"> 44<a name="Bv9ARM.ch06"></a>Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div> 45<div class="toc"> 46<p><b>Table of Contents</b></p> 47<dl> 48<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> 49<dd><dl> 50<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> 51<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573281">Comment Syntax</a></span></dt> 52</dl></dd> 53<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> 54<dd><dl> 55<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574009"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> 56<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and 57 Usage</a></span></dt> 58<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574321"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> 59<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and 60 Usage</a></span></dt> 61<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574748"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> 62<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574765"><span><strong class="command">include</strong></span> Statement Definition and 63 Usage</a></span></dt> 64<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574789"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> 65<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574812"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> 66<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574903"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> 67<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575029"><span><strong class="command">logging</strong></span> Statement Definition and 68 Usage</a></span></dt> 69<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577252"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> 70<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577336"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> 71<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577400"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> 72<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577517"><span><strong class="command">masters</strong></span> Statement Definition and 73 Usage</a></span></dt> 74<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577539"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> 75<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and 76 Usage</a></span></dt> 77<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> 78<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and 79 Usage</a></span></dt> 80<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt> 81<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591758"><span><strong class="command">statistics-channels</strong></span> Statement Definition and 82 Usage</a></span></dt> 83<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> 84<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592176"><span><strong class="command">trusted-keys</strong></span> Statement Definition 85 and Usage</a></span></dt> 86<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592222"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> 87<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition 88 and Usage</a></span></dt> 89<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> 90<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592589"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> 91<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> 92 Statement Grammar</a></span></dt> 93<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594602"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> 94</dl></dd> 95<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2598289">Zone File</a></span></dt> 96<dd><dl> 97<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> 98<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600587">Discussion of MX Records</a></span></dt> 99<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> 100<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601134">Inverse Mapping in IPv4</a></span></dt> 101<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601261">Other Zone File Directives</a></span></dt> 102<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2601534"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> 103<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> 104</dl></dd> 105<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> 106<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd> 107</dl> 108</div> 109<p> 110 <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar 111 to <acronym class="acronym">BIND</acronym> 8; however, there are a few new 112 areas 113 of configuration, such as views. <acronym class="acronym">BIND</acronym> 114 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym> 115 9, although more complex configurations should be reviewed to check 116 if they can be more efficiently implemented using the new features 117 found in <acronym class="acronym">BIND</acronym> 9. 118 </p> 119<p> 120 <acronym class="acronym">BIND</acronym> 4 configuration files can be 121 converted to the new format 122 using the shell script 123 <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>. 124 </p> 125<div class="sect1" lang="en"> 126<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 127<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div> 128<p> 129 Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration 130 file documentation: 131 </p> 132<div class="informaltable"><table border="1"> 133<colgroup> 134<col> 135<col> 136</colgroup> 137<tbody> 138<tr> 139<td> 140 <p> 141 <code class="varname">acl_name</code> 142 </p> 143 </td> 144<td> 145 <p> 146 The name of an <code class="varname">address_match_list</code> as 147 defined by the <span><strong class="command">acl</strong></span> statement. 148 </p> 149 </td> 150</tr> 151<tr> 152<td> 153 <p> 154 <code class="varname">address_match_list</code> 155 </p> 156 </td> 157<td> 158 <p> 159 A list of one or more 160 <code class="varname">ip_addr</code>, 161 <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>, 162 or <code class="varname">acl_name</code> elements, see 163 <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>. 164 </p> 165 </td> 166</tr> 167<tr> 168<td> 169 <p> 170 <code class="varname">masters_list</code> 171 </p> 172 </td> 173<td> 174 <p> 175 A named list of one or more <code class="varname">ip_addr</code> 176 with optional <code class="varname">key_id</code> and/or 177 <code class="varname">ip_port</code>. 178 A <code class="varname">masters_list</code> may include other 179 <code class="varname">masters_lists</code>. 180 </p> 181 </td> 182</tr> 183<tr> 184<td> 185 <p> 186 <code class="varname">domain_name</code> 187 </p> 188 </td> 189<td> 190 <p> 191 A quoted string which will be used as 192 a DNS name, for example "<code class="literal">my.test.domain</code>". 193 </p> 194 </td> 195</tr> 196<tr> 197<td> 198 <p> 199 <code class="varname">namelist</code> 200 </p> 201 </td> 202<td> 203 <p> 204 A list of one or more <code class="varname">domain_name</code> 205 elements. 206 </p> 207 </td> 208</tr> 209<tr> 210<td> 211 <p> 212 <code class="varname">dotted_decimal</code> 213 </p> 214 </td> 215<td> 216 <p> 217 One to four integers valued 0 through 218 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>, 219 <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>. 220 </p> 221 </td> 222</tr> 223<tr> 224<td> 225 <p> 226 <code class="varname">ip4_addr</code> 227 </p> 228 </td> 229<td> 230 <p> 231 An IPv4 address with exactly four elements 232 in <code class="varname">dotted_decimal</code> notation. 233 </p> 234 </td> 235</tr> 236<tr> 237<td> 238 <p> 239 <code class="varname">ip6_addr</code> 240 </p> 241 </td> 242<td> 243 <p> 244 An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>. 245 IPv6 scoped addresses that have ambiguity on their 246 scope zones must be disambiguated by an appropriate 247 zone ID with the percent character (`%') as 248 delimiter. It is strongly recommended to use 249 string zone names rather than numeric identifiers, 250 in order to be robust against system configuration 251 changes. However, since there is no standard 252 mapping for such names and identifier values, 253 currently only interface names as link identifiers 254 are supported, assuming one-to-one mapping between 255 interfaces and links. For example, a link-local 256 address <span><strong class="command">fe80::1</strong></span> on the link 257 attached to the interface <span><strong class="command">ne0</strong></span> 258 can be specified as <span><strong class="command">fe80::1%ne0</strong></span>. 259 Note that on most systems link-local addresses 260 always have the ambiguity, and need to be 261 disambiguated. 262 </p> 263 </td> 264</tr> 265<tr> 266<td> 267 <p> 268 <code class="varname">ip_addr</code> 269 </p> 270 </td> 271<td> 272 <p> 273 An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>. 274 </p> 275 </td> 276</tr> 277<tr> 278<td> 279 <p> 280 <code class="varname">ip_dscp</code> 281 </p> 282 </td> 283<td> 284 <p> 285 A <code class="varname">number</code> between 0 and 63, used 286 to select a differentiated services code point (DSCP) 287 value for use with outgoing traffic on operating systems 288 that support DSCP. 289 </p> 290 </td> 291</tr> 292<tr> 293<td> 294 <p> 295 <code class="varname">ip_port</code> 296 </p> 297 </td> 298<td> 299 <p> 300 An IP port <code class="varname">number</code>. 301 The <code class="varname">number</code> is limited to 0 302 through 65535, with values 303 below 1024 typically restricted to use by processes running 304 as root. 305 In some cases, an asterisk (`*') character can be used as a 306 placeholder to 307 select a random high-numbered port. 308 </p> 309 </td> 310</tr> 311<tr> 312<td> 313 <p> 314 <code class="varname">ip_prefix</code> 315 </p> 316 </td> 317<td> 318 <p> 319 An IP network specified as an <code class="varname">ip_addr</code>, 320 followed by a slash (`/') and then the number of bits in the 321 netmask. 322 Trailing zeros in a <code class="varname">ip_addr</code> 323 may omitted. 324 For example, <span><strong class="command">127/8</strong></span> is the 325 network <span><strong class="command">127.0.0.0</strong></span> with 326 netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is 327 network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>. 328 </p> 329 <p> 330 When specifying a prefix involving a IPv6 scoped address 331 the scope may be omitted. In that case the prefix will 332 match packets from any scope. 333 </p> 334 </td> 335</tr> 336<tr> 337<td> 338 <p> 339 <code class="varname">key_id</code> 340 </p> 341 </td> 342<td> 343 <p> 344 A <code class="varname">domain_name</code> representing 345 the name of a shared key, to be used for transaction 346 security. 347 </p> 348 </td> 349</tr> 350<tr> 351<td> 352 <p> 353 <code class="varname">key_list</code> 354 </p> 355 </td> 356<td> 357 <p> 358 A list of one or more 359 <code class="varname">key_id</code>s, 360 separated by semicolons and ending with a semicolon. 361 </p> 362 </td> 363</tr> 364<tr> 365<td> 366 <p> 367 <code class="varname">number</code> 368 </p> 369 </td> 370<td> 371 <p> 372 A non-negative 32-bit integer 373 (i.e., a number between 0 and 4294967295, inclusive). 374 Its acceptable value might further 375 be limited by the context in which it is used. 376 </p> 377 </td> 378</tr> 379<tr> 380<td> 381 <p> 382 <code class="varname">path_name</code> 383 </p> 384 </td> 385<td> 386 <p> 387 A quoted string which will be used as 388 a pathname, such as <code class="filename">zones/master/my.test.domain</code>. 389 </p> 390 </td> 391</tr> 392<tr> 393<td> 394 <p> 395 <code class="varname">port_list</code> 396 </p> 397 </td> 398<td> 399 <p> 400 A list of an <code class="varname">ip_port</code> or a port 401 range. 402 A port range is specified in the form of 403 <strong class="userinput"><code>range</code></strong> followed by 404 two <code class="varname">ip_port</code>s, 405 <code class="varname">port_low</code> and 406 <code class="varname">port_high</code>, which represents 407 port numbers from <code class="varname">port_low</code> through 408 <code class="varname">port_high</code>, inclusive. 409 <code class="varname">port_low</code> must not be larger than 410 <code class="varname">port_high</code>. 411 For example, 412 <strong class="userinput"><code>range 1024 65535</code></strong> represents 413 ports from 1024 through 65535. 414 In either case an asterisk (`*') character is not 415 allowed as a valid <code class="varname">ip_port</code>. 416 </p> 417 </td> 418</tr> 419<tr> 420<td> 421 <p> 422 <code class="varname">size_spec</code> 423 </p> 424 </td> 425<td> 426 <p> 427 A 64-bit unsigned integer, or the keywords 428 <strong class="userinput"><code>unlimited</code></strong> or 429 <strong class="userinput"><code>default</code></strong>. 430 </p> 431 <p> 432 Integers may take values 433 0 <= value <= 18446744073709551615, though 434 certain parameters 435 (such as <span><strong class="command">max-journal-size</strong></span>) may 436 use a more limited range within these extremes. 437 In most cases, setting a value to 0 does not 438 literally mean zero; it means "undefined" or 439 "as big as possible", depending on the context. 440 See the explanations of particular parameters 441 that use <code class="varname">size_spec</code> 442 for details on how they interpret its use. 443 </p> 444 <p> 445 Numeric values can optionally be followed by a 446 scaling factor: 447 <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong> 448 for kilobytes, 449 <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong> 450 for megabytes, and 451 <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> 452 for gigabytes, which scale by 1024, 1024*1024, and 453 1024*1024*1024 respectively. 454 </p> 455 <p> 456 <code class="varname">unlimited</code> generally means 457 "as big as possible", and is usually the best 458 way to safely set a very large number. 459 </p> 460 <p> 461 <code class="varname">default</code> 462 uses the limit that was in force when the server was started. 463 </p> 464 </td> 465</tr> 466<tr> 467<td> 468 <p> 469 <code class="varname">yes_or_no</code> 470 </p> 471 </td> 472<td> 473 <p> 474 Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>. 475 The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are 476 also accepted, as are the numbers <strong class="userinput"><code>1</code></strong> 477 and <strong class="userinput"><code>0</code></strong>. 478 </p> 479 </td> 480</tr> 481<tr> 482<td> 483 <p> 484 <code class="varname">dialup_option</code> 485 </p> 486 </td> 487<td> 488 <p> 489 One of <strong class="userinput"><code>yes</code></strong>, 490 <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>, 491 <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or 492 <strong class="userinput"><code>passive</code></strong>. 493 When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>, 494 <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong> 495 are restricted to slave and stub zones. 496 </p> 497 </td> 498</tr> 499</tbody> 500</table></div> 501<div class="sect2" lang="en"> 502<div class="titlepage"><div><div><h3 class="title"> 503<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div> 504<div class="sect3" lang="en"> 505<div class="titlepage"><div><div><h4 class="title"> 506<a name="id2573115"></a>Syntax</h4></div></div></div> 507<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ; 508 [<span class="optional"> address_match_list_element; ... </span>] 509<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] | 510 key key_id | acl_name | { address_match_list } ) 511</pre> 512</div> 513<div class="sect3" lang="en"> 514<div class="titlepage"><div><div><h4 class="title"> 515<a name="id2573143"></a>Definition and Usage</h4></div></div></div> 516<p> 517 Address match lists are primarily used to determine access 518 control for various server operations. They are also used in 519 the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span> 520 statements. The elements which constitute an address match 521 list can be any of the following: 522 </p> 523<div class="itemizedlist"><ul type="disc"> 524<li>an IP address (IPv4 or IPv6)</li> 525<li>an IP prefix (in `/' notation)</li> 526<li> 527 a key ID, as defined by the <span><strong class="command">key</strong></span> 528 statement 529 </li> 530<li>the name of an address match list defined with 531 the <span><strong class="command">acl</strong></span> statement 532 </li> 533<li>a nested address match list enclosed in braces</li> 534</ul></div> 535<p> 536 Elements can be negated with a leading exclamation mark (`!'), 537 and the match list names "any", "none", "localhost", and 538 "localnets" are predefined. More information on those names 539 can be found in the description of the acl statement. 540 </p> 541<p> 542 The addition of the key clause made the name of this syntactic 543 element something of a misnomer, since security keys can be used 544 to validate access without regard to a host or network address. 545 Nonetheless, the term "address match list" is still used 546 throughout the documentation. 547 </p> 548<p> 549 When a given IP address or prefix is compared to an address 550 match list, the comparison takes place in approximately O(1) 551 time. However, key comparisons require that the list of keys 552 be traversed until a matching key is found, and therefore may 553 be somewhat slower. 554 </p> 555<p> 556 The interpretation of a match depends on whether the list is being 557 used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a 558 <span><strong class="command">sortlist</strong></span>, and whether the element was negated. 559 </p> 560<p> 561 When used as an access control list, a non-negated match 562 allows access and a negated match denies access. If 563 there is no match, access is denied. The clauses 564 <span><strong class="command">allow-notify</strong></span>, 565 <span><strong class="command">allow-recursion</strong></span>, 566 <span><strong class="command">allow-recursion-on</strong></span>, 567 <span><strong class="command">allow-query</strong></span>, 568 <span><strong class="command">allow-query-on</strong></span>, 569 <span><strong class="command">allow-query-cache</strong></span>, 570 <span><strong class="command">allow-query-cache-on</strong></span>, 571 <span><strong class="command">allow-transfer</strong></span>, 572 <span><strong class="command">allow-update</strong></span>, 573 <span><strong class="command">allow-update-forwarding</strong></span>, and 574 <span><strong class="command">blackhole</strong></span> all use address match 575 lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the 576 server to refuse queries on any of the machine's 577 addresses which do not match the list. 578 </p> 579<p> 580 Order of insertion is significant. If more than one element 581 in an ACL is found to match a given IP address or prefix, 582 preference will be given to the one that came 583 <span class="emphasis"><em>first</em></span> in the ACL definition. 584 Because of this first-match behavior, an element that 585 defines a subset of another element in the list should 586 come before the broader element, regardless of whether 587 either is negated. For example, in 588 <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> 589 the 1.2.3.13 element is completely useless because the 590 algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 591 element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes 592 that problem by having 1.2.3.13 blocked by the negation, but 593 all other 1.2.3.* hosts fall through. 594 </p> 595</div> 596</div> 597<div class="sect2" lang="en"> 598<div class="titlepage"><div><div><h3 class="title"> 599<a name="id2573281"></a>Comment Syntax</h3></div></div></div> 600<p> 601 The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for 602 comments to appear 603 anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration 604 file. To appeal to programmers of all kinds, they can be written 605 in the C, C++, or shell/perl style. 606 </p> 607<div class="sect3" lang="en"> 608<div class="titlepage"><div><div><h4 class="title"> 609<a name="id2573296"></a>Syntax</h4></div></div></div> 610<p> 611 </p> 612<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre> 613<p> 614 </p> 615<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre> 616<p> 617 </p> 618<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells 619# and perl</pre> 620<p> 621 </p> 622</div> 623<div class="sect3" lang="en"> 624<div class="titlepage"><div><div><h4 class="title"> 625<a name="id2573394"></a>Definition and Usage</h4></div></div></div> 626<p> 627 Comments may appear anywhere that whitespace may appear in 628 a <acronym class="acronym">BIND</acronym> configuration file. 629 </p> 630<p> 631 C-style comments start with the two characters /* (slash, 632 star) and end with */ (star, slash). Because they are completely 633 delimited with these characters, they can be used to comment only 634 a portion of a line or to span multiple lines. 635 </p> 636<p> 637 C-style comments cannot be nested. For example, the following 638 is not valid because the entire comment ends with the first */: 639 </p> 640<p> 641 642</p> 643<pre class="programlisting">/* This is the start of a comment. 644 This is still part of the comment. 645/* This is an incorrect attempt at nesting a comment. */ 646 This is no longer in any comment. */ 647</pre> 648<p> 649 650 </p> 651<p> 652 C++-style comments start with the two characters // (slash, 653 slash) and continue to the end of the physical line. They cannot 654 be continued across multiple physical lines; to have one logical 655 comment span multiple lines, each line must use the // pair. 656 For example: 657 </p> 658<p> 659 660</p> 661<pre class="programlisting">// This is the start of a comment. The next line 662// is a new comment, even though it is logically 663// part of the previous comment. 664</pre> 665<p> 666 667 </p> 668<p> 669 Shell-style (or perl-style, if you prefer) comments start 670 with the character <code class="literal">#</code> (number sign) 671 and continue to the end of the 672 physical line, as in C++ comments. 673 For example: 674 </p> 675<p> 676 677</p> 678<pre class="programlisting"># This is the start of a comment. The next line 679# is a new comment, even though it is logically 680# part of the previous comment. 681</pre> 682<p> 683 684 </p> 685<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> 686<h3 class="title">Warning</h3> 687<p> 688 You cannot use the semicolon (`;') character 689 to start a comment such as you would in a zone file. The 690 semicolon indicates the end of a configuration 691 statement. 692 </p> 693</div> 694</div> 695</div> 696</div> 697<div class="sect1" lang="en"> 698<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 699<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div> 700<p> 701 A <acronym class="acronym">BIND</acronym> 9 configuration consists of 702 statements and comments. 703 Statements end with a semicolon. Statements and comments are the 704 only elements that can appear without enclosing braces. Many 705 statements contain a block of sub-statements, which are also 706 terminated with a semicolon. 707 </p> 708<p> 709 The following statements are supported: 710 </p> 711<div class="informaltable"><table border="1"> 712<colgroup> 713<col> 714<col> 715</colgroup> 716<tbody> 717<tr> 718<td> 719 <p><span><strong class="command">acl</strong></span></p> 720 </td> 721<td> 722 <p> 723 defines a named IP address 724 matching list, for access control and other uses. 725 </p> 726 </td> 727</tr> 728<tr> 729<td> 730 <p><span><strong class="command">controls</strong></span></p> 731 </td> 732<td> 733 <p> 734 declares control channels to be used 735 by the <span><strong class="command">rndc</strong></span> utility. 736 </p> 737 </td> 738</tr> 739<tr> 740<td> 741 <p><span><strong class="command">include</strong></span></p> 742 </td> 743<td> 744 <p> 745 includes a file. 746 </p> 747 </td> 748</tr> 749<tr> 750<td> 751 <p><span><strong class="command">key</strong></span></p> 752 </td> 753<td> 754 <p> 755 specifies key information for use in 756 authentication and authorization using TSIG. 757 </p> 758 </td> 759</tr> 760<tr> 761<td> 762 <p><span><strong class="command">logging</strong></span></p> 763 </td> 764<td> 765 <p> 766 specifies what the server logs, and where 767 the log messages are sent. 768 </p> 769 </td> 770</tr> 771<tr> 772<td> 773 <p><span><strong class="command">lwres</strong></span></p> 774 </td> 775<td> 776 <p> 777 configures <span><strong class="command">named</strong></span> to 778 also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>). 779 </p> 780 </td> 781</tr> 782<tr> 783<td> 784 <p><span><strong class="command">masters</strong></span></p> 785 </td> 786<td> 787 <p> 788 defines a named masters list for 789 inclusion in stub and slave zones' 790 <span><strong class="command">masters</strong></span> or 791 <span><strong class="command">also-notify</strong></span> lists. 792 </p> 793 </td> 794</tr> 795<tr> 796<td> 797 <p><span><strong class="command">options</strong></span></p> 798 </td> 799<td> 800 <p> 801 controls global server configuration 802 options and sets defaults for other statements. 803 </p> 804 </td> 805</tr> 806<tr> 807<td> 808 <p><span><strong class="command">server</strong></span></p> 809 </td> 810<td> 811 <p> 812 sets certain configuration options on 813 a per-server basis. 814 </p> 815 </td> 816</tr> 817<tr> 818<td> 819 <p><span><strong class="command">statistics-channels</strong></span></p> 820 </td> 821<td> 822 <p> 823 declares communication channels to get access to 824 <span><strong class="command">named</strong></span> statistics. 825 </p> 826 </td> 827</tr> 828<tr> 829<td> 830 <p><span><strong class="command">trusted-keys</strong></span></p> 831 </td> 832<td> 833 <p> 834 defines trusted DNSSEC keys. 835 </p> 836 </td> 837</tr> 838<tr> 839<td> 840 <p><span><strong class="command">managed-keys</strong></span></p> 841 </td> 842<td> 843 <p> 844 lists DNSSEC keys to be kept up to date 845 using RFC 5011 trust anchor maintenance. 846 </p> 847 </td> 848</tr> 849<tr> 850<td> 851 <p><span><strong class="command">view</strong></span></p> 852 </td> 853<td> 854 <p> 855 defines a view. 856 </p> 857 </td> 858</tr> 859<tr> 860<td> 861 <p><span><strong class="command">zone</strong></span></p> 862 </td> 863<td> 864 <p> 865 defines a zone. 866 </p> 867 </td> 868</tr> 869</tbody> 870</table></div> 871<p> 872 The <span><strong class="command">logging</strong></span> and 873 <span><strong class="command">options</strong></span> statements may only occur once 874 per 875 configuration. 876 </p> 877<div class="sect2" lang="en"> 878<div class="titlepage"><div><div><h3 class="title"> 879<a name="id2574009"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> 880<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { 881 address_match_list 882}; 883</pre> 884</div> 885<div class="sect2" lang="en"> 886<div class="titlepage"><div><div><h3 class="title"> 887<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and 888 Usage</h3></div></div></div> 889<p> 890 The <span><strong class="command">acl</strong></span> statement assigns a symbolic 891 name to an address match list. It gets its name from a primary 892 use of address match lists: Access Control Lists (ACLs). 893 </p> 894<p> 895 The following ACLs are built-in: 896 </p> 897<div class="informaltable"><table border="1"> 898<colgroup> 899<col> 900<col> 901</colgroup> 902<tbody> 903<tr> 904<td> 905 <p><span><strong class="command">any</strong></span></p> 906 </td> 907<td> 908 <p> 909 Matches all hosts. 910 </p> 911 </td> 912</tr> 913<tr> 914<td> 915 <p><span><strong class="command">none</strong></span></p> 916 </td> 917<td> 918 <p> 919 Matches no hosts. 920 </p> 921 </td> 922</tr> 923<tr> 924<td> 925 <p><span><strong class="command">localhost</strong></span></p> 926 </td> 927<td> 928 <p> 929 Matches the IPv4 and IPv6 addresses of all network 930 interfaces on the system. When addresses are 931 added or removed, the <span><strong class="command">localhost</strong></span> 932 ACL element is updated to reflect the changes. 933 </p> 934 </td> 935</tr> 936<tr> 937<td> 938 <p><span><strong class="command">localnets</strong></span></p> 939 </td> 940<td> 941 <p> 942 Matches any host on an IPv4 or IPv6 network 943 for which the system has an interface. 944 When addresses are added or removed, 945 the <span><strong class="command">localnets</strong></span> 946 ACL element is updated to reflect the changes. 947 Some systems do not provide a way to determine the prefix 948 lengths of 949 local IPv6 addresses. 950 In such a case, <span><strong class="command">localnets</strong></span> 951 only matches the local 952 IPv6 addresses, just like <span><strong class="command">localhost</strong></span>. 953 </p> 954 </td> 955</tr> 956</tbody> 957</table></div> 958<p> 959 When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support, 960 ACLs can also be used for geographic access restrictions. 961 This is done by specifying an ACL element of the form: 962 <span><strong class="command">geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span> 963 </p> 964<p> 965 The <em class="replaceable"><code>field</code></em> indicates which field 966 to search for a match. Available fields are "country", 967 "region", "city", "continent", "postal" (postal code), 968 "metro" (metro code), "area" (area code), "tz" (timezone), 969 "isp", "org", "asnum", "domain" and "netspeed". 970 </p> 971<p> 972 <em class="replaceable"><code>value</code></em> is the value to search 973 for within the database. A string may be quoted if it 974 contains spaces or other special characters. If this is 975 an "asnum" search, then the leading "ASNNNN" string can be 976 used, otherwise the full description must be used (e.g. 977 "ASNNNN Example Company Name"). If this is a "country" 978 search and the string is two characters long, then it must 979 be a standard ISO-3166-1 two-letter country code, and if it 980 is three characters long then it must be an ISO-3166-1 981 three-letter country code; otherwise it is the full name 982 of the country. Similarly, if this is a "region" search 983 and the string is two characters long, then it must be a 984 standard two-letter state or province abbreviation; 985 otherwise it is the full name of the state or province. 986 </p> 987<p> 988 The <em class="replaceable"><code>database</code></em> field indicates which 989 GeoIP database to search for a match. In most cases this is 990 unnecessary, because most search fields can only be found in 991 a single database. However, searches for country can be 992 answered from the "city", "region", or "country" databases, 993 and searches for region (i.e., state or province) can be 994 answered from the "city" or "region" databases. For these 995 search types, specifying a <em class="replaceable"><code>database</code></em> 996 will force the query to be answered from that database and no 997 other. If <em class="replaceable"><code>database</code></em> is not 998 specified, then these queries will be answered from the "city", 999 database if it is installed, or the "region" database if it is 1000 installed, or the "country" database, in that order. 1001 </p> 1002<p> 1003 Some example GeoIP ACLs: 1004 </p> 1005<pre class="programlisting">geoip country US; 1006geoip country JAP; 1007geoip db country country Canada; 1008geoip db region region WA; 1009geoip city "San Francisco"; 1010geoip region Oklahoma; 1011geoip postal 95062; 1012geoip tz "America/Los_Angeles"; 1013geoip org "Internet Systems Consortium"; 1014</pre> 1015</div> 1016<div class="sect2" lang="en"> 1017<div class="titlepage"><div><div><h3 class="title"> 1018<a name="id2574321"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> 1019<pre class="programlisting"><span><strong class="command">controls</strong></span> { 1020 [ inet ( ip_addr | * ) [ port ip_port ] 1021 allow { <em class="replaceable"><code> address_match_list </code></em> } 1022 keys { <em class="replaceable"><code>key_list</code></em> }; ] 1023 [ inet ...; ] 1024 [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> 1025 keys { <em class="replaceable"><code>key_list</code></em> }; ] 1026 [ unix ...; ] 1027}; 1028</pre> 1029</div> 1030<div class="sect2" lang="en"> 1031<div class="titlepage"><div><div><h3 class="title"> 1032<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and 1033 Usage</h3></div></div></div> 1034<p> 1035 The <span><strong class="command">controls</strong></span> statement declares control 1036 channels to be used by system administrators to control the 1037 operation of the name server. These control channels are 1038 used by the <span><strong class="command">rndc</strong></span> utility to send 1039 commands to and retrieve non-DNS results from a name server. 1040 </p> 1041<p> 1042 An <span><strong class="command">inet</strong></span> control channel is a TCP socket 1043 listening at the specified <span><strong class="command">ip_port</strong></span> on the 1044 specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 1045 address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is 1046 interpreted as the IPv4 wildcard address; connections will be 1047 accepted on any of the system's IPv4 addresses. 1048 To listen on the IPv6 wildcard address, 1049 use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. 1050 If you will only use <span><strong class="command">rndc</strong></span> on the local host, 1051 using the loopback address (<code class="literal">127.0.0.1</code> 1052 or <code class="literal">::1</code>) is recommended for maximum security. 1053 </p> 1054<p> 1055 If no port is specified, port 953 is used. The asterisk 1056 "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>. 1057 </p> 1058<p> 1059 The ability to issue commands over the control channel is 1060 restricted by the <span><strong class="command">allow</strong></span> and 1061 <span><strong class="command">keys</strong></span> clauses. 1062 Connections to the control channel are permitted based on the 1063 <span><strong class="command">address_match_list</strong></span>. This is for simple 1064 IP address based filtering only; any <span><strong class="command">key_id</strong></span> 1065 elements of the <span><strong class="command">address_match_list</strong></span> 1066 are ignored. 1067 </p> 1068<p> 1069 A <span><strong class="command">unix</strong></span> control channel is a UNIX domain 1070 socket listening at the specified path in the file system. 1071 Access to the socket is specified by the <span><strong class="command">perm</strong></span>, 1072 <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses. 1073 Note on some platforms (SunOS and Solaris) the permissions 1074 (<span><strong class="command">perm</strong></span>) are applied to the parent directory 1075 as the permissions on the socket itself are ignored. 1076 </p> 1077<p> 1078 The primary authorization mechanism of the command 1079 channel is the <span><strong class="command">key_list</strong></span>, which 1080 contains a list of <span><strong class="command">key_id</strong></span>s. 1081 Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span> 1082 is authorized to execute commands over the control channel. 1083 See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>) 1084 for information about configuring keys in <span><strong class="command">rndc</strong></span>. 1085 </p> 1086<p> 1087 If no <span><strong class="command">controls</strong></span> statement is present, 1088 <span><strong class="command">named</strong></span> will set up a default 1089 control channel listening on the loopback address 127.0.0.1 1090 and its IPv6 counterpart ::1. 1091 In this case, and also when the <span><strong class="command">controls</strong></span> statement 1092 is present but does not have a <span><strong class="command">keys</strong></span> clause, 1093 <span><strong class="command">named</strong></span> will attempt to load the command channel key 1094 from the file <code class="filename">rndc.key</code> in 1095 <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code> 1096 was specified as when <acronym class="acronym">BIND</acronym> was built). 1097 To create a <code class="filename">rndc.key</code> file, run 1098 <strong class="userinput"><code>rndc-confgen -a</code></strong>. 1099 </p> 1100<p> 1101 The <code class="filename">rndc.key</code> feature was created to 1102 ease the transition of systems from <acronym class="acronym">BIND</acronym> 8, 1103 which did not have digital signatures on its command channel 1104 messages and thus did not have a <span><strong class="command">keys</strong></span> clause. 1105 1106 It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8 1107 configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged, 1108 and still have <span><strong class="command">rndc</strong></span> work the same way 1109 <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the 1110 command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is 1111 installed. 1112 </p> 1113<p> 1114 Since the <code class="filename">rndc.key</code> feature 1115 is only intended to allow the backward-compatible usage of 1116 <acronym class="acronym">BIND</acronym> 8 configuration files, this 1117 feature does not 1118 have a high degree of configurability. You cannot easily change 1119 the key name or the size of the secret, so you should make a 1120 <code class="filename">rndc.conf</code> with your own key if you 1121 wish to change 1122 those things. The <code class="filename">rndc.key</code> file 1123 also has its 1124 permissions set such that only the owner of the file (the user that 1125 <span><strong class="command">named</strong></span> is running as) can access it. 1126 If you 1127 desire greater flexibility in allowing other users to access 1128 <span><strong class="command">rndc</strong></span> commands, then you need to create 1129 a 1130 <code class="filename">rndc.conf</code> file and make it group 1131 readable by a group 1132 that contains the users who should have access. 1133 </p> 1134<p> 1135 To disable the command channel, use an empty 1136 <span><strong class="command">controls</strong></span> statement: 1137 <span><strong class="command">controls { };</strong></span>. 1138 </p> 1139</div> 1140<div class="sect2" lang="en"> 1141<div class="titlepage"><div><div><h3 class="title"> 1142<a name="id2574748"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> 1143<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre> 1144</div> 1145<div class="sect2" lang="en"> 1146<div class="titlepage"><div><div><h3 class="title"> 1147<a name="id2574765"></a><span><strong class="command">include</strong></span> Statement Definition and 1148 Usage</h3></div></div></div> 1149<p> 1150 The <span><strong class="command">include</strong></span> statement inserts the 1151 specified file at the point where the <span><strong class="command">include</strong></span> 1152 statement is encountered. The <span><strong class="command">include</strong></span> 1153 statement facilitates the administration of configuration 1154 files 1155 by permitting the reading or writing of some things but not 1156 others. For example, the statement could include private keys 1157 that are readable only by the name server. 1158 </p> 1159</div> 1160<div class="sect2" lang="en"> 1161<div class="titlepage"><div><div><h3 class="title"> 1162<a name="id2574789"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> 1163<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> { 1164 algorithm <em class="replaceable"><code>string</code></em>; 1165 secret <em class="replaceable"><code>string</code></em>; 1166}; 1167</pre> 1168</div> 1169<div class="sect2" lang="en"> 1170<div class="titlepage"><div><div><h3 class="title"> 1171<a name="id2574812"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> 1172<p> 1173 The <span><strong class="command">key</strong></span> statement defines a shared 1174 secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) 1175 or the command channel 1176 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and 1177 Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and 1178 Usage”</a>). 1179 </p> 1180<p> 1181 The <span><strong class="command">key</strong></span> statement can occur at the 1182 top level 1183 of the configuration file or inside a <span><strong class="command">view</strong></span> 1184 statement. Keys defined in top-level <span><strong class="command">key</strong></span> 1185 statements can be used in all views. Keys intended for use in 1186 a <span><strong class="command">controls</strong></span> statement 1187 (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and 1188 Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and 1189 Usage”</a>) 1190 must be defined at the top level. 1191 </p> 1192<p> 1193 The <em class="replaceable"><code>key_id</code></em>, also known as the 1194 key name, is a domain name uniquely identifying the key. It can 1195 be used in a <span><strong class="command">server</strong></span> 1196 statement to cause requests sent to that 1197 server to be signed with this key, or in address match lists to 1198 verify that incoming requests have been signed with a key 1199 matching this name, algorithm, and secret. 1200 </p> 1201<p> 1202 The <em class="replaceable"><code>algorithm_id</code></em> is a string 1203 that specifies a security/authentication algorithm. Named 1204 supports <code class="literal">hmac-md5</code>, 1205 <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>, 1206 <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code> 1207 and <code class="literal">hmac-sha512</code> TSIG authentication. 1208 Truncated hashes are supported by appending the minimum 1209 number of required bits preceded by a dash, e.g. 1210 <code class="literal">hmac-sha1-80</code>. The 1211 <em class="replaceable"><code>secret_string</code></em> is the secret 1212 to be used by the algorithm, and is treated as a base-64 1213 encoded string. 1214 </p> 1215</div> 1216<div class="sect2" lang="en"> 1217<div class="titlepage"><div><div><h3 class="title"> 1218<a name="id2574903"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> 1219<pre class="programlisting"><span><strong class="command">logging</strong></span> { 1220 [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { 1221 ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em> 1222 [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ] 1223 [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ] 1224 | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em> 1225 | <span><strong class="command">stderr</strong></span> 1226 | <span><strong class="command">null</strong></span> ); 1227 [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> | 1228 <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ] 1229 [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] 1230 [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] 1231 [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] 1232 }; ] 1233 [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> { 1234 <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ] 1235 }; ] 1236 ... 1237}; 1238</pre> 1239</div> 1240<div class="sect2" lang="en"> 1241<div class="titlepage"><div><div><h3 class="title"> 1242<a name="id2575029"></a><span><strong class="command">logging</strong></span> Statement Definition and 1243 Usage</h3></div></div></div> 1244<p> 1245 The <span><strong class="command">logging</strong></span> statement configures a 1246 wide 1247 variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase 1248 associates output methods, format options and severity levels with 1249 a name that can then be used with the <span><strong class="command">category</strong></span> phrase 1250 to select how various classes of messages are logged. 1251 </p> 1252<p> 1253 Only one <span><strong class="command">logging</strong></span> statement is used to 1254 define 1255 as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement, 1256 the logging configuration will be: 1257 </p> 1258<pre class="programlisting">logging { 1259 category default { default_syslog; default_debug; }; 1260 category unmatched { null; }; 1261}; 1262</pre> 1263<p> 1264 In <acronym class="acronym">BIND</acronym> 9, the logging configuration 1265 is only established when 1266 the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was 1267 established as soon as the <span><strong class="command">logging</strong></span> 1268 statement 1269 was parsed. When the server is starting up, all logging messages 1270 regarding syntax errors in the configuration file go to the default 1271 channels, or to standard error if the "<code class="option">-g</code>" option 1272 was specified. 1273 </p> 1274<div class="sect3" lang="en"> 1275<div class="titlepage"><div><div><h4 class="title"> 1276<a name="id2575081"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> 1277<p> 1278 All log output goes to one or more <span class="emphasis"><em>channels</em></span>; 1279 you can make as many of them as you want. 1280 </p> 1281<p> 1282 Every channel definition must include a destination clause that 1283 says whether messages selected for the channel go to a file, to a 1284 particular syslog facility, to the standard error stream, or are 1285 discarded. It can optionally also limit the message severity level 1286 that will be accepted by the channel (the default is 1287 <span><strong class="command">info</strong></span>), and whether to include a 1288 <span><strong class="command">named</strong></span>-generated time stamp, the 1289 category name 1290 and/or severity level (the default is not to include any). 1291 </p> 1292<p> 1293 The <span><strong class="command">null</strong></span> destination clause 1294 causes all messages sent to the channel to be discarded; 1295 in that case, other options for the channel are meaningless. 1296 </p> 1297<p> 1298 The <span><strong class="command">file</strong></span> destination clause directs 1299 the channel 1300 to a disk file. It can include limitations 1301 both on how large the file is allowed to become, and how many 1302 versions 1303 of the file will be saved each time the file is opened. 1304 </p> 1305<p> 1306 If you use the <span><strong class="command">versions</strong></span> log file 1307 option, then 1308 <span><strong class="command">named</strong></span> will retain that many backup 1309 versions of the file by 1310 renaming them when opening. For example, if you choose to keep 1311 three old versions 1312 of the file <code class="filename">lamers.log</code>, then just 1313 before it is opened 1314 <code class="filename">lamers.log.1</code> is renamed to 1315 <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed 1316 to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is 1317 renamed to <code class="filename">lamers.log.0</code>. 1318 You can say <span><strong class="command">versions unlimited</strong></span> to 1319 not limit 1320 the number of versions. 1321 If a <span><strong class="command">size</strong></span> option is associated with 1322 the log file, 1323 then renaming is only done when the file being opened exceeds the 1324 indicated size. No backup versions are kept by default; any 1325 existing 1326 log file is simply appended. 1327 </p> 1328<p> 1329 The <span><strong class="command">size</strong></span> option for files is used 1330 to limit log 1331 growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will 1332 stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option 1333 associated with it. If backup versions are kept, the files are 1334 rolled as 1335 described above and a new one begun. If there is no 1336 <span><strong class="command">versions</strong></span> option, no more data will 1337 be written to the log 1338 until some out-of-band mechanism removes or truncates the log to 1339 less than the 1340 maximum size. The default behavior is not to limit the size of 1341 the 1342 file. 1343 </p> 1344<p> 1345 Example usage of the <span><strong class="command">size</strong></span> and 1346 <span><strong class="command">versions</strong></span> options: 1347 </p> 1348<pre class="programlisting">channel an_example_channel { 1349 file "example.log" versions 3 size 20m; 1350 print-time yes; 1351 print-category yes; 1352}; 1353</pre> 1354<p> 1355 The <span><strong class="command">syslog</strong></span> destination clause 1356 directs the 1357 channel to the system log. Its argument is a 1358 syslog facility as described in the <span><strong class="command">syslog</strong></span> man 1359 page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>, 1360 <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>, 1361 <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>, 1362 <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>, 1363 <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>, 1364 <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>, 1365 <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and 1366 <span><strong class="command">local7</strong></span>, however not all facilities 1367 are supported on 1368 all operating systems. 1369 How <span><strong class="command">syslog</strong></span> will handle messages 1370 sent to 1371 this facility is described in the <span><strong class="command">syslog.conf</strong></span> man 1372 page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that 1373 only uses two arguments to the <span><strong class="command">openlog()</strong></span> function, 1374 then this clause is silently ignored. 1375 </p> 1376<p> 1377 On Windows machines syslog messages are directed to the EventViewer. 1378 </p> 1379<p> 1380 The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s 1381 "priorities", except that they can also be used if you are writing 1382 straight to a file rather than using <span><strong class="command">syslog</strong></span>. 1383 Messages which are not at least of the severity level given will 1384 not be selected for the channel; messages of higher severity 1385 levels 1386 will be accepted. 1387 </p> 1388<p> 1389 If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities 1390 will also determine what eventually passes through. For example, 1391 defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but 1392 only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will 1393 cause messages of severity <span><strong class="command">info</strong></span> and 1394 <span><strong class="command">notice</strong></span> to 1395 be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing 1396 messages of only <span><strong class="command">warning</strong></span> or higher, 1397 then <span><strong class="command">syslogd</strong></span> would 1398 print all messages it received from the channel. 1399 </p> 1400<p> 1401 The <span><strong class="command">stderr</strong></span> destination clause 1402 directs the 1403 channel to the server's standard error stream. This is intended 1404 for 1405 use when the server is running as a foreground process, for 1406 example 1407 when debugging a configuration. 1408 </p> 1409<p> 1410 The server can supply extensive debugging information when 1411 it is in debugging mode. If the server's global debug level is 1412 greater 1413 than zero, then debugging mode will be active. The global debug 1414 level is set either by starting the <span><strong class="command">named</strong></span> server 1415 with the <code class="option">-d</code> flag followed by a positive integer, 1416 or by running <span><strong class="command">rndc trace</strong></span>. 1417 The global debug level 1418 can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc 1419notrace</strong></span>. All debugging messages in the server have a debug 1420 level, and higher debug levels give more detailed output. Channels 1421 that specify a specific debug severity, for example: 1422 </p> 1423<pre class="programlisting">channel specific_debug_level { 1424 file "foo"; 1425 severity debug 3; 1426}; 1427</pre> 1428<p> 1429 will get debugging output of level 3 or less any time the 1430 server is in debugging mode, regardless of the global debugging 1431 level. Channels with <span><strong class="command">dynamic</strong></span> 1432 severity use the 1433 server's global debug level to determine what messages to print. 1434 </p> 1435<p> 1436 If <span><strong class="command">print-time</strong></span> has been turned on, 1437 then 1438 the date and time will be logged. <span><strong class="command">print-time</strong></span> may 1439 be specified for a <span><strong class="command">syslog</strong></span> channel, 1440 but is usually 1441 pointless since <span><strong class="command">syslog</strong></span> also logs 1442 the date and 1443 time. If <span><strong class="command">print-category</strong></span> is 1444 requested, then the 1445 category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is 1446 on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may 1447 be used in any combination, and will always be printed in the 1448 following 1449 order: time, category, severity. Here is an example where all 1450 three <span><strong class="command">print-</strong></span> options 1451 are on: 1452 </p> 1453<p> 1454 <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code> 1455 </p> 1456<p> 1457 There are four predefined channels that are used for 1458 <span><strong class="command">named</strong></span>'s default logging as follows. 1459 How they are 1460 used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>. 1461 </p> 1462<pre class="programlisting">channel default_syslog { 1463 // send to syslog's daemon facility 1464 syslog daemon; 1465 // only send priority info and higher 1466 severity info; 1467 1468channel default_debug { 1469 // write to named.run in the working directory 1470 // Note: stderr is used instead of "named.run" if 1471 // the server is started with the '-f' option. 1472 file "named.run"; 1473 // log at the server's current debug level 1474 severity dynamic; 1475}; 1476 1477channel default_stderr { 1478 // writes to stderr 1479 stderr; 1480 // only send priority info and higher 1481 severity info; 1482}; 1483 1484channel null { 1485 // toss anything sent to this channel 1486 null; 1487}; 1488</pre> 1489<p> 1490 The <span><strong class="command">default_debug</strong></span> channel has the 1491 special 1492 property that it only produces output when the server's debug 1493 level is 1494 nonzero. It normally writes to a file called <code class="filename">named.run</code> 1495 in the server's working directory. 1496 </p> 1497<p> 1498 For security reasons, when the "<code class="option">-u</code>" 1499 command line option is used, the <code class="filename">named.run</code> file 1500 is created only after <span><strong class="command">named</strong></span> has 1501 changed to the 1502 new UID, and any debug output generated while <span><strong class="command">named</strong></span> is 1503 starting up and still running as root is discarded. If you need 1504 to capture this output, you must run the server with the "<code class="option">-g</code>" 1505 option and redirect standard error to a file. 1506 </p> 1507<p> 1508 Once a channel is defined, it cannot be redefined. Thus you 1509 cannot alter the built-in channels directly, but you can modify 1510 the default logging by pointing categories at channels you have 1511 defined. 1512 </p> 1513</div> 1514<div class="sect3" lang="en"> 1515<div class="titlepage"><div><div><h4 class="title"> 1516<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div> 1517<p> 1518 There are many categories, so you can send the logs you want 1519 to see wherever you want, without seeing logs you don't want. If 1520 you don't specify a list of channels for a category, then log 1521 messages 1522 in that category will be sent to the <span><strong class="command">default</strong></span> category 1523 instead. If you don't specify a default category, the following 1524 "default default" is used: 1525 </p> 1526<pre class="programlisting">category default { default_syslog; default_debug; }; 1527</pre> 1528<p> 1529 As an example, let's say you want to log security events to 1530 a file, but you also want keep the default logging behavior. You'd 1531 specify the following: 1532 </p> 1533<pre class="programlisting">channel my_security_channel { 1534 file "my_security_file"; 1535 severity info; 1536}; 1537category security { 1538 my_security_channel; 1539 default_syslog; 1540 default_debug; 1541};</pre> 1542<p> 1543 To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel: 1544 </p> 1545<pre class="programlisting">category xfer-out { null; }; 1546category notify { null; }; 1547</pre> 1548<p> 1549 Following are the available categories and brief descriptions 1550 of the types of log information they contain. More 1551 categories may be added in future <acronym class="acronym">BIND</acronym> releases. 1552 </p> 1553<div class="informaltable"><table border="1"> 1554<colgroup> 1555<col> 1556<col> 1557</colgroup> 1558<tbody> 1559<tr> 1560<td> 1561 <p><span><strong class="command">default</strong></span></p> 1562 </td> 1563<td> 1564 <p> 1565 The default category defines the logging 1566 options for those categories where no specific 1567 configuration has been 1568 defined. 1569 </p> 1570 </td> 1571</tr> 1572<tr> 1573<td> 1574 <p><span><strong class="command">general</strong></span></p> 1575 </td> 1576<td> 1577 <p> 1578 The catch-all. Many things still aren't 1579 classified into categories, and they all end up here. 1580 </p> 1581 </td> 1582</tr> 1583<tr> 1584<td> 1585 <p><span><strong class="command">database</strong></span></p> 1586 </td> 1587<td> 1588 <p> 1589 Messages relating to the databases used 1590 internally by the name server to store zone and cache 1591 data. 1592 </p> 1593 </td> 1594</tr> 1595<tr> 1596<td> 1597 <p><span><strong class="command">security</strong></span></p> 1598 </td> 1599<td> 1600 <p> 1601 Approval and denial of requests. 1602 </p> 1603 </td> 1604</tr> 1605<tr> 1606<td> 1607 <p><span><strong class="command">config</strong></span></p> 1608 </td> 1609<td> 1610 <p> 1611 Configuration file parsing and processing. 1612 </p> 1613 </td> 1614</tr> 1615<tr> 1616<td> 1617 <p><span><strong class="command">resolver</strong></span></p> 1618 </td> 1619<td> 1620 <p> 1621 DNS resolution, such as the recursive 1622 lookups performed on behalf of clients by a caching name 1623 server. 1624 </p> 1625 </td> 1626</tr> 1627<tr> 1628<td> 1629 <p><span><strong class="command">xfer-in</strong></span></p> 1630 </td> 1631<td> 1632 <p> 1633 Zone transfers the server is receiving. 1634 </p> 1635 </td> 1636</tr> 1637<tr> 1638<td> 1639 <p><span><strong class="command">xfer-out</strong></span></p> 1640 </td> 1641<td> 1642 <p> 1643 Zone transfers the server is sending. 1644 </p> 1645 </td> 1646</tr> 1647<tr> 1648<td> 1649 <p><span><strong class="command">notify</strong></span></p> 1650 </td> 1651<td> 1652 <p> 1653 The NOTIFY protocol. 1654 </p> 1655 </td> 1656</tr> 1657<tr> 1658<td> 1659 <p><span><strong class="command">client</strong></span></p> 1660 </td> 1661<td> 1662 <p> 1663 Processing of client requests. 1664 </p> 1665 </td> 1666</tr> 1667<tr> 1668<td> 1669 <p><span><strong class="command">unmatched</strong></span></p> 1670 </td> 1671<td> 1672 <p> 1673 Messages that <span><strong class="command">named</strong></span> was unable to determine the 1674 class of or for which there was no matching <span><strong class="command">view</strong></span>. 1675 A one line summary is also logged to the <span><strong class="command">client</strong></span> category. 1676 This category is best sent to a file or stderr, by 1677 default it is sent to 1678 the <span><strong class="command">null</strong></span> channel. 1679 </p> 1680 </td> 1681</tr> 1682<tr> 1683<td> 1684 <p><span><strong class="command">network</strong></span></p> 1685 </td> 1686<td> 1687 <p> 1688 Network operations. 1689 </p> 1690 </td> 1691</tr> 1692<tr> 1693<td> 1694 <p><span><strong class="command">update</strong></span></p> 1695 </td> 1696<td> 1697 <p> 1698 Dynamic updates. 1699 </p> 1700 </td> 1701</tr> 1702<tr> 1703<td> 1704 <p><span><strong class="command">update-security</strong></span></p> 1705 </td> 1706<td> 1707 <p> 1708 Approval and denial of update requests. 1709 </p> 1710 </td> 1711</tr> 1712<tr> 1713<td> 1714 <p><span><strong class="command">queries</strong></span></p> 1715 </td> 1716<td> 1717 <p> 1718 Specify where queries should be logged to. 1719 </p> 1720 <p> 1721 At startup, specifying the category <span><strong class="command">queries</strong></span> will also 1722 enable query logging unless <span><strong class="command">querylog</strong></span> option has been 1723 specified. 1724 </p> 1725 1726 <p> 1727 The query log entry reports the client's IP 1728 address and port number, and the query name, 1729 class and type. Next it reports whether the 1730 Recursion Desired flag was set (+ if set, - 1731 if not set), if the query was signed (S), 1732 EDNS was in use (E), if TCP was used (T), if 1733 DO (DNSSEC Ok) was set (D), or if CD (Checking 1734 Disabled) was set (C). After this the 1735 destination address the query was sent to is 1736 reported. 1737 </p> 1738 1739 <p> 1740 <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code> 1741 </p> 1742 <p> 1743 <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code> 1744 </p> 1745 <p> 1746 (The first part of this log message, showing the 1747 client address/port number and query name, is 1748 repeated in all subsequent log messages related 1749 to the same query.) 1750 </p> 1751 </td> 1752</tr> 1753<tr> 1754<td> 1755 <p><span><strong class="command">query-errors</strong></span></p> 1756 </td> 1757<td> 1758 <p> 1759 Information about queries that resulted in some 1760 failure. 1761 </p> 1762 </td> 1763</tr> 1764<tr> 1765<td> 1766 <p><span><strong class="command">dispatch</strong></span></p> 1767 </td> 1768<td> 1769 <p> 1770 Dispatching of incoming packets to the 1771 server modules where they are to be processed. 1772 </p> 1773 </td> 1774</tr> 1775<tr> 1776<td> 1777 <p><span><strong class="command">dnssec</strong></span></p> 1778 </td> 1779<td> 1780 <p> 1781 DNSSEC and TSIG protocol processing. 1782 </p> 1783 </td> 1784</tr> 1785<tr> 1786<td> 1787 <p><span><strong class="command">lame-servers</strong></span></p> 1788 </td> 1789<td> 1790 <p> 1791 Lame servers. These are misconfigurations 1792 in remote servers, discovered by BIND 9 when trying to 1793 query those servers during resolution. 1794 </p> 1795 </td> 1796</tr> 1797<tr> 1798<td> 1799 <p><span><strong class="command">delegation-only</strong></span></p> 1800 </td> 1801<td> 1802 <p> 1803 Delegation only. Logs queries that have been 1804 forced to NXDOMAIN as the result of a 1805 delegation-only zone or a 1806 <span><strong class="command">delegation-only</strong></span> in a 1807 forward, hint or stub zone declaration. 1808 </p> 1809 </td> 1810</tr> 1811<tr> 1812<td> 1813 <p><span><strong class="command">edns-disabled</strong></span></p> 1814 </td> 1815<td> 1816 <p> 1817 Log queries that have been forced to use plain 1818 DNS due to timeouts. This is often due to 1819 the remote servers not being RFC 1034 compliant 1820 (not always returning FORMERR or similar to 1821 EDNS queries and other extensions to the DNS 1822 when they are not understood). In other words, this is 1823 targeted at servers that fail to respond to 1824 DNS queries that they don't understand. 1825 </p> 1826 <p> 1827 Note: the log message can also be due to 1828 packet loss. Before reporting servers for 1829 non-RFC 1034 compliance they should be re-tested 1830 to determine the nature of the non-compliance. 1831 This testing should prevent or reduce the 1832 number of false-positive reports. 1833 </p> 1834 <p> 1835 Note: eventually <span><strong class="command">named</strong></span> will have to stop 1836 treating such timeouts as due to RFC 1034 non 1837 compliance and start treating it as plain 1838 packet loss. Falsely classifying packet 1839 loss as due to RFC 1034 non compliance impacts 1840 on DNSSEC validation which requires EDNS for 1841 the DNSSEC records to be returned. 1842 </p> 1843 </td> 1844</tr> 1845<tr> 1846<td> 1847 <p><span><strong class="command">RPZ</strong></span></p> 1848 </td> 1849<td> 1850 <p> 1851 Information about errors in response policy zone files, 1852 rewritten responses, and at the highest 1853 <span><strong class="command">debug</strong></span> levels, mere rewriting 1854 attempts. 1855 </p> 1856 </td> 1857</tr> 1858<tr> 1859<td> 1860 <p><span><strong class="command">rate-limit</strong></span></p> 1861 </td> 1862<td> 1863 <p> 1864 The start, periodic, and final notices of the 1865 rate limiting of a stream of responses are logged at 1866 <span><strong class="command">info</strong></span> severity in this category. 1867 These messages include a hash value of the domain name 1868 of the response and the name itself, 1869 except when there is insufficient memory to record 1870 the name for the final notice 1871 The final notice is normally delayed until about one 1872 minute after rate limit stops. 1873 A lack of memory can hurry the final notice, 1874 in which case it starts with an asterisk (*). 1875 Various internal events are logged at debug 1 level 1876 and higher. 1877 </p> 1878 <p> 1879 Rate limiting of individual requests 1880 is logged in the <span><strong class="command">query-errors</strong></span> category. 1881 </p> 1882 </td> 1883</tr> 1884<tr> 1885<td> 1886 <p><span><strong class="command">cname</strong></span></p> 1887 </td> 1888<td> 1889 <p> 1890 Logs nameservers that are skipped due to them being 1891 a CNAME rather than A / AAAA records. 1892 </p> 1893 </td> 1894</tr> 1895</tbody> 1896</table></div> 1897</div> 1898<div class="sect3" lang="en"> 1899<div class="titlepage"><div><div><h4 class="title"> 1900<a name="id2576732"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div> 1901<p> 1902 The <span><strong class="command">query-errors</strong></span> category is 1903 specifically intended for debugging purposes: To identify 1904 why and how specific queries result in responses which 1905 indicate an error. 1906 Messages of this category are therefore only logged 1907 with <span><strong class="command">debug</strong></span> levels. 1908 </p> 1909<p> 1910 At the debug levels of 1 or higher, each response with the 1911 rcode of SERVFAIL is logged as follows: 1912 </p> 1913<p> 1914 <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code> 1915 </p> 1916<p> 1917 This means an error resulting in SERVFAIL was 1918 detected at line 3880 of source file 1919 <code class="filename">query.c</code>. 1920 Log messages of this level will particularly 1921 help identify the cause of SERVFAIL for an 1922 authoritative server. 1923 </p> 1924<p> 1925 At the debug levels of 2 or higher, detailed context 1926 information of recursive resolutions that resulted in 1927 SERVFAIL is logged. 1928 The log message will look like as follows: 1929 </p> 1930<p> 1931 1932 </p> 1933<pre class="programlisting"> 1934fetch completed at resolver.c:2970 for www.example.com/A 1935in 30.000183: timed out/success [domain:example.com, 1936referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0, 1937badresp:1,adberr:0,findfail:0,valfail:0] 1938 </pre> 1939<p> 1940 </p> 1941<p> 1942 The first part before the colon shows that a recursive 1943 resolution for AAAA records of www.example.com completed 1944 in 30.000183 seconds and the final result that led to the 1945 SERVFAIL was determined at line 2970 of source file 1946 <code class="filename">resolver.c</code>. 1947 </p> 1948<p> 1949 The following part shows the detected final result and the 1950 latest result of DNSSEC validation. 1951 The latter is always success when no validation attempt 1952 is made. 1953 In this example, this query resulted in SERVFAIL probably 1954 because all name servers are down or unreachable, leading 1955 to a timeout in 30 seconds. 1956 DNSSEC validation was probably not attempted. 1957 </p> 1958<p> 1959 The last part enclosed in square brackets shows statistics 1960 information collected for this particular resolution 1961 attempt. 1962 The <code class="varname">domain</code> field shows the deepest zone 1963 that the resolver reached; 1964 it is the zone where the error was finally detected. 1965 The meaning of the other fields is summarized in the 1966 following table. 1967 </p> 1968<div class="informaltable"><table border="1"> 1969<colgroup> 1970<col> 1971<col> 1972</colgroup> 1973<tbody> 1974<tr> 1975<td> 1976 <p><code class="varname">referral</code></p> 1977 </td> 1978<td> 1979 <p> 1980 The number of referrals the resolver received 1981 throughout the resolution process. 1982 In the above example this is 2, which are most 1983 likely com and example.com. 1984 </p> 1985 </td> 1986</tr> 1987<tr> 1988<td> 1989 <p><code class="varname">restart</code></p> 1990 </td> 1991<td> 1992 <p> 1993 The number of cycles that the resolver tried 1994 remote servers at the <code class="varname">domain</code> 1995 zone. 1996 In each cycle the resolver sends one query 1997 (possibly resending it, depending on the response) 1998 to each known name server of 1999 the <code class="varname">domain</code> zone. 2000 </p> 2001 </td> 2002</tr> 2003<tr> 2004<td> 2005 <p><code class="varname">qrysent</code></p> 2006 </td> 2007<td> 2008 <p> 2009 The number of queries the resolver sent at the 2010 <code class="varname">domain</code> zone. 2011 </p> 2012 </td> 2013</tr> 2014<tr> 2015<td> 2016 <p><code class="varname">timeout</code></p> 2017 </td> 2018<td> 2019 <p> 2020 The number of timeouts since the resolver 2021 received the last response. 2022 </p> 2023 </td> 2024</tr> 2025<tr> 2026<td> 2027 <p><code class="varname">lame</code></p> 2028 </td> 2029<td> 2030 <p> 2031 The number of lame servers the resolver detected 2032 at the <code class="varname">domain</code> zone. 2033 A server is detected to be lame either by an 2034 invalid response or as a result of lookup in 2035 BIND9's address database (ADB), where lame 2036 servers are cached. 2037 </p> 2038 </td> 2039</tr> 2040<tr> 2041<td> 2042 <p><code class="varname">neterr</code></p> 2043 </td> 2044<td> 2045 <p> 2046 The number of erroneous results that the 2047 resolver encountered in sending queries 2048 at the <code class="varname">domain</code> zone. 2049 One common case is the remote server is 2050 unreachable and the resolver receives an ICMP 2051 unreachable error message. 2052 </p> 2053 </td> 2054</tr> 2055<tr> 2056<td> 2057 <p><code class="varname">badresp</code></p> 2058 </td> 2059<td> 2060 <p> 2061 The number of unexpected responses (other than 2062 <code class="varname">lame</code>) to queries sent by the 2063 resolver at the <code class="varname">domain</code> zone. 2064 </p> 2065 </td> 2066</tr> 2067<tr> 2068<td> 2069 <p><code class="varname">adberr</code></p> 2070 </td> 2071<td> 2072 <p> 2073 Failures in finding remote server addresses 2074 of the <code class="varname">domain</code> zone in the ADB. 2075 One common case of this is that the remote 2076 server's name does not have any address records. 2077 </p> 2078 </td> 2079</tr> 2080<tr> 2081<td> 2082 <p><code class="varname">findfail</code></p> 2083 </td> 2084<td> 2085 <p> 2086 Failures of resolving remote server addresses. 2087 This is a total number of failures throughout 2088 the resolution process. 2089 </p> 2090 </td> 2091</tr> 2092<tr> 2093<td> 2094 <p><code class="varname">valfail</code></p> 2095 </td> 2096<td> 2097 <p> 2098 Failures of DNSSEC validation. 2099 Validation failures are counted throughout 2100 the resolution process (not limited to 2101 the <code class="varname">domain</code> zone), but should 2102 only happen in <code class="varname">domain</code>. 2103 </p> 2104 </td> 2105</tr> 2106</tbody> 2107</table></div> 2108<p> 2109 At the debug levels of 3 or higher, the same messages 2110 as those at the debug 1 level are logged for other errors 2111 than SERVFAIL. 2112 Note that negative responses such as NXDOMAIN are not 2113 regarded as errors here. 2114 </p> 2115<p> 2116 At the debug levels of 4 or higher, the same messages 2117 as those at the debug 2 level are logged for other errors 2118 than SERVFAIL. 2119 Unlike the above case of level 3, messages are logged for 2120 negative responses. 2121 This is because any unexpected results can be difficult to 2122 debug in the recursion case. 2123 </p> 2124</div> 2125</div> 2126<div class="sect2" lang="en"> 2127<div class="titlepage"><div><div><h3 class="title"> 2128<a name="id2577252"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> 2129<p> 2130 This is the grammar of the <span><strong class="command">lwres</strong></span> 2131 statement in the <code class="filename">named.conf</code> file: 2132 </p> 2133<pre class="programlisting"><span><strong class="command">lwres</strong></span> { 2134 [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; 2135 [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>] 2136 [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>] 2137 [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>] 2138 [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>] 2139}; 2140</pre> 2141</div> 2142<div class="sect2" lang="en"> 2143<div class="titlepage"><div><div><h3 class="title"> 2144<a name="id2577336"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> 2145<p> 2146 The <span><strong class="command">lwres</strong></span> statement configures the 2147 name 2148 server to also act as a lightweight resolver server. (See 2149 <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple 2150 <span><strong class="command">lwres</strong></span> statements configuring 2151 lightweight resolver servers with different properties. 2152 </p> 2153<p> 2154 The <span><strong class="command">listen-on</strong></span> statement specifies a 2155 list of 2156 IPv4 addresses (and ports) that this instance of a lightweight 2157 resolver daemon 2158 should accept requests on. If no port is specified, port 921 is 2159 used. 2160 If this statement is omitted, requests will be accepted on 2161 127.0.0.1, 2162 port 921. 2163 </p> 2164<p> 2165 The <span><strong class="command">view</strong></span> statement binds this 2166 instance of a 2167 lightweight resolver daemon to a view in the DNS namespace, so that 2168 the 2169 response will be constructed in the same manner as a normal DNS 2170 query 2171 matching this view. If this statement is omitted, the default view 2172 is 2173 used, and if there is no default view, an error is triggered. 2174 </p> 2175<p> 2176 The <span><strong class="command">search</strong></span> statement is equivalent to 2177 the 2178 <span><strong class="command">search</strong></span> statement in 2179 <code class="filename">/etc/resolv.conf</code>. It provides a 2180 list of domains 2181 which are appended to relative names in queries. 2182 </p> 2183<p> 2184 The <span><strong class="command">ndots</strong></span> statement is equivalent to 2185 the 2186 <span><strong class="command">ndots</strong></span> statement in 2187 <code class="filename">/etc/resolv.conf</code>. It indicates the 2188 minimum 2189 number of dots in a relative domain name that should result in an 2190 exact match lookup before search path elements are appended. 2191 </p> 2192</div> 2193<div class="sect2" lang="en"> 2194<div class="titlepage"><div><div><h3 class="title"> 2195<a name="id2577400"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> 2196<pre class="programlisting"> 2197<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | 2198 <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; 2199</pre> 2200</div> 2201<div class="sect2" lang="en"> 2202<div class="titlepage"><div><div><h3 class="title"> 2203<a name="id2577517"></a><span><strong class="command">masters</strong></span> Statement Definition and 2204 Usage</h3></div></div></div> 2205<p><span><strong class="command">masters</strong></span> 2206 lists allow for a common set of masters to be easily used by 2207 multiple stub and slave zones in their <span><strong class="command">masters</strong></span> 2208 or <span><strong class="command">also-notify</strong></span> lists. 2209 </p> 2210</div> 2211<div class="sect2" lang="en"> 2212<div class="titlepage"><div><div><h3 class="title"> 2213<a name="id2577539"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> 2214<p> 2215 This is the grammar of the <span><strong class="command">options</strong></span> 2216 statement in the <code class="filename">named.conf</code> file: 2217 </p> 2218<pre class="programlisting"><span><strong class="command">options</strong></span> { 2219 [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>] 2220 [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>] 2221 [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>] 2222 [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>] 2223 [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>] 2224 [<span class="optional"> geoip-directory <em class="replaceable"><code>path_name</code></em>; </span>] 2225 [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] 2226 [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>] 2227 [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>] 2228 [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>] 2229 [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>] 2230 [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>] 2231 [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>] 2232 [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>] 2233 [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>] 2234 [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>] 2235 [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>] 2236 [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>] 2237 [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>] 2238 [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>] 2239 [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2240 [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>] 2241 [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>] 2242 [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>] 2243 [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>] 2244 [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] 2245 [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2246 [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2247 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>] 2248 [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2249 [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2250 [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2251 [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2252 [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2253 [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>] 2254 [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2255 [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2256 [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>] 2257 [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2258 [<span class="optional"> request-sit <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2259 [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2260 [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2261 [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2262 [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2263 [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>] 2264 [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2265 [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>] 2266 [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | 2267 <em class="replaceable"><code>no</code></em> | 2268 <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>] 2269 [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>] 2270 [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2271 [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>] 2272 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>] 2273 [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { 2274 ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] | 2275 <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>]) ; 2276 ... }; </span>] 2277 [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> ) 2278 ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] 2279 [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] 2280 [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] 2281 [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2282 [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2283 [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] 2284 [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] 2285 [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2286 [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] 2287 [<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>] 2288 [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2289 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2290 [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2291 [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2292 [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2293 [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2294 [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2295 [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2296 [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2297 [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2298 [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2299 [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>] 2300 [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2301 [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] 2302 [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>] 2303 [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2304 [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2305 [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2306 [<span class="optional"> no-case-compress { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2307 [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] 2308 [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] 2309 [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] 2310 [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] 2311 [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2312 [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] 2313{ <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2314 [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) 2315 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 2316 [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] | 2317 [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 2318 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) 2319 [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 2320 [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) 2321 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 2322 [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] | 2323 [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 2324 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) 2325 [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 2326 [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2327 [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>] 2328 [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>] 2329 [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>] 2330 [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>] 2331 [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>] 2332 [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>] 2333 [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>] 2334 [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>] 2335 [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>] 2336 [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>] 2337 [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>] 2338 [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>] 2339 [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>] 2340 [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>] 2341 [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>] 2342 [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>] 2343 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 2344 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 2345 [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 2346 [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 2347 [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2348 [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>] 2349 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 2350 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 2351 [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2352 [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> 2353 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; 2354 [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>] 2355 [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>] 2356 [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] 2357 [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>] 2358 [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>] 2359 [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>] 2360 [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>] 2361 [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>] 2362 [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>] 2363 [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>] 2364 [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>] 2365 [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>]; 2366 [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>]; 2367 [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] }; 2368 [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>] 2369 [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>] 2370 [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>] 2371 [<span class="optional"> max-zone-ttl <em class="replaceable"><code>number</code></em> ; </span>] 2372 [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] 2373 [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] 2374 [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] 2375 [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>] 2376 [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>] 2377 [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2378 [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2379 [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2380 [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2381 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] 2382 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] 2383 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] 2384 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] 2385 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>] 2386 [<span class="optional"> dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; 2387 [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2388 [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2389 [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>] 2390 [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>] 2391 [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2392 [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>] 2393 [<span class="optional"> filter-aaaa-on-v6 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>] 2394 [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2395 [<span class="optional"> dns64 <em class="replaceable"><code>ipv6-prefix</code></em> { 2396 [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2397 [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2398 [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 2399 [<span class="optional"> suffix IPv6-address; </span>] 2400 [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2401 [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>] 2402 }; </span>]; 2403 [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>] 2404 [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>] 2405 [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>] 2406 [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>] 2407 [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>] 2408 [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>] 2409 [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>] 2410 [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2411 [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; 2412 [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>] 2413 [<span class="optional"> disable-ds-digests <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>digest_type</code></em>; 2414 [<span class="optional"> <em class="replaceable"><code>digest_type</code></em>; </span>] }; </span>] 2415 [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2416 [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>] 2417 [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>] 2418 [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>] 2419 [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>] 2420 [<span class="optional"> max-recursion-depth <em class="replaceable"><code>number</code></em> ; </span>] 2421 [<span class="optional"> max-recursion-queries <em class="replaceable"><code>number</code></em> ; </span>] 2422 [<span class="optional"> masterfile-format 2423 (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>] 2424 [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>] 2425 [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>] 2426 [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2427 [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>] 2428 [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2429 [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2430 [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>] 2431 [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>] 2432 [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>] 2433 [<span class="optional"> prefetch <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] 2434 2435 [<span class="optional"> rate-limit { 2436 [<span class="optional"> responses-per-second <em class="replaceable"><code>number</code></em> ; </span>] 2437 [<span class="optional"> referrals-per-second <em class="replaceable"><code>number</code></em> ; </span>] 2438 [<span class="optional"> nodata-per-second <em class="replaceable"><code>number</code></em> ; </span>] 2439 [<span class="optional"> nxdomains-per-second <em class="replaceable"><code>number</code></em> ; </span>] 2440 [<span class="optional"> errors-per-second <em class="replaceable"><code>number</code></em> ; </span>] 2441 [<span class="optional"> all-per-second <em class="replaceable"><code>number</code></em> ; </span>] 2442 [<span class="optional"> window <em class="replaceable"><code>number</code></em> ; </span>] 2443 [<span class="optional"> log-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 2444 [<span class="optional"> qps-scale <em class="replaceable"><code>number</code></em> ; </span>] 2445 [<span class="optional"> ipv4-prefix-length <em class="replaceable"><code>number</code></em> ; </span>] 2446 [<span class="optional"> ipv6-prefix-length <em class="replaceable"><code>number</code></em> ; </span>] 2447 [<span class="optional"> slip <em class="replaceable"><code>number</code></em> ; </span>] 2448 [<span class="optional"> exempt-clients { <em class="replaceable"><code>address_match_list</code></em> } ; </span>] 2449 [<span class="optional"> max-table-size <em class="replaceable"><code>number</code></em> ; </span>] 2450 [<span class="optional"> min-table-size <em class="replaceable"><code>number</code></em> ; </span>] 2451 } ; </span>] 2452 [<span class="optional"> response-policy { 2453 zone <em class="replaceable"><code>zone_name</code></em> 2454 [<span class="optional"> policy <em class="replaceable"><code>(given | disabled | passthru | drop | 2455 nxdomain | nodata | cname domain</code></em>) </span>] 2456 [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] 2457 [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] 2458 ; [<span class="optional">...</span>] 2459 } [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] 2460 [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] 2461 [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] 2462 [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>] 2463 [<span class="optional"> qname-wait-recurse <em class="replaceable"><code>yes_or_no</code></em> </span>] 2464 ; </span>] 2465}; 2466</pre> 2467</div> 2468<div class="sect2" lang="en"> 2469<div class="titlepage"><div><div><h3 class="title"> 2470<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and 2471 Usage</h3></div></div></div> 2472<p> 2473 The <span><strong class="command">options</strong></span> statement sets up global 2474 options 2475 to be used by <acronym class="acronym">BIND</acronym>. This statement 2476 may appear only 2477 once in a configuration file. If there is no <span><strong class="command">options</strong></span> 2478 statement, an options block with each option set to its default will 2479 be used. 2480 </p> 2481<div class="variablelist"><dl> 2482<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt> 2483<dd> 2484<p> 2485 Allows multiple views to share a single cache 2486 database. 2487 Each view has its own cache database by default, but 2488 if multiple views have the same operational policy 2489 for name resolution and caching, those views can 2490 share a single cache to save memory and possibly 2491 improve resolution efficiency by using this option. 2492 </p> 2493<p> 2494 The <span><strong class="command">attach-cache</strong></span> option 2495 may also be specified in <span><strong class="command">view</strong></span> 2496 statements, in which case it overrides the 2497 global <span><strong class="command">attach-cache</strong></span> option. 2498 </p> 2499<p> 2500 The <em class="replaceable"><code>cache_name</code></em> specifies 2501 the cache to be shared. 2502 When the <span><strong class="command">named</strong></span> server configures 2503 views which are supposed to share a cache, it 2504 creates a cache with the specified name for the 2505 first view of these sharing views. 2506 The rest of the views will simply refer to the 2507 already created cache. 2508 </p> 2509<p> 2510 One common configuration to share a cache would be to 2511 allow all views to share a single cache. 2512 This can be done by specifying 2513 the <span><strong class="command">attach-cache</strong></span> as a global 2514 option with an arbitrary name. 2515 </p> 2516<p> 2517 Another possible operation is to allow a subset of 2518 all views to share a cache while the others to 2519 retain their own caches. 2520 For example, if there are three views A, B, and C, 2521 and only A and B should share a cache, specify the 2522 <span><strong class="command">attach-cache</strong></span> option as a view A (or 2523 B)'s option, referring to the other view name: 2524 </p> 2525<pre class="programlisting"> 2526 view "A" { 2527 // this view has its own cache 2528 ... 2529 }; 2530 view "B" { 2531 // this view refers to A's cache 2532 attach-cache "A"; 2533 }; 2534 view "C" { 2535 // this view has its own cache 2536 ... 2537 }; 2538</pre> 2539<p> 2540 Views that share a cache must have the same policy 2541 on configurable parameters that may affect caching. 2542 The current implementation requires the following 2543 configurable options be consistent among these 2544 views: 2545 <span><strong class="command">check-names</strong></span>, 2546 <span><strong class="command">cleaning-interval</strong></span>, 2547 <span><strong class="command">dnssec-accept-expired</strong></span>, 2548 <span><strong class="command">dnssec-validation</strong></span>, 2549 <span><strong class="command">max-cache-ttl</strong></span>, 2550 <span><strong class="command">max-ncache-ttl</strong></span>, 2551 <span><strong class="command">max-cache-size</strong></span>, and 2552 <span><strong class="command">zero-no-soa-ttl</strong></span>. 2553 </p> 2554<p> 2555 Note that there may be other parameters that may 2556 cause confusion if they are inconsistent for 2557 different views that share a single cache. 2558 For example, if these views define different sets of 2559 forwarders that can return different answers for the 2560 same question, sharing the answer does not make 2561 sense or could even be harmful. 2562 It is administrator's responsibility to ensure 2563 configuration differences in different views do 2564 not cause disruption with a shared cache. 2565 </p> 2566</dd> 2567<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt> 2568<dd><p> 2569 The working directory of the server. 2570 Any non-absolute pathnames in the configuration file will be 2571 taken 2572 as relative to this directory. The default location for most 2573 server 2574 output files (e.g. <code class="filename">named.run</code>) 2575 is this directory. 2576 If a directory is not specified, the working directory 2577 defaults to `<code class="filename">.</code>', the directory from 2578 which the server 2579 was started. The directory specified should be an absolute 2580 path. 2581 </p></dd> 2582<dt><span class="term"><span><strong class="command">geoip-directory</strong></span></span></dt> 2583<dd><p> 2584 Specifies the directory containing GeoIP 2585 <code class="filename">.dat</code> database files for GeoIP 2586 initialization. By default, this option is unset 2587 and the GeoIP support will use libGeoIP's 2588 built-in directory. 2589 (For details, see <a href="Bv9ARM.ch06.html#acl" title="acl Statement Definition and 2590 Usage">the section called “<span><strong class="command">acl</strong></span> Statement Definition and 2591 Usage”</a> about the 2592 <span><strong class="command">geoip</strong></span> ACL.) 2593 </p></dd> 2594<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> 2595<dd><p> 2596 When performing dynamic update of secure zones, the 2597 directory where the public and private DNSSEC key files 2598 should be found, if different than the current working 2599 directory. (Note that this option has no effect on the 2600 paths for files containing non-DNSSEC keys such as 2601 <code class="filename">bind.keys</code>, 2602 <code class="filename">rndc.key</code> or 2603 <code class="filename">session.key</code>.) 2604 </p></dd> 2605<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt> 2606<dd> 2607<p> 2608 Specifies the directory in which to store the files that 2609 track managed DNSSEC keys. By default, this is the working 2610 directory. 2611 </p> 2612<p> 2613 If <span><strong class="command">named</strong></span> is not configured to use views, 2614 then managed keys for the server will be tracked in a single 2615 file called <code class="filename">managed-keys.bind</code>. 2616 Otherwise, managed keys will be tracked in separate files, 2617 one file per view; each file name will be the SHA256 hash 2618 of the view name, followed by the extension 2619 <code class="filename">.mkeys</code>. 2620 </p> 2621</dd> 2622<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt> 2623<dd><p> 2624 <span class="emphasis"><em>This option is obsolete.</em></span> It 2625 was used in <acronym class="acronym">BIND</acronym> 8 to specify 2626 the pathname to the <span><strong class="command">named-xfer</strong></span> 2627 program. In <acronym class="acronym">BIND</acronym> 9, no separate 2628 <span><strong class="command">named-xfer</strong></span> program is needed; 2629 its functionality is built into the name server. 2630 </p></dd> 2631<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt> 2632<dd><p> 2633 The KRB5 keytab file to use for GSS-TSIG updates. If 2634 this option is set and tkey-gssapi-credential is not 2635 set, then updates will be allowed with any key 2636 matching a principal in the specified keytab. 2637 </p></dd> 2638<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt> 2639<dd><p> 2640 The security credential with which the server should 2641 authenticate keys requested by the GSS-TSIG protocol. 2642 Currently only Kerberos 5 authentication is available 2643 and the credential is a Kerberos principal which the 2644 server can acquire through the default system key 2645 file, normally <code class="filename">/etc/krb5.keytab</code>. 2646 The location keytab file can be overridden using the 2647 tkey-gssapi-keytab option. Normally this principal is 2648 of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>". 2649 To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must 2650 also be set if a specific keytab is not set with 2651 tkey-gssapi-keytab. 2652 </p></dd> 2653<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt> 2654<dd><p> 2655 The domain appended to the names of all shared keys 2656 generated with <span><strong class="command">TKEY</strong></span>. When a 2657 client requests a <span><strong class="command">TKEY</strong></span> exchange, 2658 it may or may not specify the desired name for the 2659 key. If present, the name of the shared key will 2660 be <code class="varname">client specified part</code> + 2661 <code class="varname">tkey-domain</code>. Otherwise, the 2662 name of the shared key will be <code class="varname">random hex 2663 digits</code> + <code class="varname">tkey-domain</code>. 2664 In most cases, the <span><strong class="command">domainname</strong></span> 2665 should be the server's domain name, or an otherwise 2666 non-existent subdomain like 2667 "_tkey.<code class="varname">domainname</code>". If you are 2668 using GSS-TSIG, this variable must be defined, unless 2669 you specify a specific keytab using tkey-gssapi-keytab. 2670 </p></dd> 2671<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt> 2672<dd><p> 2673 The Diffie-Hellman key used by the server 2674 to generate shared keys with clients using the Diffie-Hellman 2675 mode 2676 of <span><strong class="command">TKEY</strong></span>. The server must be 2677 able to load the 2678 public and private keys from files in the working directory. 2679 In 2680 most cases, the keyname should be the server's host name. 2681 </p></dd> 2682<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt> 2683<dd><p> 2684 This is for testing only. Do not use. 2685 </p></dd> 2686<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt> 2687<dd><p> 2688 The pathname of the file the server dumps 2689 the database to when instructed to do so with 2690 <span><strong class="command">rndc dumpdb</strong></span>. 2691 If not specified, the default is <code class="filename">named_dump.db</code>. 2692 </p></dd> 2693<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt> 2694<dd><p> 2695 The pathname of the file the server writes memory 2696 usage statistics to on exit. If not specified, 2697 the default is <code class="filename">named.memstats</code>. 2698 </p></dd> 2699<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt> 2700<dd><p> 2701 The pathname of the file the server writes its process ID 2702 in. If not specified, the default is 2703 <code class="filename">/var/run/named/named.pid</code>. 2704 The PID file is used by programs that want to send signals to 2705 the running 2706 name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the 2707 use of a PID file — no file will be written and any 2708 existing one will be removed. Note that <span><strong class="command">none</strong></span> 2709 is a keyword, not a filename, and therefore is not enclosed 2710 in 2711 double quotes. 2712 </p></dd> 2713<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt> 2714<dd><p> 2715 The pathname of the file the server dumps 2716 the queries that are currently recursing when instructed 2717 to do so with <span><strong class="command">rndc recursing</strong></span>. 2718 If not specified, the default is <code class="filename">named.recursing</code>. 2719 </p></dd> 2720<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt> 2721<dd><p> 2722 The pathname of the file the server appends statistics 2723 to when instructed to do so using <span><strong class="command">rndc stats</strong></span>. 2724 If not specified, the default is <code class="filename">named.stats</code> in the 2725 server's current directory. The format of the file is 2726 described 2727 in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. 2728 </p></dd> 2729<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt> 2730<dd><p> 2731 The pathname of a file to override the built-in trusted 2732 keys provided by <span><strong class="command">named</strong></span>. 2733 See the discussion of <span><strong class="command">dnssec-lookaside</strong></span> 2734 and <span><strong class="command">dnssec-validation</strong></span> for details. 2735 If not specified, the default is 2736 <code class="filename">/etc/bind.keys</code>. 2737 </p></dd> 2738<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt> 2739<dd><p> 2740 The pathname of the file the server dumps 2741 security roots to when instructed to do so with 2742 <span><strong class="command">rndc secroots</strong></span>. 2743 If not specified, the default is 2744 <code class="filename">named.secroots</code>. 2745 </p></dd> 2746<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt> 2747<dd><p> 2748 The pathname of the file into which to write a TSIG 2749 session key generated by <span><strong class="command">named</strong></span> for use by 2750 <span><strong class="command">nsupdate -l</strong></span>. If not specified, the 2751 default is <code class="filename">/var/run/named/session.key</code>. 2752 (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in 2753 particular the discussion of the 2754 <span><strong class="command">update-policy</strong></span> statement's 2755 <strong class="userinput"><code>local</code></strong> option for more 2756 information about this feature.) 2757 </p></dd> 2758<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt> 2759<dd><p> 2760 The key name to use for the TSIG session key. 2761 If not specified, the default is "local-ddns". 2762 </p></dd> 2763<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt> 2764<dd><p> 2765 The algorithm to use for the TSIG session key. 2766 Valid values are hmac-sha1, hmac-sha224, hmac-sha256, 2767 hmac-sha384, hmac-sha512 and hmac-md5. If not 2768 specified, the default is hmac-sha256. 2769 </p></dd> 2770<dt><span class="term"><span><strong class="command">port</strong></span></span></dt> 2771<dd><p> 2772 The UDP/TCP port number the server uses for 2773 receiving and sending DNS protocol traffic. 2774 The default is 53. This option is mainly intended for server 2775 testing; 2776 a server using a port other than 53 will not be able to 2777 communicate with 2778 the global DNS. 2779 </p></dd> 2780<dt><span class="term"><span><strong class="command">dscp</strong></span></span></dt> 2781<dd><p> 2782 The global Differentiated Services Code Point (DSCP) 2783 value to classify outgoing DNS traffic on operating 2784 systems that support DSCP. Valid values are 0 through 63. 2785 It is not configured by default. 2786 </p></dd> 2787<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt> 2788<dd><p> 2789 The source of entropy to be used by the server. Entropy is 2790 primarily needed 2791 for DNSSEC operations, such as TKEY transactions and dynamic 2792 update of signed 2793 zones. This options specifies the device (or file) from which 2794 to read 2795 entropy. If this is a file, operations requiring entropy will 2796 fail when the 2797 file has been exhausted. If not specified, the default value 2798 is 2799 <code class="filename">/dev/random</code> 2800 (or equivalent) when present, and none otherwise. The 2801 <span><strong class="command">random-device</strong></span> option takes 2802 effect during 2803 the initial configuration load at server startup time and 2804 is ignored on subsequent reloads. 2805 </p></dd> 2806<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt> 2807<dd><p> 2808 If specified, the listed type (A or AAAA) will be emitted 2809 before other glue 2810 in the additional section of a query response. 2811 The default is not to prefer any type (NONE). 2812 </p></dd> 2813<dt> 2814<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span> 2815</dt> 2816<dd> 2817<p> 2818 Turn on enforcement of delegation-only in TLDs 2819 (top level domains) and root zones with an optional 2820 exclude list. 2821 </p> 2822<p> 2823 DS queries are expected to be made to and be answered by 2824 delegation only zones. Such queries and responses are 2825 treated as an exception to delegation-only processing 2826 and are not converted to NXDOMAIN responses provided 2827 a CNAME is not discovered at the query name. 2828 </p> 2829<p> 2830 If a delegation only zone server also serves a child 2831 zone it is not always possible to determine whether 2832 an answer comes from the delegation only zone or the 2833 child zone. SOA NS and DNSKEY records are apex 2834 only records and a matching response that contains 2835 these records or DS is treated as coming from a 2836 child zone. RRSIG records are also examined to see 2837 if they are signed by a child zone or not. The 2838 authority section is also examined to see if there 2839 is evidence that the answer is from the child zone. 2840 Answers that are determined to be from a child zone 2841 are not converted to NXDOMAIN responses. Despite 2842 all these checks there is still a possibility of 2843 false negatives when a child zone is being served. 2844 </p> 2845<p> 2846 Similarly false positives can arise from empty nodes 2847 (no records at the name) in the delegation only zone 2848 when the query type is not ANY. 2849 </p> 2850<p> 2851 Note some TLDs are not delegation only (e.g. "DE", "LV", 2852 "US" and "MUSEUM"). This list is not exhaustive. 2853 </p> 2854<pre class="programlisting"> 2855options { 2856 root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; 2857}; 2858</pre> 2859</dd> 2860<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt> 2861<dd> 2862<p> 2863 Disable the specified DNSSEC algorithms at and below the 2864 specified name. 2865 Multiple <span><strong class="command">disable-algorithms</strong></span> 2866 statements are allowed. 2867 Only the best match <span><strong class="command">disable-algorithms</strong></span> 2868 clause will be used to determine which algorithms are used. 2869 </p> 2870<p> 2871 If all supported algorithms are disabled, the zones covered 2872 by the <span><strong class="command">disable-algorithms</strong></span> will be treated 2873 as insecure. 2874 </p> 2875</dd> 2876<dt><span class="term"><span><strong class="command">disable-ds-digests</strong></span></span></dt> 2877<dd> 2878<p> 2879 Disable the specified DS/DLV digest types at and below the 2880 specified name. 2881 Multiple <span><strong class="command">disable-ds-digests</strong></span> 2882 statements are allowed. 2883 Only the best match <span><strong class="command">disable-ds-digests</strong></span> 2884 clause will be used to determine which digest types are used. 2885 </p> 2886<p> 2887 If all supported digest types are disabled, the zones covered 2888 by the <span><strong class="command">disable-ds-digests</strong></span> will be treated 2889 as insecure. 2890 </p> 2891</dd> 2892<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt> 2893<dd> 2894<p> 2895 When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the 2896 validator with an alternate method to validate DNSKEY 2897 records at the top of a zone. When a DNSKEY is at or 2898 below a domain specified by the deepest 2899 <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC 2900 validation has left the key untrusted, the trust-anchor 2901 will be appended to the key name and a DLV record will be 2902 looked up to see if it can validate the key. If the DLV 2903 record validates a DNSKEY (similarly to the way a DS 2904 record does) the DNSKEY RRset is deemed to be trusted. 2905 </p> 2906<p> 2907 If <span><strong class="command">dnssec-lookaside</strong></span> is set to 2908 <strong class="userinput"><code>auto</code></strong>, then built-in default 2909 values for the DLV domain and trust anchor will be 2910 used, along with a built-in key for validation. 2911 </p> 2912<p> 2913 If <span><strong class="command">dnssec-lookaside</strong></span> is set to 2914 <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside 2915 is not used. 2916 </p> 2917<p> 2918 The default DLV key is stored in the file 2919 <code class="filename">bind.keys</code>; 2920 <span><strong class="command">named</strong></span> will load that key at 2921 startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to 2922 <code class="constant">auto</code>. A copy of the file is 2923 installed along with <acronym class="acronym">BIND</acronym> 9, and is 2924 current as of the release date. If the DLV key expires, a 2925 new copy of <code class="filename">bind.keys</code> can be downloaded 2926 from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>. 2927 </p> 2928<p> 2929 (To prevent problems if <code class="filename">bind.keys</code> is 2930 not found, the current key is also compiled in to 2931 <span><strong class="command">named</strong></span>. Relying on this is not 2932 recommended, however, as it requires <span><strong class="command">named</strong></span> 2933 to be recompiled with a new key when the DLV key expires.) 2934 </p> 2935<p> 2936 NOTE: <span><strong class="command">named</strong></span> only loads certain specific 2937 keys from <code class="filename">bind.keys</code>: those for the 2938 DLV zone and for the DNS root zone. The file cannot be 2939 used to store keys for other zones. 2940 </p> 2941</dd> 2942<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt> 2943<dd><p> 2944 Specify hierarchies which must be or may not be secure 2945 (signed and validated). If <strong class="userinput"><code>yes</code></strong>, 2946 then <span><strong class="command">named</strong></span> will only accept answers if 2947 they are secure. If <strong class="userinput"><code>no</code></strong>, then normal 2948 DNSSEC validation applies allowing for insecure answers to 2949 be accepted. The specified domain must be under a 2950 <span><strong class="command">trusted-keys</strong></span> or 2951 <span><strong class="command">managed-keys</strong></span> statement, or 2952 <span><strong class="command">dnssec-lookaside</strong></span> must be active. 2953 </p></dd> 2954<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt> 2955<dd> 2956<p> 2957 This directive instructs <span><strong class="command">named</strong></span> to 2958 return mapped IPv4 addresses to AAAA queries when 2959 there are no AAAA records. It is intended to be 2960 used in conjunction with a NAT64. Each 2961 <span><strong class="command">dns64</strong></span> defines one DNS64 prefix. 2962 Multiple DNS64 prefixes can be defined. 2963 </p> 2964<p> 2965 Compatible IPv6 prefixes have lengths of 32, 40, 48, 56, 2966 64 and 96 as per RFC 6052. 2967 </p> 2968<p> 2969 Additionally a reverse IP6.ARPA zone will be created for 2970 the prefix to provide a mapping from the IP6.ARPA names 2971 to the corresponding IN-ADDR.ARPA names using synthesized 2972 CNAMEs. <span><strong class="command">dns64-server</strong></span> and 2973 <span><strong class="command">dns64-contact</strong></span> can be used to specify 2974 the name of the server and contact for the zones. These 2975 are settable at the view / options level. These are 2976 not settable on a per-prefix basis. 2977 </p> 2978<p> 2979 Each <span><strong class="command">dns64</strong></span> supports an optional 2980 <span><strong class="command">clients</strong></span> ACL that determines which 2981 clients are affected by this directive. If not defined, 2982 it defaults to <strong class="userinput"><code>any;</code></strong>. 2983 </p> 2984<p> 2985 Each <span><strong class="command">dns64</strong></span> supports an optional 2986 <span><strong class="command">mapped</strong></span> ACL that selects which 2987 IPv4 addresses are to be mapped in the corresponding 2988 A RRset. If not defined it defaults to 2989 <strong class="userinput"><code>any;</code></strong>. 2990 </p> 2991<p> 2992 Normally, DNS64 won't apply to a domain name that 2993 owns one or more AAAA records; these records will 2994 simply be returned. The optional 2995 <span><strong class="command">exclude</strong></span> ACL allows specification 2996 of a list of IPv6 addresses that will be ignored 2997 if they appear in a domain name's AAAA records, and 2998 DNS64 will be applied to any A records the domain 2999 name owns. If not defined, <span><strong class="command">exclude</strong></span> 3000 defaults to none. 3001 </p> 3002<p> 3003 A optional <span><strong class="command">suffix</strong></span> can also 3004 be defined to set the bits trailing the mapped 3005 IPv4 address bits. By default these bits are 3006 set to <strong class="userinput"><code>::</code></strong>. The bits 3007 matching the prefix and mapped IPv4 address 3008 must be zero. 3009 </p> 3010<p> 3011 If <span><strong class="command">recursive-only</strong></span> is set to 3012 <span><strong class="command">yes</strong></span> the DNS64 synthesis will 3013 only happen for recursive queries. The default 3014 is <span><strong class="command">no</strong></span>. 3015 </p> 3016<p> 3017 If <span><strong class="command">break-dnssec</strong></span> is set to 3018 <span><strong class="command">yes</strong></span> the DNS64 synthesis will 3019 happen even if the result, if validated, would 3020 cause a DNSSEC validation failure. If this option 3021 is set to <span><strong class="command">no</strong></span> (the default), the DO 3022 is set on the incoming query, and there are RRSIGs on 3023 the applicable records, then synthesis will not happen. 3024 </p> 3025<pre class="programlisting"> 3026 acl rfc1918 { 10/8; 192.168/16; 172.16/12; }; 3027 3028 dns64 64:FF9B::/96 { 3029 clients { any; }; 3030 mapped { !rfc1918; any; }; 3031 exclude { 64:FF9B::/96; ::ffff:0000:0000/96; }; 3032 suffix ::; 3033 }; 3034</pre> 3035</dd> 3036<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> 3037<dd> 3038<p> 3039 If this option is set to its default value of 3040 <code class="literal">maintain</code> in a zone of type 3041 <code class="literal">master</code> which is DNSSEC-signed 3042 and configured to allow dynamic updates (see 3043 <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and 3044 if <span><strong class="command">named</strong></span> has access to the 3045 private signing key(s) for the zone, then 3046 <span><strong class="command">named</strong></span> will automatically sign all new 3047 or changed records and maintain signatures for the zone 3048 by regenerating RRSIG records whenever they approach 3049 their expiration date. 3050 </p> 3051<p> 3052 If the option is changed to <code class="literal">no-resign</code>, 3053 then <span><strong class="command">named</strong></span> will sign all new or 3054 changed records, but scheduled maintenance of 3055 signatures is disabled. 3056 </p> 3057<p> 3058 With either of these settings, <span><strong class="command">named</strong></span> 3059 will reject updates to a DNSSEC-signed zone when the 3060 signing keys are inactive or unavailable to 3061 <span><strong class="command">named</strong></span>. (A planned third option, 3062 <code class="literal">external</code>, will disable all automatic 3063 signing and allow DNSSEC data to be submitted into a zone 3064 via dynamic update; this is not yet implemented.) 3065 </p> 3066</dd> 3067<dt><span class="term"><span><strong class="command">max-zone-ttl</strong></span></span></dt> 3068<dd> 3069<p> 3070 Specifies a maximum permissible TTL value. 3071 When loading a zone file using a 3072 <code class="option">masterfile-format</code> of 3073 <code class="constant">text</code> or <code class="constant">raw</code>, 3074 any record encountered with a TTL higher than 3075 <code class="option">max-zone-ttl</code> will cause the zone to 3076 be rejected. 3077 </p> 3078<p> 3079 This is useful in DNSSEC-signed zones because when 3080 rolling to a new DNSKEY, the old key needs to remain 3081 available until RRSIG records have expired from 3082 caches. The<code class="option">max-zone-ttl</code> option guarantees 3083 that the largest TTL in the zone will be no higher 3084 the set value. 3085 </p> 3086<p> 3087 (NOTE: Because <code class="constant">map</code>-format files 3088 load directly into memory, this option cannot be 3089 used with them.) 3090 </p> 3091</dd> 3092<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> 3093<dd> 3094<p> 3095 If <strong class="userinput"><code>full</code></strong>, the server will collect 3096 statistical data on all zones (unless specifically 3097 turned off on a per-zone basis by specifying 3098 <span><strong class="command">zone-statistics terse</strong></span> or 3099 <span><strong class="command">zone-statistics none</strong></span> 3100 in the <span><strong class="command">zone</strong></span> statement). 3101 The default is <strong class="userinput"><code>terse</code></strong>, providing 3102 minimal statistics on zones (including name and 3103 current serial number, but not query type 3104 counters). 3105 </p> 3106<p> 3107 These statistics may be accessed via the 3108 <span><strong class="command">statistics-channel</strong></span> or 3109 using <span><strong class="command">rndc stats</strong></span>, which 3110 will dump them to the file listed 3111 in the <span><strong class="command">statistics-file</strong></span>. See 3112 also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. 3113 </p> 3114<p> 3115 For backward compatibility with earlier versions 3116 of BIND 9, the <span><strong class="command">zone-statistics</strong></span> 3117 option can also accept <strong class="userinput"><code>yes</code></strong> 3118 or <strong class="userinput"><code>no</code></strong>; <strong class="userinput"><code>yes</code></strong> 3119 has the same meaning as <strong class="userinput"><code>full</code></strong>. 3120 As of <acronym class="acronym">BIND</acronym> 9.10, 3121 <strong class="userinput"><code>no</code></strong> has the same meaning 3122 as <strong class="userinput"><code>none</code></strong>; previously, it 3123 was the same as <strong class="userinput"><code>terse</code></strong>. 3124 </p> 3125</dd> 3126</dl></div> 3127<div class="sect3" lang="en"> 3128<div class="titlepage"><div><div><h4 class="title"> 3129<a name="boolean_options"></a>Boolean Options</h4></div></div></div> 3130<div class="variablelist"><dl> 3131<dt><span class="term"><span><strong class="command">automatic-interface-scan</strong></span></span></dt> 3132<dd> 3133<p> 3134 If <strong class="userinput"><code>yes</code></strong> and supported by the OS, 3135 automatically rescan network interfaces when the interface 3136 addresses are added or removed. The default is 3137 <strong class="userinput"><code>yes</code></strong>. 3138 </p> 3139<p> 3140 Currently the OS needs to support routing sockets for 3141 <span><strong class="command">automatic-interface-scan</strong></span> to be 3142 supported. 3143 </p> 3144</dd> 3145<dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt> 3146<dd><p> 3147 If <strong class="userinput"><code>yes</code></strong>, then zones can be 3148 added at runtime via <span><strong class="command">rndc addzone</strong></span> 3149 or deleted via <span><strong class="command">rndc delzone</strong></span>. 3150 The default is <strong class="userinput"><code>no</code></strong>. 3151 </p></dd> 3152<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt> 3153<dd><p> 3154 If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit 3155 is always set on NXDOMAIN responses, even if the server is 3156 not actually 3157 authoritative. The default is <strong class="userinput"><code>no</code></strong>; 3158 this is 3159 a change from <acronym class="acronym">BIND</acronym> 8. If you 3160 are using very old DNS software, you 3161 may need to set it to <strong class="userinput"><code>yes</code></strong>. 3162 </p></dd> 3163<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt> 3164<dd><p> 3165 This option was used in <acronym class="acronym">BIND</acronym> 3166 8 to enable checking 3167 for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs 3168 the checks. 3169 </p></dd> 3170<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt> 3171<dd><p> 3172 Write memory statistics to the file specified by 3173 <span><strong class="command">memstatistics-file</strong></span> at exit. 3174 The default is <strong class="userinput"><code>no</code></strong> unless 3175 '-m record' is specified on the command line in 3176 which case it is <strong class="userinput"><code>yes</code></strong>. 3177 </p></dd> 3178<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> 3179<dd> 3180<p> 3181 If <strong class="userinput"><code>yes</code></strong>, then the 3182 server treats all zones as if they are doing zone transfers 3183 across 3184 a dial-on-demand dialup link, which can be brought up by 3185 traffic 3186 originating from this server. This has different effects 3187 according 3188 to zone type and concentrates the zone maintenance so that 3189 it all 3190 happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and 3191 hopefully during the one call. It also suppresses some of 3192 the normal 3193 zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>. 3194 </p> 3195<p> 3196 The <span><strong class="command">dialup</strong></span> option 3197 may also be specified in the <span><strong class="command">view</strong></span> and 3198 <span><strong class="command">zone</strong></span> statements, 3199 in which case it overrides the global <span><strong class="command">dialup</strong></span> 3200 option. 3201 </p> 3202<p> 3203 If the zone is a master zone, then the server will send out a 3204 NOTIFY 3205 request to all the slaves (default). This should trigger the 3206 zone serial 3207 number check in the slave (providing it supports NOTIFY) 3208 allowing the slave 3209 to verify the zone while the connection is active. 3210 The set of servers to which NOTIFY is sent can be controlled 3211 by 3212 <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>. 3213 </p> 3214<p> 3215 If the 3216 zone is a slave or stub zone, then the server will suppress 3217 the regular 3218 "zone up to date" (refresh) queries and only perform them 3219 when the 3220 <span><strong class="command">heartbeat-interval</strong></span> expires in 3221 addition to sending 3222 NOTIFY requests. 3223 </p> 3224<p> 3225 Finer control can be achieved by using 3226 <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY 3227 messages, 3228 <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY 3229 messages and 3230 suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong> 3231 which suppresses normal refresh processing and sends refresh 3232 queries 3233 when the <span><strong class="command">heartbeat-interval</strong></span> 3234 expires, and 3235 <strong class="userinput"><code>passive</code></strong> which just disables normal 3236 refresh 3237 processing. 3238 </p> 3239<div class="informaltable"><table border="1"> 3240<colgroup> 3241<col> 3242<col> 3243<col> 3244<col> 3245</colgroup> 3246<tbody> 3247<tr> 3248<td> 3249 <p> 3250 dialup mode 3251 </p> 3252 </td> 3253<td> 3254 <p> 3255 normal refresh 3256 </p> 3257 </td> 3258<td> 3259 <p> 3260 heart-beat refresh 3261 </p> 3262 </td> 3263<td> 3264 <p> 3265 heart-beat notify 3266 </p> 3267 </td> 3268</tr> 3269<tr> 3270<td> 3271 <p><span><strong class="command">no</strong></span> (default)</p> 3272 </td> 3273<td> 3274 <p> 3275 yes 3276 </p> 3277 </td> 3278<td> 3279 <p> 3280 no 3281 </p> 3282 </td> 3283<td> 3284 <p> 3285 no 3286 </p> 3287 </td> 3288</tr> 3289<tr> 3290<td> 3291 <p><span><strong class="command">yes</strong></span></p> 3292 </td> 3293<td> 3294 <p> 3295 no 3296 </p> 3297 </td> 3298<td> 3299 <p> 3300 yes 3301 </p> 3302 </td> 3303<td> 3304 <p> 3305 yes 3306 </p> 3307 </td> 3308</tr> 3309<tr> 3310<td> 3311 <p><span><strong class="command">notify</strong></span></p> 3312 </td> 3313<td> 3314 <p> 3315 yes 3316 </p> 3317 </td> 3318<td> 3319 <p> 3320 no 3321 </p> 3322 </td> 3323<td> 3324 <p> 3325 yes 3326 </p> 3327 </td> 3328</tr> 3329<tr> 3330<td> 3331 <p><span><strong class="command">refresh</strong></span></p> 3332 </td> 3333<td> 3334 <p> 3335 no 3336 </p> 3337 </td> 3338<td> 3339 <p> 3340 yes 3341 </p> 3342 </td> 3343<td> 3344 <p> 3345 no 3346 </p> 3347 </td> 3348</tr> 3349<tr> 3350<td> 3351 <p><span><strong class="command">passive</strong></span></p> 3352 </td> 3353<td> 3354 <p> 3355 no 3356 </p> 3357 </td> 3358<td> 3359 <p> 3360 no 3361 </p> 3362 </td> 3363<td> 3364 <p> 3365 no 3366 </p> 3367 </td> 3368</tr> 3369<tr> 3370<td> 3371 <p><span><strong class="command">notify-passive</strong></span></p> 3372 </td> 3373<td> 3374 <p> 3375 no 3376 </p> 3377 </td> 3378<td> 3379 <p> 3380 no 3381 </p> 3382 </td> 3383<td> 3384 <p> 3385 yes 3386 </p> 3387 </td> 3388</tr> 3389</tbody> 3390</table></div> 3391<p> 3392 Note that normal NOTIFY processing is not affected by 3393 <span><strong class="command">dialup</strong></span>. 3394 </p> 3395</dd> 3396<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt> 3397<dd><p> 3398 In <acronym class="acronym">BIND</acronym> 8, this option 3399 enabled simulating the obsolete DNS query type 3400 IQUERY. <acronym class="acronym">BIND</acronym> 9 never does 3401 IQUERY simulation. 3402 </p></dd> 3403<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt> 3404<dd><p> 3405 This option is obsolete. 3406 In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong> 3407 caused the server to attempt to fetch glue resource records 3408 it 3409 didn't have when constructing the additional 3410 data section of a response. This is now considered a bad 3411 idea 3412 and BIND 9 never does it. 3413 </p></dd> 3414<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt> 3415<dd><p> 3416 When the nameserver exits due receiving SIGTERM, 3417 flush or do not flush any pending zone writes. The default 3418 is 3419 <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>. 3420 </p></dd> 3421<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt> 3422<dd><p> 3423 This option was incorrectly implemented 3424 in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9. 3425 To achieve the intended effect 3426 of 3427 <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify 3428 the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong> 3429 and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead. 3430 </p></dd> 3431<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt> 3432<dd><p> 3433 In BIND 8, this enables keeping of 3434 statistics for every host that the name server interacts 3435 with. 3436 Not implemented in BIND 9. 3437 </p></dd> 3438<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt> 3439<dd><p> 3440 <span class="emphasis"><em>This option is obsolete</em></span>. 3441 It was used in <acronym class="acronym">BIND</acronym> 8 to 3442 determine whether a transaction log was 3443 kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction 3444 log whenever possible. If you need to disable outgoing 3445 incremental zone 3446 transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>. 3447 </p></dd> 3448<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt> 3449<dd><p> 3450 If <strong class="userinput"><code>yes</code></strong>, then when generating 3451 responses the server will only add records to the authority 3452 and additional data sections when they are required (e.g. 3453 delegations, negative responses). This may improve the 3454 performance of the server. 3455 The default is <strong class="userinput"><code>no</code></strong>. 3456 </p></dd> 3457<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt> 3458<dd><p> 3459 This option was used in <acronym class="acronym">BIND</acronym> 8 to allow 3460 a domain name to have multiple CNAME records in violation of 3461 the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards 3462 always strictly enforces the CNAME rules both in master 3463 files and dynamic updates. 3464 </p></dd> 3465<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> 3466<dd> 3467<p> 3468 If <strong class="userinput"><code>yes</code></strong> (the default), 3469 DNS NOTIFY messages are sent when a zone the server is 3470 authoritative for 3471 changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are 3472 sent to the 3473 servers listed in the zone's NS records (except the master 3474 server identified 3475 in the SOA MNAME field), and to any servers listed in the 3476 <span><strong class="command">also-notify</strong></span> option. 3477 </p> 3478<p> 3479 If <strong class="userinput"><code>master-only</code></strong>, notifies are only 3480 sent 3481 for master zones. 3482 If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only 3483 to 3484 servers explicitly listed using <span><strong class="command">also-notify</strong></span>. 3485 If <strong class="userinput"><code>no</code></strong>, no notifies are sent. 3486 </p> 3487<p> 3488 The <span><strong class="command">notify</strong></span> option may also be 3489 specified in the <span><strong class="command">zone</strong></span> 3490 statement, 3491 in which case it overrides the <span><strong class="command">options notify</strong></span> statement. 3492 It would only be necessary to turn off this option if it 3493 caused slaves 3494 to crash. 3495 </p> 3496</dd> 3497<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt> 3498<dd><p> 3499 If <strong class="userinput"><code>yes</code></strong> do not check the nameservers 3500 in the NS RRset against the SOA MNAME. Normally a NOTIFY 3501 message is not sent to the SOA MNAME (SOA ORIGIN) as it is 3502 supposed to contain the name of the ultimate master. 3503 Sometimes, however, a slave is listed as the SOA MNAME in 3504 hidden master configurations and in that case you would 3505 want the ultimate master to still send NOTIFY messages to 3506 all the nameservers listed in the NS RRset. 3507 </p></dd> 3508<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt> 3509<dd><p> 3510 If <strong class="userinput"><code>yes</code></strong>, and a 3511 DNS query requests recursion, then the server will attempt 3512 to do 3513 all the work required to answer the query. If recursion is 3514 off 3515 and the server does not already know the answer, it will 3516 return a 3517 referral response. The default is 3518 <strong class="userinput"><code>yes</code></strong>. 3519 Note that setting <span><strong class="command">recursion no</strong></span> does not prevent 3520 clients from getting data from the server's cache; it only 3521 prevents new data from being cached as an effect of client 3522 queries. 3523 Caching may still occur as an effect the server's internal 3524 operation, such as NOTIFY address lookups. 3525 See also <span><strong class="command">fetch-glue</strong></span> above. 3526 </p></dd> 3527<dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt> 3528<dd><p> 3529 If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0) 3530 NSID (Name Server Identifier) option is sent with all 3531 queries to authoritative name servers during iterative 3532 resolution. If the authoritative server returns an NSID 3533 option in its response, then its contents are logged in 3534 the <span><strong class="command">resolver</strong></span> category at level 3535 <span><strong class="command">info</strong></span>. 3536 The default is <strong class="userinput"><code>no</code></strong>. 3537 </p></dd> 3538<dt><span class="term"><span><strong class="command">request-sit</strong></span></span></dt> 3539<dd><p> 3540 If <strong class="userinput"><code>yes</code></strong>, then a SIT (Source 3541 Identity Token) EDNS option is sent along with 3542 the query. If the resolver has previously talked 3543 to the server, the SIT returned in the previous 3544 transaction is sent. This is used by the server 3545 to determine whether the resolver has talked to 3546 it before. A resolver sending the correct SIT is 3547 assumed not to be an off-path attacker sending a 3548 spoofed-source query; the query is therefore 3549 unlikely to be part of a reflection/amplification 3550 attack, so resolvers sending a correct SIT option 3551 are not subject to response rate limiting (RRL). 3552 Resolvers which do not send a correct SIT option 3553 may be limited to receiving smaller responses via 3554 the <span><strong class="command">nosit-udp-size</strong></span> option. 3555 </p></dd> 3556<dt><span class="term"><span><strong class="command">sit-secret</strong></span></span></dt> 3557<dd><p> 3558 If set, this is a shared secret used for generating 3559 and verifying Source Identity Token EDNS options 3560 within a anycast cluster. If not set the system 3561 will generate a random secret at startup. The 3562 shared secret is encoded as a hex string and needs 3563 to be 128 bits for AES128, 160 bits for SHA1 and 3564 256 bits for SHA256. 3565 </p></dd> 3566<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt> 3567<dd> 3568<p> 3569 Setting this to <strong class="userinput"><code>yes</code></strong> will 3570 cause the server to send NS records along with the SOA 3571 record for negative 3572 answers. The default is <strong class="userinput"><code>no</code></strong>. 3573 </p> 3574<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 3575<h3 class="title">Note</h3> 3576<p> 3577 Not yet implemented in <acronym class="acronym">BIND</acronym> 3578 9. 3579 </p> 3580</div> 3581</dd> 3582<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt> 3583<dd><p> 3584 <span class="emphasis"><em>This option is obsolete</em></span>. 3585 <acronym class="acronym">BIND</acronym> 9 always allocates query 3586 IDs from a pool. 3587 </p></dd> 3588<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt> 3589<dd><p> 3590 <span class="emphasis"><em>This option is obsolete</em></span>. 3591 If you need to disable IXFR to a particular server or 3592 servers, see 3593 the information on the <span><strong class="command">provide-ixfr</strong></span> option 3594 in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and 3595 Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and 3596 Usage”</a>. 3597 See also 3598 <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>. 3599 </p></dd> 3600<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt> 3601<dd><p> 3602 See the description of 3603 <span><strong class="command">provide-ixfr</strong></span> in 3604 <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and 3605 Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and 3606 Usage”</a>. 3607 </p></dd> 3608<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt> 3609<dd><p> 3610 See the description of 3611 <span><strong class="command">request-ixfr</strong></span> in 3612 <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and 3613 Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and 3614 Usage”</a>. 3615 </p></dd> 3616<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt> 3617<dd><p> 3618 This option was used in <acronym class="acronym">BIND</acronym> 3619 8 to make 3620 the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way 3621 as a space or tab character, 3622 to facilitate loading of zone files on a UNIX system that 3623 were generated 3624 on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>" 3625 and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines 3626 are always accepted, 3627 and the option is ignored. 3628 </p></dd> 3629<dt> 3630<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span> 3631</dt> 3632<dd> 3633<p> 3634 These options control the behavior of an authoritative 3635 server when 3636 answering queries which have additional data, or when 3637 following CNAME 3638 and DNAME chains. 3639 </p> 3640<p> 3641 When both of these options are set to <strong class="userinput"><code>yes</code></strong> 3642 (the default) and a 3643 query is being answered from authoritative data (a zone 3644 configured into the server), the additional data section of 3645 the 3646 reply will be filled in using data from other authoritative 3647 zones 3648 and from the cache. In some situations this is undesirable, 3649 such 3650 as when there is concern over the correctness of the cache, 3651 or 3652 in servers where slave zones may be added and modified by 3653 untrusted third parties. Also, avoiding 3654 the search for this additional data will speed up server 3655 operations 3656 at the possible expense of additional queries to resolve 3657 what would 3658 otherwise be provided in the additional section. 3659 </p> 3660<p> 3661 For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>, 3662 and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address 3663 records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well, 3664 if known, even though they are not in the example.com zone. 3665 Setting these options to <span><strong class="command">no</strong></span> 3666 disables this behavior and makes 3667 the server only search for additional data in the zone it 3668 answers from. 3669 </p> 3670<p> 3671 These options are intended for use in authoritative-only 3672 servers, or in authoritative-only views. Attempts to set 3673 them to <span><strong class="command">no</strong></span> without also 3674 specifying 3675 <span><strong class="command">recursion no</strong></span> will cause the 3676 server to 3677 ignore the options and log a warning message. 3678 </p> 3679<p> 3680 Specifying <span><strong class="command">additional-from-cache no</strong></span> actually 3681 disables the use of the cache not only for additional data 3682 lookups 3683 but also when looking up the answer. This is usually the 3684 desired 3685 behavior in an authoritative-only server where the 3686 correctness of 3687 the cached data is an issue. 3688 </p> 3689<p> 3690 When a name server is non-recursively queried for a name 3691 that is not 3692 below the apex of any served zone, it normally answers with 3693 an 3694 "upwards referral" to the root servers or the servers of 3695 some other 3696 known parent of the query name. Since the data in an 3697 upwards referral 3698 comes from the cache, the server will not be able to provide 3699 upwards 3700 referrals when <span><strong class="command">additional-from-cache no</strong></span> 3701 has been specified. Instead, it will respond to such 3702 queries 3703 with REFUSED. This should not cause any problems since 3704 upwards referrals are not required for the resolution 3705 process. 3706 </p> 3707</dd> 3708<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt> 3709<dd> 3710<p> 3711 If <strong class="userinput"><code>yes</code></strong>, then an 3712 IPv4-mapped IPv6 address will match any address match 3713 list entries that match the corresponding IPv4 address. 3714 </p> 3715<p> 3716 This option was introduced to work around a kernel quirk 3717 in some operating systems that causes IPv4 TCP 3718 connections, such as zone transfers, to be accepted on an 3719 IPv6 socket using mapped addresses. This caused address 3720 match lists designed for IPv4 to fail to match. However, 3721 <span><strong class="command">named</strong></span> now solves this problem 3722 internally. The use of this option is discouraged. 3723 </p> 3724</dd> 3725<dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt> 3726<dd> 3727<p> 3728 This option is only available when 3729 <acronym class="acronym">BIND</acronym> 9 is compiled with the 3730 <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the 3731 "configure" command line. It is intended to help the 3732 transition from IPv4 to IPv6 by not giving IPv6 addresses 3733 to DNS clients unless they have connections to the IPv6 3734 Internet. This is not recommended unless absolutely 3735 necessary. The default is <strong class="userinput"><code>no</code></strong>. 3736 The <span><strong class="command">filter-aaaa-on-v4</strong></span> option 3737 may also be specified in <span><strong class="command">view</strong></span> statements 3738 to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span> 3739 option. 3740 </p> 3741<p> 3742 If <strong class="userinput"><code>yes</code></strong>, 3743 the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>, 3744 and if the response does not include DNSSEC signatures, 3745 then all AAAA records are deleted from the response. 3746 This filtering applies to all responses and not only 3747 authoritative responses. 3748 </p> 3749<p> 3750 If <strong class="userinput"><code>break-dnssec</code></strong>, 3751 then AAAA records are deleted even when DNSSEC is enabled. 3752 As suggested by the name, this makes the response not verify, 3753 because the DNSSEC protocol is designed detect deletions. 3754 </p> 3755<p> 3756 This mechanism can erroneously cause other servers to 3757 not give AAAA records to their clients. 3758 A recursing server with both IPv6 and IPv4 network connections 3759 that queries an authoritative server using this mechanism 3760 via IPv4 will be denied AAAA records even if its client is 3761 using IPv6. 3762 </p> 3763<p> 3764 This mechanism is applied to authoritative as well as 3765 non-authoritative records. 3766 A client using IPv4 that is not allowed recursion can 3767 erroneously be given AAAA records because the server is not 3768 allowed to check for A records. 3769 </p> 3770<p> 3771 Some AAAA records are given to IPv4 clients in glue records. 3772 IPv4 clients that are servers can then erroneously 3773 answer requests for AAAA records received via IPv4. 3774 </p> 3775</dd> 3776<dt><span class="term"><span><strong class="command">filter-aaaa-on-v6</strong></span></span></dt> 3777<dd><p> 3778 Identical to <span><strong class="command">filter-aaaa-on-v4</strong></span>, 3779 except it filters AAAA responses to queries from IPv6 3780 clients instead of IPv4 clients. To filter all 3781 responses, set both options to <strong class="userinput"><code>yes</code></strong>. 3782 </p></dd> 3783<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> 3784<dd> 3785<p> 3786 When <strong class="userinput"><code>yes</code></strong> and the server loads a new 3787 version of a master zone from its zone file or receives a 3788 new version of a slave file via zone transfer, it will 3789 compare the new version to the previous one and calculate 3790 a set of differences. The differences are then logged in 3791 the zone's journal file such that the changes can be 3792 transmitted to downstream slaves as an incremental zone 3793 transfer. 3794 </p> 3795<p> 3796 By allowing incremental zone transfers to be used for 3797 non-dynamic zones, this option saves bandwidth at the 3798 expense of increased CPU and memory consumption at the 3799 master. 3800 In particular, if the new version of a zone is completely 3801 different from the previous one, the set of differences 3802 will be of a size comparable to the combined size of the 3803 old and new zone version, and the server will need to 3804 temporarily allocate memory to hold this complete 3805 difference set. 3806 </p> 3807<p><span><strong class="command">ixfr-from-differences</strong></span> 3808 also accepts <span><strong class="command">master</strong></span> and 3809 <span><strong class="command">slave</strong></span> at the view and options 3810 levels which causes 3811 <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for 3812 all <span><strong class="command">master</strong></span> or 3813 <span><strong class="command">slave</strong></span> zones respectively. 3814 It is off by default. 3815 </p> 3816</dd> 3817<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> 3818<dd><p> 3819 This should be set when you have multiple masters for a zone 3820 and the 3821 addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will 3822 not log 3823 when the serial number on the master is less than what <span><strong class="command">named</strong></span> 3824 currently 3825 has. The default is <strong class="userinput"><code>no</code></strong>. 3826 </p></dd> 3827<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt> 3828<dd><p> 3829 Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>, 3830 <span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC. 3831 The default is <strong class="userinput"><code>yes</code></strong>. 3832 </p></dd> 3833<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt> 3834<dd><p> 3835 Enable DNSSEC validation in <span><strong class="command">named</strong></span>. 3836 Note <span><strong class="command">dnssec-enable</strong></span> also needs to be 3837 set to <strong class="userinput"><code>yes</code></strong> to be effective. 3838 If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation 3839 is disabled. If set to <strong class="userinput"><code>auto</code></strong>, 3840 DNSSEC validation is enabled, and a default 3841 trust-anchor for the DNS root zone is used. If set to 3842 <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled, 3843 but a trust anchor must be manually configured using 3844 a <span><strong class="command">trusted-keys</strong></span> or 3845 <span><strong class="command">managed-keys</strong></span> statement. The default 3846 is <strong class="userinput"><code>yes</code></strong>. 3847 </p></dd> 3848<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt> 3849<dd><p> 3850 Accept expired signatures when verifying DNSSEC signatures. 3851 The default is <strong class="userinput"><code>no</code></strong>. 3852 Setting this option to <strong class="userinput"><code>yes</code></strong> 3853 leaves <span><strong class="command">named</strong></span> vulnerable to 3854 replay attacks. 3855 </p></dd> 3856<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt> 3857<dd><p> 3858 Specify whether query logging should be started when <span><strong class="command">named</strong></span> 3859 starts. 3860 If <span><strong class="command">querylog</strong></span> is not specified, 3861 then the query logging 3862 is determined by the presence of the logging category <span><strong class="command">queries</strong></span>. 3863 </p></dd> 3864<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> 3865<dd> 3866<p> 3867 This option is used to restrict the character set and syntax 3868 of 3869 certain domain names in master files and/or DNS responses 3870 received 3871 from the network. The default varies according to usage 3872 area. For 3873 <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. 3874 For <span><strong class="command">slave</strong></span> zones the default 3875 is <span><strong class="command">warn</strong></span>. 3876 For answers received from the network (<span><strong class="command">response</strong></span>) 3877 the default is <span><strong class="command">ignore</strong></span>. 3878 </p> 3879<p> 3880 The rules for legal hostnames and mail domains are derived 3881 from RFC 952 and RFC 821 as modified by RFC 1123. 3882 </p> 3883<p><span><strong class="command">check-names</strong></span> 3884 applies to the owner names of A, AAAA and MX records. 3885 It also applies to the domain names in the RDATA of NS, SOA, 3886 MX, and SRV records. 3887 It also applies to the RDATA of PTR records where the owner 3888 name indicated that it is a reverse lookup of a hostname 3889 (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). 3890 </p> 3891</dd> 3892<dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt> 3893<dd><p> 3894 Check master zones for records that are treated as different 3895 by DNSSEC but are semantically equal in plain DNS. The 3896 default is to <span><strong class="command">warn</strong></span>. Other possible 3897 values are <span><strong class="command">fail</strong></span> and 3898 <span><strong class="command">ignore</strong></span>. 3899 </p></dd> 3900<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> 3901<dd><p> 3902 Check whether the MX record appears to refer to a IP address. 3903 The default is to <span><strong class="command">warn</strong></span>. Other possible 3904 values are <span><strong class="command">fail</strong></span> and 3905 <span><strong class="command">ignore</strong></span>. 3906 </p></dd> 3907<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> 3908<dd><p> 3909 This option is used to check for non-terminal wildcards. 3910 The use of non-terminal wildcards is almost always as a 3911 result of a failure 3912 to understand the wildcard matching algorithm (RFC 1034). 3913 This option 3914 affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check 3915 for non-terminal wildcards and issue a warning. 3916 </p></dd> 3917<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> 3918<dd> 3919<p> 3920 Perform post load zone integrity checks on master 3921 zones. This checks that MX and SRV records refer 3922 to address (A or AAAA) records and that glue 3923 address records exist for delegated zones. For 3924 MX and SRV records only in-zone hostnames are 3925 checked (for out-of-zone hostnames use 3926 <span><strong class="command">named-checkzone</strong></span>). 3927 For NS records only names below top of zone are 3928 checked (for out-of-zone names and glue consistency 3929 checks use <span><strong class="command">named-checkzone</strong></span>). 3930 The default is <span><strong class="command">yes</strong></span>. 3931 </p> 3932<p> 3933 The use of the SPF record for publishing Sender 3934 Policy Framework is deprecated as the migration 3935 from using TXT records to SPF records was abandoned. 3936 Enabling this option also checks that a TXT Sender 3937 Policy Framework record exists (starts with "v=spf1") 3938 if there is an SPF record. Warnings are emitted if the 3939 TXT record does not exist and can be suppressed with 3940 <span><strong class="command">check-spf</strong></span>. 3941 </p> 3942</dd> 3943<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt> 3944<dd><p> 3945 If <span><strong class="command">check-integrity</strong></span> is set then 3946 fail, warn or ignore MX records that refer 3947 to CNAMES. The default is to <span><strong class="command">warn</strong></span>. 3948 </p></dd> 3949<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt> 3950<dd><p> 3951 If <span><strong class="command">check-integrity</strong></span> is set then 3952 fail, warn or ignore SRV records that refer 3953 to CNAMES. The default is to <span><strong class="command">warn</strong></span>. 3954 </p></dd> 3955<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> 3956<dd><p> 3957 When performing integrity checks, also check that 3958 sibling glue exists. The default is <span><strong class="command">yes</strong></span>. 3959 </p></dd> 3960<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt> 3961<dd><p> 3962 If <span><strong class="command">check-integrity</strong></span> is set then 3963 check that there is a TXT Sender Policy Framework 3964 record present (starts with "v=spf1") if there is an 3965 SPF record present. The default is 3966 <span><strong class="command">warn</strong></span>. 3967 </p></dd> 3968<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> 3969<dd><p> 3970 When returning authoritative negative responses to 3971 SOA queries set the TTL of the SOA record returned in 3972 the authority section to zero. 3973 The default is <span><strong class="command">yes</strong></span>. 3974 </p></dd> 3975<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt> 3976<dd><p> 3977 When caching a negative response to a SOA query 3978 set the TTL to zero. 3979 The default is <span><strong class="command">no</strong></span>. 3980 </p></dd> 3981<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> 3982<dd> 3983<p> 3984 When set to the default value of <code class="literal">yes</code>, 3985 check the KSK bit in each key to determine how the key 3986 should be used when generating RRSIGs for a secure zone. 3987 </p> 3988<p> 3989 Ordinarily, zone-signing keys (that is, keys without the 3990 KSK bit set) are used to sign the entire zone, while 3991 key-signing keys (keys with the KSK bit set) are only 3992 used to sign the DNSKEY RRset at the zone apex. 3993 However, if this option is set to <code class="literal">no</code>, 3994 then the KSK bit is ignored; KSKs are treated as if they 3995 were ZSKs and are used to sign the entire zone. This is 3996 similar to the <span><strong class="command">dnssec-signzone -z</strong></span> 3997 command line option. 3998 </p> 3999<p> 4000 When this option is set to <code class="literal">yes</code>, there 4001 must be at least two active keys for every algorithm 4002 represented in the DNSKEY RRset: at least one KSK and one 4003 ZSK per algorithm. If there is any algorithm for which 4004 this requirement is not met, this option will be ignored 4005 for that algorithm. 4006 </p> 4007</dd> 4008<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt> 4009<dd> 4010<p> 4011 When this option and <span><strong class="command">update-check-ksk</strong></span> 4012 are both set to <code class="literal">yes</code>, only key-signing 4013 keys (that is, keys with the KSK bit set) will be used 4014 to sign the DNSKEY RRset at the zone apex. Zone-signing 4015 keys (keys without the KSK bit set) will be used to sign 4016 the remainder of the zone, but not the DNSKEY RRset. 4017 This is similar to the 4018 <span><strong class="command">dnssec-signzone -x</strong></span> command line option. 4019 </p> 4020<p> 4021 The default is <span><strong class="command">no</strong></span>. If 4022 <span><strong class="command">update-check-ksk</strong></span> is set to 4023 <code class="literal">no</code>, this option is ignored. 4024 </p> 4025</dd> 4026<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt> 4027<dd><p> 4028 When a zone is configured with <span><strong class="command">auto-dnssec 4029 maintain;</strong></span> its key repository must be checked 4030 periodically to see if any new keys have been added 4031 or any existing keys' timing metadata has been updated 4032 (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and 4033 <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The 4034 <span><strong class="command">dnssec-loadkeys-interval</strong></span> option 4035 sets the frequency of automatic repository checks, in 4036 minutes. The default is <code class="literal">60</code> (1 hour), 4037 the minimum is <code class="literal">1</code> (1 minute), and the 4038 maximum is <code class="literal">1440</code> (24 hours); any higher 4039 value is silently reduced. 4040 </p></dd> 4041<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt> 4042<dd><p> 4043 Try to refresh the zone using TCP if UDP queries fail. 4044 For BIND 8 compatibility, the default is 4045 <span><strong class="command">yes</strong></span>. 4046 </p></dd> 4047<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt> 4048<dd> 4049<p> 4050 Allow a dynamic zone to transition from secure to 4051 insecure (i.e., signed to unsigned) by deleting all 4052 of the DNSKEY records. The default is <span><strong class="command">no</strong></span>. 4053 If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset 4054 at the zone apex is deleted, all RRSIG and NSEC records 4055 will be removed from the zone as well. 4056 </p> 4057<p> 4058 If the zone uses NSEC3, then it is also necessary to 4059 delete the NSEC3PARAM RRset from the zone apex; this will 4060 cause the removal of all corresponding NSEC3 records. 4061 (It is expected that this requirement will be eliminated 4062 in a future release.) 4063 </p> 4064<p> 4065 Note that if a zone has been configured with 4066 <span><strong class="command">auto-dnssec maintain</strong></span> and the 4067 private keys remain accessible in the key repository, 4068 then the zone will be automatically signed again the 4069 next time <span><strong class="command">named</strong></span> is started. 4070 </p> 4071</dd> 4072</dl></div> 4073</div> 4074<div class="sect3" lang="en"> 4075<div class="titlepage"><div><div><h4 class="title"> 4076<a name="id2584144"></a>Forwarding</h4></div></div></div> 4077<p> 4078 The forwarding facility can be used to create a large site-wide 4079 cache on a few servers, reducing traffic over links to external 4080 name servers. It can also be used to allow queries by servers that 4081 do not have direct access to the Internet, but wish to look up 4082 exterior 4083 names anyway. Forwarding occurs only on those queries for which 4084 the server is not authoritative and does not have the answer in 4085 its cache. 4086 </p> 4087<div class="variablelist"><dl> 4088<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> 4089<dd><p> 4090 This option is only meaningful if the 4091 forwarders list is not empty. A value of <code class="varname">first</code>, 4092 the default, causes the server to query the forwarders 4093 first — and 4094 if that doesn't answer the question, the server will then 4095 look for 4096 the answer itself. If <code class="varname">only</code> is 4097 specified, the 4098 server will only query the forwarders. 4099 </p></dd> 4100<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> 4101<dd><p> 4102 Specifies the IP addresses to be used 4103 for forwarding. The default is the empty list (no 4104 forwarding). 4105 </p></dd> 4106</dl></div> 4107<p> 4108 Forwarding can also be configured on a per-domain basis, allowing 4109 for the global forwarding options to be overridden in a variety 4110 of ways. You can set particular domains to use different 4111 forwarders, 4112 or have a different <span><strong class="command">forward only/first</strong></span> behavior, 4113 or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone 4114 Statement Grammar">the section called “<span><strong class="command">zone</strong></span> 4115 Statement Grammar”</a>. 4116 </p> 4117</div> 4118<div class="sect3" lang="en"> 4119<div class="titlepage"><div><div><h4 class="title"> 4120<a name="id2584202"></a>Dual-stack Servers</h4></div></div></div> 4121<p> 4122 Dual-stack servers are used as servers of last resort to work 4123 around 4124 problems in reachability due the lack of support for either IPv4 4125 or IPv6 4126 on the host machine. 4127 </p> 4128<div class="variablelist"><dl> 4129<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt> 4130<dd><p> 4131 Specifies host names or addresses of machines with access to 4132 both IPv4 and IPv6 transports. If a hostname is used, the 4133 server must be able 4134 to resolve the name using only the transport it has. If the 4135 machine is dual 4136 stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless 4137 access to a transport has been disabled on the command line 4138 (e.g. <span><strong class="command">named -4</strong></span>). 4139 </p></dd> 4140</dl></div> 4141</div> 4142<div class="sect3" lang="en"> 4143<div class="titlepage"><div><div><h4 class="title"> 4144<a name="access_control"></a>Access Control</h4></div></div></div> 4145<p> 4146 Access to the server can be restricted based on the IP address 4147 of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for 4148 details on how to specify IP address lists. 4149 </p> 4150<div class="variablelist"><dl> 4151<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> 4152<dd><p> 4153 Specifies which hosts are allowed to 4154 notify this server, a slave, of zone changes in addition 4155 to the zone masters. 4156 <span><strong class="command">allow-notify</strong></span> may also be 4157 specified in the 4158 <span><strong class="command">zone</strong></span> statement, in which case 4159 it overrides the 4160 <span><strong class="command">options allow-notify</strong></span> 4161 statement. It is only meaningful 4162 for a slave zone. If not specified, the default is to 4163 process notify messages 4164 only from a zone's master. 4165 </p></dd> 4166<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> 4167<dd> 4168<p> 4169 Specifies which hosts are allowed to ask ordinary 4170 DNS questions. <span><strong class="command">allow-query</strong></span> may 4171 also be specified in the <span><strong class="command">zone</strong></span> 4172 statement, in which case it overrides the 4173 <span><strong class="command">options allow-query</strong></span> statement. 4174 If not specified, the default is to allow queries 4175 from all hosts. 4176 </p> 4177<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 4178<h3 class="title">Note</h3> 4179<p> 4180 <span><strong class="command">allow-query-cache</strong></span> is now 4181 used to specify access to the cache. 4182 </p> 4183</div> 4184</dd> 4185<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt> 4186<dd> 4187<p> 4188 Specifies which local addresses can accept ordinary 4189 DNS questions. This makes it possible, for instance, 4190 to allow queries on internal-facing interfaces but 4191 disallow them on external-facing ones, without 4192 necessarily knowing the internal network's addresses. 4193 </p> 4194<p> 4195 Note that <span><strong class="command">allow-query-on</strong></span> is only 4196 checked for queries that are permitted by 4197 <span><strong class="command">allow-query</strong></span>. A query must be 4198 allowed by both ACLs, or it will be refused. 4199 </p> 4200<p> 4201 <span><strong class="command">allow-query-on</strong></span> may 4202 also be specified in the <span><strong class="command">zone</strong></span> 4203 statement, in which case it overrides the 4204 <span><strong class="command">options allow-query-on</strong></span> statement. 4205 </p> 4206<p> 4207 If not specified, the default is to allow queries 4208 on all addresses. 4209 </p> 4210<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 4211<h3 class="title">Note</h3> 4212<p> 4213 <span><strong class="command">allow-query-cache</strong></span> is 4214 used to specify access to the cache. 4215 </p> 4216</div> 4217</dd> 4218<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt> 4219<dd><p> 4220 Specifies which hosts are allowed to get answers 4221 from the cache. If <span><strong class="command">allow-query-cache</strong></span> 4222 is not set then <span><strong class="command">allow-recursion</strong></span> 4223 is used if set, otherwise <span><strong class="command">allow-query</strong></span> 4224 is used if set unless <span><strong class="command">recursion no;</strong></span> is 4225 set in which case <span><strong class="command">none;</strong></span> is used, 4226 otherwise the default (<span><strong class="command">localnets;</strong></span> 4227 <span><strong class="command">localhost;</strong></span>) is used. 4228 </p></dd> 4229<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt> 4230<dd><p> 4231 Specifies which local addresses can give answers 4232 from the cache. If not specified, the default is 4233 to allow cache queries on any address, 4234 <span><strong class="command">localnets</strong></span> and 4235 <span><strong class="command">localhost</strong></span>. 4236 </p></dd> 4237<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt> 4238<dd><p> 4239 Specifies which hosts are allowed to make recursive 4240 queries through this server. If 4241 <span><strong class="command">allow-recursion</strong></span> is not set 4242 then <span><strong class="command">allow-query-cache</strong></span> is 4243 used if set, otherwise <span><strong class="command">allow-query</strong></span> 4244 is used if set, otherwise the default 4245 (<span><strong class="command">localnets;</strong></span> 4246 <span><strong class="command">localhost;</strong></span>) is used. 4247 </p></dd> 4248<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt> 4249<dd><p> 4250 Specifies which local addresses can accept recursive 4251 queries. If not specified, the default is to allow 4252 recursive queries on all addresses. 4253 </p></dd> 4254<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> 4255<dd><p> 4256 Specifies which hosts are allowed to 4257 submit Dynamic DNS updates for master zones. The default is 4258 to deny 4259 updates from all hosts. Note that allowing updates based 4260 on the requestor's IP address is insecure; see 4261 <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details. 4262 </p></dd> 4263<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> 4264<dd> 4265<p> 4266 Specifies which hosts are allowed to 4267 submit Dynamic DNS updates to slave zones to be forwarded to 4268 the 4269 master. The default is <strong class="userinput"><code>{ none; }</code></strong>, 4270 which 4271 means that no update forwarding will be performed. To 4272 enable 4273 update forwarding, specify 4274 <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>. 4275 Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or 4276 <strong class="userinput"><code>{ any; }</code></strong> is usually 4277 counterproductive, since 4278 the responsibility for update access control should rest 4279 with the 4280 master server, not the slaves. 4281 </p> 4282<p> 4283 Note that enabling the update forwarding feature on a slave 4284 server 4285 may expose master servers relying on insecure IP address 4286 based 4287 access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> 4288 for more details. 4289 </p> 4290</dd> 4291<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt> 4292<dd><p> 4293 This option was introduced for the smooth transition from 4294 AAAA 4295 to A6 and from "nibble labels" to binary labels. 4296 However, since both A6 and binary labels were then 4297 deprecated, 4298 this option was also deprecated. 4299 It is now ignored with some warning messages. 4300 </p></dd> 4301<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> 4302<dd><p> 4303 Specifies which hosts are allowed to 4304 receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may 4305 also be specified in the <span><strong class="command">zone</strong></span> 4306 statement, in which 4307 case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement. 4308 If not specified, the default is to allow transfers to all 4309 hosts. 4310 </p></dd> 4311<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt> 4312<dd><p> 4313 Specifies a list of addresses that the 4314 server will not accept queries from or use to resolve a 4315 query. Queries 4316 from these addresses will not be responded to. The default 4317 is <strong class="userinput"><code>none</code></strong>. 4318 </p></dd> 4319<dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt> 4320<dd><p> 4321 Specifies a list of addresses to which 4322 <span><strong class="command">filter-aaaa-on-v4</strong></span> 4323 is applies. The default is <strong class="userinput"><code>any</code></strong>. 4324 </p></dd> 4325<dt><span class="term"><span><strong class="command">no-case-compress</strong></span></span></dt> 4326<dd> 4327<p> 4328 Specifies a list of addresses which require responses 4329 to use case-insensitive compression. This ACL can be 4330 used when <span><strong class="command">named</strong></span> needs to work with 4331 clients that do not comply with the requirement in RFC 4332 1034 to use case-insensitive name comparisons when 4333 checking for matching domain names. 4334 </p> 4335<p> 4336 If left undefined, the ACL defaults to 4337 <span><strong class="command">none</strong></span>: case-insensitive compression 4338 will be used for all clients. If the ACL is defined and 4339 matches a client, then case will be ignored when 4340 compressing domain names in DNS responses sent to that 4341 client. 4342 </p> 4343<p> 4344 This can result in slightly smaller responses: if 4345 a response contains the names "example.com" and 4346 "example.COM", case-insensitive compression would treat 4347 the second one as a duplicate. It also ensures 4348 that the case of the query name exactly matches the 4349 case of the owner names of returned records, rather 4350 than matching the case of the records entered in 4351 the zone file. This allows responses to exactly 4352 match the query, which is required by some clients 4353 due to incorrect use of case-sensitive comparisons. 4354 </p> 4355<p> 4356 Case-insensitive compression is <span class="emphasis"><em>always</em></span> 4357 used in AXFR and IXFR responses, regardless of whether 4358 the client matches this ACL. 4359 </p> 4360<p> 4361 There are circumstances in which <span><strong class="command">named</strong></span> 4362 will not preserve the case of owner names of records: 4363 if a zone file defines records of different types with 4364 the same name, but the capitalization of the name is 4365 different (e.g., "www.example.com/A" and 4366 "WWW.EXAMPLE.COM/AAAA"), then all responses for that 4367 name will use the <span class="emphasis"><em>first</em></span> version 4368 of the name that was used in the zone file. This 4369 limitation may be addressed in a future release. However, 4370 domain names specified in the rdata of resource records 4371 (i.e., records of type NS, MX, CNAME, etc) will always 4372 have their case preserved unless the client matches this 4373 ACL. 4374 </p> 4375</dd> 4376<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt> 4377<dd><p> 4378 The amount of time the resolver will spend attempting 4379 to resolve a recursive query before failing. The default 4380 and minimum is <code class="literal">10</code> and the maximum is 4381 <code class="literal">30</code>. Setting it to <code class="literal">0</code> 4382 will result in the default being used. 4383 </p></dd> 4384</dl></div> 4385</div> 4386<div class="sect3" lang="en"> 4387<div class="titlepage"><div><div><h4 class="title"> 4388<a name="id2584876"></a>Interfaces</h4></div></div></div> 4389<p> 4390 The interfaces and ports that the server will answer queries 4391 from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes 4392 an optional port and an <code class="varname">address_match_list</code> 4393 of IPv4 addresses. (IPv6 addresses are ignored, with a 4394 logged warning.) 4395 The server will listen on all interfaces allowed by the address 4396 match list. If a port is not specified, port 53 will be used. 4397 </p> 4398<p> 4399 Multiple <span><strong class="command">listen-on</strong></span> statements are 4400 allowed. 4401 For example, 4402 </p> 4403<pre class="programlisting">listen-on { 5.6.7.8; }; 4404listen-on port 1234 { !1.2.3.4; 1.2/16; }; 4405</pre> 4406<p> 4407 will enable the name server on port 53 for the IP address 4408 5.6.7.8, and on port 1234 of an address on the machine in net 4409 1.2 that is not 1.2.3.4. 4410 </p> 4411<p> 4412 If no <span><strong class="command">listen-on</strong></span> is specified, the 4413 server will listen on port 53 on all IPv4 interfaces. 4414 </p> 4415<p> 4416 The <span><strong class="command">listen-on-v6</strong></span> option is used to 4417 specify the interfaces and the ports on which the server will 4418 listen for incoming queries sent using IPv6. If not specified, 4419 the server will listen on port 53 on all IPv6 interfaces. 4420 </p> 4421<p> 4422 When </p> 4423<pre class="programlisting">{ any; }</pre> 4424<p> is 4425 specified 4426 as the <code class="varname">address_match_list</code> for the 4427 <span><strong class="command">listen-on-v6</strong></span> option, 4428 the server does not bind a separate socket to each IPv6 interface 4429 address as it does for IPv4 if the operating system has enough API 4430 support for IPv6 (specifically if it conforms to RFC 3493 and RFC 4431 3542). 4432 Instead, it listens on the IPv6 wildcard address. 4433 If the system only has incomplete API support for IPv6, however, 4434 the behavior is the same as that for IPv4. 4435 </p> 4436<p> 4437 A list of particular IPv6 addresses can also be specified, in 4438 which case 4439 the server listens on a separate socket for each specified 4440 address, 4441 regardless of whether the desired API is supported by the system. 4442 IPv4 addresses specified in <span><strong class="command">listen-on-v6</strong></span> 4443 will be ignored, with a logged warning. 4444 </p> 4445<p> 4446 Multiple <span><strong class="command">listen-on-v6</strong></span> options can 4447 be used. 4448 For example, 4449 </p> 4450<pre class="programlisting">listen-on-v6 { any; }; 4451listen-on-v6 port 1234 { !2001:db8::/32; any; }; 4452</pre> 4453<p> 4454 will enable the name server on port 53 for any IPv6 addresses 4455 (with a single wildcard socket), 4456 and on port 1234 of IPv6 addresses that is not in the prefix 4457 2001:db8::/32 (with separate sockets for each matched address.) 4458 </p> 4459<p> 4460 To make the server not listen on any IPv6 address, use 4461 </p> 4462<pre class="programlisting">listen-on-v6 { none; }; 4463</pre> 4464</div> 4465<div class="sect3" lang="en"> 4466<div class="titlepage"><div><div><h4 class="title"> 4467<a name="query_address"></a>Query Address</h4></div></div></div> 4468<p> 4469 If the server doesn't know the answer to a question, it will 4470 query other name servers. <span><strong class="command">query-source</strong></span> specifies 4471 the address and port used for such queries. For queries sent over 4472 IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option. 4473 If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted, 4474 a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) 4475 will be used. 4476 </p> 4477<p> 4478 If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted, 4479 a random port number from a pre-configured 4480 range is picked up and will be used for each query. 4481 The port range(s) is that specified in 4482 the <span><strong class="command">use-v4-udp-ports</strong></span> (for IPv4) 4483 and <span><strong class="command">use-v6-udp-ports</strong></span> (for IPv6) 4484 options, excluding the ranges specified in 4485 the <span><strong class="command">avoid-v4-udp-ports</strong></span> 4486 and <span><strong class="command">avoid-v6-udp-ports</strong></span> options, respectively. 4487 </p> 4488<p> 4489 The defaults of the <span><strong class="command">query-source</strong></span> and 4490 <span><strong class="command">query-source-v6</strong></span> options 4491 are: 4492 </p> 4493<pre class="programlisting">query-source address * port *; 4494query-source-v6 address * port *; 4495</pre> 4496<p> 4497 If <span><strong class="command">use-v4-udp-ports</strong></span> or 4498 <span><strong class="command">use-v6-udp-ports</strong></span> is unspecified, 4499 <span><strong class="command">named</strong></span> will check if the operating 4500 system provides a programming interface to retrieve the 4501 system's default range for ephemeral ports. 4502 If such an interface is available, 4503 <span><strong class="command">named</strong></span> will use the corresponding system 4504 default range; otherwise, it will use its own defaults: 4505 </p> 4506<pre class="programlisting">use-v4-udp-ports { range 1024 65535; }; 4507use-v6-udp-ports { range 1024 65535; }; 4508</pre> 4509<p> 4510 Note: make sure the ranges be sufficiently large for 4511 security. A desirable size depends on various parameters, 4512 but we generally recommend it contain at least 16384 ports 4513 (14 bits of entropy). 4514 Note also that the system's default range when used may be 4515 too small for this purpose, and that the range may even be 4516 changed while <span><strong class="command">named</strong></span> is running; the new 4517 range will automatically be applied when <span><strong class="command">named</strong></span> 4518 is reloaded. 4519 It is encouraged to 4520 configure <span><strong class="command">use-v4-udp-ports</strong></span> and 4521 <span><strong class="command">use-v6-udp-ports</strong></span> explicitly so that the 4522 ranges are sufficiently large and are reasonably 4523 independent from the ranges used by other applications. 4524 </p> 4525<p> 4526 Note: the operational configuration 4527 where <span><strong class="command">named</strong></span> runs may prohibit the use 4528 of some ports. For example, UNIX systems will not allow 4529 <span><strong class="command">named</strong></span> running without a root privilege 4530 to use ports less than 1024. 4531 If such ports are included in the specified (or detected) 4532 set of query ports, the corresponding query attempts will 4533 fail, resulting in resolution failures or delay. 4534 It is therefore important to configure the set of ports 4535 that can be safely used in the expected operational environment. 4536 </p> 4537<p> 4538 The defaults of the <span><strong class="command">avoid-v4-udp-ports</strong></span> and 4539 <span><strong class="command">avoid-v6-udp-ports</strong></span> options 4540 are: 4541 </p> 4542<pre class="programlisting">avoid-v4-udp-ports {}; 4543avoid-v6-udp-ports {}; 4544</pre> 4545<p> 4546 Note: BIND 9.5.0 introduced 4547 the <span><strong class="command">use-queryport-pool</strong></span> 4548 option to support a pool of such random ports, but this 4549 option is now obsolete because reusing the same ports in 4550 the pool may not be sufficiently secure. 4551 For the same reason, it is generally strongly discouraged to 4552 specify a particular port for the 4553 <span><strong class="command">query-source</strong></span> or 4554 <span><strong class="command">query-source-v6</strong></span> options; 4555 it implicitly disables the use of randomized port numbers. 4556 </p> 4557<div class="variablelist"><dl> 4558<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt> 4559<dd><p> 4560 This option is obsolete. 4561 </p></dd> 4562<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt> 4563<dd><p> 4564 This option is obsolete. 4565 </p></dd> 4566<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt> 4567<dd><p> 4568 This option is obsolete. 4569 </p></dd> 4570</dl></div> 4571<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 4572<h3 class="title">Note</h3> 4573<p> 4574 The address specified in the <span><strong class="command">query-source</strong></span> option 4575 is used for both UDP and TCP queries, but the port applies only 4576 to UDP queries. TCP queries always use a random 4577 unprivileged port. 4578 </p> 4579</div> 4580<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 4581<h3 class="title">Note</h3> 4582<p> 4583 Solaris 2.5.1 and earlier does not support setting the source 4584 address for TCP sockets. 4585 </p> 4586</div> 4587<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 4588<h3 class="title">Note</h3> 4589<p> 4590 See also <span><strong class="command">transfer-source</strong></span> and 4591 <span><strong class="command">notify-source</strong></span>. 4592 </p> 4593</div> 4594</div> 4595<div class="sect3" lang="en"> 4596<div class="titlepage"><div><div><h4 class="title"> 4597<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div> 4598<p> 4599 <acronym class="acronym">BIND</acronym> has mechanisms in place to 4600 facilitate zone transfers 4601 and set limits on the amount of load that transfers place on the 4602 system. The following options apply to zone transfers. 4603 </p> 4604<div class="variablelist"><dl> 4605<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> 4606<dd> 4607<p> 4608 Defines a global list of IP addresses of name servers 4609 that are also sent NOTIFY messages whenever a fresh copy of 4610 the 4611 zone is loaded, in addition to the servers listed in the 4612 zone's NS records. 4613 This helps to ensure that copies of the zones will 4614 quickly converge on stealth servers. 4615 Optionally, a port may be specified with each 4616 <span><strong class="command">also-notify</strong></span> address to send 4617 the notify messages to a port other than the 4618 default of 53. 4619 An optional TSIG key can also be specified with each 4620 address to cause the notify messages to be signed; this 4621 can be useful when sending notifies to multiple views. 4622 In place of explicit addresses, one or more named 4623 <span><strong class="command">masters</strong></span> lists can be used. 4624 </p> 4625<p> 4626 If an <span><strong class="command">also-notify</strong></span> list 4627 is given in a <span><strong class="command">zone</strong></span> statement, 4628 it will override 4629 the <span><strong class="command">options also-notify</strong></span> 4630 statement. When a <span><strong class="command">zone notify</strong></span> 4631 statement 4632 is set to <span><strong class="command">no</strong></span>, the IP 4633 addresses in the global <span><strong class="command">also-notify</strong></span> list will 4634 not be sent NOTIFY messages for that zone. The default is 4635 the empty 4636 list (no global notification list). 4637 </p> 4638</dd> 4639<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> 4640<dd><p> 4641 Inbound zone transfers running longer than 4642 this many minutes will be terminated. The default is 120 4643 minutes 4644 (2 hours). The maximum value is 28 days (40320 minutes). 4645 </p></dd> 4646<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> 4647<dd><p> 4648 Inbound zone transfers making no progress 4649 in this many minutes will be terminated. The default is 60 4650 minutes 4651 (1 hour). The maximum value is 28 days (40320 minutes). 4652 </p></dd> 4653<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> 4654<dd><p> 4655 Outbound zone transfers running longer than 4656 this many minutes will be terminated. The default is 120 4657 minutes 4658 (2 hours). The maximum value is 28 days (40320 minutes). 4659 </p></dd> 4660<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> 4661<dd><p> 4662 Outbound zone transfers making no progress 4663 in this many minutes will be terminated. The default is 60 4664 minutes (1 4665 hour). The maximum value is 28 days (40320 minutes). 4666 </p></dd> 4667<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt> 4668<dd> 4669<p> 4670 Slave servers will periodically query master 4671 servers to find out if zone serial numbers have 4672 changed. Each such query uses a minute amount of 4673 the slave server's network bandwidth. To limit 4674 the amount of bandwidth used, BIND 9 limits the 4675 rate at which queries are sent. The value of the 4676 <span><strong class="command">serial-query-rate</strong></span> option, an 4677 integer, is the maximum number of queries sent 4678 per second. The default is 20 per second. 4679 The lowest possible rate is one per second; when set 4680 to zero, it will be silently raised to one. 4681 </p> 4682<p> 4683 In addition to controlling the rate SOA refresh 4684 queries are issued at 4685 <span><strong class="command">serial-query-rate</strong></span> also controls 4686 the rate at which NOTIFY messages are sent from 4687 both master and slave zones. 4688 </p> 4689</dd> 4690<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt> 4691<dd><p> 4692 In BIND 8, the <span><strong class="command">serial-queries</strong></span> 4693 option 4694 set the maximum number of concurrent serial number queries 4695 allowed to be outstanding at any given time. 4696 BIND 9 does not limit the number of outstanding 4697 serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option. 4698 Instead, it limits the rate at which the queries are sent 4699 as defined using the <span><strong class="command">serial-query-rate</strong></span> option. 4700 </p></dd> 4701<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt> 4702<dd><p> 4703 Zone transfers can be sent using two different formats, 4704 <span><strong class="command">one-answer</strong></span> and 4705 <span><strong class="command">many-answers</strong></span>. 4706 The <span><strong class="command">transfer-format</strong></span> option is used 4707 on the master server to determine which format it sends. 4708 <span><strong class="command">one-answer</strong></span> uses one DNS message per 4709 resource record transferred. 4710 <span><strong class="command">many-answers</strong></span> packs as many resource 4711 records as possible into a message. 4712 <span><strong class="command">many-answers</strong></span> is more efficient, but is 4713 only supported by relatively new slave servers, 4714 such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 4715 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards. 4716 The <span><strong class="command">many-answers</strong></span> format is also supported by 4717 recent Microsoft Windows nameservers. 4718 The default is <span><strong class="command">many-answers</strong></span>. 4719 <span><strong class="command">transfer-format</strong></span> may be overridden on a 4720 per-server basis by using the <span><strong class="command">server</strong></span> 4721 statement. 4722 </p></dd> 4723<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt> 4724<dd><p> 4725 The maximum number of inbound zone transfers 4726 that can be running concurrently. The default value is <code class="literal">10</code>. 4727 Increasing <span><strong class="command">transfers-in</strong></span> may 4728 speed up the convergence 4729 of slave zones, but it also may increase the load on the 4730 local system. 4731 </p></dd> 4732<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt> 4733<dd><p> 4734 The maximum number of outbound zone transfers 4735 that can be running concurrently. Zone transfer requests in 4736 excess 4737 of the limit will be refused. The default value is <code class="literal">10</code>. 4738 </p></dd> 4739<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt> 4740<dd><p> 4741 The maximum number of inbound zone transfers 4742 that can be concurrently transferring from a given remote 4743 name server. 4744 The default value is <code class="literal">2</code>. 4745 Increasing <span><strong class="command">transfers-per-ns</strong></span> 4746 may 4747 speed up the convergence of slave zones, but it also may 4748 increase 4749 the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may 4750 be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase 4751 of the <span><strong class="command">server</strong></span> statement. 4752 </p></dd> 4753<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> 4754<dd> 4755<p><span><strong class="command">transfer-source</strong></span> 4756 determines which local address will be bound to IPv4 4757 TCP connections used to fetch zones transferred 4758 inbound by the server. It also determines the 4759 source IPv4 address, and optionally the UDP port, 4760 used for the refresh queries and forwarded dynamic 4761 updates. If not set, it defaults to a system 4762 controlled value which will usually be the address 4763 of the interface "closest to" the remote end. This 4764 address must appear in the remote end's 4765 <span><strong class="command">allow-transfer</strong></span> option for the 4766 zone being transferred, if one is specified. This 4767 statement sets the 4768 <span><strong class="command">transfer-source</strong></span> for all zones, 4769 but can be overridden on a per-view or per-zone 4770 basis by including a 4771 <span><strong class="command">transfer-source</strong></span> statement within 4772 the <span><strong class="command">view</strong></span> or 4773 <span><strong class="command">zone</strong></span> block in the configuration 4774 file. 4775 </p> 4776<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 4777<h3 class="title">Note</h3> 4778<p> 4779 Solaris 2.5.1 and earlier does not support setting the 4780 source address for TCP sockets. 4781 </p> 4782</div> 4783</dd> 4784<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> 4785<dd><p> 4786 The same as <span><strong class="command">transfer-source</strong></span>, 4787 except zone transfers are performed using IPv6. 4788 </p></dd> 4789<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> 4790<dd> 4791<p> 4792 An alternate transfer source if the one listed in 4793 <span><strong class="command">transfer-source</strong></span> fails and 4794 <span><strong class="command">use-alt-transfer-source</strong></span> is 4795 set. 4796 </p> 4797<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 4798<h3 class="title">Note</h3> 4799 If you do not wish the alternate transfer source 4800 to be used, you should set 4801 <span><strong class="command">use-alt-transfer-source</strong></span> 4802 appropriately and you should not depend upon 4803 getting an answer back to the first refresh 4804 query. 4805 </div> 4806</dd> 4807<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> 4808<dd><p> 4809 An alternate transfer source if the one listed in 4810 <span><strong class="command">transfer-source-v6</strong></span> fails and 4811 <span><strong class="command">use-alt-transfer-source</strong></span> is 4812 set. 4813 </p></dd> 4814<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> 4815<dd><p> 4816 Use the alternate transfer sources or not. If views are 4817 specified this defaults to <span><strong class="command">no</strong></span> 4818 otherwise it defaults to 4819 <span><strong class="command">yes</strong></span> (for BIND 8 4820 compatibility). 4821 </p></dd> 4822<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> 4823<dd> 4824<p><span><strong class="command">notify-source</strong></span> 4825 determines which local source address, and 4826 optionally UDP port, will be used to send NOTIFY 4827 messages. This address must appear in the slave 4828 server's <span><strong class="command">masters</strong></span> zone clause or 4829 in an <span><strong class="command">allow-notify</strong></span> clause. This 4830 statement sets the <span><strong class="command">notify-source</strong></span> 4831 for all zones, but can be overridden on a per-zone or 4832 per-view basis by including a 4833 <span><strong class="command">notify-source</strong></span> statement within 4834 the <span><strong class="command">zone</strong></span> or 4835 <span><strong class="command">view</strong></span> block in the configuration 4836 file. 4837 </p> 4838<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 4839<h3 class="title">Note</h3> 4840<p> 4841 Solaris 2.5.1 and earlier does not support setting the 4842 source address for TCP sockets. 4843 </p> 4844</div> 4845</dd> 4846<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> 4847<dd><p> 4848 Like <span><strong class="command">notify-source</strong></span>, 4849 but applies to notify messages sent to IPv6 addresses. 4850 </p></dd> 4851</dl></div> 4852</div> 4853<div class="sect3" lang="en"> 4854<div class="titlepage"><div><div><h4 class="title"> 4855<a name="id2586147"></a>UDP Port Lists</h4></div></div></div> 4856<p> 4857 <span><strong class="command">use-v4-udp-ports</strong></span>, 4858 <span><strong class="command">avoid-v4-udp-ports</strong></span>, 4859 <span><strong class="command">use-v6-udp-ports</strong></span>, and 4860 <span><strong class="command">avoid-v6-udp-ports</strong></span> 4861 specify a list of IPv4 and IPv6 UDP ports that will be 4862 used or not used as source ports for UDP messages. 4863 See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the 4864 available ports are determined. 4865 For example, with the following configuration 4866 </p> 4867<pre class="programlisting"> 4868use-v6-udp-ports { range 32768 65535; }; 4869avoid-v6-udp-ports { 40000; range 50000 60000; }; 4870</pre> 4871<p> 4872 UDP ports of IPv6 messages sent 4873 from <span><strong class="command">named</strong></span> will be in one 4874 of the following ranges: 32768 to 39999, 40001 to 49999, 4875 and 60001 to 65535. 4876 </p> 4877<p> 4878 <span><strong class="command">avoid-v4-udp-ports</strong></span> and 4879 <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used 4880 to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a 4881 port that is blocked by your firewall or a port that is 4882 used by other applications; 4883 if a query went out with a source port blocked by a 4884 firewall, the 4885 answer would not get by the firewall and the name server would 4886 have to query again. 4887 Note: the desired range can also be represented only with 4888 <span><strong class="command">use-v4-udp-ports</strong></span> and 4889 <span><strong class="command">use-v6-udp-ports</strong></span>, and the 4890 <span><strong class="command">avoid-</strong></span> options are redundant in that 4891 sense; they are provided for backward compatibility and 4892 to possibly simplify the port specification. 4893 </p> 4894</div> 4895<div class="sect3" lang="en"> 4896<div class="titlepage"><div><div><h4 class="title"> 4897<a name="id2586206"></a>Operating System Resource Limits</h4></div></div></div> 4898<p> 4899 The server's usage of many system resources can be limited. 4900 Scaled values are allowed when specifying resource limits. For 4901 example, <span><strong class="command">1G</strong></span> can be used instead of 4902 <span><strong class="command">1073741824</strong></span> to specify a limit of 4903 one 4904 gigabyte. <span><strong class="command">unlimited</strong></span> requests 4905 unlimited use, or the 4906 maximum available amount. <span><strong class="command">default</strong></span> 4907 uses the limit 4908 that was in force when the server was started. See the description 4909 of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>. 4910 </p> 4911<p> 4912 The following options set operating system resource limits for 4913 the name server process. Some operating systems don't support 4914 some or 4915 any of the limits. On such systems, a warning will be issued if 4916 the 4917 unsupported limit is used. 4918 </p> 4919<div class="variablelist"><dl> 4920<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt> 4921<dd><p> 4922 The maximum size of a core dump. The default 4923 is <code class="literal">default</code>. 4924 </p></dd> 4925<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt> 4926<dd><p> 4927 The maximum amount of data memory the server 4928 may use. The default is <code class="literal">default</code>. 4929 This is a hard limit on server memory usage. 4930 If the server attempts to allocate memory in excess of this 4931 limit, the allocation will fail, which may in turn leave 4932 the server unable to perform DNS service. Therefore, 4933 this option is rarely useful as a way of limiting the 4934 amount of memory used by the server, but it can be used 4935 to raise an operating system data size limit that is 4936 too small by default. If you wish to limit the amount 4937 of memory used by the server, use the 4938 <span><strong class="command">max-cache-size</strong></span> and 4939 <span><strong class="command">recursive-clients</strong></span> 4940 options instead. 4941 </p></dd> 4942<dt><span class="term"><span><strong class="command">files</strong></span></span></dt> 4943<dd><p> 4944 The maximum number of files the server 4945 may have open concurrently. The default is <code class="literal">unlimited</code>. 4946 </p></dd> 4947<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt> 4948<dd><p> 4949 The maximum amount of stack memory the server 4950 may use. The default is <code class="literal">default</code>. 4951 </p></dd> 4952</dl></div> 4953</div> 4954<div class="sect3" lang="en"> 4955<div class="titlepage"><div><div><h4 class="title"> 4956<a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div> 4957<p> 4958 The following options set limits on the server's 4959 resource consumption that are enforced internally by the 4960 server rather than the operating system. 4961 </p> 4962<div class="variablelist"><dl> 4963<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt> 4964<dd><p> 4965 This option is obsolete; it is accepted 4966 and ignored for BIND 8 compatibility. The option 4967 <span><strong class="command">max-journal-size</strong></span> performs a 4968 similar function in BIND 9. 4969 </p></dd> 4970<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> 4971<dd><p> 4972 Sets a maximum size for each journal file 4973 (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file 4974 approaches 4975 the specified size, some of the oldest transactions in the 4976 journal 4977 will be automatically removed. The largest permitted 4978 value is 2 gigabytes. The default is 4979 <code class="literal">unlimited</code>, which also 4980 means 2 gigabytes. 4981 This may also be set on a per-zone basis. 4982 </p></dd> 4983<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt> 4984<dd><p> 4985 In BIND 8, specifies the maximum number of host statistics 4986 entries to be kept. 4987 Not implemented in BIND 9. 4988 </p></dd> 4989<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt> 4990<dd><p> 4991 The maximum number of simultaneous recursive lookups 4992 the server will perform on behalf of clients. The default 4993 is 4994 <code class="literal">1000</code>. Because each recursing 4995 client uses a fair 4996 bit of memory, on the order of 20 kilobytes, the value of 4997 the 4998 <span><strong class="command">recursive-clients</strong></span> option may 4999 have to be decreased 5000 on hosts with limited memory. 5001 </p></dd> 5002<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt> 5003<dd><p> 5004 The maximum number of simultaneous client TCP 5005 connections that the server will accept. 5006 The default is <code class="literal">100</code>. 5007 </p></dd> 5008<dt><span class="term"><span><strong class="command">reserved-sockets</strong></span></span></dt> 5009<dd> 5010<p> 5011 The number of file descriptors reserved for TCP, stdio, 5012 etc. This needs to be big enough to cover the number of 5013 interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as 5014 to provide room for outgoing TCP queries and incoming zone 5015 transfers. The default is <code class="literal">512</code>. 5016 The minimum value is <code class="literal">128</code> and the 5017 maximum value is <code class="literal">128</code> less than 5018 maxsockets (-S). This option may be removed in the future. 5019 </p> 5020<p> 5021 This option has little effect on Windows. 5022 </p> 5023</dd> 5024<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt> 5025<dd><p> 5026 The maximum amount of memory to use for the 5027 server's cache, in bytes. 5028 When the amount of data in the cache 5029 reaches this limit, the server will cause records to 5030 expire prematurely based on an LRU based strategy so 5031 that the limit is not exceeded. 5032 The keyword <strong class="userinput"><code>unlimited</code></strong>, 5033 or the value 0, will place no limit on cache size; 5034 records will be purged from the cache only when their 5035 TTLs expire. 5036 Any positive values less than 2MB will be ignored 5037 and reset to 2MB. 5038 In a server with multiple views, the limit applies 5039 separately to the cache of each view. 5040 The default is <strong class="userinput"><code>unlimited</code></strong>. 5041 </p></dd> 5042<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt> 5043<dd><p> 5044 The listen queue depth. The default and minimum is 10. 5045 If the kernel supports the accept filter "dataready" this 5046 also controls how 5047 many TCP connections that will be queued in kernel space 5048 waiting for 5049 some data before being passed to accept. Nonzero values 5050 less than 10 will be silently raised. A value of 0 may also 5051 be used; on most platforms this sets the listen queue 5052 length to a system-defined default value. 5053 </p></dd> 5054</dl></div> 5055</div> 5056<div class="sect3" lang="en"> 5057<div class="titlepage"><div><div><h4 class="title"> 5058<a name="id2586632"></a>Periodic Task Intervals</h4></div></div></div> 5059<div class="variablelist"><dl> 5060<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt> 5061<dd><p> 5062 This interval is effectively obsolete. Previously, 5063 the server would remove expired resource records 5064 from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes. 5065 <acronym class="acronym">BIND</acronym> 9 now manages cache 5066 memory in a more sophisticated manner and does not 5067 rely on the periodic cleaning any more. 5068 Specifying this option therefore has no effect on 5069 the server's behavior. 5070 </p></dd> 5071<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt> 5072<dd><p> 5073 The server will perform zone maintenance tasks 5074 for all zones marked as <span><strong class="command">dialup</strong></span> whenever this 5075 interval expires. The default is 60 minutes. Reasonable 5076 values are up 5077 to 1 day (1440 minutes). The maximum value is 28 days 5078 (40320 minutes). 5079 If set to 0, no zone maintenance for these zones will occur. 5080 </p></dd> 5081<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt> 5082<dd><p> 5083 The server will scan the network interface list 5084 every <span><strong class="command">interface-interval</strong></span> 5085 minutes. The default 5086 is 60 minutes. The maximum value is 28 days (40320 minutes). 5087 If set to 0, interface scanning will only occur when 5088 the configuration file is loaded. After the scan, the 5089 server will 5090 begin listening for queries on any newly discovered 5091 interfaces (provided they are allowed by the 5092 <span><strong class="command">listen-on</strong></span> configuration), and 5093 will 5094 stop listening on interfaces that have gone away. 5095 </p></dd> 5096<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt> 5097<dd> 5098<p> 5099 Name server statistics will be logged 5100 every <span><strong class="command">statistics-interval</strong></span> 5101 minutes. The default is 5102 60. The maximum value is 28 days (40320 minutes). 5103 If set to 0, no statistics will be logged. 5104 </p> 5105<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 5106<h3 class="title">Note</h3> 5107<p> 5108 Not yet implemented in 5109 <acronym class="acronym">BIND</acronym> 9. 5110 </p> 5111</div> 5112</dd> 5113</dl></div> 5114</div> 5115<div class="sect3" lang="en"> 5116<div class="titlepage"><div><div><h4 class="title"> 5117<a name="topology"></a>Topology</h4></div></div></div> 5118<p> 5119 All other things being equal, when the server chooses a name 5120 server 5121 to query from a list of name servers, it prefers the one that is 5122 topologically closest to itself. The <span><strong class="command">topology</strong></span> statement 5123 takes an <span><strong class="command">address_match_list</strong></span> and 5124 interprets it 5125 in a special way. Each top-level list element is assigned a 5126 distance. 5127 Non-negated elements get a distance based on their position in the 5128 list, where the closer the match is to the start of the list, the 5129 shorter the distance is between it and the server. A negated match 5130 will be assigned the maximum distance from the server. If there 5131 is no match, the address will get a distance which is further than 5132 any non-negated list element, and closer than any negated element. 5133 For example, 5134 </p> 5135<pre class="programlisting">topology { 5136 10/8; 5137 !1.2.3/24; 5138 { 1.2/16; 3/8; }; 5139};</pre> 5140<p> 5141 will prefer servers on network 10 the most, followed by hosts 5142 on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the 5143 exception of hosts on network 1.2.3 (netmask 255.255.255.0), which 5144 is preferred least of all. 5145 </p> 5146<p> 5147 The default topology is 5148 </p> 5149<pre class="programlisting"> topology { localhost; localnets; }; 5150</pre> 5151<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 5152<h3 class="title">Note</h3> 5153<p> 5154 The <span><strong class="command">topology</strong></span> option 5155 is not implemented in <acronym class="acronym">BIND</acronym> 9. 5156 </p> 5157</div> 5158</div> 5159<div class="sect3" lang="en"> 5160<div class="titlepage"><div><div><h4 class="title"> 5161<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div> 5162<p> 5163 The response to a DNS query may consist of multiple resource 5164 records (RRs) forming a resource records set (RRset). 5165 The name server will normally return the 5166 RRs within the RRset in an indeterminate order 5167 (but see the <span><strong class="command">rrset-order</strong></span> 5168 statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>). 5169 The client resolver code should rearrange the RRs as appropriate, 5170 that is, using any addresses on the local net in preference to 5171 other addresses. 5172 However, not all resolvers can do this or are correctly 5173 configured. 5174 When a client is using a local server, the sorting can be performed 5175 in the server, based on the client's address. This only requires 5176 configuring the name servers, not all the clients. 5177 </p> 5178<p> 5179 The <span><strong class="command">sortlist</strong></span> statement (see below) 5180 takes 5181 an <span><strong class="command">address_match_list</strong></span> and 5182 interprets it even 5183 more specifically than the <span><strong class="command">topology</strong></span> 5184 statement 5185 does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>). 5186 Each top level statement in the <span><strong class="command">sortlist</strong></span> must 5187 itself be an explicit <span><strong class="command">address_match_list</strong></span> with 5188 one or two elements. The first element (which may be an IP 5189 address, 5190 an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>) 5191 of each top level list is checked against the source address of 5192 the query until a match is found. 5193 </p> 5194<p> 5195 Once the source address of the query has been matched, if 5196 the top level statement contains only one element, the actual 5197 primitive 5198 element that matched the source address is used to select the 5199 address 5200 in the response to move to the beginning of the response. If the 5201 statement is a list of two elements, then the second element is 5202 treated the same as the <span><strong class="command">address_match_list</strong></span> in 5203 a <span><strong class="command">topology</strong></span> statement. Each top 5204 level element 5205 is assigned a distance and the address in the response with the 5206 minimum 5207 distance is moved to the beginning of the response. 5208 </p> 5209<p> 5210 In the following example, any queries received from any of 5211 the addresses of the host itself will get responses preferring 5212 addresses 5213 on any of the locally connected networks. Next most preferred are 5214 addresses 5215 on the 192.168.1/24 network, and after that either the 5216 192.168.2/24 5217 or 5218 192.168.3/24 network with no preference shown between these two 5219 networks. Queries received from a host on the 192.168.1/24 network 5220 will prefer other addresses on that network to the 192.168.2/24 5221 and 5222 192.168.3/24 networks. Queries received from a host on the 5223 192.168.4/24 5224 or the 192.168.5/24 network will only prefer other addresses on 5225 their directly connected networks. 5226 </p> 5227<pre class="programlisting">sortlist { 5228 // IF the local host 5229 // THEN first fit on the following nets 5230 { localhost; 5231 { localnets; 5232 192.168.1/24; 5233 { 192.168.2/24; 192.168.3/24; }; }; }; 5234 // IF on class C 192.168.1 THEN use .1, or .2 or .3 5235 { 192.168.1/24; 5236 { 192.168.1/24; 5237 { 192.168.2/24; 192.168.3/24; }; }; }; 5238 // IF on class C 192.168.2 THEN use .2, or .1 or .3 5239 { 192.168.2/24; 5240 { 192.168.2/24; 5241 { 192.168.1/24; 192.168.3/24; }; }; }; 5242 // IF on class C 192.168.3 THEN use .3, or .1 or .2 5243 { 192.168.3/24; 5244 { 192.168.3/24; 5245 { 192.168.1/24; 192.168.2/24; }; }; }; 5246 // IF .4 or .5 THEN prefer that net 5247 { { 192.168.4/24; 192.168.5/24; }; 5248 }; 5249};</pre> 5250<p> 5251 The following example will give reasonable behavior for the 5252 local host and hosts on directly connected networks. It is similar 5253 to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent 5254 to queries from the local host will favor any of the directly 5255 connected 5256 networks. Responses sent to queries from any other hosts on a 5257 directly 5258 connected network will prefer addresses on that same network. 5259 Responses 5260 to other queries will not be sorted. 5261 </p> 5262<pre class="programlisting">sortlist { 5263 { localhost; localnets; }; 5264 { localnets; }; 5265}; 5266</pre> 5267</div> 5268<div class="sect3" lang="en"> 5269<div class="titlepage"><div><div><h4 class="title"> 5270<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div> 5271<p> 5272 When multiple records are returned in an answer it may be 5273 useful to configure the order of the records placed into the 5274 response. 5275 The <span><strong class="command">rrset-order</strong></span> statement permits 5276 configuration 5277 of the ordering of the records in a multiple record response. 5278 See also the <span><strong class="command">sortlist</strong></span> statement, 5279 <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>. 5280 </p> 5281<p> 5282 An <span><strong class="command">order_spec</strong></span> is defined as 5283 follows: 5284 </p> 5285<p> 5286 [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>] 5287 [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>] 5288 [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>] 5289 order <em class="replaceable"><code>ordering</code></em> 5290 </p> 5291<p> 5292 If no class is specified, the default is <span><strong class="command">ANY</strong></span>. 5293 If no type is specified, the default is <span><strong class="command">ANY</strong></span>. 5294 If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk). 5295 </p> 5296<p> 5297 The legal values for <span><strong class="command">ordering</strong></span> are: 5298 </p> 5299<div class="informaltable"><table border="1"> 5300<colgroup> 5301<col> 5302<col> 5303</colgroup> 5304<tbody> 5305<tr> 5306<td> 5307 <p><span><strong class="command">fixed</strong></span></p> 5308 </td> 5309<td> 5310 <p> 5311 Records are returned in the order they 5312 are defined in the zone file. 5313 </p> 5314 </td> 5315</tr> 5316<tr> 5317<td> 5318 <p><span><strong class="command">random</strong></span></p> 5319 </td> 5320<td> 5321 <p> 5322 Records are returned in some random order. 5323 </p> 5324 </td> 5325</tr> 5326<tr> 5327<td> 5328 <p><span><strong class="command">cyclic</strong></span></p> 5329 </td> 5330<td> 5331 <p> 5332 Records are returned in a cyclic round-robin order. 5333 </p> 5334 <p> 5335 If <acronym class="acronym">BIND</acronym> is configured with the 5336 "--enable-fixed-rrset" option at compile time, then 5337 the initial ordering of the RRset will match the 5338 one specified in the zone file. 5339 </p> 5340 </td> 5341</tr> 5342</tbody> 5343</table></div> 5344<p> 5345 For example: 5346 </p> 5347<pre class="programlisting">rrset-order { 5348 class IN type A name "host.example.com" order random; 5349 order cyclic; 5350}; 5351</pre> 5352<p> 5353 will cause any responses for type A records in class IN that 5354 have "<code class="literal">host.example.com</code>" as a 5355 suffix, to always be returned 5356 in random order. All other records are returned in cyclic order. 5357 </p> 5358<p> 5359 If multiple <span><strong class="command">rrset-order</strong></span> statements 5360 appear, they are not combined — the last one applies. 5361 </p> 5362<p> 5363 By default, all records are returned in random order. 5364 </p> 5365<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 5366<h3 class="title">Note</h3> 5367<p> 5368 In this release of <acronym class="acronym">BIND</acronym> 9, the 5369 <span><strong class="command">rrset-order</strong></span> statement does not support 5370 "fixed" ordering by default. Fixed ordering can be enabled 5371 at compile time by specifying "--enable-fixed-rrset" on 5372 the "configure" command line. 5373 </p> 5374</div> 5375</div> 5376<div class="sect3" lang="en"> 5377<div class="titlepage"><div><div><h4 class="title"> 5378<a name="tuning"></a>Tuning</h4></div></div></div> 5379<div class="variablelist"><dl> 5380<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt> 5381<dd> 5382<p> 5383 Sets the number of seconds to cache a 5384 lame server indication. 0 disables caching. (This is 5385 <span class="bold"><strong>NOT</strong></span> recommended.) 5386 The default is <code class="literal">600</code> (10 minutes) and the 5387 maximum value is 5388 <code class="literal">1800</code> (30 minutes). 5389 </p> 5390<p> 5391 Lame-ttl also controls the amount of time DNSSEC 5392 validation failures are cached. There is a minimum 5393 of 30 seconds applied to bad cache entries if the 5394 lame-ttl is set to less than 30 seconds. 5395 </p> 5396</dd> 5397<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt> 5398<dd><p> 5399 To reduce network traffic and increase performance, 5400 the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is 5401 used to set a maximum retention time for these answers in 5402 the server 5403 in seconds. The default 5404 <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours). 5405 <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed 5406 7 days and will 5407 be silently truncated to 7 days if set to a greater value. 5408 </p></dd> 5409<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt> 5410<dd><p> 5411 Sets the maximum time for which the server will 5412 cache ordinary (positive) answers. The default is 5413 one week (7 days). 5414 A value of zero may cause all queries to return 5415 SERVFAIL, because of lost caches of intermediate 5416 RRsets (such as NS and glue AAAA/A records) in the 5417 resolution process. 5418 </p></dd> 5419<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt> 5420<dd> 5421<p> 5422 The minimum number of root servers that 5423 is required for a request for the root servers to be 5424 accepted. The default 5425 is <strong class="userinput"><code>2</code></strong>. 5426 </p> 5427<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 5428<h3 class="title">Note</h3> 5429<p> 5430 Not implemented in <acronym class="acronym">BIND</acronym> 9. 5431 </p> 5432</div> 5433</dd> 5434<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> 5435<dd> 5436<p> 5437 Specifies the number of days into the future when 5438 DNSSEC signatures automatically generated as a 5439 result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There 5440 is an optional second field which specifies how 5441 long before expiry that the signatures will be 5442 regenerated. If not specified, the signatures will 5443 be regenerated at 1/4 of base interval. The second 5444 field is specified in days if the base interval is 5445 greater than 7 days otherwise it is specified in hours. 5446 The default base interval is <code class="literal">30</code> days 5447 giving a re-signing interval of 7 1/2 days. The maximum 5448 values are 10 years (3660 days). 5449 </p> 5450<p> 5451 The signature inception time is unconditionally 5452 set to one hour before the current time to allow 5453 for a limited amount of clock skew. 5454 </p> 5455<p> 5456 The <span><strong class="command">sig-validity-interval</strong></span> 5457 should be, at least, several multiples of the SOA 5458 expire interval to allow for reasonable interaction 5459 between the various timer and expiry dates. 5460 </p> 5461</dd> 5462<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt> 5463<dd><p> 5464 Specify the maximum number of nodes to be 5465 examined in each quantum when signing a zone with 5466 a new DNSKEY. The default is 5467 <code class="literal">100</code>. 5468 </p></dd> 5469<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt> 5470<dd><p> 5471 Specify a threshold number of signatures that 5472 will terminate processing a quantum when signing 5473 a zone with a new DNSKEY. The default is 5474 <code class="literal">10</code>. 5475 </p></dd> 5476<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt> 5477<dd> 5478<p> 5479 Specify a private RDATA type to be used when generating 5480 signing state records. The default is 5481 <code class="literal">65534</code>. 5482 </p> 5483<p> 5484 It is expected that this parameter may be removed 5485 in a future version once there is a standard type. 5486 </p> 5487<p> 5488 Signing state records are used to internally by 5489 <span><strong class="command">named</strong></span> to track the current state of 5490 a zone-signing process, i.e., whether it is still active 5491 or has been completed. The records can be inspected 5492 using the command 5493 <span><strong class="command">rndc signing -list <em class="replaceable"><code>zone</code></em></strong></span>. 5494 Once <span><strong class="command">named</strong></span> has finished signing 5495 a zone with a particular key, the signing state 5496 record associated with that key can be removed from 5497 the zone by running 5498 <span><strong class="command">rndc signing -clear <em class="replaceable"><code>keyid/algorithm</code></em> <em class="replaceable"><code>zone</code></em></strong></span>. 5499 To clear all of the completed signing state 5500 records for a zone, use 5501 <span><strong class="command">rndc signing -clear all <em class="replaceable"><code>zone</code></em></strong></span>. 5502 </p> 5503</dd> 5504<dt> 5505<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> 5506</dt> 5507<dd> 5508<p> 5509 These options control the server's behavior on refreshing a 5510 zone 5511 (querying for SOA changes) or retrying failed transfers. 5512 Usually the SOA values for the zone are used, but these 5513 values 5514 are set by the master, giving slave server administrators 5515 little 5516 control over their contents. 5517 </p> 5518<p> 5519 These options allow the administrator to set a minimum and 5520 maximum 5521 refresh and retry time either per-zone, per-view, or 5522 globally. 5523 These options are valid for slave and stub zones, 5524 and clamp the SOA refresh and retry times to the specified 5525 values. 5526 </p> 5527<p> 5528 The following defaults apply. 5529 <span><strong class="command">min-refresh-time</strong></span> 300 seconds, 5530 <span><strong class="command">max-refresh-time</strong></span> 2419200 seconds 5531 (4 weeks), <span><strong class="command">min-retry-time</strong></span> 500 seconds, 5532 and <span><strong class="command">max-retry-time</strong></span> 1209600 seconds 5533 (2 weeks). 5534 </p> 5535</dd> 5536<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt> 5537<dd> 5538<p> 5539 Sets the maximum advertised EDNS UDP buffer size in 5540 bytes, to control the size of packets received from 5541 authoritative servers in response to recursive queries. 5542 Valid values are 512 to 4096 (values outside this range 5543 will be silently adjusted to the nearest value within 5544 it). The default value is 4096. 5545 </p> 5546<p> 5547 The usual reason for setting 5548 <span><strong class="command">edns-udp-size</strong></span> to a non-default value 5549 is to get UDP answers to pass through broken firewalls 5550 that block fragmented packets and/or block UDP DNS 5551 packets that are greater than 512 bytes. 5552 </p> 5553<p> 5554 When <span><strong class="command">named</strong></span> first queries a remote 5555 server, it will advertise a UDP buffer size of 512, as 5556 this has the greatest chance of success on the first try. 5557 </p> 5558<p> 5559 If the initial response times out, <span><strong class="command">named</strong></span> 5560 will try again with plain DNS, and if that is successful, 5561 it will be taken as evidence that the server does not 5562 support EDNS. After enough failures using EDNS and 5563 successes using plain DNS, <span><strong class="command">named</strong></span> 5564 will default to plain DNS for future communications 5565 with that server. (Periodically, <span><strong class="command">named</strong></span> 5566 will send an EDNS query to see if the situation has 5567 improved.) 5568 </p> 5569<p> 5570 However, if the initial query is successful with 5571 EDNS advertising a buffer size of 512, then 5572 <span><strong class="command">named</strong></span> will advertise progressively 5573 larger buffer sizes on successive queries, until 5574 responses begin timing out or 5575 <span><strong class="command">edns-udp-size</strong></span> is reached. 5576 </p> 5577<p> 5578 The default buffer sizes used by <span><strong class="command">named</strong></span> 5579 are 512, 1232, 1432, and 4096, but never exceeding 5580 <span><strong class="command">edns-udp-size</strong></span>. (The values 1232 and 5581 1432 are chosen to allow for an IPv4/IPv6 encapsulated 5582 UDP message to be sent without fragmentation at the 5583 minimum MTU sizes for Ethernet and IPv6 networks.) 5584 </p> 5585</dd> 5586<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt> 5587<dd> 5588<p> 5589 Sets the maximum EDNS UDP message size 5590 <span><strong class="command">named</strong></span> will send in bytes. 5591 Valid values are 512 to 4096 (values outside this 5592 range will be silently adjusted to the nearest 5593 value within it). The default value is 4096. 5594 </p> 5595<p> 5596 This value applies to responses sent by a server; to 5597 set the advertised buffer size in queries, see 5598 <span><strong class="command">edns-udp-size</strong></span>. 5599 </p> 5600<p> 5601 The usual reason for setting 5602 <span><strong class="command">max-udp-size</strong></span> to a non-default 5603 value is to get UDP answers to pass through broken 5604 firewalls that block fragmented packets and/or 5605 block UDP packets that are greater than 512 bytes. 5606 This is independent of the advertised receive 5607 buffer (<span><strong class="command">edns-udp-size</strong></span>). 5608 </p> 5609<p> 5610 Setting this to a low value will encourage additional 5611 TCP traffic to the nameserver. 5612 </p> 5613</dd> 5614<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> 5615<dd> 5616<p>Specifies 5617 the file format of zone files (see 5618 <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>). 5619 The default value is <code class="constant">text</code>, which is the 5620 standard textual representation, except for slave zones, 5621 in which the default value is <code class="constant">raw</code>. 5622 Files in other formats than <code class="constant">text</code> are 5623 typically expected to be generated by the 5624 <span><strong class="command">named-compilezone</strong></span> tool, or dumped by 5625 <span><strong class="command">named</strong></span>. 5626 </p> 5627<p> 5628 Note that when a zone file in a different format than 5629 <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span> 5630 may omit some of the checks which would be performed for a 5631 file in the <code class="constant">text</code> format. In particular, 5632 <span><strong class="command">check-names</strong></span> checks do not apply 5633 for the <code class="constant">raw</code> format. This means 5634 a zone file in the <code class="constant">raw</code> format 5635 must be generated with the same check level as that 5636 specified in the <span><strong class="command">named</strong></span> configuration 5637 file. Also, <code class="constant">map</code> format files are 5638 loaded directly into memory via memory mapping, with only 5639 minimal checking. 5640 </p> 5641<p> 5642 This statement sets the 5643 <span><strong class="command">masterfile-format</strong></span> for all zones, 5644 but can be overridden on a per-zone or per-view basis 5645 by including a <span><strong class="command">masterfile-format</strong></span> 5646 statement within the <span><strong class="command">zone</strong></span> or 5647 <span><strong class="command">view</strong></span> block in the configuration 5648 file. 5649 </p> 5650</dd> 5651<dt> 5652<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span> 5653</dt> 5654<dd> 5655<p>These set the 5656 initial value (minimum) and maximum number of recursive 5657 simultaneous clients for any given query 5658 (<qname,qtype,qclass>) that the server will accept 5659 before dropping additional clients. 5660 <span><strong class="command">named</strong></span> will attempt to 5661 self tune this value and changes will be logged. The 5662 default values are 10 and 100. 5663 </p> 5664<p> 5665 This value should reflect how many queries come in for 5666 a given name in the time it takes to resolve that name. 5667 If the number of queries exceed this value, <span><strong class="command">named</strong></span> will 5668 assume that it is dealing with a non-responsive zone 5669 and will drop additional queries. If it gets a response 5670 after dropping queries, it will raise the estimate. The 5671 estimate will then be lowered in 20 minutes if it has 5672 remained unchanged. 5673 </p> 5674<p> 5675 If <span><strong class="command">clients-per-query</strong></span> is set to zero, 5676 then there is no limit on the number of clients per query 5677 and no queries will be dropped. 5678 </p> 5679<p> 5680 If <span><strong class="command">max-clients-per-query</strong></span> is set to zero, 5681 then there is no upper bound other than imposed by 5682 <span><strong class="command">recursive-clients</strong></span>. 5683 </p> 5684</dd> 5685<dt> 5686<a name="max-recursion-depth"></a><span class="term"><span><strong class="command">max-recursion-depth</strong></span></span> 5687</dt> 5688<dd><p> 5689 Sets the maximum number of levels of recursion 5690 that are permitted at any one time while servicing 5691 a recursive query. Resolving a name may require 5692 looking up a name server address, which in turn 5693 requires resolving another name, etc; if the number 5694 of indirections exceeds this value, the recursive 5695 query is terminated and returns SERVFAIL. The 5696 default is 7. 5697 </p></dd> 5698<dt> 5699<a name="max-recursion-queries"></a><span class="term"><span><strong class="command">max-recursion-queries</strong></span></span> 5700</dt> 5701<dd><p> 5702 Sets the maximum number of iterative queries that 5703 may be sent while servicing a recursive query. 5704 If more queries are sent, the recursive query 5705 is terminated and returns SERVFAIL. Queries to 5706 look up top level comains such as "com" and "net" 5707 and the DNS root zone are exempt from this limitation. 5708 The default is 75. 5709 </p></dd> 5710<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> 5711<dd> 5712<p> 5713 The delay, in seconds, between sending sets of notify 5714 messages for a zone. The default is five (5) seconds. 5715 </p> 5716<p> 5717 The overall rate that NOTIFY messages are sent for all 5718 zones is controlled by <span><strong class="command">serial-query-rate</strong></span>. 5719 </p> 5720</dd> 5721<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt> 5722<dd><p> 5723 The maximum RSA exponent size, in bits, that will 5724 be accepted when validating. Valid values are 35 5725 to 4096 bits. The default zero (0) is also accepted 5726 and is equivalent to 4096. 5727 </p></dd> 5728<dt><span class="term"><span><strong class="command">prefetch</strong></span></span></dt> 5729<dd> 5730<p> 5731 When a query is received for cached data which 5732 is to expire shortly, <span><strong class="command">named</strong></span> can 5733 refresh the data from the authoritative server 5734 immediately, ensuring that the cache always has an 5735 answer available. 5736 </p> 5737<p> 5738 The <code class="option">prefetch</code> specifies the 5739 "trigger" TTL value at which prefetch of the current 5740 query will take place: when a cache record with a 5741 lower TTL value is encountered during query processing, 5742 it will be refreshed. Valid trigger TTL values are 1 to 5743 10 seconds. Values larger than 10 seconds will be silently 5744 reduced to 10. 5745 Setting a trigger TTL to zero (0) causes 5746 prefetch to be disabled. 5747 The default trigger TTL is <code class="literal">2</code>. 5748 </p> 5749<p> 5750 An optional second argument specifies the "eligibility" 5751 TTL: the smallest <span class="emphasis"><em>original</em></span> 5752 TTL value that will be accepted for a record to be 5753 eligible for prefetching. The eligibility TTL must 5754 be at least six seconds longer than the trigger TTL; 5755 if it isn't, <span><strong class="command">named</strong></span> will silently 5756 adjust it upward. 5757 The default eligibility TTL is <code class="literal">9</code>. 5758 </p> 5759</dd> 5760</dl></div> 5761</div> 5762<div class="sect3" lang="en"> 5763<div class="titlepage"><div><div><h4 class="title"> 5764<a name="builtin"></a>Built-in server information zones</h4></div></div></div> 5765<p> 5766 The server provides some helpful diagnostic information 5767 through a number of built-in zones under the 5768 pseudo-top-level-domain <code class="literal">bind</code> in the 5769 <span><strong class="command">CHAOS</strong></span> class. These zones are part 5770 of a 5771 built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of 5772 class 5773 <span><strong class="command">CHAOS</strong></span> which is separate from the 5774 default view of class <span><strong class="command">IN</strong></span>. Most global 5775 configuration options (<span><strong class="command">allow-query</strong></span>, 5776 etc) will apply to this view, but some are locally 5777 overridden: <span><strong class="command">notify</strong></span>, 5778 <span><strong class="command">recursion</strong></span> and 5779 <span><strong class="command">allow-new-zones</strong></span> are 5780 always set to <strong class="userinput"><code>no</code></strong>, and 5781 <span><strong class="command">rate-limit</strong></span> is set to allow 5782 three responses per second. 5783 </p> 5784<p> 5785 If you need to disable these zones, use the options 5786 below, or hide the built-in <span><strong class="command">CHAOS</strong></span> 5787 view by 5788 defining an explicit view of class <span><strong class="command">CHAOS</strong></span> 5789 that matches all clients. 5790 </p> 5791<div class="variablelist"><dl> 5792<dt><span class="term"><span><strong class="command">version</strong></span></span></dt> 5793<dd><p> 5794 The version the server should report 5795 via a query of the name <code class="literal">version.bind</code> 5796 with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. 5797 The default is the real version number of this server. 5798 Specifying <span><strong class="command">version none</strong></span> 5799 disables processing of the queries. 5800 </p></dd> 5801<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt> 5802<dd><p> 5803 The hostname the server should report via a query of 5804 the name <code class="filename">hostname.bind</code> 5805 with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. 5806 This defaults to the hostname of the machine hosting the 5807 name server as 5808 found by the gethostname() function. The primary purpose of such queries 5809 is to 5810 identify which of a group of anycast servers is actually 5811 answering your queries. Specifying <span><strong class="command">hostname none;</strong></span> 5812 disables processing of the queries. 5813 </p></dd> 5814<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt> 5815<dd><p> 5816 The ID the server should report when receiving a Name 5817 Server Identifier (NSID) query, or a query of the name 5818 <code class="filename">ID.SERVER</code> with type 5819 <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. 5820 The primary purpose of such queries is to 5821 identify which of a group of anycast servers is actually 5822 answering your queries. Specifying <span><strong class="command">server-id none;</strong></span> 5823 disables processing of the queries. 5824 Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to 5825 use the hostname as found by the gethostname() function. 5826 The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>. 5827 </p></dd> 5828</dl></div> 5829</div> 5830<div class="sect3" lang="en"> 5831<div class="titlepage"><div><div><h4 class="title"> 5832<a name="empty"></a>Built-in Empty Zones</h4></div></div></div> 5833<p> 5834 Named has some built-in empty zones (SOA and NS records only). 5835 These are for zones that should normally be answered locally 5836 and which queries should not be sent to the Internet's root 5837 servers. The official servers which cover these namespaces 5838 return NXDOMAIN responses to these queries. In particular, 5839 these cover the reverse namespaces for addresses from 5840 RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the 5841 reverse namespace for IPv6 local address (locally assigned), 5842 IPv6 link local addresses, the IPv6 loopback address and the 5843 IPv6 unknown address. 5844 </p> 5845<p> 5846 Named will attempt to determine if a built-in zone already exists 5847 or is active (covered by a forward-only forwarding declaration) 5848 and will not create an empty zone in that case. 5849 </p> 5850<p> 5851 The current list of empty zones is: 5852 </p> 5853<div class="itemizedlist"><ul type="disc"> 5854<li>10.IN-ADDR.ARPA</li> 5855<li>16.172.IN-ADDR.ARPA</li> 5856<li>17.172.IN-ADDR.ARPA</li> 5857<li>18.172.IN-ADDR.ARPA</li> 5858<li>19.172.IN-ADDR.ARPA</li> 5859<li>20.172.IN-ADDR.ARPA</li> 5860<li>21.172.IN-ADDR.ARPA</li> 5861<li>22.172.IN-ADDR.ARPA</li> 5862<li>23.172.IN-ADDR.ARPA</li> 5863<li>24.172.IN-ADDR.ARPA</li> 5864<li>25.172.IN-ADDR.ARPA</li> 5865<li>26.172.IN-ADDR.ARPA</li> 5866<li>27.172.IN-ADDR.ARPA</li> 5867<li>28.172.IN-ADDR.ARPA</li> 5868<li>29.172.IN-ADDR.ARPA</li> 5869<li>30.172.IN-ADDR.ARPA</li> 5870<li>31.172.IN-ADDR.ARPA</li> 5871<li>168.192.IN-ADDR.ARPA</li> 5872<li>64.100.IN-ADDR.ARPA</li> 5873<li>65.100.IN-ADDR.ARPA</li> 5874<li>66.100.IN-ADDR.ARPA</li> 5875<li>67.100.IN-ADDR.ARPA</li> 5876<li>68.100.IN-ADDR.ARPA</li> 5877<li>69.100.IN-ADDR.ARPA</li> 5878<li>70.100.IN-ADDR.ARPA</li> 5879<li>71.100.IN-ADDR.ARPA</li> 5880<li>72.100.IN-ADDR.ARPA</li> 5881<li>73.100.IN-ADDR.ARPA</li> 5882<li>74.100.IN-ADDR.ARPA</li> 5883<li>75.100.IN-ADDR.ARPA</li> 5884<li>76.100.IN-ADDR.ARPA</li> 5885<li>77.100.IN-ADDR.ARPA</li> 5886<li>78.100.IN-ADDR.ARPA</li> 5887<li>79.100.IN-ADDR.ARPA</li> 5888<li>80.100.IN-ADDR.ARPA</li> 5889<li>81.100.IN-ADDR.ARPA</li> 5890<li>82.100.IN-ADDR.ARPA</li> 5891<li>83.100.IN-ADDR.ARPA</li> 5892<li>84.100.IN-ADDR.ARPA</li> 5893<li>85.100.IN-ADDR.ARPA</li> 5894<li>86.100.IN-ADDR.ARPA</li> 5895<li>87.100.IN-ADDR.ARPA</li> 5896<li>88.100.IN-ADDR.ARPA</li> 5897<li>89.100.IN-ADDR.ARPA</li> 5898<li>90.100.IN-ADDR.ARPA</li> 5899<li>91.100.IN-ADDR.ARPA</li> 5900<li>92.100.IN-ADDR.ARPA</li> 5901<li>93.100.IN-ADDR.ARPA</li> 5902<li>94.100.IN-ADDR.ARPA</li> 5903<li>95.100.IN-ADDR.ARPA</li> 5904<li>96.100.IN-ADDR.ARPA</li> 5905<li>97.100.IN-ADDR.ARPA</li> 5906<li>98.100.IN-ADDR.ARPA</li> 5907<li>99.100.IN-ADDR.ARPA</li> 5908<li>100.100.IN-ADDR.ARPA</li> 5909<li>101.100.IN-ADDR.ARPA</li> 5910<li>102.100.IN-ADDR.ARPA</li> 5911<li>103.100.IN-ADDR.ARPA</li> 5912<li>104.100.IN-ADDR.ARPA</li> 5913<li>105.100.IN-ADDR.ARPA</li> 5914<li>106.100.IN-ADDR.ARPA</li> 5915<li>107.100.IN-ADDR.ARPA</li> 5916<li>108.100.IN-ADDR.ARPA</li> 5917<li>109.100.IN-ADDR.ARPA</li> 5918<li>110.100.IN-ADDR.ARPA</li> 5919<li>111.100.IN-ADDR.ARPA</li> 5920<li>112.100.IN-ADDR.ARPA</li> 5921<li>113.100.IN-ADDR.ARPA</li> 5922<li>114.100.IN-ADDR.ARPA</li> 5923<li>115.100.IN-ADDR.ARPA</li> 5924<li>116.100.IN-ADDR.ARPA</li> 5925<li>117.100.IN-ADDR.ARPA</li> 5926<li>118.100.IN-ADDR.ARPA</li> 5927<li>119.100.IN-ADDR.ARPA</li> 5928<li>120.100.IN-ADDR.ARPA</li> 5929<li>121.100.IN-ADDR.ARPA</li> 5930<li>122.100.IN-ADDR.ARPA</li> 5931<li>123.100.IN-ADDR.ARPA</li> 5932<li>124.100.IN-ADDR.ARPA</li> 5933<li>125.100.IN-ADDR.ARPA</li> 5934<li>126.100.IN-ADDR.ARPA</li> 5935<li>127.100.IN-ADDR.ARPA</li> 5936<li>0.IN-ADDR.ARPA</li> 5937<li>127.IN-ADDR.ARPA</li> 5938<li>254.169.IN-ADDR.ARPA</li> 5939<li>2.0.192.IN-ADDR.ARPA</li> 5940<li>100.51.198.IN-ADDR.ARPA</li> 5941<li>113.0.203.IN-ADDR.ARPA</li> 5942<li>255.255.255.255.IN-ADDR.ARPA</li> 5943<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> 5944<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> 5945<li>8.B.D.0.1.0.0.2.IP6.ARPA</li> 5946<li>D.F.IP6.ARPA</li> 5947<li>8.E.F.IP6.ARPA</li> 5948<li>9.E.F.IP6.ARPA</li> 5949<li>A.E.F.IP6.ARPA</li> 5950<li>B.E.F.IP6.ARPA</li> 5951</ul></div> 5952<p> 5953 </p> 5954<p> 5955 Empty zones are settable at the view level and only apply to 5956 views of class IN. Disabled empty zones are only inherited 5957 from options if there are no disabled empty zones specified 5958 at the view level. To override the options list of disabled 5959 zones, you can disable the root zone at the view level, for example: 5960</p> 5961<pre class="programlisting"> 5962 disable-empty-zone "."; 5963</pre> 5964<p> 5965 </p> 5966<p> 5967 If you are using the address ranges covered here, you should 5968 already have reverse zones covering the addresses you use. 5969 In practice this appears to not be the case with many queries 5970 being made to the infrastructure servers for names in these 5971 spaces. So many in fact that sacrificial servers were needed 5972 to be deployed to channel the query load away from the 5973 infrastructure servers. 5974 </p> 5975<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 5976<h3 class="title">Note</h3> 5977 The real parent servers for these zones should disable all 5978 empty zone under the parent zone they serve. For the real 5979 root servers, this is all built-in empty zones. This will 5980 enable them to return referrals to deeper in the tree. 5981 </div> 5982<div class="variablelist"><dl> 5983<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt> 5984<dd><p> 5985 Specify what server name will appear in the returned 5986 SOA record for empty zones. If none is specified, then 5987 the zone's name will be used. 5988 </p></dd> 5989<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt> 5990<dd><p> 5991 Specify what contact name will appear in the returned 5992 SOA record for empty zones. If none is specified, then 5993 "." will be used. 5994 </p></dd> 5995<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt> 5996<dd><p> 5997 Enable or disable all empty zones. By default, they 5998 are enabled. 5999 </p></dd> 6000<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt> 6001<dd><p> 6002 Disable individual empty zones. By default, none are 6003 disabled. This option can be specified multiple times. 6004 </p></dd> 6005</dl></div> 6006</div> 6007<div class="sect3" lang="en"> 6008<div class="titlepage"><div><div><h4 class="title"> 6009<a name="acache"></a>Additional Section Caching</h4></div></div></div> 6010<p> 6011 The additional section cache, also called <span><strong class="command">acache</strong></span>, 6012 is an internal cache to improve the response performance of BIND 9. 6013 When additional section caching is enabled, BIND 9 will 6014 cache an internal short-cut to the additional section content for 6015 each answer RR. 6016 Note that <span><strong class="command">acache</strong></span> is an internal caching 6017 mechanism of BIND 9, and is not related to the DNS caching 6018 server function. 6019 </p> 6020<p> 6021 Additional section caching does not change the 6022 response content (except the RRsets ordering of the additional 6023 section, see below), but can improve the response performance 6024 significantly. 6025 It is particularly effective when BIND 9 acts as an authoritative 6026 server for a zone that has many delegations with many glue RRs. 6027 </p> 6028<p> 6029 In order to obtain the maximum performance improvement 6030 from additional section caching, setting 6031 <span><strong class="command">additional-from-cache</strong></span> 6032 to <span><strong class="command">no</strong></span> is recommended, since the current 6033 implementation of <span><strong class="command">acache</strong></span> 6034 does not short-cut of additional section information from the 6035 DNS cache data. 6036 </p> 6037<p> 6038 One obvious disadvantage of <span><strong class="command">acache</strong></span> is 6039 that it requires much more 6040 memory for the internal cached data. 6041 Thus, if the response performance does not matter and memory 6042 consumption is much more critical, the 6043 <span><strong class="command">acache</strong></span> mechanism can be 6044 disabled by setting <span><strong class="command">acache-enable</strong></span> to 6045 <span><strong class="command">no</strong></span>. 6046 It is also possible to specify the upper limit of memory 6047 consumption 6048 for acache by using <span><strong class="command">max-acache-size</strong></span>. 6049 </p> 6050<p> 6051 Additional section caching also has a minor effect on the 6052 RRset ordering in the additional section. 6053 Without <span><strong class="command">acache</strong></span>, 6054 <span><strong class="command">cyclic</strong></span> order is effective for the additional 6055 section as well as the answer and authority sections. 6056 However, additional section caching fixes the ordering when it 6057 first caches an RRset for the additional section, and the same 6058 ordering will be kept in succeeding responses, regardless of the 6059 setting of <span><strong class="command">rrset-order</strong></span>. 6060 The effect of this should be minor, however, since an 6061 RRset in the additional section 6062 typically only contains a small number of RRs (and in many cases 6063 it only contains a single RR), in which case the 6064 ordering does not matter much. 6065 </p> 6066<p> 6067 The following is a summary of options related to 6068 <span><strong class="command">acache</strong></span>. 6069 </p> 6070<div class="variablelist"><dl> 6071<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt> 6072<dd><p> 6073 If <span><strong class="command">yes</strong></span>, additional section caching is 6074 enabled. The default value is <span><strong class="command">no</strong></span>. 6075 </p></dd> 6076<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt> 6077<dd><p> 6078 The server will remove stale cache entries, based on an LRU 6079 based 6080 algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes. 6081 The default is 60 minutes. 6082 If set to 0, no periodic cleaning will occur. 6083 </p></dd> 6084<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt> 6085<dd><p> 6086 The maximum amount of memory in bytes to use for the server's acache. 6087 When the amount of data in the acache reaches this limit, 6088 the server 6089 will clean more aggressively so that the limit is not 6090 exceeded. 6091 In a server with multiple views, the limit applies 6092 separately to the 6093 acache of each view. 6094 The default is <code class="literal">16M</code>. 6095 </p></dd> 6096</dl></div> 6097</div> 6098<div class="sect3" lang="en"> 6099<div class="titlepage"><div><div><h4 class="title"> 6100<a name="id2589422"></a>Content Filtering</h4></div></div></div> 6101<p> 6102 <acronym class="acronym">BIND</acronym> 9 provides the ability to filter 6103 out DNS responses from external DNS servers containing 6104 certain types of data in the answer section. 6105 Specifically, it can reject address (A or AAAA) records if 6106 the corresponding IPv4 or IPv6 addresses match the given 6107 <code class="varname">address_match_list</code> of the 6108 <span><strong class="command">deny-answer-addresses</strong></span> option. 6109 It can also reject CNAME or DNAME records if the "alias" 6110 name (i.e., the CNAME alias or the substituted query name 6111 due to DNAME) matches the 6112 given <code class="varname">namelist</code> of the 6113 <span><strong class="command">deny-answer-aliases</strong></span> option, where 6114 "match" means the alias name is a subdomain of one of 6115 the <code class="varname">name_list</code> elements. 6116 If the optional <code class="varname">namelist</code> is specified 6117 with <span><strong class="command">except-from</strong></span>, records whose query name 6118 matches the list will be accepted regardless of the filter 6119 setting. 6120 Likewise, if the alias name is a subdomain of the 6121 corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span> 6122 filter will not apply; 6123 for example, even if "example.com" is specified for 6124 <span><strong class="command">deny-answer-aliases</strong></span>, 6125 </p> 6126<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre> 6127<p> 6128 returned by an "example.com" server will be accepted. 6129 </p> 6130<p> 6131 In the <code class="varname">address_match_list</code> of the 6132 <span><strong class="command">deny-answer-addresses</strong></span> option, only 6133 <code class="varname">ip_addr</code> 6134 and <code class="varname">ip_prefix</code> 6135 are meaningful; 6136 any <code class="varname">key_id</code> will be silently ignored. 6137 </p> 6138<p> 6139 If a response message is rejected due to the filtering, 6140 the entire message is discarded without being cached, and 6141 a SERVFAIL error will be returned to the client. 6142 </p> 6143<p> 6144 This filtering is intended to prevent "DNS rebinding attacks," in 6145 which an attacker, in response to a query for a domain name the 6146 attacker controls, returns an IP address within your own network or 6147 an alias name within your own domain. 6148 A naive web browser or script could then serve as an 6149 unintended proxy, allowing the attacker 6150 to get access to an internal node of your local network 6151 that couldn't be externally accessed otherwise. 6152 See the paper available at 6153 <a href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top"> 6154 http://portal.acm.org/citation.cfm?id=1315245.1315298 6155 </a> 6156 for more details about the attacks. 6157 </p> 6158<p> 6159 For example, if you own a domain named "example.net" and 6160 your internal network uses an IPv4 prefix 192.0.2.0/24, 6161 you might specify the following rules: 6162 </p> 6163<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; }; 6164deny-answer-aliases { "example.net"; }; 6165</pre> 6166<p> 6167 If an external attacker lets a web browser in your local 6168 network look up an IPv4 address of "attacker.example.com", 6169 the attacker's DNS server would return a response like this: 6170 </p> 6171<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre> 6172<p> 6173 in the answer section. 6174 Since the rdata of this record (the IPv4 address) matches 6175 the specified prefix 192.0.2.0/24, this response will be 6176 ignored. 6177 </p> 6178<p> 6179 On the other hand, if the browser looks up a legitimate 6180 internal web server "www.example.net" and the 6181 following response is returned to 6182 the <acronym class="acronym">BIND</acronym> 9 server 6183 </p> 6184<pre class="programlisting">www.example.net. A 192.0.2.2</pre> 6185<p> 6186 it will be accepted since the owner name "www.example.net" 6187 matches the <span><strong class="command">except-from</strong></span> element, 6188 "example.net". 6189 </p> 6190<p> 6191 Note that this is not really an attack on the DNS per se. 6192 In fact, there is nothing wrong for an "external" name to 6193 be mapped to your "internal" IP address or domain name 6194 from the DNS point of view. 6195 It might actually be provided for a legitimate purpose, 6196 such as for debugging. 6197 As long as the mapping is provided by the correct owner, 6198 it is not possible or does not make sense to detect 6199 whether the intent of the mapping is legitimate or not 6200 within the DNS. 6201 The "rebinding" attack must primarily be protected at the 6202 application that uses the DNS. 6203 For a large site, however, it may be difficult to protect 6204 all possible applications at once. 6205 This filtering feature is provided only to help such an 6206 operational environment; 6207 it is generally discouraged to turn it on unless you are 6208 very sure you have no other choice and the attack is a 6209 real threat for your applications. 6210 </p> 6211<p> 6212 Care should be particularly taken if you want to use this 6213 option for addresses within 127.0.0.0/8. 6214 These addresses are obviously "internal", but many 6215 applications conventionally rely on a DNS mapping from 6216 some name to such an address. 6217 Filtering out DNS records containing this address 6218 spuriously can break such applications. 6219 </p> 6220</div> 6221<div class="sect3" lang="en"> 6222<div class="titlepage"><div><div><h4 class="title"> 6223<a name="id2589548"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div> 6224<p> 6225 <acronym class="acronym">BIND</acronym> 9 includes a limited 6226 mechanism to modify DNS responses for requests 6227 analogous to email anti-spam DNS blacklists. 6228 Responses can be changed to deny the existence of domains (NXDOMAIN), 6229 deny the existence of IP addresses for domains (NODATA), 6230 or contain other IP addresses or data. 6231 </p> 6232<p> 6233 Response policy zones are named in the 6234 <span><strong class="command">response-policy</strong></span> option for the view or among the 6235 global options if there is no response-policy option for the view. 6236 Response policy zones are ordinary DNS zones containing RRsets 6237 that can be queried normally if allowed. 6238 It is usually best to restrict those queries with something like 6239 <span><strong class="command">allow-query { localhost; };</strong></span>. 6240 </p> 6241<p> 6242 A <span><strong class="command">response-policy</strong></span> option can support 6243 multiple policy zones. To maximize performance, a radix 6244 tree is used to quickly identify response policy zones 6245 containing triggers that match the current query. This 6246 imposes an upper limit of 32 on the number of policy zones 6247 in a single <span><strong class="command">response-policy</strong></span> option; more 6248 than that is a configuration error. 6249 </p> 6250<p> 6251 Five policy triggers can be encoded in RPZ records. 6252 </p> 6253<div class="variablelist"><dl> 6254<dt><span class="term"><span><strong class="command">RPZ-CLIENT-IP</strong></span></span></dt> 6255<dd> 6256<p> 6257 IP records are triggered by the IP address of the 6258 DNS client. 6259 Client IP address triggers are encoded in records that have 6260 owner names that are subdomains of 6261 <span><strong class="command">rpz-client-ip</strong></span> relativized to the 6262 policy zone origin name 6263 and encode an address or address block. 6264 IPv4 addresses are represented as 6265 <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip</code></strong>. 6266 The IPv4 prefix length must be between 1 and 32. 6267 All four bytes, B4, B3, B2, and B1, must be present. 6268 B4 is the decimal value of the least significant byte of the 6269 IPv4 address as in IN-ADDR.ARPA. 6270 </p> 6271<p> 6272 IPv6 addresses are encoded in a format similar 6273 to the standard IPv6 text representation, 6274 <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</code></strong>. 6275 Each of W8,...,W1 is a one to four digit hexadecimal number 6276 representing 16 bits of the IPv6 address as in the standard 6277 text representation of IPv6 addresses, 6278 but reversed as in IN-ADDR.ARPA. 6279 All 8 words must be present except when one set of consecutive 6280 zero words is replaced with <strong class="userinput"><code>.zz.</code></strong> 6281 analogous to double colons (::) in standard IPv6 text 6282 encodings. 6283 The IPv6 prefix length must be between 64 and 128. 6284 </p> 6285</dd> 6286<dt><span class="term"><span><strong class="command">QNAME</strong></span></span></dt> 6287<dd><p> 6288 QNAME policy records are triggered by query names of 6289 requests and targets of CNAME records resolved to generate 6290 the response. 6291 The owner name of a QNAME policy record is 6292 the query name relativized to the policy zone. 6293 </p></dd> 6294<dt><span class="term"><span><strong class="command">RPZ-IP</strong></span></span></dt> 6295<dd><p> 6296 IP triggers are IP addresses in an 6297 A or AAAA record in the ANSWER section of a response. 6298 They are encoded like client-IP triggers except as 6299 subdomains of <span><strong class="command">rpz-ip</strong></span>. 6300 </p></dd> 6301<dt><span class="term"><span><strong class="command">RPZ-NSDNAME</strong></span></span></dt> 6302<dd><p> 6303 NSDNAME triggers match names of authoritative servers 6304 for the query name, a parent of the query name, a CNAME for 6305 query name, or a parent of a CNAME. 6306 They are encoded as subdomains of 6307 <span><strong class="command">rpz-nsdname</strong></span> relativized 6308 to the RPZ origin name. 6309 NSIP triggers match IP addresses in A and 6310 AAAA RRsets for domains that can be checked against NSDNAME 6311 policy records. 6312 </p></dd> 6313<dt><span class="term"><span><strong class="command">RPZ-NSIP</strong></span></span></dt> 6314<dd><p> 6315 NSIP triggers are encoded like IP triggers except as 6316 subdomains of <span><strong class="command">rpz-nsip</strong></span>. 6317 NSDNAME and NSIP triggers are checked only for names with at 6318 least <span><strong class="command">min-ns-dots</strong></span> dots. 6319 The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to 6320 exclude top level domains. 6321 </p></dd> 6322</dl></div> 6323<p> 6324 </p> 6325<p> 6326 The query response is checked against all response policy zones, 6327 so two or more policy records can be triggered by a response. 6328 Because DNS responses are rewritten according to at most one 6329 policy record, a single record encoding an action (other than 6330 <span><strong class="command">DISABLED</strong></span> actions) must be chosen. 6331 Triggers or the records that encode them are chosen for the 6332 rewriting in the following order: 6333 </p> 6334<div class="orderedlist"><ol type="1"> 6335<li>Choose the triggered record in the zone that appears 6336 first in the <span><strong class="command">response-policy</strong></span> option. 6337 </li> 6338<li>Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP 6339 triggers in a single zone. 6340 </li> 6341<li>Among NSDNAME triggers, prefer the 6342 trigger that matches the smallest name under the DNSSEC ordering. 6343 </li> 6344<li>Among IP or NSIP triggers, prefer the trigger 6345 with the longest prefix. 6346 </li> 6347<li>Among triggers with the same prefix length, 6348 prefer the IP or NSIP trigger that matches 6349 the smallest IP address. 6350 </li> 6351</ol></div> 6352<p> 6353 </p> 6354<p> 6355 When the processing of a response is restarted to resolve 6356 DNAME or CNAME records and a policy record set has 6357 not been triggered, 6358 all response policy zones are again consulted for the 6359 DNAME or CNAME names and addresses. 6360 </p> 6361<p> 6362 RPZ record sets are any types of DNS record except 6363 DNAME or DNSSEC that encode actions or responses to 6364 individual queries. 6365 Any of the policies can be used with any of the triggers. 6366 For example, while the <span><strong class="command">TCP-only</strong></span> policy is 6367 commonly used with <span><strong class="command">client-IP</strong></span> triggers, 6368 it cn be used with any type of trigger to force the use of 6369 TCP for responses with owner names in a zone. 6370 </p> 6371<div class="variablelist"><dl> 6372<dt><span class="term"><span><strong class="command">PASSTHRU</strong></span></span></dt> 6373<dd><p> 6374 The whitelist policy is specified 6375 by a CNAME whose target is <span><strong class="command">rpz-passthru</strong></span>. 6376 It causes the response to not be rewritten 6377 and is most often used to "poke holes" in policies for 6378 CIDR blocks. 6379 </p></dd> 6380<dt><span class="term"><span><strong class="command">DROP</strong></span></span></dt> 6381<dd><p> 6382 The blacklist policy is specified 6383 by a CNAME whose target is <span><strong class="command">rpz-drop</strong></span>. 6384 It causes the response to be discarded. 6385 Nothing is sent to the DNS client. 6386 </p></dd> 6387<dt><span class="term"><span><strong class="command">TCP-Only</strong></span></span></dt> 6388<dd><p> 6389 The "slip" policy is specified 6390 by a CNAME whose target is <span><strong class="command">rpz-tcp-only</strong></span>. 6391 It changes UDP responses to short, truncated DNS responses 6392 that require the DNS client to try again with TCP. 6393 It is used to mitigate distributed DNS reflection attacks. 6394 </p></dd> 6395<dt><span class="term"><span><strong class="command">NXDOMAIN</strong></span></span></dt> 6396<dd><p> 6397 The domain undefined response is encoded 6398 by a CNAME whose target is the root domain (.) 6399 </p></dd> 6400<dt><span class="term"><span><strong class="command">NODATA</strong></span></span></dt> 6401<dd><p> 6402 The empty set of resource records is specified by 6403 CNAME whose target is the wildcard top-level 6404 domain (*.). 6405 It rewrites the response to NODATA or ANCOUNT=1. 6406 </p></dd> 6407<dt><span class="term"><span><strong class="command">Local Data</strong></span></span></dt> 6408<dd> 6409<p> 6410 A set of ordinary DNS records can be used to answer queries. 6411 Queries for record types not the set are answered with 6412 NODATA. 6413 </p> 6414<p> 6415 A special form of local data is a CNAME whose target is a 6416 wildcard such as *.example.com. 6417 It is used as if were an ordinary CNAME after the astrisk (*) 6418 has been replaced with the query name. 6419 The purpose for this special form is query logging in the 6420 walled garden's authority DNS server. 6421 </p> 6422</dd> 6423</dl></div> 6424<p> 6425 </p> 6426<p> 6427 All of the actions specified in all of the individual records 6428 in a policy zone 6429 can be overridden with a <span><strong class="command">policy</strong></span> clause in the 6430 <span><strong class="command">response-policy</strong></span> option. 6431 An organization using a policy zone provided by another 6432 organization might use this mechanism to redirect domains 6433 to its own walled garden. 6434 </p> 6435<div class="variablelist"><dl> 6436<dt><span class="term"><span><strong class="command">GIVEN</strong></span></span></dt> 6437<dd><p>The placeholder policy says "do not override but 6438 perform the action specified in the zone." 6439 </p></dd> 6440<dt><span class="term"><span><strong class="command">DISABLED</strong></span></span></dt> 6441<dd><p> 6442 The testing override policy causes policy zone records to do 6443 nothing but log what they would have done if the 6444 policy zone were not disabled. 6445 The response to the DNS query will be written (or not) 6446 according to any triggered policy records that are not 6447 disabled. 6448 Disabled policy zones should appear first, 6449 because they will often not be logged 6450 if a higher precedence trigger is found first. 6451 </p></dd> 6452<dt> 6453<span class="term"><span><strong class="command">PASSTHRU</strong></span>, </span><span class="term"><span><strong class="command">DROP</strong></span>, </span><span class="term"><span><strong class="command">TCP-Only</strong></span>, </span><span class="term"><span><strong class="command">NXDOMAIN</strong></span>, </span><span class="term"><span><strong class="command">NODATA</strong></span></span> 6454</dt> 6455<dd><p> 6456 override with the corresponding per-record policy. 6457 </p></dd> 6458<dt><span class="term"><span><strong class="command">CNAME domain</strong></span></span></dt> 6459<dd><p> 6460 causes all RPZ policy records to act as if they were 6461 "cname domain" records. 6462 </p></dd> 6463</dl></div> 6464<p> 6465 </p> 6466<p> 6467 By default, the actions encoded in a response policy zone 6468 are applied only to queries that ask for recursion (RD=1). 6469 That default can be changed for a single policy zone or 6470 all response policy zones in a view 6471 with a <span><strong class="command">recursive-only no</strong></span> clause. 6472 This feature is useful for serving the same zone files 6473 both inside and outside an RFC 1918 cloud and using RPZ to 6474 delete answers that would otherwise contain RFC 1918 values 6475 on the externally visible name server or view. 6476 </p> 6477<p> 6478 Also by default, RPZ actions are applied only to DNS requests 6479 that either do not request DNSSEC metadata (DO=0) or when no 6480 DNSSEC records are available for request name in the original 6481 zone (not the response policy zone). This default can be 6482 changed for all response policy zones in a view with a 6483 <span><strong class="command">break-dnssec yes</strong></span> clause. In that case, RPZ 6484 actions are applied regardless of DNSSEC. The name of the 6485 clause option reflects the fact that results rewritten by RPZ 6486 actions cannot verify. 6487 </p> 6488<p> 6489 No DNS records are needed for a QNAME or Client-IP trigger. 6490 The name or IP address itself is sufficient, 6491 so in principle the query name need not be recursively resolved. 6492 However, not resolving the requested 6493 name can leak the fact that response policy rewriting is in use 6494 and that the name is listed in a policy zone to operators of 6495 servers for listed names. To prevent that information leak, by 6496 default any recursion needed for a request is done before any 6497 policy triggers are considered. Because listed domains often 6498 have slow authoritative servers, this default behavior can cost 6499 significant time. 6500 The <span><strong class="command">qname-wait-recurse no</strong></span> option 6501 overrides that default behavior when recursion cannot 6502 change a non-error response. 6503 The option does not affect QNAME or client-IP triggers 6504 in policy zones listed 6505 after other zones containing IP, NSIP and NSDNAME triggers, because 6506 those may depend on the A, AAAA, and NS records that would be 6507 found during recursive resolution. It also does not affect 6508 DNSSEC requests (DO=1) unless <span><strong class="command">break-dnssec yes</strong></span> 6509 is in use, because the response would depend on whether or not 6510 RRSIG records were found during resolution. 6511 Using this option can cause error responses such as SERVFAIL to 6512 appear to be rewritten, since no recursion is being done to 6513 discover problems at the authoritative server. 6514 </p> 6515<p> 6516 The TTL of a record modified by RPZ policies is set from the 6517 TTL of the relevant record in policy zone. It is then limited 6518 to a maximum value. 6519 The <span><strong class="command">max-policy-ttl</strong></span> clause changes that 6520 maximum from its default of 5. 6521 </p> 6522<p> 6523 For example, you might use this option statement 6524 </p> 6525<pre class="programlisting"> response-policy { zone "badlist"; };</pre> 6526<p> 6527 and this zone statement 6528 </p> 6529<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre> 6530<p> 6531 with this zone file 6532 </p> 6533<pre class="programlisting">$TTL 1H 6534@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h) 6535 NS LOCALHOST. 6536 6537; QNAME policy records. There are no periods (.) after the owner names. 6538nxdomain.domain.com CNAME . ; NXDOMAIN policy 6539*.nxdomain.domain.com CNAME . ; NXDOMAIN policy 6540nodata.domain.com CNAME *. ; NODATA policy 6541*.nodata.domain.com CNAME *. ; NODATA policy 6542bad.domain.com A 10.0.0.1 ; redirect to a walled garden 6543 AAAA 2001:2::1 6544bzone.domain.com CNAME garden.example.com. 6545 6546; do not rewrite (PASSTHRU) OK.DOMAIN.COM 6547ok.domain.com CNAME rpz-passthru. 6548 6549; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com 6550*.bzone.domain.com CNAME *.garden.example.com. 6551 6552 6553; IP policy records that rewrite all responses containing A records in 127/8 6554; except 127.0.0.1 65558.0.0.0.127.rpz-ip CNAME . 655632.1.0.0.127.rpz-ip CNAME rpz-passthru. 6557 6558; NSDNAME and NSIP policy records 6559ns.domain.com.rpz-nsdname CNAME . 656048.zz.2.2001.rpz-nsip CNAME . 6561 6562; blacklist and whitelist some DNS clients 6563112.zz.2001.rpz-client-ip CNAME rpz-drop. 65648.0.0.0.127.rpz-client-ip CNAME rpz-drop. 6565 6566; force some DNS clients and responses in the example.com zone to TCP 656716.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only. 6568example.com CNAME rpz-tcp-only. 6569*.example.com CNAME rpz-tcp-only. 6570 6571</pre> 6572<p> 6573 RPZ can affect server performance. 6574 Each configured response policy zone requires the server to 6575 perform one to four additional database lookups before a 6576 query can be answered. 6577 For example, a DNS server with four policy zones, each with all 6578 four kinds of response triggers, QNAME, IP, NSIP, and 6579 NSDNAME, requires a total of 17 times as many database 6580 lookups as a similar DNS server with no response policy zones. 6581 A <acronym class="acronym">BIND9</acronym> server with adequate memory and one 6582 response policy zone with QNAME and IP triggers might achieve a 6583 maximum queries-per-second rate about 20% lower. 6584 A server with four response policy zones with QNAME and IP 6585 triggers might have a maximum QPS rate about 50% lower. 6586 </p> 6587<p> 6588 Responses rewritten by RPZ are counted in the 6589 <span><strong class="command">RPZRewrites</strong></span> statistics. 6590 </p> 6591</div> 6592<div class="sect3" lang="en"> 6593<div class="titlepage"><div><div><h4 class="title"> 6594<a name="id2590393"></a>Response Rate Limiting</h4></div></div></div> 6595<p> 6596 Excessive almost identical UDP <span class="emphasis"><em>responses</em></span> 6597 can be controlled by configuring a 6598 <span><strong class="command">rate-limit</strong></span> clause in an 6599 <span><strong class="command">options</strong></span> or <span><strong class="command">view</strong></span> statement. 6600 This mechanism keeps authoritative BIND 9 from being used 6601 in amplifying reflection denial of service (DoS) attacks. 6602 Short truncated (TC=1) responses can be sent to provide 6603 rate-limited responses to legitimate clients within 6604 a range of forged, attacked IP addresses. 6605 Legitimate clients react to dropped or truncated response 6606 by retrying with UDP or with TCP respectively. 6607 </p> 6608<p> 6609 This mechanism is intended for authoritative DNS servers. 6610 It can be used on recursive servers but can slow 6611 applications such as SMTP servers (mail receivers) and 6612 HTTP clients (web browsers) that repeatedly request the 6613 same domains. 6614 When possible, closing "open" recursive servers is better. 6615 </p> 6616<p> 6617 Response rate limiting uses a "credit" or "token bucket" scheme. 6618 Each combination of identical response and client 6619 has a conceptual account that earns a specified number 6620 of credits every second. 6621 A prospective response debits its account by one. 6622 Responses are dropped or truncated 6623 while the account is negative. 6624 Responses are tracked within a rolling window of time 6625 which defaults to 15 seconds, but can be configured with 6626 the <span><strong class="command">window</strong></span> option to any value from 6627 1 to 3600 seconds (1 hour). 6628 The account cannot become more positive than 6629 the per-second limit 6630 or more negative than <span><strong class="command">window</strong></span> 6631 times the per-second limit. 6632 When the specified number of credits for a class of 6633 responses is set to 0, those responses are not rate limited. 6634 </p> 6635<p> 6636 The notions of "identical response" and "DNS client" 6637 for rate limiting are not simplistic. 6638 All responses to an address block are counted as if to a 6639 single client. 6640 The prefix lengths of addresses blocks are 6641 specified with <span><strong class="command">ipv4-prefix-length</strong></span> (default 24) 6642 and <span><strong class="command">ipv6-prefix-length</strong></span> (default 56). 6643 </p> 6644<p> 6645 All non-empty responses for a valid domain name (qname) 6646 and record type (qtype) are identical and have a limit specified 6647 with <span><strong class="command">responses-per-second</strong></span> 6648 (default 0 or no limit). 6649 All empty (NODATA) responses for a valid domain, 6650 regardless of query type, are identical. 6651 Responses in the NODATA class are limited by 6652 <span><strong class="command">nodata-per-second</strong></span> 6653 (default <span><strong class="command">responses-per-second</strong></span>). 6654 Requests for any and all undefined subdomains of a given 6655 valid domain result in NXDOMAIN errors, and are identical 6656 regardless of query type. 6657 They are limited by <span><strong class="command">nxdomains-per-second</strong></span> 6658 (default base <span><strong class="command">responses-per-second</strong></span>). 6659 This controls some attacks using random names, but 6660 can be relaxed or turned off (set to 0) 6661 on servers that expect many legitimate 6662 NXDOMAIN responses, such as from anti-spam blacklists. 6663 Referrals or delegations to the server of a given 6664 domain are identical and are limited by 6665 <span><strong class="command">referrals-per-second</strong></span> 6666 (default <span><strong class="command">responses-per-second</strong></span>). 6667 </p> 6668<p> 6669 Responses generated from local wildcards are counted and limited 6670 as if they were for the parent domain name. 6671 This controls flooding using random.wild.example.com. 6672 </p> 6673<p> 6674 All requests that result in DNS errors other 6675 than NXDOMAIN, such as SERVFAIL and FORMERR, are identical 6676 regardless of requested name (qname) or record type (qtype). 6677 This controls attacks using invalid requests or distant, 6678 broken authoritative servers. 6679 By default the limit on errors is the same as the 6680 <span><strong class="command">responses-per-second</strong></span> value, 6681 but it can be set separately with 6682 <span><strong class="command">errors-per-second</strong></span>. 6683 </p> 6684<p> 6685 Many attacks using DNS involve UDP requests with forged source 6686 addresses. 6687 Rate limiting prevents the use of BIND 9 to flood a network 6688 with responses to requests with forged source addresses, 6689 but could let a third party block responses to legitimate requests. 6690 There is a mechanism that can answer some legitimate 6691 requests from a client whose address is being forged in a flood. 6692 Setting <span><strong class="command">slip</strong></span> to 2 (its default) causes every 6693 other UDP request to be answered with a small truncated (TC=1) 6694 response. 6695 The small size and reduced frequency, and so lack of 6696 amplification, of "slipped" responses make them unattractive 6697 for reflection DoS attacks. 6698 <span><strong class="command">slip</strong></span> must be between 0 and 10. 6699 A value of 0 does not "slip": 6700 no truncated responses are sent due to rate limiting, 6701 all responses are dropped. 6702 A value of 1 causes every response to slip; 6703 values between 2 and 10 cause every n'th response to slip. 6704 Some error responses including REFUSED and SERVFAIL 6705 cannot be replaced with truncated responses and are instead 6706 leaked at the <span><strong class="command">slip</strong></span> rate. 6707 </p> 6708<p> 6709 (NOTE: Dropped responses from an authoritative server may 6710 reduce the difficulty of a third party successfully forging 6711 a response to a recursive resolver. The best security 6712 against forged responses is for authoritative operators 6713 to sign their zones using DNSSEC and for resolver operators 6714 to validate the responses. When this is not an option, 6715 operators who are more concerned with response integrity 6716 than with flood mitigation may consider setting 6717 <span><strong class="command">slip</strong></span> to 1, causing all rate-limited 6718 responses to be truncated rather than dropped. This reduces 6719 the effectiveness of rate-limiting against reflection attacks.) 6720 </p> 6721<p> 6722 When the approximate query per second rate exceeds 6723 the <span><strong class="command">qps-scale</strong></span> value, 6724 then the <span><strong class="command">responses-per-second</strong></span>, 6725 <span><strong class="command">errors-per-second</strong></span>, 6726 <span><strong class="command">nxdomains-per-second</strong></span> and 6727 <span><strong class="command">all-per-second</strong></span> values are reduced by the 6728 ratio of the current rate to the <span><strong class="command">qps-scale</strong></span> value. 6729 This feature can tighten defenses during attacks. 6730 For example, with 6731 <span><strong class="command">qps-scale 250; responses-per-second 20;</strong></span> and 6732 a total query rate of 1000 queries/second for all queries from 6733 all DNS clients including via TCP, 6734 then the effective responses/second limit changes to 6735 (250/1000)*20 or 5. 6736 Responses sent via TCP are not limited 6737 but are counted to compute the query per second rate. 6738 </p> 6739<p> 6740 Communities of DNS clients can be given their own parameters or no 6741 rate limiting by putting 6742 <span><strong class="command">rate-limit</strong></span> statements in <span><strong class="command">view</strong></span> 6743 statements instead of the global <span><strong class="command">option</strong></span> 6744 statement. 6745 A <span><strong class="command">rate-limit</strong></span> statement in a view replaces, 6746 rather than supplementing, a <span><strong class="command">rate-limit</strong></span> 6747 statement among the main options. 6748 DNS clients within a view can be exempted from rate limits 6749 with the <span><strong class="command">exempt-clients</strong></span> clause. 6750 </p> 6751<p> 6752 UDP responses of all kinds can be limited with the 6753 <span><strong class="command">all-per-second</strong></span> phrase. 6754 This rate limiting is unlike the rate limiting provided by 6755 <span><strong class="command">responses-per-second</strong></span>, 6756 <span><strong class="command">errors-per-second</strong></span>, and 6757 <span><strong class="command">nxdomains-per-second</strong></span> on a DNS server 6758 which are often invisible to the victim of a DNS reflection attack. 6759 Unless the forged requests of the attack are the same as the 6760 legitimate requests of the victim, the victim's requests are 6761 not affected. 6762 Responses affected by an <span><strong class="command">all-per-second</strong></span> limit 6763 are always dropped; the <span><strong class="command">slip</strong></span> value has no 6764 effect. 6765 An <span><strong class="command">all-per-second</strong></span> limit should be 6766 at least 4 times as large as the other limits, 6767 because single DNS clients often send bursts of legitimate 6768 requests. 6769 For example, the receipt of a single mail message can prompt 6770 requests from an SMTP server for NS, PTR, A, and AAAA records 6771 as the incoming SMTP/TCP/IP connection is considered. 6772 The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF 6773 records as it considers the STMP <span><strong class="command">Mail From</strong></span> 6774 command. 6775 Web browsers often repeatedly resolve the same names that 6776 are repeated in HTML <IMG> tags in a page. 6777 <span><strong class="command">All-per-second</strong></span> is similar to the 6778 rate limiting offered by firewalls but often inferior. 6779 Attacks that justify ignoring the 6780 contents of DNS responses are likely to be attacks on the 6781 DNS server itself. 6782 They usually should be discarded before the DNS server 6783 spends resources making TCP connections or parsing DNS requests, 6784 but that rate limiting must be done before the 6785 DNS server sees the requests. 6786 </p> 6787<p> 6788 The maximum size of the table used to track requests and 6789 rate limit responses is set with <span><strong class="command">max-table-size</strong></span>. 6790 Each entry in the table is between 40 and 80 bytes. 6791 The table needs approximately as many entries as the number 6792 of requests received per second. 6793 The default is 20,000. 6794 To reduce the cold start of growing the table, 6795 <span><strong class="command">min-table-size</strong></span> (default 500) 6796 can set the minimum table size. 6797 Enable <span><strong class="command">rate-limit</strong></span> category logging to monitor 6798 expansions of the table and inform 6799 choices for the initial and maximum table size. 6800 </p> 6801<p> 6802 Use <span><strong class="command">log-only yes</strong></span> to test rate limiting parameters 6803 without actually dropping any requests. 6804 </p> 6805<p> 6806 Responses dropped by rate limits are included in the 6807 <span><strong class="command">RateDropped</strong></span> and <span><strong class="command">QryDropped</strong></span> 6808 statistics. 6809 Responses that truncated by rate limits are included in 6810 <span><strong class="command">RateSlipped</strong></span> and <span><strong class="command">RespTruncated</strong></span>. 6811 </p> 6812</div> 6813</div> 6814<div class="sect2" lang="en"> 6815<div class="titlepage"><div><div><h3 class="title"> 6816<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div> 6817<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> { 6818 [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 6819 [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 6820 [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 6821 [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 6822 [<span class="optional"> request-sit <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 6823 [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 6824 [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>] 6825 [<span class="optional"> nosit-udp-size <em class="replaceable"><code>number</code></em> ; </span>] 6826 [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>] 6827 [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>] 6828 [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>] 6829 [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>] 6830 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 6831 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 6832 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 6833 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 6834 [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 6835 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 6836 [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 6837 [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 6838 [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] 6839 [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>] 6840 [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>] 6841}; 6842</pre> 6843</div> 6844<div class="sect2" lang="en"> 6845<div class="titlepage"><div><div><h3 class="title"> 6846<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and 6847 Usage</h3></div></div></div> 6848<p> 6849 The <span><strong class="command">server</strong></span> statement defines 6850 characteristics 6851 to be associated with a remote name server. If a prefix length is 6852 specified, then a range of servers is covered. Only the most 6853 specific 6854 server clause applies regardless of the order in 6855 <code class="filename">named.conf</code>. 6856 </p> 6857<p> 6858 The <span><strong class="command">server</strong></span> statement can occur at 6859 the top level of the 6860 configuration file or inside a <span><strong class="command">view</strong></span> 6861 statement. 6862 If a <span><strong class="command">view</strong></span> statement contains 6863 one or more <span><strong class="command">server</strong></span> statements, only 6864 those 6865 apply to the view and any top-level ones are ignored. 6866 If a view contains no <span><strong class="command">server</strong></span> 6867 statements, 6868 any top-level <span><strong class="command">server</strong></span> statements are 6869 used as 6870 defaults. 6871 </p> 6872<p> 6873 If you discover that a remote server is giving out bad data, 6874 marking it as bogus will prevent further queries to it. The 6875 default 6876 value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>. 6877 </p> 6878<p> 6879 The <span><strong class="command">provide-ixfr</strong></span> clause determines 6880 whether 6881 the local server, acting as master, will respond with an 6882 incremental 6883 zone transfer when the given remote server, a slave, requests it. 6884 If set to <span><strong class="command">yes</strong></span>, incremental transfer 6885 will be provided 6886 whenever possible. If set to <span><strong class="command">no</strong></span>, 6887 all transfers 6888 to the remote server will be non-incremental. If not set, the 6889 value 6890 of the <span><strong class="command">provide-ixfr</strong></span> option in the 6891 view or 6892 global options block is used as a default. 6893 </p> 6894<p> 6895 The <span><strong class="command">request-ixfr</strong></span> clause determines 6896 whether 6897 the local server, acting as a slave, will request incremental zone 6898 transfers from the given remote server, a master. If not set, the 6899 value of the <span><strong class="command">request-ixfr</strong></span> option in 6900 the view or global options block is used as a default. It may 6901 also be set in the zone block and, if set there, it will 6902 override the global or view setting for that zone. 6903 </p> 6904<p> 6905 IXFR requests to servers that do not support IXFR will 6906 automatically 6907 fall back to AXFR. Therefore, there is no need to manually list 6908 which servers support IXFR and which ones do not; the global 6909 default 6910 of <span><strong class="command">yes</strong></span> should always work. 6911 The purpose of the <span><strong class="command">provide-ixfr</strong></span> and 6912 <span><strong class="command">request-ixfr</strong></span> clauses is 6913 to make it possible to disable the use of IXFR even when both 6914 master 6915 and slave claim to support it, for example if one of the servers 6916 is buggy and crashes or corrupts data when IXFR is used. 6917 </p> 6918<p> 6919 The <span><strong class="command">edns</strong></span> clause determines whether 6920 the local server will attempt to use EDNS when communicating 6921 with the remote server. The default is <span><strong class="command">yes</strong></span>. 6922 </p> 6923<p> 6924 The <span><strong class="command">edns-udp-size</strong></span> option sets the 6925 EDNS UDP size that is advertised by <span><strong class="command">named</strong></span> 6926 when querying the remote server. Valid values are 512 6927 to 4096 bytes (values outside this range will be silently 6928 adjusted to the nearest value within it). This option 6929 is useful when you wish to advertise a different value 6930 to this server than the value you advertise globally, 6931 for example, when there is a firewall at the remote 6932 site that is blocking large replies. (Note: Currently, 6933 this sets a single UDP size for all packets sent to the 6934 server; <span><strong class="command">named</strong></span> will not deviate from 6935 this value. This differs from the behavior of 6936 <span><strong class="command">edns-udp-size</strong></span> in <span><strong class="command">options</strong></span> 6937 or <span><strong class="command">view</strong></span> statements, where it specifies 6938 a maximum value. The <span><strong class="command">server</strong></span> statement 6939 behavior may be brought into conformance with the 6940 <span><strong class="command">options/view</strong></span> behavior in future releases.) 6941 </p> 6942<p> 6943 The <span><strong class="command">max-udp-size</strong></span> option sets the 6944 maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send. Valid 6945 values are 512 to 4096 bytes (values outside this range will 6946 be silently adjusted). This option is useful when you 6947 know that there is a firewall that is blocking large 6948 replies from <span><strong class="command">named</strong></span>. 6949 </p> 6950<p> 6951 The <span><strong class="command">nosit-udp-size</strong></span> option sets the 6952 maximum size of UDP responses that will be sent to 6953 queries without a valid source identity token. The command 6954 <span><strong class="command">max-udp-size</strong></span> option may further limit 6955 the response size. 6956 </p> 6957<p> 6958 The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>, 6959 uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs 6960 as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is 6961 more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> 6962 8.x, and patched versions of <acronym class="acronym">BIND</acronym> 6963 4.9.5. You can specify which method 6964 to use for a server with the <span><strong class="command">transfer-format</strong></span> option. 6965 If <span><strong class="command">transfer-format</strong></span> is not 6966 specified, the <span><strong class="command">transfer-format</strong></span> 6967 specified 6968 by the <span><strong class="command">options</strong></span> statement will be 6969 used. 6970 </p> 6971<p><span><strong class="command">transfers</strong></span> 6972 is used to limit the number of concurrent inbound zone 6973 transfers from the specified server. If no 6974 <span><strong class="command">transfers</strong></span> clause is specified, the 6975 limit is set according to the 6976 <span><strong class="command">transfers-per-ns</strong></span> option. 6977 </p> 6978<p> 6979 The <span><strong class="command">keys</strong></span> clause identifies a 6980 <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement, 6981 to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) 6982 when talking to the remote server. 6983 When a request is sent to the remote server, a request signature 6984 will be generated using the key specified here and appended to the 6985 message. A request originating from the remote server is not 6986 required 6987 to be signed by this key. 6988 </p> 6989<p> 6990 Although the grammar of the <span><strong class="command">keys</strong></span> 6991 clause 6992 allows for multiple keys, only a single key per server is 6993 currently 6994 supported. 6995 </p> 6996<p> 6997 The <span><strong class="command">transfer-source</strong></span> and 6998 <span><strong class="command">transfer-source-v6</strong></span> clauses specify 6999 the IPv4 and IPv6 source 7000 address to be used for zone transfer with the remote server, 7001 respectively. 7002 For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can 7003 be specified. 7004 Similarly, for an IPv6 remote server, only 7005 <span><strong class="command">transfer-source-v6</strong></span> can be 7006 specified. 7007 For more details, see the description of 7008 <span><strong class="command">transfer-source</strong></span> and 7009 <span><strong class="command">transfer-source-v6</strong></span> in 7010 <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 7011 </p> 7012<p> 7013 The <span><strong class="command">notify-source</strong></span> and 7014 <span><strong class="command">notify-source-v6</strong></span> clauses specify the 7015 IPv4 and IPv6 source address to be used for notify 7016 messages sent to remote servers, respectively. For an 7017 IPv4 remote server, only <span><strong class="command">notify-source</strong></span> 7018 can be specified. Similarly, for an IPv6 remote server, 7019 only <span><strong class="command">notify-source-v6</strong></span> can be specified. 7020 </p> 7021<p> 7022 The <span><strong class="command">query-source</strong></span> and 7023 <span><strong class="command">query-source-v6</strong></span> clauses specify the 7024 IPv4 and IPv6 source address to be used for queries 7025 sent to remote servers, respectively. For an IPv4 7026 remote server, only <span><strong class="command">query-source</strong></span> can 7027 be specified. Similarly, for an IPv6 remote server, 7028 only <span><strong class="command">query-source-v6</strong></span> can be specified. 7029 </p> 7030<p> 7031 The <span><strong class="command">request-nsid</strong></span> clause determines 7032 whether the local server will add a NSID EDNS option 7033 to requests sent to the server. This overrides 7034 <span><strong class="command">request-nsid</strong></span> set at the view or 7035 option level. 7036 </p> 7037<p> 7038 The <span><strong class="command">request-sit</strong></span> clause determines 7039 whether the local server will add a SIT EDNS option 7040 to requests sent to the server. This overrides 7041 <span><strong class="command">request-sit</strong></span> set at the view or 7042 option level. Named may determine that SIT is not 7043 supported by the remote server and not add a SIT 7044 EDNS option to requests. 7045 </p> 7046</div> 7047<div class="sect2" lang="en"> 7048<div class="titlepage"><div><div><h3 class="title"> 7049<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div> 7050<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> { 7051 [ inet ( ip_addr | * ) [ port ip_port ] 7052 [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ] 7053 [ inet ...; ] 7054}; 7055</pre> 7056</div> 7057<div class="sect2" lang="en"> 7058<div class="titlepage"><div><div><h3 class="title"> 7059<a name="id2591758"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and 7060 Usage</h3></div></div></div> 7061<p> 7062 The <span><strong class="command">statistics-channels</strong></span> statement 7063 declares communication channels to be used by system 7064 administrators to get access to statistics information of 7065 the name server. 7066 </p> 7067<p> 7068 This statement intends to be flexible to support multiple 7069 communication protocols in the future, but currently only 7070 HTTP access is supported. 7071 It requires that BIND 9 be compiled with libxml2 and/or 7072 json-c (also known as libjson0); the 7073 <span><strong class="command">statistics-channels</strong></span> statement is 7074 still accepted even if it is built without the library, 7075 but any HTTP access will fail with an error. 7076 </p> 7077<p> 7078 An <span><strong class="command">inet</strong></span> control channel is a TCP socket 7079 listening at the specified <span><strong class="command">ip_port</strong></span> on the 7080 specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 7081 address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> 7082 (asterisk) is 7083 interpreted as the IPv4 wildcard address; connections will be 7084 accepted on any of the system's IPv4 addresses. 7085 To listen on the IPv6 wildcard address, 7086 use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. 7087 </p> 7088<p> 7089 If no port is specified, port 80 is used for HTTP channels. 7090 The asterisk "<code class="literal">*</code>" cannot be used for 7091 <span><strong class="command">ip_port</strong></span>. 7092 </p> 7093<p> 7094 The attempt of opening a statistics channel is 7095 restricted by the optional <span><strong class="command">allow</strong></span> clause. 7096 Connections to the statistics channel are permitted based on the 7097 <span><strong class="command">address_match_list</strong></span>. 7098 If no <span><strong class="command">allow</strong></span> clause is present, 7099 <span><strong class="command">named</strong></span> accepts connection 7100 attempts from any address; since the statistics may 7101 contain sensitive internal information, it is highly 7102 recommended to restrict the source of connection requests 7103 appropriately. 7104 </p> 7105<p> 7106 If no <span><strong class="command">statistics-channels</strong></span> statement is present, 7107 <span><strong class="command">named</strong></span> will not open any communication channels. 7108 </p> 7109<p> 7110 The statistics are available in various formats and views 7111 depending on the URI used to access them. For example, if 7112 the statistics channel is configured to listen on 127.0.0.1 7113 port 8888, then the statistics are accessible in XML format at 7114 <a href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or 7115 <a href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is 7116 included which can format the XML statistics into tables 7117 when viewed with a stylesheet-capable browser, and into 7118 charts and graphs using the Google Charts API when using a 7119 javascript-capable browser. 7120 </p> 7121<p> 7122 Applications that depend on a particular XML schema 7123 can request 7124 <a href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2 7125 of the statistics XML schema or 7126 <a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3. 7127 If the requested schema is supported by the server, then 7128 it will respond; if not, it will return a "page not found" 7129 error. 7130 </p> 7131<p> 7132 Broken-out subsets of the statistics can be viewed at 7133 <a href="http://127.0.0.1:8888/xml/v3/status" target="_top">http://127.0.0.1:8888/xml/v3/status</a> 7134 (server uptime and last reconfiguration time), 7135 <a href="http://127.0.0.1:8888/xml/v3/server" target="_top">http://127.0.0.1:8888/xml/v3/server</a> 7136 (server and resolver statistics), 7137 <a href="http://127.0.0.1:8888/xml/v3/zones" target="_top">http://127.0.0.1:8888/xml/v3/zones</a> 7138 (zone statistics), 7139 <a href="http://127.0.0.1:8888/xml/v3/net" target="_top">http://127.0.0.1:8888/xml/v3/net</a> 7140 (network status and socket statistics), 7141 <a href="http://127.0.0.1:8888/xml/v3/mem" target="_top">http://127.0.0.1:8888/xml/v3/mem</a> 7142 (memory manager statistics), 7143 <a href="http://127.0.0.1:8888/xml/v3/tasks" target="_top">http://127.0.0.1:8888/xml/v3/tasks</a> 7144 (task manager statistics). 7145 </p> 7146<p> 7147 The full set of statistics can also be read in JSON format at 7148 <a href="http://127.0.0.1:8888/json" target="_top">http://127.0.0.1:8888/json</a>, 7149 with the broken-out subsets at 7150 <a href="http://127.0.0.1:8888/json/v1/status" target="_top">http://127.0.0.1:8888/json/v1/status</a> 7151 (server uptime and last reconfiguration time), 7152 <a href="http://127.0.0.1:8888/json/v1/server" target="_top">http://127.0.0.1:8888/json/v1/server</a> 7153 (server and resolver statistics), 7154 <a href="http://127.0.0.1:8888/json/v1/zones" target="_top">http://127.0.0.1:8888/json/v1/zones</a> 7155 (zone statistics), 7156 <a href="http://127.0.0.1:8888/json/v1/net" target="_top">http://127.0.0.1:8888/json/v1/net</a> 7157 (network status and socket statistics), 7158 <a href="http://127.0.0.1:8888/json/v1/mem" target="_top">http://127.0.0.1:8888/json/v1/mem</a> 7159 (memory manager statistics), 7160 <a href="http://127.0.0.1:8888/json/v1/tasks" target="_top">http://127.0.0.1:8888/json/v1/tasks</a> 7161 (task manager statistics). 7162 </p> 7163</div> 7164<div class="sect2" lang="en"> 7165<div class="titlepage"><div><div><h3 class="title"> 7166<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div> 7167<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> { 7168 <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; 7169 [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>] 7170}; 7171</pre> 7172</div> 7173<div class="sect2" lang="en"> 7174<div class="titlepage"><div><div><h3 class="title"> 7175<a name="id2592176"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition 7176 and Usage</h3></div></div></div> 7177<p> 7178 The <span><strong class="command">trusted-keys</strong></span> statement defines 7179 DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the 7180 public key for a non-authoritative zone is known, but 7181 cannot be securely obtained through DNS, either because 7182 it is the DNS root zone or because its parent zone is 7183 unsigned. Once a key has been configured as a trusted 7184 key, it is treated as if it had been validated and 7185 proven secure. The resolver attempts DNSSEC validation 7186 on all DNS data in subdomains of a security root. 7187 </p> 7188<p> 7189 All keys (and corresponding zones) listed in 7190 <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless 7191 of what parent zones say. Similarly for all keys listed in 7192 <span><strong class="command">trusted-keys</strong></span> only those keys are 7193 used to validate the DNSKEY RRset. The parent's DS RRset 7194 will not be used. 7195 </p> 7196<p> 7197 The <span><strong class="command">trusted-keys</strong></span> statement can contain 7198 multiple key entries, each consisting of the key's 7199 domain name, flags, protocol, algorithm, and the Base-64 7200 representation of the key data. 7201 Spaces, tabs, newlines and carriage returns are ignored 7202 in the key data, so the configuration may be split up into 7203 multiple lines. 7204 </p> 7205<p> 7206 <span><strong class="command">trusted-keys</strong></span> may be set at the top level 7207 of <code class="filename">named.conf</code> or within a view. If it is 7208 set in both places, they are additive: keys defined at the top 7209 level are inherited by all views, but keys defined in a view 7210 are only used within that view. 7211 </p> 7212</div> 7213<div class="sect2" lang="en"> 7214<div class="titlepage"><div><div><h3 class="title"> 7215<a name="id2592222"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div> 7216<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> { 7217 <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; 7218 [<span class="optional"> <em class="replaceable"><code>name</code></em> initial-key <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>] 7219}; 7220</pre> 7221</div> 7222<div class="sect2" lang="en"> 7223<div class="titlepage"><div><div><h3 class="title"> 7224<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition 7225 and Usage</h3></div></div></div> 7226<p> 7227 The <span><strong class="command">managed-keys</strong></span> statement, like 7228 <span><strong class="command">trusted-keys</strong></span>, defines DNSSEC 7229 security roots. The difference is that 7230 <span><strong class="command">managed-keys</strong></span> can be kept up to date 7231 automatically, without intervention from the resolver 7232 operator. 7233 </p> 7234<p> 7235 Suppose, for example, that a zone's key-signing 7236 key was compromised, and the zone owner had to revoke and 7237 replace the key. A resolver which had the old key in a 7238 <span><strong class="command">trusted-keys</strong></span> statement would be 7239 unable to validate this zone any longer; it would 7240 reply with a SERVFAIL response code. This would 7241 continue until the resolver operator had updated the 7242 <span><strong class="command">trusted-keys</strong></span> statement with the new key. 7243 </p> 7244<p> 7245 If, however, the zone were listed in a 7246 <span><strong class="command">managed-keys</strong></span> statement instead, then the 7247 zone owner could add a "stand-by" key to the zone in advance. 7248 <span><strong class="command">named</strong></span> would store the stand-by key, and 7249 when the original key was revoked, <span><strong class="command">named</strong></span> 7250 would be able to transition smoothly to the new key. It would 7251 also recognize that the old key had been revoked, and cease 7252 using that key to validate answers, minimizing the damage that 7253 the compromised key could do. 7254 </p> 7255<p> 7256 A <span><strong class="command">managed-keys</strong></span> statement contains a list of 7257 the keys to be managed, along with information about how the 7258 keys are to be initialized for the first time. The only 7259 initialization method currently supported (as of 7260 <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>. 7261 This means the <span><strong class="command">managed-keys</strong></span> statement must 7262 contain a copy of the initializing key. (Future releases may 7263 allow keys to be initialized by other methods, eliminating this 7264 requirement.) 7265 </p> 7266<p> 7267 Consequently, a <span><strong class="command">managed-keys</strong></span> statement 7268 appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing 7269 in the presence of the second field, containing the keyword 7270 <code class="literal">initial-key</code>. The difference is, whereas the 7271 keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be 7272 trusted until they are removed from 7273 <code class="filename">named.conf</code>, an initializing key listed 7274 in a <span><strong class="command">managed-keys</strong></span> statement is only trusted 7275 <span class="emphasis"><em>once</em></span>: for as long as it takes to load the 7276 managed key database and start the RFC 5011 key maintenance 7277 process. 7278 </p> 7279<p> 7280 The first time <span><strong class="command">named</strong></span> runs with a managed key 7281 configured in <code class="filename">named.conf</code>, it fetches the 7282 DNSKEY RRset directly from the zone apex, and validates it 7283 using the key specified in the <span><strong class="command">managed-keys</strong></span> 7284 statement. If the DNSKEY RRset is validly signed, then it is 7285 used as the basis for a new managed keys database. 7286 </p> 7287<p> 7288 From that point on, whenever <span><strong class="command">named</strong></span> runs, it 7289 sees the <span><strong class="command">managed-keys</strong></span> statement, checks to 7290 make sure RFC 5011 key maintenance has already been initialized 7291 for the specified domain, and if so, it simply moves on. The 7292 key specified in the <span><strong class="command">managed-keys</strong></span> is not 7293 used to validate answers; it has been superseded by the key or 7294 keys stored in the managed keys database. 7295 </p> 7296<p> 7297 The next time <span><strong class="command">named</strong></span> runs after a name 7298 has been <span class="emphasis"><em>removed</em></span> from the 7299 <span><strong class="command">managed-keys</strong></span> statement, the corresponding 7300 zone will be removed from the managed keys database, 7301 and RFC 5011 key maintenance will no longer be used for that 7302 domain. 7303 </p> 7304<p> 7305 <span><strong class="command">named</strong></span> only maintains a single managed keys 7306 database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>, 7307 <span><strong class="command">managed-keys</strong></span> may only be set at the top 7308 level of <code class="filename">named.conf</code>, not within a view. 7309 </p> 7310<p> 7311 In the current implementation, the managed keys database is 7312 stored as a master-format zone file called 7313 <code class="filename">managed-keys.bind</code>. When the key database 7314 is changed, the zone is updated. As with any other dynamic 7315 zone, changes will be written into a journal file, 7316 <code class="filename">managed-keys.bind.jnl</code>. They are committed 7317 to the master file as soon as possible afterward; in the case 7318 of the managed key database, this will usually occur within 30 7319 seconds. So, whenever <span><strong class="command">named</strong></span> is using 7320 automatic key maintenance, those two files can be expected to 7321 exist in the working directory. (For this reason among others, 7322 the working directory should be always be writable by 7323 <span><strong class="command">named</strong></span>.) 7324 </p> 7325<p> 7326 If the <span><strong class="command">dnssec-validation</strong></span> option is 7327 set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span> 7328 will automatically initialize a managed key for the 7329 root zone. Similarly, if the <span><strong class="command">dnssec-lookaside</strong></span> 7330 option is set to <strong class="userinput"><code>auto</code></strong>, 7331 <span><strong class="command">named</strong></span> will automatically initialize 7332 a managed key for the zone <code class="literal">dlv.isc.org</code>. 7333 In both cases, the key that is used to initialize the key 7334 maintenance process is built into <span><strong class="command">named</strong></span>, 7335 and can be overridden from <span><strong class="command">bindkeys-file</strong></span>. 7336 </p> 7337</div> 7338<div class="sect2" lang="en"> 7339<div class="titlepage"><div><div><h3 class="title"> 7340<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div> 7341<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em> 7342 [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7343 match-clients { <em class="replaceable"><code>address_match_list</code></em> }; 7344 match-destinations { <em class="replaceable"><code>address_match_list</code></em> }; 7345 match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ; 7346 [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>] 7347 [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>] 7348}; 7349</pre> 7350</div> 7351<div class="sect2" lang="en"> 7352<div class="titlepage"><div><div><h3 class="title"> 7353<a name="id2592589"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> 7354<p> 7355 The <span><strong class="command">view</strong></span> statement is a powerful 7356 feature 7357 of <acronym class="acronym">BIND</acronym> 9 that lets a name server 7358 answer a DNS query differently 7359 depending on who is asking. It is particularly useful for 7360 implementing 7361 split DNS setups without having to run multiple servers. 7362 </p> 7363<p> 7364 Each <span><strong class="command">view</strong></span> statement defines a view 7365 of the 7366 DNS namespace that will be seen by a subset of clients. A client 7367 matches 7368 a view if its source IP address matches the 7369 <code class="varname">address_match_list</code> of the view's 7370 <span><strong class="command">match-clients</strong></span> clause and its 7371 destination IP address matches 7372 the <code class="varname">address_match_list</code> of the 7373 view's 7374 <span><strong class="command">match-destinations</strong></span> clause. If not 7375 specified, both 7376 <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> 7377 default to matching all addresses. In addition to checking IP 7378 addresses 7379 <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> 7380 can also take <span><strong class="command">keys</strong></span> which provide an 7381 mechanism for the 7382 client to select the view. A view can also be specified 7383 as <span><strong class="command">match-recursive-only</strong></span>, which 7384 means that only recursive 7385 requests from matching clients will match that view. 7386 The order of the <span><strong class="command">view</strong></span> statements is 7387 significant — 7388 a client request will be resolved in the context of the first 7389 <span><strong class="command">view</strong></span> that it matches. 7390 </p> 7391<p> 7392 Zones defined within a <span><strong class="command">view</strong></span> 7393 statement will 7394 only be accessible to clients that match the <span><strong class="command">view</strong></span>. 7395 By defining a zone of the same name in multiple views, different 7396 zone data can be given to different clients, for example, 7397 "internal" 7398 and "external" clients in a split DNS setup. 7399 </p> 7400<p> 7401 Many of the options given in the <span><strong class="command">options</strong></span> statement 7402 can also be used within a <span><strong class="command">view</strong></span> 7403 statement, and then 7404 apply only when resolving queries with that view. When no 7405 view-specific 7406 value is given, the value in the <span><strong class="command">options</strong></span> statement 7407 is used as a default. Also, zone options can have default values 7408 specified 7409 in the <span><strong class="command">view</strong></span> statement; these 7410 view-specific defaults 7411 take precedence over those in the <span><strong class="command">options</strong></span> statement. 7412 </p> 7413<p> 7414 Views are class specific. If no class is given, class IN 7415 is assumed. Note that all non-IN views must contain a hint zone, 7416 since only the IN class has compiled-in default hints. 7417 </p> 7418<p> 7419 If there are no <span><strong class="command">view</strong></span> statements in 7420 the config 7421 file, a default view that matches any client is automatically 7422 created 7423 in class IN. Any <span><strong class="command">zone</strong></span> statements 7424 specified on 7425 the top level of the configuration file are considered to be part 7426 of 7427 this default view, and the <span><strong class="command">options</strong></span> 7428 statement will 7429 apply to the default view. If any explicit <span><strong class="command">view</strong></span> 7430 statements are present, all <span><strong class="command">zone</strong></span> 7431 statements must 7432 occur inside <span><strong class="command">view</strong></span> statements. 7433 </p> 7434<p> 7435 Here is an example of a typical split DNS setup implemented 7436 using <span><strong class="command">view</strong></span> statements: 7437 </p> 7438<pre class="programlisting">view "internal" { 7439 // This should match our internal networks. 7440 match-clients { 10.0.0.0/8; }; 7441 7442 // Provide recursive service to internal 7443 // clients only. 7444 recursion yes; 7445 7446 // Provide a complete view of the example.com 7447 // zone including addresses of internal hosts. 7448 zone "example.com" { 7449 type master; 7450 file "example-internal.db"; 7451 }; 7452}; 7453 7454view "external" { 7455 // Match all clients not matched by the 7456 // previous view. 7457 match-clients { any; }; 7458 7459 // Refuse recursive service to external clients. 7460 recursion no; 7461 7462 // Provide a restricted view of the example.com 7463 // zone containing only publicly accessible hosts. 7464 zone "example.com" { 7465 type master; 7466 file "example-external.db"; 7467 }; 7468}; 7469</pre> 7470</div> 7471<div class="sect2" lang="en"> 7472<div class="titlepage"><div><div><h3 class="title"> 7473<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span> 7474 Statement Grammar</h3></div></div></div> 7475<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7476 type master; 7477 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7478 [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7479 [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7480 [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7481 [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7482 [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7483 [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] 7484 [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>] 7485 [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; 7486 [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>] 7487 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] 7488 [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] 7489 [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7490 [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] 7491 [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7492 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] 7493 [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] 7494 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>] 7495 [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>] 7496 [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] 7497 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] 7498 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>] 7499 [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>] 7500 [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7501 [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>] 7502 [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7503 [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7504 [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>] 7505 [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>] 7506 [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>] 7507 [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>] 7508 [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>] 7509 [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7510 [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] 7511 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7512 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7513 [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] 7514 [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] 7515 [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] 7516 [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] 7517 [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>] 7518 [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] 7519 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] 7520 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] 7521 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] 7522 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] 7523 [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] 7524 [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>] 7525 [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7526 [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7527 [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>; </span>] 7528 [<span class="optional"> max-zone-ttl <em class="replaceable"><code>number</code></em> ; </span>] 7529}; 7530 7531zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7532 type slave; 7533 [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7534 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7535 [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7536 [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7537 [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7538 [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>] 7539 [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7540 [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7541 [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] 7542 [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7543 [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7544 [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> 7545 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] 7546 [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] 7547 [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] 7548 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] 7549 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] 7550 [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] 7551 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>] 7552 [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>] 7553 [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] 7554 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] 7555 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>] 7556 [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>] 7557 [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7558 [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>] 7559 [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7560 [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> 7561 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] 7562 [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] 7563 [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] 7564 [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>] 7565 [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>] 7566 [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>] 7567 [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>] 7568 [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>] 7569 [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>] 7570 [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>] 7571 [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7572 [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] 7573 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7574 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7575 [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7576 [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) 7577 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] 7578 [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7579 [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7580 [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7581 [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7582 [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] 7583 [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] 7584 [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] 7585 [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] 7586 [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>] 7587 [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] 7588 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] 7589 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] 7590 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] 7591 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] 7592 [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] 7593 [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>] 7594 [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7595 [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7596 [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7597}; 7598 7599zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7600 type hint; 7601 file <em class="replaceable"><code>string</code></em> ; 7602 [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7603 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented. 7604}; 7605 7606zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7607 type stub; 7608 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7609 [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7610 [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] 7611 [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] 7612 [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7613 [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] 7614 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>] 7615 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] 7616 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>] 7617 [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> 7618 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] 7619 [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] 7620 [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] 7621 [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>] 7622 [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>] 7623 [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] 7624 [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7625 [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) 7626 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7627 [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7628 [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) 7629 [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; </span>] 7630 [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] 7631 [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7632 [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] 7633 [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] 7634 [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] 7635 [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] 7636 [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] 7637 [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7638}; 7639 7640zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7641 type static-stub; 7642 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7643 [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>] 7644 [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>] 7645 [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7646}; 7647 7648zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7649 type forward; 7650 [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] 7651 [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">dscp <em class="replaceable"><code>ip_dscp</code></em></span>] ; ... </span>] }; </span>] 7652 [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] 7653}; 7654 7655zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7656 type redirect; 7657 file <em class="replaceable"><code>string</code></em> ; 7658 [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>|<code class="constant">map</code>) ; </span>] 7659 [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] 7660 [<span class="optional"> max-zone-ttl <em class="replaceable"><code>number</code></em> ; </span>] 7661}; 7662 7663zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7664 type delegation-only; 7665}; 7666 7667zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { 7668 [<span class="optional"> in-view <em class="replaceable"><code>string</code></em> ; </span>] 7669}; 7670 7671</pre> 7672</div> 7673<div class="sect2" lang="en"> 7674<div class="titlepage"><div><div><h3 class="title"> 7675<a name="id2594602"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> 7676<div class="sect3" lang="en"> 7677<div class="titlepage"><div><div><h4 class="title"> 7678<a name="id2594610"></a>Zone Types</h4></div></div></div> 7679<div class="informaltable"><table border="1"> 7680<colgroup> 7681<col> 7682<col> 7683</colgroup> 7684<tbody> 7685<tr> 7686<td> 7687 <p> 7688 <code class="varname">master</code> 7689 </p> 7690 </td> 7691<td> 7692 <p> 7693 The server has a master copy of the data 7694 for the zone and will be able to provide authoritative 7695 answers for 7696 it. 7697 </p> 7698 </td> 7699</tr> 7700<tr> 7701<td> 7702 <p> 7703 <code class="varname">slave</code> 7704 </p> 7705 </td> 7706<td> 7707 <p> 7708 A slave zone is a replica of a master 7709 zone. The <span><strong class="command">masters</strong></span> list 7710 specifies one or more IP addresses 7711 of master servers that the slave contacts to update 7712 its copy of the zone. 7713 Masters list elements can also be names of other 7714 masters lists. 7715 By default, transfers are made from port 53 on the 7716 servers; this can 7717 be changed for all servers by specifying a port number 7718 before the 7719 list of IP addresses, or on a per-server basis after 7720 the IP address. 7721 Authentication to the master can also be done with 7722 per-server TSIG keys. 7723 If a file is specified, then the 7724 replica will be written to this file whenever the zone 7725 is changed, 7726 and reloaded from this file on a server restart. Use 7727 of a file is 7728 recommended, since it often speeds server startup and 7729 eliminates 7730 a needless waste of bandwidth. Note that for large 7731 numbers (in the 7732 tens or hundreds of thousands) of zones per server, it 7733 is best to 7734 use a two-level naming scheme for zone filenames. For 7735 example, 7736 a slave server for the zone <code class="literal">example.com</code> might place 7737 the zone contents into a file called 7738 <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is 7739 just the first two letters of the zone name. (Most 7740 operating systems 7741 behave very slowly if you put 100000 files into 7742 a single directory.) 7743 </p> 7744 </td> 7745</tr> 7746<tr> 7747<td> 7748 <p> 7749 <code class="varname">stub</code> 7750 </p> 7751 </td> 7752<td> 7753 <p> 7754 A stub zone is similar to a slave zone, 7755 except that it replicates only the NS records of a 7756 master zone instead 7757 of the entire zone. Stub zones are not a standard part 7758 of the DNS; 7759 they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation. 7760 </p> 7761 7762 <p> 7763 Stub zones can be used to eliminate the need for glue 7764 NS record 7765 in a parent zone at the expense of maintaining a stub 7766 zone entry and 7767 a set of name server addresses in <code class="filename">named.conf</code>. 7768 This usage is not recommended for new configurations, 7769 and BIND 9 7770 supports it only in a limited way. 7771 In <acronym class="acronym">BIND</acronym> 4/8, zone 7772 transfers of a parent zone 7773 included the NS records from stub children of that 7774 zone. This meant 7775 that, in some cases, users could get away with 7776 configuring child stubs 7777 only in the master server for the parent zone. <acronym class="acronym">BIND</acronym> 7778 9 never mixes together zone data from different zones 7779 in this 7780 way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent 7781 zone has child stub zones configured, all the slave 7782 servers for the 7783 parent zone also need to have the same child stub 7784 zones 7785 configured. 7786 </p> 7787 7788 <p> 7789 Stub zones can also be used as a way of forcing the 7790 resolution 7791 of a given domain to use a particular set of 7792 authoritative servers. 7793 For example, the caching name servers on a private 7794 network using 7795 RFC1918 addressing may be configured with stub zones 7796 for 7797 <code class="literal">10.in-addr.arpa</code> 7798 to use a set of internal name servers as the 7799 authoritative 7800 servers for that domain. 7801 </p> 7802 </td> 7803</tr> 7804<tr> 7805<td> 7806 <p> 7807 <code class="varname">static-stub</code> 7808 </p> 7809 </td> 7810<td> 7811 <p> 7812 A static-stub zone is similar to a stub zone 7813 with the following exceptions: 7814 the zone data is statically configured, rather 7815 than transferred from a master server; 7816 when recursion is necessary for a query that 7817 matches a static-stub zone, the locally 7818 configured data (nameserver names and glue addresses) 7819 is always used even if different authoritative 7820 information is cached. 7821 </p> 7822 <p> 7823 Zone data is configured via the 7824 <span><strong class="command">server-addresses</strong></span> and 7825 <span><strong class="command">server-names</strong></span> zone options. 7826 </p> 7827 <p> 7828 The zone data is maintained in the form of NS 7829 and (if necessary) glue A or AAAA RRs 7830 internally, which can be seen by dumping zone 7831 databases by <span><strong class="command">rndc dumpdb -all</strong></span>. 7832 The configured RRs are considered local configuration 7833 parameters rather than public data. 7834 Non recursive queries (i.e., those with the RD 7835 bit off) to a static-stub zone are therefore 7836 prohibited and will be responded with REFUSED. 7837 </p> 7838 <p> 7839 Since the data is statically configured, no 7840 zone maintenance action takes place for a static-stub 7841 zone. 7842 For example, there is no periodic refresh 7843 attempt, and an incoming notify message 7844 will be rejected with an rcode of NOTAUTH. 7845 </p> 7846 <p> 7847 Each static-stub zone is configured with 7848 internally generated NS and (if necessary) 7849 glue A or AAAA RRs 7850 </p> 7851 </td> 7852</tr> 7853<tr> 7854<td> 7855 <p> 7856 <code class="varname">forward</code> 7857 </p> 7858 </td> 7859<td> 7860 <p> 7861 A "forward zone" is a way to configure 7862 forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement 7863 of type <span><strong class="command">forward</strong></span> can 7864 contain a <span><strong class="command">forward</strong></span> 7865 and/or <span><strong class="command">forwarders</strong></span> 7866 statement, 7867 which will apply to queries within the domain given by 7868 the zone 7869 name. If no <span><strong class="command">forwarders</strong></span> 7870 statement is present or 7871 an empty list for <span><strong class="command">forwarders</strong></span> is given, then no 7872 forwarding will be done for the domain, canceling the 7873 effects of 7874 any forwarders in the <span><strong class="command">options</strong></span> statement. Thus 7875 if you want to use this type of zone to change the 7876 behavior of the 7877 global <span><strong class="command">forward</strong></span> option 7878 (that is, "forward first" 7879 to, then "forward only", or vice versa, but want to 7880 use the same 7881 servers as set globally) you need to re-specify the 7882 global forwarders. 7883 </p> 7884 </td> 7885</tr> 7886<tr> 7887<td> 7888 <p> 7889 <code class="varname">hint</code> 7890 </p> 7891 </td> 7892<td> 7893 <p> 7894 The initial set of root name servers is 7895 specified using a "hint zone". When the server starts 7896 up, it uses 7897 the root hints to find a root name server and get the 7898 most recent 7899 list of root name servers. If no hint zone is 7900 specified for class 7901 IN, the server uses a compiled-in default set of root 7902 servers hints. 7903 Classes other than IN have no built-in defaults hints. 7904 </p> 7905 </td> 7906</tr> 7907<tr> 7908<td> 7909 <p> 7910 <code class="varname">redirect</code> 7911 </p> 7912 </td> 7913<td> 7914 <p> 7915 Redirect zones are used to provide answers to 7916 queries when normal resolution would result in 7917 NXDOMAIN being returned. 7918 Only one redirect zone is supported 7919 per view. <span><strong class="command">allow-query</strong></span> can be 7920 used to restrict which clients see these answers. 7921 </p> 7922 <p> 7923 If the client has requested DNSSEC records (DO=1) and 7924 the NXDOMAIN response is signed then no substitution 7925 will occur. 7926 </p> 7927 <p> 7928 To redirect all NXDOMAIN responses to 7929 100.100.100.2 and 7930 2001:ffff:ffff::100.100.100.2, one would 7931 configure a type redirect zone named ".", 7932 with the zone file containing wildcard records 7933 that point to the desired addresses: 7934 <code class="literal">"*. IN A 100.100.100.2"</code> 7935 and 7936 <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>. 7937 </p> 7938 <p> 7939 To redirect all Spanish names (under .ES) one 7940 would use similar entries but with the names 7941 "*.ES." instead of "*.". To redirect all 7942 commercial Spanish names (under COM.ES) one 7943 would use wildcard entries called "*.COM.ES.". 7944 </p> 7945 <p> 7946 Note that the redirect zone supports all 7947 possible types; it is not limited to A and 7948 AAAA records. 7949 </p> 7950 <p> 7951 Because redirect zones are not referenced 7952 directly by name, they are not kept in the 7953 zone lookup table with normal master and slave 7954 zones. Consequently, it is not currently possible 7955 to use 7956 <span><strong class="command">rndc reload 7957 <em class="replaceable"><code>zonename</code></em></strong></span> 7958 to reload a redirect zone. However, when using 7959 <span><strong class="command">rndc reload</strong></span> without specifying 7960 a zone name, redirect zones will be reloaded along 7961 with other zones. 7962 </p> 7963 </td> 7964</tr> 7965<tr> 7966<td> 7967 <p> 7968 <code class="varname">delegation-only</code> 7969 </p> 7970 </td> 7971<td> 7972 <p> 7973 This is used to enforce the delegation-only 7974 status of infrastructure zones (e.g. COM, 7975 NET, ORG). Any answer that is received 7976 without an explicit or implicit delegation 7977 in the authority section will be treated 7978 as NXDOMAIN. This does not apply to the 7979 zone apex. This should not be applied to 7980 leaf zones. 7981 </p> 7982 <p> 7983 <code class="varname">delegation-only</code> has no 7984 effect on answers received from forwarders. 7985 </p> 7986 <p> 7987 See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>. 7988 </p> 7989 </td> 7990</tr> 7991</tbody> 7992</table></div> 7993</div> 7994<div class="sect3" lang="en"> 7995<div class="titlepage"><div><div><h4 class="title"> 7996<a name="id2595218"></a>Class</h4></div></div></div> 7997<p> 7998 The zone's name may optionally be followed by a class. If 7999 a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>), 8000 is assumed. This is correct for the vast majority of cases. 8001 </p> 8002<p> 8003 The <code class="literal">hesiod</code> class is 8004 named for an information service from MIT's Project Athena. It 8005 is 8006 used to share information about various systems databases, such 8007 as users, groups, printers and so on. The keyword 8008 <code class="literal">HS</code> is 8009 a synonym for hesiod. 8010 </p> 8011<p> 8012 Another MIT development is Chaosnet, a LAN protocol created 8013 in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class. 8014 </p> 8015</div> 8016<div class="sect3" lang="en"> 8017<div class="titlepage"><div><div><h4 class="title"> 8018<a name="id2595456"></a>Zone Options</h4></div></div></div> 8019<div class="variablelist"><dl> 8020<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> 8021<dd><p> 8022 See the description of 8023 <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. 8024 </p></dd> 8025<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> 8026<dd><p> 8027 See the description of 8028 <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. 8029 </p></dd> 8030<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt> 8031<dd><p> 8032 See the description of 8033 <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. 8034 </p></dd> 8035<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> 8036<dd><p> 8037 See the description of <span><strong class="command">allow-transfer</strong></span> 8038 in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. 8039 </p></dd> 8040<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> 8041<dd><p> 8042 See the description of <span><strong class="command">allow-update</strong></span> 8043 in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. 8044 </p></dd> 8045<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt> 8046<dd><p> 8047 Specifies a "Simple Secure Update" policy. See 8048 <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>. 8049 </p></dd> 8050<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> 8051<dd><p> 8052 See the description of <span><strong class="command">allow-update-forwarding</strong></span> 8053 in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. 8054 </p></dd> 8055<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> 8056<dd><p> 8057 Only meaningful if <span><strong class="command">notify</strong></span> 8058 is 8059 active for this zone. The set of machines that will 8060 receive a 8061 <code class="literal">DNS NOTIFY</code> message 8062 for this zone is made up of all the listed name servers 8063 (other than 8064 the primary master) for the zone plus any IP addresses 8065 specified 8066 with <span><strong class="command">also-notify</strong></span>. A port 8067 may be specified 8068 with each <span><strong class="command">also-notify</strong></span> 8069 address to send the notify 8070 messages to a port other than the default of 53. 8071 A TSIG key may also be specified to cause the 8072 <code class="literal">NOTIFY</code> to be signed by the 8073 given key. 8074 <span><strong class="command">also-notify</strong></span> is not 8075 meaningful for stub zones. 8076 The default is the empty list. 8077 </p></dd> 8078<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> 8079<dd><p> 8080 This option is used to restrict the character set and 8081 syntax of 8082 certain domain names in master files and/or DNS responses 8083 received from the 8084 network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span> 8085 zones the default is <span><strong class="command">warn</strong></span>. 8086 It is not implemented for <span><strong class="command">hint</strong></span> zones. 8087 </p></dd> 8088<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> 8089<dd><p> 8090 See the description of 8091 <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8092 </p></dd> 8093<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt> 8094<dd><p> 8095 See the description of 8096 <span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8097 </p></dd> 8098<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> 8099<dd><p> 8100 See the description of 8101 <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8102 </p></dd> 8103<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> 8104<dd><p> 8105 See the description of 8106 <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8107 </p></dd> 8108<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> 8109<dd><p> 8110 See the description of 8111 <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8112 </p></dd> 8113<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> 8114<dd><p> 8115 See the description of 8116 <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8117 </p></dd> 8118<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> 8119<dd><p> 8120 See the description of 8121 <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8122 </p></dd> 8123<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> 8124<dd><p> 8125 See the description of 8126 <span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and 8127 Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and 8128 Usage”</a>. 8129 </p></dd> 8130<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt> 8131<dd><p> 8132 See the description of 8133 <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8134 </p></dd> 8135<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt> 8136<dd><p> 8137 See the description of 8138 <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8139 </p></dd> 8140<dt><span class="term"><span><strong class="command">database</strong></span></span></dt> 8141<dd> 8142<p> 8143 Specify the type of database to be used for storing the 8144 zone data. The string following the <span><strong class="command">database</strong></span> keyword 8145 is interpreted as a list of whitespace-delimited words. 8146 The first word 8147 identifies the database type, and any subsequent words are 8148 passed 8149 as arguments to the database to be interpreted in a way 8150 specific 8151 to the database type. 8152 </p> 8153<p> 8154 The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's 8155 native in-memory 8156 red-black-tree database. This database does not take 8157 arguments. 8158 </p> 8159<p> 8160 Other values are possible if additional database drivers 8161 have been linked into the server. Some sample drivers are 8162 included 8163 with the distribution but none are linked in by default. 8164 </p> 8165</dd> 8166<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> 8167<dd><p> 8168 See the description of 8169 <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8170 </p></dd> 8171<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt> 8172<dd> 8173<p> 8174 The flag only applies to forward, hint and stub 8175 zones. If set to <strong class="userinput"><code>yes</code></strong>, 8176 then the zone will also be treated as if it is 8177 also a delegation-only type zone. 8178 </p> 8179<p> 8180 See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>. 8181 </p> 8182</dd> 8183<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> 8184<dd><p> 8185 Only meaningful if the zone has a forwarders 8186 list. The <span><strong class="command">only</strong></span> value causes 8187 the lookup to fail 8188 after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would 8189 allow a normal lookup to be tried. 8190 </p></dd> 8191<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> 8192<dd><p> 8193 Used to override the list of global forwarders. 8194 If it is not specified in a zone of type <span><strong class="command">forward</strong></span>, 8195 no forwarding is done for the zone and the global options are 8196 not used. 8197 </p></dd> 8198<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt> 8199<dd><p> 8200 Was used in <acronym class="acronym">BIND</acronym> 8 to 8201 specify the name 8202 of the transaction log (journal) file for dynamic update 8203 and IXFR. 8204 <acronym class="acronym">BIND</acronym> 9 ignores the option 8205 and constructs the name of the journal 8206 file by appending "<code class="filename">.jnl</code>" 8207 to the name of the 8208 zone file. 8209 </p></dd> 8210<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt> 8211<dd><p> 8212 Was an undocumented option in <acronym class="acronym">BIND</acronym> 8. 8213 Ignored in <acronym class="acronym">BIND</acronym> 9. 8214 </p></dd> 8215<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt> 8216<dd><p> 8217 Allow the default journal's filename to be overridden. 8218 The default is the zone's filename with "<code class="filename">.jnl</code>" appended. 8219 This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones. 8220 </p></dd> 8221<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> 8222<dd><p> 8223 See the description of 8224 <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>. 8225 </p></dd> 8226<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> 8227<dd><p> 8228 See the description of 8229 <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8230 </p></dd> 8231<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> 8232<dd><p> 8233 See the description of 8234 <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8235 </p></dd> 8236<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> 8237<dd><p> 8238 See the description of 8239 <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8240 </p></dd> 8241<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> 8242<dd><p> 8243 See the description of 8244 <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8245 </p></dd> 8246<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> 8247<dd><p> 8248 See the description of 8249 <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8250 </p></dd> 8251<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> 8252<dd><p> 8253 See the description of 8254 <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. 8255 </p></dd> 8256<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt> 8257<dd><p> 8258 See the description of 8259 <span><strong class="command">notify-to-soa</strong></span> in 8260 <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8261 </p></dd> 8262<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt> 8263<dd><p> 8264 In <acronym class="acronym">BIND</acronym> 8, this option was 8265 intended for specifying 8266 a public zone key for verification of signatures in DNSSEC 8267 signed 8268 zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures 8269 on load and ignores the option. 8270 </p></dd> 8271<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> 8272<dd><p> 8273 If <strong class="userinput"><code>yes</code></strong>, the server will keep 8274 statistical 8275 information for this zone, which can be dumped to the 8276 <span><strong class="command">statistics-file</strong></span> defined in 8277 the server options. 8278 </p></dd> 8279<dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt> 8280<dd> 8281<p> 8282 Only meaningful for static-stub zones. 8283 This is a list of IP addresses to which queries 8284 should be sent in recursive resolution for the 8285 zone. 8286 A non empty list for this option will internally 8287 configure the apex NS RR with associated glue A or 8288 AAAA RRs. 8289 </p> 8290<p> 8291 For example, if "example.com" is configured as a 8292 static-stub zone with 192.0.2.1 and 2001:db8::1234 8293 in a <span><strong class="command">server-addresses</strong></span> option, 8294 the following RRs will be internally configured. 8295 </p> 8296<pre class="programlisting">example.com. NS example.com. 8297example.com. A 192.0.2.1 8298example.com. AAAA 2001:db8::1234</pre> 8299<p> 8300 These records are internally used to resolve 8301 names under the static-stub zone. 8302 For instance, if the server receives a query for 8303 "www.example.com" with the RD bit on, the server 8304 will initiate recursive resolution and send 8305 queries to 192.0.2.1 and/or 2001:db8::1234. 8306 </p> 8307</dd> 8308<dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt> 8309<dd> 8310<p> 8311 Only meaningful for static-stub zones. 8312 This is a list of domain names of nameservers that 8313 act as authoritative servers of the static-stub 8314 zone. 8315 These names will be resolved to IP addresses when 8316 <span><strong class="command">named</strong></span> needs to send queries to 8317 these servers. 8318 To make this supplemental resolution successful, 8319 these names must not be a subdomain of the origin 8320 name of static-stub zone. 8321 That is, when "example.net" is the origin of a 8322 static-stub zone, "ns.example" and 8323 "master.example.com" can be specified in the 8324 <span><strong class="command">server-names</strong></span> option, but 8325 "ns.example.net" cannot, and will be rejected by 8326 the configuration parser. 8327 </p> 8328<p> 8329 A non empty list for this option will internally 8330 configure the apex NS RR with the specified names. 8331 For example, if "example.com" is configured as a 8332 static-stub zone with "ns1.example.net" and 8333 "ns2.example.net" 8334 in a <span><strong class="command">server-names</strong></span> option, 8335 the following RRs will be internally configured. 8336 </p> 8337<pre class="programlisting">example.com. NS ns1.example.net. 8338example.com. NS ns2.example.net. 8339</pre> 8340<p> 8341 These records are internally used to resolve 8342 names under the static-stub zone. 8343 For instance, if the server receives a query for 8344 "www.example.com" with the RD bit on, the server 8345 initiate recursive resolution, 8346 resolve "ns1.example.net" and/or 8347 "ns2.example.net" to IP addresses, and then send 8348 queries to (one or more of) these addresses. 8349 </p> 8350</dd> 8351<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> 8352<dd><p> 8353 See the description of 8354 <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. 8355 </p></dd> 8356<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt> 8357<dd><p> 8358 See the description of 8359 <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. 8360 </p></dd> 8361<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt> 8362<dd><p> 8363 See the description of 8364 <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. 8365 </p></dd> 8366<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt> 8367<dd><p> 8368 See the description of 8369 <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. 8370 </p></dd> 8371<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> 8372<dd><p> 8373 See the description of 8374 <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8375 </p></dd> 8376<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> 8377<dd><p> 8378 See the description of 8379 <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8380 </p></dd> 8381<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> 8382<dd><p> 8383 See the description of 8384 <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8385 </p></dd> 8386<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> 8387<dd><p> 8388 See the description of 8389 <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8390 </p></dd> 8391<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> 8392<dd><p> 8393 See the description of 8394 <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8395 </p></dd> 8396<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> 8397<dd><p> 8398 See the description of 8399 <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8400 </p></dd> 8401<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> 8402<dd><p> 8403 See the description of 8404 <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. 8405 </p></dd> 8406<dt> 8407<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> 8408</dt> 8409<dd><p> 8410 See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. 8411 </p></dd> 8412<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> 8413<dd><p> 8414 See the description of 8415 <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8416 (Note that the <span><strong class="command">ixfr-from-differences</strong></span> 8417 <strong class="userinput"><code>master</code></strong> and 8418 <strong class="userinput"><code>slave</code></strong> choices are not 8419 available at the zone level.) 8420 </p></dd> 8421<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> 8422<dd><p> 8423 See the description of 8424 <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and 8425 Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and 8426 Usage”</a>. 8427 </p></dd> 8428<dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt> 8429<dd> 8430<p> 8431 Zones configured for dynamic DNS may also use this 8432 option to allow varying levels of automatic DNSSEC key 8433 management. There are three possible settings: 8434 </p> 8435<p> 8436 <span><strong class="command">auto-dnssec allow;</strong></span> permits 8437 keys to be updated and the zone fully re-signed 8438 whenever the user issues the command <span><strong class="command">rndc sign 8439 <em class="replaceable"><code>zonename</code></em></strong></span>. 8440 </p> 8441<p> 8442 <span><strong class="command">auto-dnssec maintain;</strong></span> includes the 8443 above, but also automatically adjusts the zone's DNSSEC 8444 keys on schedule, according to the keys' timing metadata 8445 (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and 8446 <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command 8447 <span><strong class="command">rndc sign 8448 <em class="replaceable"><code>zonename</code></em></strong></span> causes 8449 <span><strong class="command">named</strong></span> to load keys from the key 8450 repository and sign the zone with all keys that are 8451 active. 8452 <span><strong class="command">rndc loadkeys 8453 <em class="replaceable"><code>zonename</code></em></strong></span> causes 8454 <span><strong class="command">named</strong></span> to load keys from the key 8455 repository and schedule key maintenance events to occur 8456 in the future, but it does not sign the full zone 8457 immediately. Note: once keys have been loaded for a 8458 zone the first time, the repository will be searched 8459 for changes periodically, regardless of whether 8460 <span><strong class="command">rndc loadkeys</strong></span> is used. The recheck 8461 interval is defined by 8462 <span><strong class="command">dnssec-loadkeys-interval</strong></span>.) 8463 </p> 8464<p> 8465 The default setting is <span><strong class="command">auto-dnssec off</strong></span>. 8466 </p> 8467</dd> 8468<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt> 8469<dd> 8470<p> 8471 Zones configured for dynamic DNS may use this 8472 option to set the update method that will be used for 8473 the zone serial number in the SOA record. 8474 </p> 8475<p> 8476 With the default setting of 8477 <span><strong class="command">serial-update-method increment;</strong></span>, the 8478 SOA serial number will be incremented by one each time 8479 the zone is updated. 8480 </p> 8481<p> 8482 When set to 8483 <span><strong class="command">serial-update-method unixtime;</strong></span>, the 8484 SOA serial number will be set to the number of seconds 8485 since the UNIX epoch, unless the serial number is 8486 already greater than or equal to that value, in which 8487 case it is simply incremented by one. 8488 </p> 8489</dd> 8490<dt><span class="term"><span><strong class="command">inline-signing</strong></span></span></dt> 8491<dd><p> 8492 If <code class="literal">yes</code>, this enables 8493 "bump in the wire" signing of a zone, where a 8494 unsigned zone is transferred in or loaded from 8495 disk and a signed version of the zone is served, 8496 with possibly, a different serial number. This 8497 behaviour is disabled by default. 8498 </p></dd> 8499<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> 8500<dd><p> 8501 See the description of <span><strong class="command">multi-master</strong></span> in 8502 <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8503 </p></dd> 8504<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> 8505<dd><p> 8506 See the description of <span><strong class="command">masterfile-format</strong></span> 8507 in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. 8508 </p></dd> 8509<dt><span class="term"><span><strong class="command">max-zone-ttl</strong></span></span></dt> 8510<dd><p> 8511 See the description of <span><strong class="command">max-zone-ttl</strong></span> 8512 in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and 8513 Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and 8514 Usage”</a>. 8515 </p></dd> 8516<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt> 8517<dd><p> 8518 See the description of 8519 <span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. 8520 </p></dd> 8521</dl></div> 8522</div> 8523<div class="sect3" lang="en"> 8524<div class="titlepage"><div><div><h4 class="title"> 8525<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div> 8526<p><acronym class="acronym">BIND</acronym> 9 supports two alternative 8527 methods of granting clients the right to perform 8528 dynamic updates to a zone, configured by the 8529 <span><strong class="command">allow-update</strong></span> and 8530 <span><strong class="command">update-policy</strong></span> option, respectively. 8531 </p> 8532<p> 8533 The <span><strong class="command">allow-update</strong></span> clause works the 8534 same way as in previous versions of <acronym class="acronym">BIND</acronym>. 8535 It grants given clients the permission to update any 8536 record of any name in the zone. 8537 </p> 8538<p> 8539 The <span><strong class="command">update-policy</strong></span> clause 8540 allows more fine-grained control over what updates are 8541 allowed. A set of rules is specified, where each rule 8542 either grants or denies permissions for one or more 8543 names to be updated by one or more identities. If 8544 the dynamic update request message is signed (that is, 8545 it includes either a TSIG or SIG(0) record), the 8546 identity of the signer can be determined. 8547 </p> 8548<p> 8549 Rules are specified in the <span><strong class="command">update-policy</strong></span> 8550 zone option, and are only meaningful for master zones. 8551 When the <span><strong class="command">update-policy</strong></span> statement 8552 is present, it is a configuration error for the 8553 <span><strong class="command">allow-update</strong></span> statement to be 8554 present. The <span><strong class="command">update-policy</strong></span> statement 8555 only examines the signer of a message; the source 8556 address is not relevant. 8557 </p> 8558<p> 8559 There is a pre-defined <span><strong class="command">update-policy</strong></span> 8560 rule which can be switched on with the command 8561 <span><strong class="command">update-policy local;</strong></span>. 8562 Switching on this rule in a zone causes 8563 <span><strong class="command">named</strong></span> to generate a TSIG session 8564 key and place it in a file, and to allow that key 8565 to update the zone. (By default, the file is 8566 <code class="filename">/var/run/named/session.key</code>, the key 8567 name is "local-ddns" and the key algorithm is HMAC-SHA256, 8568 but these values are configurable with the 8569 <span><strong class="command">session-keyfile</strong></span>, 8570 <span><strong class="command">session-keyname</strong></span> and 8571 <span><strong class="command">session-keyalg</strong></span> options, respectively). 8572 </p> 8573<p> 8574 A client running on the local system, and with appropriate 8575 permissions, may read that file and use the key to sign update 8576 requests. The zone's update policy will be set to allow that 8577 key to change any record within the zone. Assuming the 8578 key name is "local-ddns", this policy is equivalent to: 8579 </p> 8580<pre class="programlisting">update-policy { grant local-ddns zonesub any; }; 8581 </pre> 8582<p> 8583 The command <span><strong class="command">nsupdate -l</strong></span> sends update 8584 requests to localhost, and signs them using the session key. 8585 </p> 8586<p> 8587 Other rule definitions look like this: 8588 </p> 8589<pre class="programlisting"> 8590( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>] 8591</pre> 8592<p> 8593 Each rule grants or denies privileges. Once a message has 8594 successfully matched a rule, the operation is immediately 8595 granted or denied and no further rules are examined. A rule 8596 is matched when the signer matches the identity field, the 8597 name matches the name field in accordance with the nametype 8598 field, and the type matches the types specified in the type 8599 field. 8600 </p> 8601<p> 8602 No signer is required for <em class="replaceable"><code>tcp-self</code></em> 8603 or <em class="replaceable"><code>6to4-self</code></em> however the standard 8604 reverse mapping / prefix conversion must match the identity 8605 field. 8606 </p> 8607<p> 8608 The identity field specifies a name or a wildcard 8609 name. Normally, this is the name of the TSIG or 8610 SIG(0) key used to sign the update request. When a 8611 TKEY exchange has been used to create a shared secret, 8612 the identity of the shared secret is the same as the 8613 identity of the key used to authenticate the TKEY 8614 exchange. TKEY is also the negotiation method used 8615 by GSS-TSIG, which establishes an identity that is 8616 the Kerberos principal of the client, such as 8617 <strong class="userinput"><code>"user@host.domain"</code></strong>. When the 8618 <em class="replaceable"><code>identity</code></em> field specifies 8619 a wildcard name, it is subject to DNS wildcard 8620 expansion, so the rule will apply to multiple identities. 8621 The <em class="replaceable"><code>identity</code></em> field must 8622 contain a fully-qualified domain name. 8623 </p> 8624<p> 8625 For nametypes <code class="varname">krb5-self</code>, 8626 <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>, 8627 and <code class="varname">ms-subdomain</code> the 8628 <em class="replaceable"><code>identity</code></em> field specifies 8629 the Windows or Kerberos realm of the machine belongs to. 8630 </p> 8631<p> 8632 The <em class="replaceable"><code>nametype</code></em> field has 13 8633 values: 8634 <code class="varname">name</code>, <code class="varname">subdomain</code>, 8635 <code class="varname">wildcard</code>, <code class="varname">self</code>, 8636 <code class="varname">selfsub</code>, <code class="varname">selfwild</code>, 8637 <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>, 8638 <code class="varname">krb5-subdomain</code>, 8639 <code class="varname">ms-subdomain</code>, 8640 <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>, 8641 <code class="varname">zonesub</code>, and <code class="varname">external</code>. 8642 </p> 8643<div class="informaltable"><table border="1"> 8644<colgroup> 8645<col> 8646<col> 8647</colgroup> 8648<tbody> 8649<tr> 8650<td> 8651 <p> 8652 <code class="varname">name</code> 8653 </p> 8654 </td> 8655<td> 8656 <p> 8657 Exact-match semantics. This rule matches 8658 when the name being updated is identical 8659 to the contents of the 8660 <em class="replaceable"><code>name</code></em> field. 8661 </p> 8662 </td> 8663</tr> 8664<tr> 8665<td> 8666 <p> 8667 <code class="varname">subdomain</code> 8668 </p> 8669 </td> 8670<td> 8671 <p> 8672 This rule matches when the name being updated 8673 is a subdomain of, or identical to, the 8674 contents of the <em class="replaceable"><code>name</code></em> 8675 field. 8676 </p> 8677 </td> 8678</tr> 8679<tr> 8680<td> 8681 <p> 8682 <code class="varname">zonesub</code> 8683 </p> 8684 </td> 8685<td> 8686 <p> 8687 This rule is similar to subdomain, except that 8688 it matches when the name being updated is a 8689 subdomain of the zone in which the 8690 <span><strong class="command">update-policy</strong></span> statement 8691 appears. This obviates the need to type the zone 8692 name twice, and enables the use of a standard 8693 <span><strong class="command">update-policy</strong></span> statement in 8694 multiple zones without modification. 8695 </p> 8696 <p> 8697 When this rule is used, the 8698 <em class="replaceable"><code>name</code></em> field is omitted. 8699 </p> 8700 </td> 8701</tr> 8702<tr> 8703<td> 8704 <p> 8705 <code class="varname">wildcard</code> 8706 </p> 8707 </td> 8708<td> 8709 <p> 8710 The <em class="replaceable"><code>name</code></em> field 8711 is subject to DNS wildcard expansion, and 8712 this rule matches when the name being updated 8713 name is a valid expansion of the wildcard. 8714 </p> 8715 </td> 8716</tr> 8717<tr> 8718<td> 8719 <p> 8720 <code class="varname">self</code> 8721 </p> 8722 </td> 8723<td> 8724 <p> 8725 This rule matches when the name being updated 8726 matches the contents of the 8727 <em class="replaceable"><code>identity</code></em> field. 8728 The <em class="replaceable"><code>name</code></em> field 8729 is ignored, but should be the same as the 8730 <em class="replaceable"><code>identity</code></em> field. 8731 The <code class="varname">self</code> nametype is 8732 most useful when allowing using one key per 8733 name to update, where the key has the same 8734 name as the name to be updated. The 8735 <em class="replaceable"><code>identity</code></em> would 8736 be specified as <code class="constant">*</code> (an asterisk) in 8737 this case. 8738 </p> 8739 </td> 8740</tr> 8741<tr> 8742<td> 8743 <p> 8744 <code class="varname">selfsub</code> 8745 </p> 8746 </td> 8747<td> 8748 <p> 8749 This rule is similar to <code class="varname">self</code> 8750 except that subdomains of <code class="varname">self</code> 8751 can also be updated. 8752 </p> 8753 </td> 8754</tr> 8755<tr> 8756<td> 8757 <p> 8758 <code class="varname">selfwild</code> 8759 </p> 8760 </td> 8761<td> 8762 <p> 8763 This rule is similar to <code class="varname">self</code> 8764 except that only subdomains of 8765 <code class="varname">self</code> can be updated. 8766 </p> 8767 </td> 8768</tr> 8769<tr> 8770<td> 8771 <p> 8772 <code class="varname">ms-self</code> 8773 </p> 8774 </td> 8775<td> 8776 <p> 8777 This rule takes a Windows machine principal 8778 (machine$@REALM) for machine in REALM and 8779 and converts it machine.realm allowing the machine 8780 to update machine.realm. The REALM to be matched 8781 is specified in the <em class="replaceable"><code>identity</code></em> 8782 field. 8783 </p> 8784 </td> 8785</tr> 8786<tr> 8787<td> 8788 <p> 8789 <code class="varname">ms-subdomain</code> 8790 </p> 8791 </td> 8792<td> 8793 <p> 8794 This rule takes a Windows machine principal 8795 (machine$@REALM) for machine in REALM and 8796 converts it to machine.realm allowing the machine 8797 to update subdomains of machine.realm. The REALM 8798 to be matched is specified in the 8799 <em class="replaceable"><code>identity</code></em> field. 8800 </p> 8801 </td> 8802</tr> 8803<tr> 8804<td> 8805 <p> 8806 <code class="varname">krb5-self</code> 8807 </p> 8808 </td> 8809<td> 8810 <p> 8811 This rule takes a Kerberos machine principal 8812 (host/machine@REALM) for machine in REALM and 8813 and converts it machine.realm allowing the machine 8814 to update machine.realm. The REALM to be matched 8815 is specified in the <em class="replaceable"><code>identity</code></em> 8816 field. 8817 </p> 8818 </td> 8819</tr> 8820<tr> 8821<td> 8822 <p> 8823 <code class="varname">krb5-subdomain</code> 8824 </p> 8825 </td> 8826<td> 8827 <p> 8828 This rule takes a Kerberos machine principal 8829 (host/machine@REALM) for machine in REALM and 8830 converts it to machine.realm allowing the machine 8831 to update subdomains of machine.realm. The REALM 8832 to be matched is specified in the 8833 <em class="replaceable"><code>identity</code></em> field. 8834 </p> 8835 </td> 8836</tr> 8837<tr> 8838<td> 8839 <p> 8840 <code class="varname">tcp-self</code> 8841 </p> 8842 </td> 8843<td> 8844 <p> 8845 Allow updates that have been sent via TCP and 8846 for which the standard mapping from the initiating 8847 IP address into the IN-ADDR.ARPA and IP6.ARPA 8848 namespaces match the name to be updated. 8849 </p> 8850 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 8851<h3 class="title">Note</h3> 8852 It is theoretically possible to spoof these TCP 8853 sessions. 8854 </div> 8855 </td> 8856</tr> 8857<tr> 8858<td> 8859 <p> 8860 <code class="varname">6to4-self</code> 8861 </p> 8862 </td> 8863<td> 8864 <p> 8865 Allow the 6to4 prefix to be update by any TCP 8866 connection from the 6to4 network or from the 8867 corresponding IPv4 address. This is intended 8868 to allow NS or DNAME RRsets to be added to the 8869 reverse tree. 8870 </p> 8871 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 8872<h3 class="title">Note</h3> 8873 It is theoretically possible to spoof these TCP 8874 sessions. 8875 </div> 8876 </td> 8877</tr> 8878<tr> 8879<td> 8880 <p> 8881 <code class="varname">external</code> 8882 </p> 8883 </td> 8884<td> 8885 <p> 8886 This rule allows <span><strong class="command">named</strong></span> 8887 to defer the decision of whether to allow a 8888 given update to an external daemon. 8889 </p> 8890 <p> 8891 The method of communicating with the daemon is 8892 specified in the <em class="replaceable"><code>identity</code></em> 8893 field, the format of which is 8894 "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>", 8895 where <em class="replaceable"><code>path</code></em> is the location 8896 of a UNIX-domain socket. (Currently, "local" is the 8897 only supported mechanism.) 8898 </p> 8899 <p> 8900 Requests to the external daemon are sent over the 8901 UNIX-domain socket as datagrams with the following 8902 format: 8903 </p> 8904 <pre class="programlisting"> 8905 Protocol version number (4 bytes, network byte order, currently 1) 8906 Request length (4 bytes, network byte order) 8907 Signer (null-terminated string) 8908 Name (null-terminated string) 8909 TCP source address (null-terminated string) 8910 Rdata type (null-terminated string) 8911 Key (null-terminated string) 8912 TKEY token length (4 bytes, network byte order) 8913 TKEY token (remainder of packet)</pre> 8914 <p> 8915 The daemon replies with a four-byte value in 8916 network byte order, containing either 0 or 1; 0 8917 indicates that the specified update is not 8918 permitted, and 1 indicates that it is. 8919 </p> 8920 </td> 8921</tr> 8922</tbody> 8923</table></div> 8924<p> 8925 In all cases, the <em class="replaceable"><code>name</code></em> 8926 field must specify a fully-qualified domain name. 8927 </p> 8928<p> 8929 If no types are explicitly specified, this rule matches 8930 all types except RRSIG, NS, SOA, NSEC and NSEC3. Types 8931 may be specified by name, including "ANY" (ANY matches 8932 all types except NSEC and NSEC3, which can never be 8933 updated). Note that when an attempt is made to delete 8934 all records associated with a name, the rules are 8935 checked for each existing record type. 8936 </p> 8937</div> 8938<div class="sect3" lang="en"> 8939<div class="titlepage"><div><div><h4 class="title"> 8940<a name="id2598241"></a>Multiple views</h4></div></div></div> 8941<p> 8942 When multiple views are in use, a zone may be 8943 referenced by more than one of them. Often, the views 8944 will contain different zones with the same name, allowing 8945 different clients to receive different answers for the same 8946 queries. At times, however, it is desirable for multiple 8947 views to contain identical zones. The 8948 <span><strong class="command">in-view</strong></span> zone option provides an efficient 8949 way to do this: it allows a view to reference a zone that 8950 was defined in a previously configured view. Example: 8951 </p> 8952<pre class="programlisting"> 8953view internal { 8954 match-clients { 10/8; }; 8955 8956 zone example.com { 8957 type master; 8958 file "example-external.db"; 8959 }; 8960}; 8961 8962view external { 8963 match-clients { any; }; 8964 8965 zone example.com { 8966 in-view internal; 8967 }; 8968}; 8969 </pre> 8970<p> 8971 An <span><strong class="command">in-view</strong></span> option cannot refer to a view 8972 that is configured later in the configuration file. 8973 </p> 8974<p> 8975 A <span><strong class="command">zone</strong></span> statement which uses the 8976 <span><strong class="command">in-view</strong></span> option may not use any other 8977 options with the exception of <span><strong class="command">forward</strong></span> 8978 and <span><strong class="command">forwarders</strong></span>. (These options control 8979 the behavior of the containing view, rather than changing 8980 the zone object itself.) 8981 </p> 8982<p> 8983 An <span><strong class="command">in-view</strong></span> zone cannot be used as a 8984 response policy zone. 8985 </p> 8986</div> 8987</div> 8988</div> 8989<div class="sect1" lang="en"> 8990<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 8991<a name="id2598289"></a>Zone File</h2></div></div></div> 8992<div class="sect2" lang="en"> 8993<div class="titlepage"><div><div><h3 class="title"> 8994<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div> 8995<p> 8996 This section, largely borrowed from RFC 1034, describes the 8997 concept of a Resource Record (RR) and explains when each is used. 8998 Since the publication of RFC 1034, several new RRs have been 8999 identified 9000 and implemented in the DNS. These are also included. 9001 </p> 9002<div class="sect3" lang="en"> 9003<div class="titlepage"><div><div><h4 class="title"> 9004<a name="id2598375"></a>Resource Records</h4></div></div></div> 9005<p> 9006 A domain name identifies a node. Each node has a set of 9007 resource information, which may be empty. The set of resource 9008 information associated with a particular name is composed of 9009 separate RRs. The order of RRs in a set is not significant and 9010 need not be preserved by name servers, resolvers, or other 9011 parts of the DNS. However, sorting of multiple RRs is 9012 permitted for optimization purposes, for example, to specify 9013 that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>. 9014 </p> 9015<p> 9016 The components of a Resource Record are: 9017 </p> 9018<div class="informaltable"><table border="1"> 9019<colgroup> 9020<col> 9021<col> 9022</colgroup> 9023<tbody> 9024<tr> 9025<td> 9026 <p> 9027 owner name 9028 </p> 9029 </td> 9030<td> 9031 <p> 9032 The domain name where the RR is found. 9033 </p> 9034 </td> 9035</tr> 9036<tr> 9037<td> 9038 <p> 9039 type 9040 </p> 9041 </td> 9042<td> 9043 <p> 9044 An encoded 16-bit value that specifies 9045 the type of the resource record. 9046 </p> 9047 </td> 9048</tr> 9049<tr> 9050<td> 9051 <p> 9052 TTL 9053 </p> 9054 </td> 9055<td> 9056 <p> 9057 The time-to-live of the RR. This field 9058 is a 32-bit integer in units of seconds, and is 9059 primarily used by 9060 resolvers when they cache RRs. The TTL describes how 9061 long a RR can 9062 be cached before it should be discarded. 9063 </p> 9064 </td> 9065</tr> 9066<tr> 9067<td> 9068 <p> 9069 class 9070 </p> 9071 </td> 9072<td> 9073 <p> 9074 An encoded 16-bit value that identifies 9075 a protocol family or instance of a protocol. 9076 </p> 9077 </td> 9078</tr> 9079<tr> 9080<td> 9081 <p> 9082 RDATA 9083 </p> 9084 </td> 9085<td> 9086 <p> 9087 The resource data. The format of the 9088 data is type (and sometimes class) specific. 9089 </p> 9090 </td> 9091</tr> 9092</tbody> 9093</table></div> 9094<p> 9095 The following are <span class="emphasis"><em>types</em></span> of valid RRs: 9096 </p> 9097<div class="informaltable"><table border="1"> 9098<colgroup> 9099<col> 9100<col> 9101</colgroup> 9102<tbody> 9103<tr> 9104<td> 9105 <p> 9106 A 9107 </p> 9108 </td> 9109<td> 9110 <p> 9111 A host address. In the IN class, this is a 9112 32-bit IP address. Described in RFC 1035. 9113 </p> 9114 </td> 9115</tr> 9116<tr> 9117<td> 9118 <p> 9119 AAAA 9120 </p> 9121 </td> 9122<td> 9123 <p> 9124 IPv6 address. Described in RFC 1886. 9125 </p> 9126 </td> 9127</tr> 9128<tr> 9129<td> 9130 <p> 9131 A6 9132 </p> 9133 </td> 9134<td> 9135 <p> 9136 IPv6 address. This can be a partial 9137 address (a suffix) and an indirection to the name 9138 where the rest of the 9139 address (the prefix) can be found. Experimental. 9140 Described in RFC 2874. 9141 </p> 9142 </td> 9143</tr> 9144<tr> 9145<td> 9146 <p> 9147 AFSDB 9148 </p> 9149 </td> 9150<td> 9151 <p> 9152 Location of AFS database servers. 9153 Experimental. Described in RFC 1183. 9154 </p> 9155 </td> 9156</tr> 9157<tr> 9158<td> 9159 <p> 9160 APL 9161 </p> 9162 </td> 9163<td> 9164 <p> 9165 Address prefix list. Experimental. 9166 Described in RFC 3123. 9167 </p> 9168 </td> 9169</tr> 9170<tr> 9171<td> 9172 <p> 9173 CERT 9174 </p> 9175 </td> 9176<td> 9177 <p> 9178 Holds a digital certificate. 9179 Described in RFC 2538. 9180 </p> 9181 </td> 9182</tr> 9183<tr> 9184<td> 9185 <p> 9186 CNAME 9187 </p> 9188 </td> 9189<td> 9190 <p> 9191 Identifies the canonical name of an alias. 9192 Described in RFC 1035. 9193 </p> 9194 </td> 9195</tr> 9196<tr> 9197<td> 9198 <p> 9199 DHCID 9200 </p> 9201 </td> 9202<td> 9203 <p> 9204 Is used for identifying which DHCP client is 9205 associated with this name. Described in RFC 4701. 9206 </p> 9207 </td> 9208</tr> 9209<tr> 9210<td> 9211 <p> 9212 DNAME 9213 </p> 9214 </td> 9215<td> 9216 <p> 9217 Replaces the domain name specified with 9218 another name to be looked up, effectively aliasing an 9219 entire 9220 subtree of the domain name space rather than a single 9221 record 9222 as in the case of the CNAME RR. 9223 Described in RFC 2672. 9224 </p> 9225 </td> 9226</tr> 9227<tr> 9228<td> 9229 <p> 9230 DNSKEY 9231 </p> 9232 </td> 9233<td> 9234 <p> 9235 Stores a public key associated with a signed 9236 DNS zone. Described in RFC 4034. 9237 </p> 9238 </td> 9239</tr> 9240<tr> 9241<td> 9242 <p> 9243 DS 9244 </p> 9245 </td> 9246<td> 9247 <p> 9248 Stores the hash of a public key associated with a 9249 signed DNS zone. Described in RFC 4034. 9250 </p> 9251 </td> 9252</tr> 9253<tr> 9254<td> 9255 <p> 9256 GPOS 9257 </p> 9258 </td> 9259<td> 9260 <p> 9261 Specifies the global position. Superseded by LOC. 9262 </p> 9263 </td> 9264</tr> 9265<tr> 9266<td> 9267 <p> 9268 HINFO 9269 </p> 9270 </td> 9271<td> 9272 <p> 9273 Identifies the CPU and OS used by a host. 9274 Described in RFC 1035. 9275 </p> 9276 </td> 9277</tr> 9278<tr> 9279<td> 9280 <p> 9281 IPSECKEY 9282 </p> 9283 </td> 9284<td> 9285 <p> 9286 Provides a method for storing IPsec keying material in 9287 DNS. Described in RFC 4025. 9288 </p> 9289 </td> 9290</tr> 9291<tr> 9292<td> 9293 <p> 9294 ISDN 9295 </p> 9296 </td> 9297<td> 9298 <p> 9299 Representation of ISDN addresses. 9300 Experimental. Described in RFC 1183. 9301 </p> 9302 </td> 9303</tr> 9304<tr> 9305<td> 9306 <p> 9307 KEY 9308 </p> 9309 </td> 9310<td> 9311 <p> 9312 Stores a public key associated with a 9313 DNS name. Used in original DNSSEC; replaced 9314 by DNSKEY in DNSSECbis, but still used with 9315 SIG(0). Described in RFCs 2535 and 2931. 9316 </p> 9317 </td> 9318</tr> 9319<tr> 9320<td> 9321 <p> 9322 KX 9323 </p> 9324 </td> 9325<td> 9326 <p> 9327 Identifies a key exchanger for this 9328 DNS name. Described in RFC 2230. 9329 </p> 9330 </td> 9331</tr> 9332<tr> 9333<td> 9334 <p> 9335 LOC 9336 </p> 9337 </td> 9338<td> 9339 <p> 9340 For storing GPS info. Described in RFC 1876. 9341 Experimental. 9342 </p> 9343 </td> 9344</tr> 9345<tr> 9346<td> 9347 <p> 9348 MX 9349 </p> 9350 </td> 9351<td> 9352 <p> 9353 Identifies a mail exchange for the domain with 9354 a 16-bit preference value (lower is better) 9355 followed by the host name of the mail exchange. 9356 Described in RFC 974, RFC 1035. 9357 </p> 9358 </td> 9359</tr> 9360<tr> 9361<td> 9362 <p> 9363 NAPTR 9364 </p> 9365 </td> 9366<td> 9367 <p> 9368 Name authority pointer. Described in RFC 2915. 9369 </p> 9370 </td> 9371</tr> 9372<tr> 9373<td> 9374 <p> 9375 NSAP 9376 </p> 9377 </td> 9378<td> 9379 <p> 9380 A network service access point. 9381 Described in RFC 1706. 9382 </p> 9383 </td> 9384</tr> 9385<tr> 9386<td> 9387 <p> 9388 NS 9389 </p> 9390 </td> 9391<td> 9392 <p> 9393 The authoritative name server for the 9394 domain. Described in RFC 1035. 9395 </p> 9396 </td> 9397</tr> 9398<tr> 9399<td> 9400 <p> 9401 NSEC 9402 </p> 9403 </td> 9404<td> 9405 <p> 9406 Used in DNSSECbis to securely indicate that 9407 RRs with an owner name in a certain name interval do 9408 not exist in 9409 a zone and indicate what RR types are present for an 9410 existing name. 9411 Described in RFC 4034. 9412 </p> 9413 </td> 9414</tr> 9415<tr> 9416<td> 9417 <p> 9418 NSEC3 9419 </p> 9420 </td> 9421<td> 9422 <p> 9423 Used in DNSSECbis to securely indicate that 9424 RRs with an owner name in a certain name 9425 interval do not exist in a zone and indicate 9426 what RR types are present for an existing 9427 name. NSEC3 differs from NSEC in that it 9428 prevents zone enumeration but is more 9429 computationally expensive on both the server 9430 and the client than NSEC. Described in RFC 9431 5155. 9432 </p> 9433 </td> 9434</tr> 9435<tr> 9436<td> 9437 <p> 9438 NSEC3PARAM 9439 </p> 9440 </td> 9441<td> 9442 <p> 9443 Used in DNSSECbis to tell the authoritative 9444 server which NSEC3 chains are available to use. 9445 Described in RFC 5155. 9446 </p> 9447 </td> 9448</tr> 9449<tr> 9450<td> 9451 <p> 9452 NXT 9453 </p> 9454 </td> 9455<td> 9456 <p> 9457 Used in DNSSEC to securely indicate that 9458 RRs with an owner name in a certain name interval do 9459 not exist in 9460 a zone and indicate what RR types are present for an 9461 existing name. 9462 Used in original DNSSEC; replaced by NSEC in 9463 DNSSECbis. 9464 Described in RFC 2535. 9465 </p> 9466 </td> 9467</tr> 9468<tr> 9469<td> 9470 <p> 9471 PTR 9472 </p> 9473 </td> 9474<td> 9475 <p> 9476 A pointer to another part of the domain 9477 name space. Described in RFC 1035. 9478 </p> 9479 </td> 9480</tr> 9481<tr> 9482<td> 9483 <p> 9484 PX 9485 </p> 9486 </td> 9487<td> 9488 <p> 9489 Provides mappings between RFC 822 and X.400 9490 addresses. Described in RFC 2163. 9491 </p> 9492 </td> 9493</tr> 9494<tr> 9495<td> 9496 <p> 9497 RP 9498 </p> 9499 </td> 9500<td> 9501 <p> 9502 Information on persons responsible 9503 for the domain. Experimental. Described in RFC 1183. 9504 </p> 9505 </td> 9506</tr> 9507<tr> 9508<td> 9509 <p> 9510 RRSIG 9511 </p> 9512 </td> 9513<td> 9514 <p> 9515 Contains DNSSECbis signature data. Described 9516 in RFC 4034. 9517 </p> 9518 </td> 9519</tr> 9520<tr> 9521<td> 9522 <p> 9523 RT 9524 </p> 9525 </td> 9526<td> 9527 <p> 9528 Route-through binding for hosts that 9529 do not have their own direct wide area network 9530 addresses. 9531 Experimental. Described in RFC 1183. 9532 </p> 9533 </td> 9534</tr> 9535<tr> 9536<td> 9537 <p> 9538 SIG 9539 </p> 9540 </td> 9541<td> 9542 <p> 9543 Contains DNSSEC signature data. Used in 9544 original DNSSEC; replaced by RRSIG in 9545 DNSSECbis, but still used for SIG(0). 9546 Described in RFCs 2535 and 2931. 9547 </p> 9548 </td> 9549</tr> 9550<tr> 9551<td> 9552 <p> 9553 SOA 9554 </p> 9555 </td> 9556<td> 9557 <p> 9558 Identifies the start of a zone of authority. 9559 Described in RFC 1035. 9560 </p> 9561 </td> 9562</tr> 9563<tr> 9564<td> 9565 <p> 9566 SPF 9567 </p> 9568 </td> 9569<td> 9570 <p> 9571 Contains the Sender Policy Framework information 9572 for a given email domain. Described in RFC 4408. 9573 </p> 9574 </td> 9575</tr> 9576<tr> 9577<td> 9578 <p> 9579 SRV 9580 </p> 9581 </td> 9582<td> 9583 <p> 9584 Information about well known network 9585 services (replaces WKS). Described in RFC 2782. 9586 </p> 9587 </td> 9588</tr> 9589<tr> 9590<td> 9591 <p> 9592 SSHFP 9593 </p> 9594 </td> 9595<td> 9596 <p> 9597 Provides a way to securely publish a secure shell key's 9598 fingerprint. Described in RFC 4255. 9599 </p> 9600 </td> 9601</tr> 9602<tr> 9603<td> 9604 <p> 9605 TXT 9606 </p> 9607 </td> 9608<td> 9609 <p> 9610 Text records. Described in RFC 1035. 9611 </p> 9612 </td> 9613</tr> 9614<tr> 9615<td> 9616 <p> 9617 WKS 9618 </p> 9619 </td> 9620<td> 9621 <p> 9622 Information about which well known 9623 network services, such as SMTP, that a domain 9624 supports. Historical. 9625 </p> 9626 </td> 9627</tr> 9628<tr> 9629<td> 9630 <p> 9631 X25 9632 </p> 9633 </td> 9634<td> 9635 <p> 9636 Representation of X.25 network addresses. 9637 Experimental. Described in RFC 1183. 9638 </p> 9639 </td> 9640</tr> 9641</tbody> 9642</table></div> 9643<p> 9644 The following <span class="emphasis"><em>classes</em></span> of resource records 9645 are currently valid in the DNS: 9646 </p> 9647<div class="informaltable"><table border="1"> 9648<colgroup> 9649<col> 9650<col> 9651</colgroup> 9652<tbody> 9653<tr> 9654<td> 9655 <p> 9656 IN 9657 </p> 9658 </td> 9659<td> 9660 <p> 9661 The Internet. 9662 </p> 9663 </td> 9664</tr> 9665<tr> 9666<td> 9667 <p> 9668 CH 9669 </p> 9670 </td> 9671<td> 9672 <p> 9673 Chaosnet, a LAN protocol created at MIT in the 9674 mid-1970s. 9675 Rarely used for its historical purpose, but reused for 9676 BIND's 9677 built-in server information zones, e.g., 9678 <code class="literal">version.bind</code>. 9679 </p> 9680 </td> 9681</tr> 9682<tr> 9683<td> 9684 <p> 9685 HS 9686 </p> 9687 </td> 9688<td> 9689 <p> 9690 Hesiod, an information service 9691 developed by MIT's Project Athena. It is used to share 9692 information 9693 about various systems databases, such as users, 9694 groups, printers 9695 and so on. 9696 </p> 9697 </td> 9698</tr> 9699</tbody> 9700</table></div> 9701<p> 9702 The owner name is often implicit, rather than forming an 9703 integral 9704 part of the RR. For example, many name servers internally form 9705 tree 9706 or hash structures for the name space, and chain RRs off nodes. 9707 The remaining RR parts are the fixed header (type, class, TTL) 9708 which is consistent for all RRs, and a variable part (RDATA) 9709 that 9710 fits the needs of the resource being described. 9711 </p> 9712<p> 9713 The meaning of the TTL field is a time limit on how long an 9714 RR can be kept in a cache. This limit does not apply to 9715 authoritative 9716 data in zones; it is also timed out, but by the refreshing 9717 policies 9718 for the zone. The TTL is assigned by the administrator for the 9719 zone where the data originates. While short TTLs can be used to 9720 minimize caching, and a zero TTL prohibits caching, the 9721 realities 9722 of Internet performance suggest that these times should be on 9723 the 9724 order of days for the typical host. If a change can be 9725 anticipated, 9726 the TTL can be reduced prior to the change to minimize 9727 inconsistency 9728 during the change, and then increased back to its former value 9729 following 9730 the change. 9731 </p> 9732<p> 9733 The data in the RDATA section of RRs is carried as a combination 9734 of binary strings and domain names. The domain names are 9735 frequently 9736 used as "pointers" to other data in the DNS. 9737 </p> 9738</div> 9739<div class="sect3" lang="en"> 9740<div class="titlepage"><div><div><h4 class="title"> 9741<a name="id2599998"></a>Textual expression of RRs</h4></div></div></div> 9742<p> 9743 RRs are represented in binary form in the packets of the DNS 9744 protocol, and are usually represented in highly encoded form 9745 when 9746 stored in a name server or resolver. In the examples provided 9747 in 9748 RFC 1034, a style similar to that used in master files was 9749 employed 9750 in order to show the contents of RRs. In this format, most RRs 9751 are shown on a single line, although continuation lines are 9752 possible 9753 using parentheses. 9754 </p> 9755<p> 9756 The start of the line gives the owner of the RR. If a line 9757 begins with a blank, then the owner is assumed to be the same as 9758 that of the previous RR. Blank lines are often included for 9759 readability. 9760 </p> 9761<p> 9762 Following the owner, we list the TTL, type, and class of the 9763 RR. Class and type use the mnemonics defined above, and TTL is 9764 an integer before the type field. In order to avoid ambiguity 9765 in 9766 parsing, type and class mnemonics are disjoint, TTLs are 9767 integers, 9768 and the type mnemonic is always last. The IN class and TTL 9769 values 9770 are often omitted from examples in the interests of clarity. 9771 </p> 9772<p> 9773 The resource data or RDATA section of the RR are given using 9774 knowledge of the typical representation for the data. 9775 </p> 9776<p> 9777 For example, we might show the RRs carried in a message as: 9778 </p> 9779<div class="informaltable"><table border="1"> 9780<colgroup> 9781<col> 9782<col> 9783<col> 9784</colgroup> 9785<tbody> 9786<tr> 9787<td> 9788 <p> 9789 <code class="literal">ISI.EDU.</code> 9790 </p> 9791 </td> 9792<td> 9793 <p> 9794 <code class="literal">MX</code> 9795 </p> 9796 </td> 9797<td> 9798 <p> 9799 <code class="literal">10 VENERA.ISI.EDU.</code> 9800 </p> 9801 </td> 9802</tr> 9803<tr> 9804<td> 9805 <p></p> 9806 </td> 9807<td> 9808 <p> 9809 <code class="literal">MX</code> 9810 </p> 9811 </td> 9812<td> 9813 <p> 9814 <code class="literal">10 VAXA.ISI.EDU</code> 9815 </p> 9816 </td> 9817</tr> 9818<tr> 9819<td> 9820 <p> 9821 <code class="literal">VENERA.ISI.EDU</code> 9822 </p> 9823 </td> 9824<td> 9825 <p> 9826 <code class="literal">A</code> 9827 </p> 9828 </td> 9829<td> 9830 <p> 9831 <code class="literal">128.9.0.32</code> 9832 </p> 9833 </td> 9834</tr> 9835<tr> 9836<td> 9837 <p></p> 9838 </td> 9839<td> 9840 <p> 9841 <code class="literal">A</code> 9842 </p> 9843 </td> 9844<td> 9845 <p> 9846 <code class="literal">10.1.0.52</code> 9847 </p> 9848 </td> 9849</tr> 9850<tr> 9851<td> 9852 <p> 9853 <code class="literal">VAXA.ISI.EDU</code> 9854 </p> 9855 </td> 9856<td> 9857 <p> 9858 <code class="literal">A</code> 9859 </p> 9860 </td> 9861<td> 9862 <p> 9863 <code class="literal">10.2.0.27</code> 9864 </p> 9865 </td> 9866</tr> 9867<tr> 9868<td> 9869 <p></p> 9870 </td> 9871<td> 9872 <p> 9873 <code class="literal">A</code> 9874 </p> 9875 </td> 9876<td> 9877 <p> 9878 <code class="literal">128.9.0.33</code> 9879 </p> 9880 </td> 9881</tr> 9882</tbody> 9883</table></div> 9884<p> 9885 The MX RRs have an RDATA section which consists of a 16-bit 9886 number followed by a domain name. The address RRs use a 9887 standard 9888 IP address format to contain a 32-bit internet address. 9889 </p> 9890<p> 9891 The above example shows six RRs, with two RRs at each of three 9892 domain names. 9893 </p> 9894<p> 9895 Similarly we might see: 9896 </p> 9897<div class="informaltable"><table border="1"> 9898<colgroup> 9899<col> 9900<col> 9901<col> 9902</colgroup> 9903<tbody> 9904<tr> 9905<td> 9906 <p> 9907 <code class="literal">XX.LCS.MIT.EDU.</code> 9908 </p> 9909 </td> 9910<td> 9911 <p> 9912 <code class="literal">IN A</code> 9913 </p> 9914 </td> 9915<td> 9916 <p> 9917 <code class="literal">10.0.0.44</code> 9918 </p> 9919 </td> 9920</tr> 9921<tr> 9922<td>�</td> 9923<td> 9924 <p> 9925 <code class="literal">CH A</code> 9926 </p> 9927 </td> 9928<td> 9929 <p> 9930 <code class="literal">MIT.EDU. 2420</code> 9931 </p> 9932 </td> 9933</tr> 9934</tbody> 9935</table></div> 9936<p> 9937 This example shows two addresses for 9938 <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class. 9939 </p> 9940</div> 9941</div> 9942<div class="sect2" lang="en"> 9943<div class="titlepage"><div><div><h3 class="title"> 9944<a name="id2600587"></a>Discussion of MX Records</h3></div></div></div> 9945<p> 9946 As described above, domain servers store information as a 9947 series of resource records, each of which contains a particular 9948 piece of information about a given domain name (which is usually, 9949 but not always, a host). The simplest way to think of a RR is as 9950 a typed pair of data, a domain name matched with a relevant datum, 9951 and stored with some additional type information to help systems 9952 determine when the RR is relevant. 9953 </p> 9954<p> 9955 MX records are used to control delivery of email. The data 9956 specified in the record is a priority and a domain name. The 9957 priority 9958 controls the order in which email delivery is attempted, with the 9959 lowest number first. If two priorities are the same, a server is 9960 chosen randomly. If no servers at a given priority are responding, 9961 the mail transport agent will fall back to the next largest 9962 priority. 9963 Priority numbers do not have any absolute meaning — they are 9964 relevant 9965 only respective to other MX records for that domain name. The 9966 domain 9967 name given is the machine to which the mail will be delivered. 9968 It <span class="emphasis"><em>must</em></span> have an associated address record 9969 (A or AAAA) — CNAME is not sufficient. 9970 </p> 9971<p> 9972 For a given domain, if there is both a CNAME record and an 9973 MX record, the MX record is in error, and will be ignored. 9974 Instead, 9975 the mail will be delivered to the server specified in the MX 9976 record 9977 pointed to by the CNAME. 9978 For example: 9979 </p> 9980<div class="informaltable"><table border="1"> 9981<colgroup> 9982<col> 9983<col> 9984<col> 9985<col> 9986<col> 9987</colgroup> 9988<tbody> 9989<tr> 9990<td> 9991 <p> 9992 <code class="literal">example.com.</code> 9993 </p> 9994 </td> 9995<td> 9996 <p> 9997 <code class="literal">IN</code> 9998 </p> 9999 </td> 10000<td> 10001 <p> 10002 <code class="literal">MX</code> 10003 </p> 10004 </td> 10005<td> 10006 <p> 10007 <code class="literal">10</code> 10008 </p> 10009 </td> 10010<td> 10011 <p> 10012 <code class="literal">mail.example.com.</code> 10013 </p> 10014 </td> 10015</tr> 10016<tr> 10017<td> 10018 <p></p> 10019 </td> 10020<td> 10021 <p> 10022 <code class="literal">IN</code> 10023 </p> 10024 </td> 10025<td> 10026 <p> 10027 <code class="literal">MX</code> 10028 </p> 10029 </td> 10030<td> 10031 <p> 10032 <code class="literal">10</code> 10033 </p> 10034 </td> 10035<td> 10036 <p> 10037 <code class="literal">mail2.example.com.</code> 10038 </p> 10039 </td> 10040</tr> 10041<tr> 10042<td> 10043 <p></p> 10044 </td> 10045<td> 10046 <p> 10047 <code class="literal">IN</code> 10048 </p> 10049 </td> 10050<td> 10051 <p> 10052 <code class="literal">MX</code> 10053 </p> 10054 </td> 10055<td> 10056 <p> 10057 <code class="literal">20</code> 10058 </p> 10059 </td> 10060<td> 10061 <p> 10062 <code class="literal">mail.backup.org.</code> 10063 </p> 10064 </td> 10065</tr> 10066<tr> 10067<td> 10068 <p> 10069 <code class="literal">mail.example.com.</code> 10070 </p> 10071 </td> 10072<td> 10073 <p> 10074 <code class="literal">IN</code> 10075 </p> 10076 </td> 10077<td> 10078 <p> 10079 <code class="literal">A</code> 10080 </p> 10081 </td> 10082<td> 10083 <p> 10084 <code class="literal">10.0.0.1</code> 10085 </p> 10086 </td> 10087<td> 10088 <p></p> 10089 </td> 10090</tr> 10091<tr> 10092<td> 10093 <p> 10094 <code class="literal">mail2.example.com.</code> 10095 </p> 10096 </td> 10097<td> 10098 <p> 10099 <code class="literal">IN</code> 10100 </p> 10101 </td> 10102<td> 10103 <p> 10104 <code class="literal">A</code> 10105 </p> 10106 </td> 10107<td> 10108 <p> 10109 <code class="literal">10.0.0.2</code> 10110 </p> 10111 </td> 10112<td> 10113 <p></p> 10114 </td> 10115</tr> 10116</tbody> 10117</table></div> 10118<p> 10119 Mail delivery will be attempted to <code class="literal">mail.example.com</code> and 10120 <code class="literal">mail2.example.com</code> (in 10121 any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will 10122 be attempted. 10123 </p> 10124</div> 10125<div class="sect2" lang="en"> 10126<div class="titlepage"><div><div><h3 class="title"> 10127<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div> 10128<p> 10129 The time-to-live of the RR field is a 32-bit integer represented 10130 in units of seconds, and is primarily used by resolvers when they 10131 cache RRs. The TTL describes how long a RR can be cached before it 10132 should be discarded. The following three types of TTL are 10133 currently 10134 used in a zone file. 10135 </p> 10136<div class="informaltable"><table border="1"> 10137<colgroup> 10138<col> 10139<col> 10140</colgroup> 10141<tbody> 10142<tr> 10143<td> 10144 <p> 10145 SOA 10146 </p> 10147 </td> 10148<td> 10149 <p> 10150 The last field in the SOA is the negative 10151 caching TTL. This controls how long other servers will 10152 cache no-such-domain 10153 (NXDOMAIN) responses from you. 10154 </p> 10155 <p> 10156 The maximum time for 10157 negative caching is 3 hours (3h). 10158 </p> 10159 </td> 10160</tr> 10161<tr> 10162<td> 10163 <p> 10164 $TTL 10165 </p> 10166 </td> 10167<td> 10168 <p> 10169 The $TTL directive at the top of the 10170 zone file (before the SOA) gives a default TTL for every 10171 RR without 10172 a specific TTL set. 10173 </p> 10174 </td> 10175</tr> 10176<tr> 10177<td> 10178 <p> 10179 RR TTLs 10180 </p> 10181 </td> 10182<td> 10183 <p> 10184 Each RR can have a TTL as the second 10185 field in the RR, which will control how long other 10186 servers can cache it. 10187 </p> 10188 </td> 10189</tr> 10190</tbody> 10191</table></div> 10192<p> 10193 All of these TTLs default to units of seconds, though units 10194 can be explicitly specified, for example, <code class="literal">1h30m</code>. 10195 </p> 10196</div> 10197<div class="sect2" lang="en"> 10198<div class="titlepage"><div><div><h3 class="title"> 10199<a name="id2601134"></a>Inverse Mapping in IPv4</h3></div></div></div> 10200<p> 10201 Reverse name resolution (that is, translation from IP address 10202 to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain 10203 and PTR records. Entries in the in-addr.arpa domain are made in 10204 least-to-most significant order, read left to right. This is the 10205 opposite order to the way IP addresses are usually written. Thus, 10206 a machine with an IP address of 10.1.2.3 would have a 10207 corresponding 10208 in-addr.arpa name of 10209 3.2.1.10.in-addr.arpa. This name should have a PTR resource record 10210 whose data field is the name of the machine or, optionally, 10211 multiple 10212 PTR records if the machine has more than one name. For example, 10213 in the [<span class="optional">example.com</span>] domain: 10214 </p> 10215<div class="informaltable"><table border="1"> 10216<colgroup> 10217<col> 10218<col> 10219</colgroup> 10220<tbody> 10221<tr> 10222<td> 10223 <p> 10224 <code class="literal">$ORIGIN</code> 10225 </p> 10226 </td> 10227<td> 10228 <p> 10229 <code class="literal">2.1.10.in-addr.arpa</code> 10230 </p> 10231 </td> 10232</tr> 10233<tr> 10234<td> 10235 <p> 10236 <code class="literal">3</code> 10237 </p> 10238 </td> 10239<td> 10240 <p> 10241 <code class="literal">IN PTR foo.example.com.</code> 10242 </p> 10243 </td> 10244</tr> 10245</tbody> 10246</table></div> 10247<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 10248<h3 class="title">Note</h3> 10249<p> 10250 The <span><strong class="command">$ORIGIN</strong></span> lines in the examples 10251 are for providing context to the examples only — they do not 10252 necessarily 10253 appear in the actual usage. They are only used here to indicate 10254 that the example is relative to the listed origin. 10255 </p> 10256</div> 10257</div> 10258<div class="sect2" lang="en"> 10259<div class="titlepage"><div><div><h3 class="title"> 10260<a name="id2601261"></a>Other Zone File Directives</h3></div></div></div> 10261<p> 10262 The Master File Format was initially defined in RFC 1035 and 10263 has subsequently been extended. While the Master File Format 10264 itself 10265 is class independent all records in a Master File must be of the 10266 same 10267 class. 10268 </p> 10269<p> 10270 Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>, 10271 and <span><strong class="command">$TTL.</strong></span> 10272 </p> 10273<div class="sect3" lang="en"> 10274<div class="titlepage"><div><div><h4 class="title"> 10275<a name="id2601284"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div> 10276<p> 10277 When used in the label (or name) field, the asperand or 10278 at-sign (@) symbol represents the current origin. 10279 At the start of the zone file, it is the 10280 <<code class="varname">zone_name</code>> (followed by 10281 trailing dot). 10282 </p> 10283</div> 10284<div class="sect3" lang="en"> 10285<div class="titlepage"><div><div><h4 class="title"> 10286<a name="id2601300"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> 10287<p> 10288 Syntax: <span><strong class="command">$ORIGIN</strong></span> 10289 <em class="replaceable"><code>domain-name</code></em> 10290 [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] 10291 </p> 10292<p><span><strong class="command">$ORIGIN</strong></span> 10293 sets the domain name that will be appended to any 10294 unqualified records. When a zone is first read in there 10295 is an implicit <span><strong class="command">$ORIGIN</strong></span> 10296 <<code class="varname">zone_name</code>><span><strong class="command">.</strong></span> 10297 (followed by trailing dot). 10298 The current <span><strong class="command">$ORIGIN</strong></span> is appended to 10299 the domain specified in the <span><strong class="command">$ORIGIN</strong></span> 10300 argument if it is not absolute. 10301 </p> 10302<pre class="programlisting"> 10303$ORIGIN example.com. 10304WWW CNAME MAIN-SERVER 10305</pre> 10306<p> 10307 is equivalent to 10308 </p> 10309<pre class="programlisting"> 10310WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. 10311</pre> 10312</div> 10313<div class="sect3" lang="en"> 10314<div class="titlepage"><div><div><h4 class="title"> 10315<a name="id2601429"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> 10316<p> 10317 Syntax: <span><strong class="command">$INCLUDE</strong></span> 10318 <em class="replaceable"><code>filename</code></em> 10319 [<span class="optional"> 10320<em class="replaceable"><code>origin</code></em> </span>] 10321 [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>] 10322 </p> 10323<p> 10324 Read and process the file <code class="filename">filename</code> as 10325 if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is 10326 specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set 10327 to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is 10328 used. 10329 </p> 10330<p> 10331 The origin and the current domain name 10332 revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once 10333 the file has been read. 10334 </p> 10335<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 10336<h3 class="title">Note</h3> 10337<p> 10338 RFC 1035 specifies that the current origin should be restored 10339 after 10340 an <span><strong class="command">$INCLUDE</strong></span>, but it is silent 10341 on whether the current 10342 domain name should also be restored. BIND 9 restores both of 10343 them. 10344 This could be construed as a deviation from RFC 1035, a 10345 feature, or both. 10346 </p> 10347</div> 10348</div> 10349<div class="sect3" lang="en"> 10350<div class="titlepage"><div><div><h4 class="title"> 10351<a name="id2601498"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> 10352<p> 10353 Syntax: <span><strong class="command">$TTL</strong></span> 10354 <em class="replaceable"><code>default-ttl</code></em> 10355 [<span class="optional"> 10356<em class="replaceable"><code>comment</code></em> </span>] 10357 </p> 10358<p> 10359 Set the default Time To Live (TTL) for subsequent records 10360 with undefined TTLs. Valid TTLs are of the range 0-2147483647 10361 seconds. 10362 </p> 10363<p><span><strong class="command">$TTL</strong></span> 10364 is defined in RFC 2308. 10365 </p> 10366</div> 10367</div> 10368<div class="sect2" lang="en"> 10369<div class="titlepage"><div><div><h3 class="title"> 10370<a name="id2601534"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> 10371<p> 10372 Syntax: <span><strong class="command">$GENERATE</strong></span> 10373 <em class="replaceable"><code>range</code></em> 10374 <em class="replaceable"><code>lhs</code></em> 10375 [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] 10376 [<span class="optional"><em class="replaceable"><code>class</code></em></span>] 10377 <em class="replaceable"><code>type</code></em> 10378 <em class="replaceable"><code>rhs</code></em> 10379 [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] 10380 </p> 10381<p><span><strong class="command">$GENERATE</strong></span> 10382 is used to create a series of resource records that only 10383 differ from each other by an 10384 iterator. <span><strong class="command">$GENERATE</strong></span> can be used to 10385 easily generate the sets of records required to support 10386 sub /24 reverse delegations described in RFC 2317: 10387 Classless IN-ADDR.ARPA delegation. 10388 </p> 10389<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA. 10390$GENERATE 1-2 @ NS SERVER$.EXAMPLE. 10391$GENERATE 1-127 $ CNAME $.0</pre> 10392<p> 10393 is equivalent to 10394 </p> 10395<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE. 103960.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. 103971.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. 103982.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. 10399... 10400127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA. 10401</pre> 10402<p> 10403 Generate a set of A and MX records. Note the MX's right hand 10404 side is a quoted string. The quotes will be stripped when the 10405 right hand side is processed. 10406 </p> 10407<pre class="programlisting"> 10408$ORIGIN EXAMPLE. 10409$GENERATE 1-127 HOST-$ A 1.2.3.$ 10410$GENERATE 1-127 HOST-$ MX "0 ."</pre> 10411<p> 10412 is equivalent to 10413 </p> 10414<pre class="programlisting">HOST-1.EXAMPLE. A 1.2.3.1 10415HOST-1.EXAMPLE. MX 0 . 10416HOST-2.EXAMPLE. A 1.2.3.2 10417HOST-2.EXAMPLE. MX 0 . 10418HOST-3.EXAMPLE. A 1.2.3.3 10419HOST-3.EXAMPLE. MX 0 . 10420... 10421HOST-127.EXAMPLE. A 1.2.3.127 10422HOST-127.EXAMPLE. MX 0 . 10423</pre> 10424<div class="informaltable"><table border="1"> 10425<colgroup> 10426<col> 10427<col> 10428</colgroup> 10429<tbody> 10430<tr> 10431<td> 10432 <p><span><strong class="command">range</strong></span></p> 10433 </td> 10434<td> 10435 <p> 10436 This can be one of two forms: start-stop 10437 or start-stop/step. If the first form is used, then step 10438 is set to 1. start, stop and step must be positive 10439 integers between 0 and (2^31)-1. start must not be 10440 larger than stop. 10441 </p> 10442 </td> 10443</tr> 10444<tr> 10445<td> 10446 <p><span><strong class="command">lhs</strong></span></p> 10447 </td> 10448<td> 10449 <p>This 10450 describes the owner name of the resource records 10451 to be created. Any single <span><strong class="command">$</strong></span> 10452 (dollar sign) 10453 symbols within the <span><strong class="command">lhs</strong></span> string 10454 are replaced by the iterator value. 10455 10456 To get a $ in the output, you need to escape the 10457 <span><strong class="command">$</strong></span> using a backslash 10458 <span><strong class="command">\</strong></span>, 10459 e.g. <span><strong class="command">\$</strong></span>. The 10460 <span><strong class="command">$</strong></span> may optionally be followed 10461 by modifiers which change the offset from the 10462 iterator, field width and base. 10463 10464 Modifiers are introduced by a 10465 <span><strong class="command">{</strong></span> (left brace) immediately following the 10466 <span><strong class="command">$</strong></span> as 10467 <span><strong class="command">${offset[,width[,base]]}</strong></span>. 10468 For example, <span><strong class="command">${-20,3,d}</strong></span> 10469 subtracts 20 from the current value, prints the 10470 result as a decimal in a zero-padded field of 10471 width 3. 10472 10473 Available output forms are decimal 10474 (<span><strong class="command">d</strong></span>), octal 10475 (<span><strong class="command">o</strong></span>), hexadecimal 10476 (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> 10477 for uppercase) and nibble 10478 (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\ 10479 for uppercase). The default modifier is 10480 <span><strong class="command">${0,0,d}</strong></span>. If the 10481 <span><strong class="command">lhs</strong></span> is not absolute, the 10482 current <span><strong class="command">$ORIGIN</strong></span> is appended 10483 to the name. 10484 </p> 10485 <p> 10486 In nibble mode the value will be treated as 10487 if it was a reversed hexadecimal string 10488 with each hexadecimal digit as a separate 10489 label. The width field includes the label 10490 separator. 10491 </p> 10492 <p> 10493 For compatibility with earlier versions, 10494 <span><strong class="command">$$</strong></span> is still recognized as 10495 indicating a literal $ in the output. 10496 </p> 10497 </td> 10498</tr> 10499<tr> 10500<td> 10501 <p><span><strong class="command">ttl</strong></span></p> 10502 </td> 10503<td> 10504 <p> 10505 Specifies the time-to-live of the generated records. If 10506 not specified this will be inherited using the 10507 normal TTL inheritance rules. 10508 </p> 10509 <p><span><strong class="command">class</strong></span> 10510 and <span><strong class="command">ttl</strong></span> can be 10511 entered in either order. 10512 </p> 10513 </td> 10514</tr> 10515<tr> 10516<td> 10517 <p><span><strong class="command">class</strong></span></p> 10518 </td> 10519<td> 10520 <p> 10521 Specifies the class of the generated records. 10522 This must match the zone class if it is 10523 specified. 10524 </p> 10525 <p><span><strong class="command">class</strong></span> 10526 and <span><strong class="command">ttl</strong></span> can be 10527 entered in either order. 10528 </p> 10529 </td> 10530</tr> 10531<tr> 10532<td> 10533 <p><span><strong class="command">type</strong></span></p> 10534 </td> 10535<td> 10536 <p> 10537 Any valid type. 10538 </p> 10539 </td> 10540</tr> 10541<tr> 10542<td> 10543 <p><span><strong class="command">rhs</strong></span></p> 10544 </td> 10545<td> 10546 <p> 10547 <span><strong class="command">rhs</strong></span>, optionally, quoted string. 10548 </p> 10549 </td> 10550</tr> 10551</tbody> 10552</table></div> 10553<p> 10554 The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension 10555 and not part of the standard zone file format. 10556 </p> 10557<p> 10558 BIND 8 does not support the optional TTL and CLASS fields. 10559 </p> 10560</div> 10561<div class="sect2" lang="en"> 10562<div class="titlepage"><div><div><h3 class="title"> 10563<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div> 10564<p> 10565 In addition to the standard textual format, BIND 9 10566 supports the ability to read or dump to zone files in 10567 other formats. 10568 </p> 10569<p> 10570 The <code class="constant">raw</code> format is 10571 a binary representation of zone data in a manner similar 10572 to that used in zone transfers. Since it does not require 10573 parsing text, load time is significantly reduced. 10574 </p> 10575<p> 10576 An even faster alternative is the <code class="constant">map</code> 10577 format, which is an image of a <acronym class="acronym">BIND</acronym> 9 10578 in-memory zone database; it is capable of being loaded 10579 directly into memory via the <span><strong class="command">mmap()</strong></span> 10580 function; the zone can begin serving queries almost 10581 immediately. 10582 </p> 10583<p> 10584 For a primary server, a zone file in 10585 <code class="constant">raw</code> or <code class="constant">map</code> 10586 format is expected to be generated from a textual zone 10587 file by the <span><strong class="command">named-compilezone</strong></span> command. 10588 For a secondary server or for a dynamic zone, it is automatically 10589 generated (if this format is specified by the 10590 <span><strong class="command">masterfile-format</strong></span> option) when 10591 <span><strong class="command">named</strong></span> dumps the zone contents after 10592 zone transfer or when applying prior updates. 10593 </p> 10594<p> 10595 If a zone file in a binary format needs manual modification, 10596 it first must be converted to a textual form by the 10597 <span><strong class="command">named-compilezone</strong></span> command. All 10598 necessary modification should go to the text file, which 10599 should then be converted to the binary form by the 10600 <span><strong class="command">named-compilezone</strong></span> command again. 10601 </p> 10602<p> 10603 Note that <span><strong class="command">map</strong></span> format is extremely 10604 architecture-specific. A <code class="constant">map</code> 10605 file <span class="emphasis"><em>cannot</em></span> be used on a system 10606 with different pointer size, endianness or data alignment 10607 than the system on which it was generated, and should in 10608 general be used only inside a single system. 10609 While <code class="constant">raw</code> format uses 10610 network byte order and avoids architecture-dependent 10611 data alignment so that it is as portable as 10612 possible, it is also primarily expected to be used 10613 inside the same single system. To export a 10614 zone file in either <code class="constant">raw</code> or 10615 <code class="constant">map</code> format, or make a 10616 portable backup of such a file, conversion to 10617 <code class="constant">text</code> format is recommended. 10618 </p> 10619</div> 10620</div> 10621<div class="sect1" lang="en"> 10622<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 10623<a name="statistics"></a>BIND9 Statistics</h2></div></div></div> 10624<p> 10625 <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics 10626 information and provides several interfaces for users to 10627 get access to the statistics. 10628 The available statistics include all statistics counters 10629 that were available in <acronym class="acronym">BIND</acronym> 8 and 10630 are meaningful in <acronym class="acronym">BIND</acronym> 9, 10631 and other information that is considered useful. 10632 </p> 10633<p> 10634 The statistics information is categorized into the following 10635 sections. 10636 </p> 10637<div class="informaltable"><table border="1"> 10638<colgroup> 10639<col> 10640<col> 10641</colgroup> 10642<tbody> 10643<tr> 10644<td> 10645 <p>Incoming Requests</p> 10646 </td> 10647<td> 10648 <p> 10649 The number of incoming DNS requests for each OPCODE. 10650 </p> 10651 </td> 10652</tr> 10653<tr> 10654<td> 10655 <p>Incoming Queries</p> 10656 </td> 10657<td> 10658 <p> 10659 The number of incoming queries for each RR type. 10660 </p> 10661 </td> 10662</tr> 10663<tr> 10664<td> 10665 <p>Outgoing Queries</p> 10666 </td> 10667<td> 10668 <p> 10669 The number of outgoing queries for each RR 10670 type sent from the internal resolver. 10671 Maintained per view. 10672 </p> 10673 </td> 10674</tr> 10675<tr> 10676<td> 10677 <p>Name Server Statistics</p> 10678 </td> 10679<td> 10680 <p> 10681 Statistics counters about incoming request processing. 10682 </p> 10683 </td> 10684</tr> 10685<tr> 10686<td> 10687 <p>Zone Maintenance Statistics</p> 10688 </td> 10689<td> 10690 <p> 10691 Statistics counters regarding zone maintenance 10692 operations such as zone transfers. 10693 </p> 10694 </td> 10695</tr> 10696<tr> 10697<td> 10698 <p>Resolver Statistics</p> 10699 </td> 10700<td> 10701 <p> 10702 Statistics counters about name resolution 10703 performed in the internal resolver. 10704 Maintained per view. 10705 </p> 10706 </td> 10707</tr> 10708<tr> 10709<td> 10710 <p>Cache DB RRsets</p> 10711 </td> 10712<td> 10713 <p> 10714 The number of RRsets per RR type and nonexistent 10715 names stored in the cache database. 10716 If the exclamation mark (!) is printed for a RR 10717 type, it means that particular type of RRset is 10718 known to be nonexistent (this is also known as 10719 "NXRRSET"). If a hash mark (#) is present then 10720 the RRset is marked for garbage collection. 10721 Maintained per view. 10722 </p> 10723 </td> 10724</tr> 10725<tr> 10726<td> 10727 <p>Socket I/O Statistics</p> 10728 </td> 10729<td> 10730 <p> 10731 Statistics counters about network related events. 10732 </p> 10733 </td> 10734</tr> 10735</tbody> 10736</table></div> 10737<p> 10738 A subset of Name Server Statistics is collected and shown 10739 per zone for which the server has the authority when 10740 <span><strong class="command">zone-statistics</strong></span> is set to 10741 <strong class="userinput"><code>yes</code></strong>. 10742 These statistics counters are shown with their zone and view 10743 names. 10744 In some cases the view names are omitted for the default view. 10745 </p> 10746<p> 10747 There are currently two user interfaces to get access to the 10748 statistics. 10749 One is in the plain text format dumped to the file specified 10750 by the <span><strong class="command">statistics-file</strong></span> configuration option. 10751 The other is remotely accessible via a statistics channel 10752 when the <span><strong class="command">statistics-channels</strong></span> statement 10753 is specified in the configuration file 10754 (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.) 10755 </p> 10756<div class="sect3" lang="en"> 10757<div class="titlepage"><div><div><h4 class="title"> 10758<a name="statsfile"></a>The Statistics File</h4></div></div></div> 10759<p> 10760 The text format statistics dump begins with a line, like: 10761 </p> 10762<p> 10763 <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span> 10764 </p> 10765<p> 10766 The number in parentheses is a standard 10767 Unix-style timestamp, measured as seconds since January 1, 1970. 10768 10769 Following 10770 that line is a set of statistics information, which is categorized 10771 as described above. 10772 Each section begins with a line, like: 10773 </p> 10774<p> 10775 <span><strong class="command">++ Name Server Statistics ++</strong></span> 10776 </p> 10777<p> 10778 Each section consists of lines, each containing the statistics 10779 counter value followed by its textual description. 10780 See below for available counters. 10781 For brevity, counters that have a value of 0 are not shown 10782 in the statistics file. 10783 </p> 10784<p> 10785 The statistics dump ends with the line where the 10786 number is identical to the number in the beginning line; for example: 10787 </p> 10788<p> 10789 <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span> 10790 </p> 10791</div> 10792<div class="sect2" lang="en"> 10793<div class="titlepage"><div><div><h3 class="title"> 10794<a name="statistics_counters"></a>Statistics Counters</h3></div></div></div> 10795<p> 10796 The following tables summarize statistics counters that 10797 <acronym class="acronym">BIND</acronym> 9 provides. 10798 For each row of the tables, the leftmost column is the 10799 abbreviated symbol name of that counter. 10800 These symbols are shown in the statistics information 10801 accessed via an HTTP statistics channel. 10802 The rightmost column gives the description of the counter, 10803 which is also shown in the statistics file 10804 (but, in this document, possibly with slight modification 10805 for better readability). 10806 Additional notes may also be provided in this column. 10807 When a middle column exists between these two columns, 10808 it gives the corresponding counter name of the 10809 <acronym class="acronym">BIND</acronym> 8 statistics, if applicable. 10810 </p> 10811<div class="sect3" lang="en"> 10812<div class="titlepage"><div><div><h4 class="title"> 10813<a name="id2602597"></a>Name Server Statistics Counters</h4></div></div></div> 10814<div class="informaltable"><table border="1"> 10815<colgroup> 10816<col> 10817<col> 10818<col> 10819</colgroup> 10820<tbody> 10821<tr> 10822<td> 10823 <p> 10824 <span class="emphasis"><em>Symbol</em></span> 10825 </p> 10826 </td> 10827<td> 10828 <p> 10829 <span class="emphasis"><em>BIND8 Symbol</em></span> 10830 </p> 10831 </td> 10832<td> 10833 <p> 10834 <span class="emphasis"><em>Description</em></span> 10835 </p> 10836 </td> 10837</tr> 10838<tr> 10839<td> 10840 <p><span><strong class="command">Requestv4</strong></span></p> 10841 </td> 10842<td> 10843 <p><span><strong class="command">RQ</strong></span></p> 10844 </td> 10845<td> 10846 <p> 10847 IPv4 requests received. 10848 Note: this also counts non query requests. 10849 </p> 10850 </td> 10851</tr> 10852<tr> 10853<td> 10854 <p><span><strong class="command">Requestv6</strong></span></p> 10855 </td> 10856<td> 10857 <p><span><strong class="command">RQ</strong></span></p> 10858 </td> 10859<td> 10860 <p> 10861 IPv6 requests received. 10862 Note: this also counts non query requests. 10863 </p> 10864 </td> 10865</tr> 10866<tr> 10867<td> 10868 <p><span><strong class="command">ReqEdns0</strong></span></p> 10869 </td> 10870<td> 10871 <p><span><strong class="command"></strong></span></p> 10872 </td> 10873<td> 10874 <p> 10875 Requests with EDNS(0) received. 10876 </p> 10877 </td> 10878</tr> 10879<tr> 10880<td> 10881 <p><span><strong class="command">ReqBadEDNSVer</strong></span></p> 10882 </td> 10883<td> 10884 <p><span><strong class="command"></strong></span></p> 10885 </td> 10886<td> 10887 <p> 10888 Requests with unsupported EDNS version received. 10889 </p> 10890 </td> 10891</tr> 10892<tr> 10893<td> 10894 <p><span><strong class="command">ReqTSIG</strong></span></p> 10895 </td> 10896<td> 10897 <p><span><strong class="command"></strong></span></p> 10898 </td> 10899<td> 10900 <p> 10901 Requests with TSIG received. 10902 </p> 10903 </td> 10904</tr> 10905<tr> 10906<td> 10907 <p><span><strong class="command">ReqSIG0</strong></span></p> 10908 </td> 10909<td> 10910 <p><span><strong class="command"></strong></span></p> 10911 </td> 10912<td> 10913 <p> 10914 Requests with SIG(0) received. 10915 </p> 10916 </td> 10917</tr> 10918<tr> 10919<td> 10920 <p><span><strong class="command">ReqBadSIG</strong></span></p> 10921 </td> 10922<td> 10923 <p><span><strong class="command"></strong></span></p> 10924 </td> 10925<td> 10926 <p> 10927 Requests with invalid (TSIG or SIG(0)) signature. 10928 </p> 10929 </td> 10930</tr> 10931<tr> 10932<td> 10933 <p><span><strong class="command">ReqTCP</strong></span></p> 10934 </td> 10935<td> 10936 <p><span><strong class="command">RTCP</strong></span></p> 10937 </td> 10938<td> 10939 <p> 10940 TCP requests received. 10941 </p> 10942 </td> 10943</tr> 10944<tr> 10945<td> 10946 <p><span><strong class="command">AuthQryRej</strong></span></p> 10947 </td> 10948<td> 10949 <p><span><strong class="command">RUQ</strong></span></p> 10950 </td> 10951<td> 10952 <p> 10953 Authoritative (non recursive) queries rejected. 10954 </p> 10955 </td> 10956</tr> 10957<tr> 10958<td> 10959 <p><span><strong class="command">RecQryRej</strong></span></p> 10960 </td> 10961<td> 10962 <p><span><strong class="command">RURQ</strong></span></p> 10963 </td> 10964<td> 10965 <p> 10966 Recursive queries rejected. 10967 </p> 10968 </td> 10969</tr> 10970<tr> 10971<td> 10972 <p><span><strong class="command">XfrRej</strong></span></p> 10973 </td> 10974<td> 10975 <p><span><strong class="command">RUXFR</strong></span></p> 10976 </td> 10977<td> 10978 <p> 10979 Zone transfer requests rejected. 10980 </p> 10981 </td> 10982</tr> 10983<tr> 10984<td> 10985 <p><span><strong class="command">UpdateRej</strong></span></p> 10986 </td> 10987<td> 10988 <p><span><strong class="command">RUUpd</strong></span></p> 10989 </td> 10990<td> 10991 <p> 10992 Dynamic update requests rejected. 10993 </p> 10994 </td> 10995</tr> 10996<tr> 10997<td> 10998 <p><span><strong class="command">Response</strong></span></p> 10999 </td> 11000<td> 11001 <p><span><strong class="command">SAns</strong></span></p> 11002 </td> 11003<td> 11004 <p> 11005 Responses sent. 11006 </p> 11007 </td> 11008</tr> 11009<tr> 11010<td> 11011 <p><span><strong class="command">RespTruncated</strong></span></p> 11012 </td> 11013<td> 11014 <p><span><strong class="command"></strong></span></p> 11015 </td> 11016<td> 11017 <p> 11018 Truncated responses sent. 11019 </p> 11020 </td> 11021</tr> 11022<tr> 11023<td> 11024 <p><span><strong class="command">RespEDNS0</strong></span></p> 11025 </td> 11026<td> 11027 <p><span><strong class="command"></strong></span></p> 11028 </td> 11029<td> 11030 <p> 11031 Responses with EDNS(0) sent. 11032 </p> 11033 </td> 11034</tr> 11035<tr> 11036<td> 11037 <p><span><strong class="command">RespTSIG</strong></span></p> 11038 </td> 11039<td> 11040 <p><span><strong class="command"></strong></span></p> 11041 </td> 11042<td> 11043 <p> 11044 Responses with TSIG sent. 11045 </p> 11046 </td> 11047</tr> 11048<tr> 11049<td> 11050 <p><span><strong class="command">RespSIG0</strong></span></p> 11051 </td> 11052<td> 11053 <p><span><strong class="command"></strong></span></p> 11054 </td> 11055<td> 11056 <p> 11057 Responses with SIG(0) sent. 11058 </p> 11059 </td> 11060</tr> 11061<tr> 11062<td> 11063 <p><span><strong class="command">QrySuccess</strong></span></p> 11064 </td> 11065<td> 11066 <p><span><strong class="command"></strong></span></p> 11067 </td> 11068<td> 11069 <p> 11070 Queries resulted in a successful answer. 11071 This means the query which returns a NOERROR response 11072 with at least one answer RR. 11073 This corresponds to the 11074 <span><strong class="command">success</strong></span> counter 11075 of previous versions of 11076 <acronym class="acronym">BIND</acronym> 9. 11077 </p> 11078 </td> 11079</tr> 11080<tr> 11081<td> 11082 <p><span><strong class="command">QryAuthAns</strong></span></p> 11083 </td> 11084<td> 11085 <p><span><strong class="command"></strong></span></p> 11086 </td> 11087<td> 11088 <p> 11089 Queries resulted in authoritative answer. 11090 </p> 11091 </td> 11092</tr> 11093<tr> 11094<td> 11095 <p><span><strong class="command">QryNoauthAns</strong></span></p> 11096 </td> 11097<td> 11098 <p><span><strong class="command">SNaAns</strong></span></p> 11099 </td> 11100<td> 11101 <p> 11102 Queries resulted in non authoritative answer. 11103 </p> 11104 </td> 11105</tr> 11106<tr> 11107<td> 11108 <p><span><strong class="command">QryReferral</strong></span></p> 11109 </td> 11110<td> 11111 <p><span><strong class="command"></strong></span></p> 11112 </td> 11113<td> 11114 <p> 11115 Queries resulted in referral answer. 11116 This corresponds to the 11117 <span><strong class="command">referral</strong></span> counter 11118 of previous versions of 11119 <acronym class="acronym">BIND</acronym> 9. 11120 </p> 11121 </td> 11122</tr> 11123<tr> 11124<td> 11125 <p><span><strong class="command">QryNxrrset</strong></span></p> 11126 </td> 11127<td> 11128 <p><span><strong class="command"></strong></span></p> 11129 </td> 11130<td> 11131 <p> 11132 Queries resulted in NOERROR responses with no data. 11133 This corresponds to the 11134 <span><strong class="command">nxrrset</strong></span> counter 11135 of previous versions of 11136 <acronym class="acronym">BIND</acronym> 9. 11137 </p> 11138 </td> 11139</tr> 11140<tr> 11141<td> 11142 <p><span><strong class="command">QrySERVFAIL</strong></span></p> 11143 </td> 11144<td> 11145 <p><span><strong class="command">SFail</strong></span></p> 11146 </td> 11147<td> 11148 <p> 11149 Queries resulted in SERVFAIL. 11150 </p> 11151 </td> 11152</tr> 11153<tr> 11154<td> 11155 <p><span><strong class="command">QryFORMERR</strong></span></p> 11156 </td> 11157<td> 11158 <p><span><strong class="command">SFErr</strong></span></p> 11159 </td> 11160<td> 11161 <p> 11162 Queries resulted in FORMERR. 11163 </p> 11164 </td> 11165</tr> 11166<tr> 11167<td> 11168 <p><span><strong class="command">QryNXDOMAIN</strong></span></p> 11169 </td> 11170<td> 11171 <p><span><strong class="command">SNXD</strong></span></p> 11172 </td> 11173<td> 11174 <p> 11175 Queries resulted in NXDOMAIN. 11176 This corresponds to the 11177 <span><strong class="command">nxdomain</strong></span> counter 11178 of previous versions of 11179 <acronym class="acronym">BIND</acronym> 9. 11180 </p> 11181 </td> 11182</tr> 11183<tr> 11184<td> 11185 <p><span><strong class="command">QryRecursion</strong></span></p> 11186 </td> 11187<td> 11188 <p><span><strong class="command">RFwdQ</strong></span></p> 11189 </td> 11190<td> 11191 <p> 11192 Queries which caused the server 11193 to perform recursion in order to find the final answer. 11194 This corresponds to the 11195 <span><strong class="command">recursion</strong></span> counter 11196 of previous versions of 11197 <acronym class="acronym">BIND</acronym> 9. 11198 </p> 11199 </td> 11200</tr> 11201<tr> 11202<td> 11203 <p><span><strong class="command">QryDuplicate</strong></span></p> 11204 </td> 11205<td> 11206 <p><span><strong class="command">RDupQ</strong></span></p> 11207 </td> 11208<td> 11209 <p> 11210 Queries which the server attempted to 11211 recurse but discovered an existing query with the same 11212 IP address, port, query ID, name, type and class 11213 already being processed. 11214 This corresponds to the 11215 <span><strong class="command">duplicate</strong></span> counter 11216 of previous versions of 11217 <acronym class="acronym">BIND</acronym> 9. 11218 </p> 11219 </td> 11220</tr> 11221<tr> 11222<td> 11223 <p><span><strong class="command">QryDropped</strong></span></p> 11224 </td> 11225<td> 11226 <p><span><strong class="command"></strong></span></p> 11227 </td> 11228<td> 11229 <p> 11230 Recursive queries for which the server 11231 discovered an excessive number of existing 11232 recursive queries for the same name, type and 11233 class and were subsequently dropped. 11234 This is the number of dropped queries due to 11235 the reason explained with the 11236 <span><strong class="command">clients-per-query</strong></span> 11237 and 11238 <span><strong class="command">max-clients-per-query</strong></span> 11239 options 11240 (see the description about 11241 <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.) 11242 This corresponds to the 11243 <span><strong class="command">dropped</strong></span> counter 11244 of previous versions of 11245 <acronym class="acronym">BIND</acronym> 9. 11246 </p> 11247 </td> 11248</tr> 11249<tr> 11250<td> 11251 <p><span><strong class="command">QryFailure</strong></span></p> 11252 </td> 11253<td> 11254 <p><span><strong class="command"></strong></span></p> 11255 </td> 11256<td> 11257 <p> 11258 Other query failures. 11259 This corresponds to the 11260 <span><strong class="command">failure</strong></span> counter 11261 of previous versions of 11262 <acronym class="acronym">BIND</acronym> 9. 11263 Note: this counter is provided mainly for 11264 backward compatibility with the previous versions. 11265 Normally a more fine-grained counters such as 11266 <span><strong class="command">AuthQryRej</strong></span> and 11267 <span><strong class="command">RecQryRej</strong></span> 11268 that would also fall into this counter are provided, 11269 and so this counter would not be of much 11270 interest in practice. 11271 </p> 11272 </td> 11273</tr> 11274<tr> 11275<td> 11276 <p><span><strong class="command">XfrReqDone</strong></span></p> 11277 </td> 11278<td> 11279 <p><span><strong class="command"></strong></span></p> 11280 </td> 11281<td> 11282 <p> 11283 Requested zone transfers completed. 11284 </p> 11285 </td> 11286</tr> 11287<tr> 11288<td> 11289 <p><span><strong class="command">UpdateReqFwd</strong></span></p> 11290 </td> 11291<td> 11292 <p><span><strong class="command"></strong></span></p> 11293 </td> 11294<td> 11295 <p> 11296 Update requests forwarded. 11297 </p> 11298 </td> 11299</tr> 11300<tr> 11301<td> 11302 <p><span><strong class="command">UpdateRespFwd</strong></span></p> 11303 </td> 11304<td> 11305 <p><span><strong class="command"></strong></span></p> 11306 </td> 11307<td> 11308 <p> 11309 Update responses forwarded. 11310 </p> 11311 </td> 11312</tr> 11313<tr> 11314<td> 11315 <p><span><strong class="command">UpdateFwdFail</strong></span></p> 11316 </td> 11317<td> 11318 <p><span><strong class="command"></strong></span></p> 11319 </td> 11320<td> 11321 <p> 11322 Dynamic update forward failed. 11323 </p> 11324 </td> 11325</tr> 11326<tr> 11327<td> 11328 <p><span><strong class="command">UpdateDone</strong></span></p> 11329 </td> 11330<td> 11331 <p><span><strong class="command"></strong></span></p> 11332 </td> 11333<td> 11334 <p> 11335 Dynamic updates completed. 11336 </p> 11337 </td> 11338</tr> 11339<tr> 11340<td> 11341 <p><span><strong class="command">UpdateFail</strong></span></p> 11342 </td> 11343<td> 11344 <p><span><strong class="command"></strong></span></p> 11345 </td> 11346<td> 11347 <p> 11348 Dynamic updates failed. 11349 </p> 11350 </td> 11351</tr> 11352<tr> 11353<td> 11354 <p><span><strong class="command">UpdateBadPrereq</strong></span></p> 11355 </td> 11356<td> 11357 <p><span><strong class="command"></strong></span></p> 11358 </td> 11359<td> 11360 <p> 11361 Dynamic updates rejected due to prerequisite failure. 11362 </p> 11363 </td> 11364</tr> 11365<tr> 11366<td> 11367 <p><span><strong class="command">RateDropped</strong></span></p> 11368 </td> 11369<td> 11370 <p><span><strong class="command"></strong></span></p> 11371 </td> 11372<td> 11373 <p> 11374 Responses dropped by rate limits. 11375 </p> 11376 </td> 11377</tr> 11378<tr> 11379<td> 11380 <p><span><strong class="command">RateSlipped</strong></span></p> 11381 </td> 11382<td> 11383 <p><span><strong class="command"></strong></span></p> 11384 </td> 11385<td> 11386 <p> 11387 Responses truncated by rate limits. 11388 </p> 11389 </td> 11390</tr> 11391<tr> 11392<td> 11393 <p><span><strong class="command">RPZRewrites</strong></span></p> 11394 </td> 11395<td> 11396 <p><span><strong class="command"></strong></span></p> 11397 </td> 11398<td> 11399 <p> 11400 Response policy zone rewrites. 11401 </p> 11402 </td> 11403</tr> 11404</tbody> 11405</table></div> 11406</div> 11407<div class="sect3" lang="en"> 11408<div class="titlepage"><div><div><h4 class="title"> 11409<a name="id2604302"></a>Zone Maintenance Statistics Counters</h4></div></div></div> 11410<div class="informaltable"><table border="1"> 11411<colgroup> 11412<col> 11413<col> 11414</colgroup> 11415<tbody> 11416<tr> 11417<td> 11418 <p> 11419 <span class="emphasis"><em>Symbol</em></span> 11420 </p> 11421 </td> 11422<td> 11423 <p> 11424 <span class="emphasis"><em>Description</em></span> 11425 </p> 11426 </td> 11427</tr> 11428<tr> 11429<td> 11430 <p><span><strong class="command">NotifyOutv4</strong></span></p> 11431 </td> 11432<td> 11433 <p> 11434 IPv4 notifies sent. 11435 </p> 11436 </td> 11437</tr> 11438<tr> 11439<td> 11440 <p><span><strong class="command">NotifyOutv6</strong></span></p> 11441 </td> 11442<td> 11443 <p> 11444 IPv6 notifies sent. 11445 </p> 11446 </td> 11447</tr> 11448<tr> 11449<td> 11450 <p><span><strong class="command">NotifyInv4</strong></span></p> 11451 </td> 11452<td> 11453 <p> 11454 IPv4 notifies received. 11455 </p> 11456 </td> 11457</tr> 11458<tr> 11459<td> 11460 <p><span><strong class="command">NotifyInv6</strong></span></p> 11461 </td> 11462<td> 11463 <p> 11464 IPv6 notifies received. 11465 </p> 11466 </td> 11467</tr> 11468<tr> 11469<td> 11470 <p><span><strong class="command">NotifyRej</strong></span></p> 11471 </td> 11472<td> 11473 <p> 11474 Incoming notifies rejected. 11475 </p> 11476 </td> 11477</tr> 11478<tr> 11479<td> 11480 <p><span><strong class="command">SOAOutv4</strong></span></p> 11481 </td> 11482<td> 11483 <p> 11484 IPv4 SOA queries sent. 11485 </p> 11486 </td> 11487</tr> 11488<tr> 11489<td> 11490 <p><span><strong class="command">SOAOutv6</strong></span></p> 11491 </td> 11492<td> 11493 <p> 11494 IPv6 SOA queries sent. 11495 </p> 11496 </td> 11497</tr> 11498<tr> 11499<td> 11500 <p><span><strong class="command">AXFRReqv4</strong></span></p> 11501 </td> 11502<td> 11503 <p> 11504 IPv4 AXFR requested. 11505 </p> 11506 </td> 11507</tr> 11508<tr> 11509<td> 11510 <p><span><strong class="command">AXFRReqv6</strong></span></p> 11511 </td> 11512<td> 11513 <p> 11514 IPv6 AXFR requested. 11515 </p> 11516 </td> 11517</tr> 11518<tr> 11519<td> 11520 <p><span><strong class="command">IXFRReqv4</strong></span></p> 11521 </td> 11522<td> 11523 <p> 11524 IPv4 IXFR requested. 11525 </p> 11526 </td> 11527</tr> 11528<tr> 11529<td> 11530 <p><span><strong class="command">IXFRReqv6</strong></span></p> 11531 </td> 11532<td> 11533 <p> 11534 IPv6 IXFR requested. 11535 </p> 11536 </td> 11537</tr> 11538<tr> 11539<td> 11540 <p><span><strong class="command">XfrSuccess</strong></span></p> 11541 </td> 11542<td> 11543 <p> 11544 Zone transfer requests succeeded. 11545 </p> 11546 </td> 11547</tr> 11548<tr> 11549<td> 11550 <p><span><strong class="command">XfrFail</strong></span></p> 11551 </td> 11552<td> 11553 <p> 11554 Zone transfer requests failed. 11555 </p> 11556 </td> 11557</tr> 11558</tbody> 11559</table></div> 11560</div> 11561<div class="sect3" lang="en"> 11562<div class="titlepage"><div><div><h4 class="title"> 11563<a name="id2604685"></a>Resolver Statistics Counters</h4></div></div></div> 11564<div class="informaltable"><table border="1"> 11565<colgroup> 11566<col> 11567<col> 11568<col> 11569</colgroup> 11570<tbody> 11571<tr> 11572<td> 11573 <p> 11574 <span class="emphasis"><em>Symbol</em></span> 11575 </p> 11576 </td> 11577<td> 11578 <p> 11579 <span class="emphasis"><em>BIND8 Symbol</em></span> 11580 </p> 11581 </td> 11582<td> 11583 <p> 11584 <span class="emphasis"><em>Description</em></span> 11585 </p> 11586 </td> 11587</tr> 11588<tr> 11589<td> 11590 <p><span><strong class="command">Queryv4</strong></span></p> 11591 </td> 11592<td> 11593 <p><span><strong class="command">SFwdQ</strong></span></p> 11594 </td> 11595<td> 11596 <p> 11597 IPv4 queries sent. 11598 </p> 11599 </td> 11600</tr> 11601<tr> 11602<td> 11603 <p><span><strong class="command">Queryv6</strong></span></p> 11604 </td> 11605<td> 11606 <p><span><strong class="command">SFwdQ</strong></span></p> 11607 </td> 11608<td> 11609 <p> 11610 IPv6 queries sent. 11611 </p> 11612 </td> 11613</tr> 11614<tr> 11615<td> 11616 <p><span><strong class="command">Responsev4</strong></span></p> 11617 </td> 11618<td> 11619 <p><span><strong class="command">RR</strong></span></p> 11620 </td> 11621<td> 11622 <p> 11623 IPv4 responses received. 11624 </p> 11625 </td> 11626</tr> 11627<tr> 11628<td> 11629 <p><span><strong class="command">Responsev6</strong></span></p> 11630 </td> 11631<td> 11632 <p><span><strong class="command">RR</strong></span></p> 11633 </td> 11634<td> 11635 <p> 11636 IPv6 responses received. 11637 </p> 11638 </td> 11639</tr> 11640<tr> 11641<td> 11642 <p><span><strong class="command">NXDOMAIN</strong></span></p> 11643 </td> 11644<td> 11645 <p><span><strong class="command">RNXD</strong></span></p> 11646 </td> 11647<td> 11648 <p> 11649 NXDOMAIN received. 11650 </p> 11651 </td> 11652</tr> 11653<tr> 11654<td> 11655 <p><span><strong class="command">SERVFAIL</strong></span></p> 11656 </td> 11657<td> 11658 <p><span><strong class="command">RFail</strong></span></p> 11659 </td> 11660<td> 11661 <p> 11662 SERVFAIL received. 11663 </p> 11664 </td> 11665</tr> 11666<tr> 11667<td> 11668 <p><span><strong class="command">FORMERR</strong></span></p> 11669 </td> 11670<td> 11671 <p><span><strong class="command">RFErr</strong></span></p> 11672 </td> 11673<td> 11674 <p> 11675 FORMERR received. 11676 </p> 11677 </td> 11678</tr> 11679<tr> 11680<td> 11681 <p><span><strong class="command">OtherError</strong></span></p> 11682 </td> 11683<td> 11684 <p><span><strong class="command">RErr</strong></span></p> 11685 </td> 11686<td> 11687 <p> 11688 Other errors received. 11689 </p> 11690 </td> 11691</tr> 11692<tr> 11693<td> 11694 <p><span><strong class="command">EDNS0Fail</strong></span></p> 11695 </td> 11696<td> 11697 <p><span><strong class="command"></strong></span></p> 11698 </td> 11699<td> 11700 <p> 11701 EDNS(0) query failures. 11702 </p> 11703 </td> 11704</tr> 11705<tr> 11706<td> 11707 <p><span><strong class="command">Mismatch</strong></span></p> 11708 </td> 11709<td> 11710 <p><span><strong class="command">RDupR</strong></span></p> 11711 </td> 11712<td> 11713 <p> 11714 Mismatch responses received. 11715 The DNS ID, response's source address, 11716 and/or the response's source port does not 11717 match what was expected. 11718 (The port must be 53 or as defined by 11719 the <span><strong class="command">port</strong></span> option.) 11720 This may be an indication of a cache 11721 poisoning attempt. 11722 </p> 11723 </td> 11724</tr> 11725<tr> 11726<td> 11727 <p><span><strong class="command">Truncated</strong></span></p> 11728 </td> 11729<td> 11730 <p><span><strong class="command"></strong></span></p> 11731 </td> 11732<td> 11733 <p> 11734 Truncated responses received. 11735 </p> 11736 </td> 11737</tr> 11738<tr> 11739<td> 11740 <p><span><strong class="command">Lame</strong></span></p> 11741 </td> 11742<td> 11743 <p><span><strong class="command">RLame</strong></span></p> 11744 </td> 11745<td> 11746 <p> 11747 Lame delegations received. 11748 </p> 11749 </td> 11750</tr> 11751<tr> 11752<td> 11753 <p><span><strong class="command">Retry</strong></span></p> 11754 </td> 11755<td> 11756 <p><span><strong class="command">SDupQ</strong></span></p> 11757 </td> 11758<td> 11759 <p> 11760 Query retries performed. 11761 </p> 11762 </td> 11763</tr> 11764<tr> 11765<td> 11766 <p><span><strong class="command">QueryAbort</strong></span></p> 11767 </td> 11768<td> 11769 <p><span><strong class="command"></strong></span></p> 11770 </td> 11771<td> 11772 <p> 11773 Queries aborted due to quota control. 11774 </p> 11775 </td> 11776</tr> 11777<tr> 11778<td> 11779 <p><span><strong class="command">QuerySockFail</strong></span></p> 11780 </td> 11781<td> 11782 <p><span><strong class="command"></strong></span></p> 11783 </td> 11784<td> 11785 <p> 11786 Failures in opening query sockets. 11787 One common reason for such failures is a 11788 failure of opening a new socket due to a 11789 limitation on file descriptors. 11790 </p> 11791 </td> 11792</tr> 11793<tr> 11794<td> 11795 <p><span><strong class="command">QueryTimeout</strong></span></p> 11796 </td> 11797<td> 11798 <p><span><strong class="command"></strong></span></p> 11799 </td> 11800<td> 11801 <p> 11802 Query timeouts. 11803 </p> 11804 </td> 11805</tr> 11806<tr> 11807<td> 11808 <p><span><strong class="command">GlueFetchv4</strong></span></p> 11809 </td> 11810<td> 11811 <p><span><strong class="command">SSysQ</strong></span></p> 11812 </td> 11813<td> 11814 <p> 11815 IPv4 NS address fetches invoked. 11816 </p> 11817 </td> 11818</tr> 11819<tr> 11820<td> 11821 <p><span><strong class="command">GlueFetchv6</strong></span></p> 11822 </td> 11823<td> 11824 <p><span><strong class="command">SSysQ</strong></span></p> 11825 </td> 11826<td> 11827 <p> 11828 IPv6 NS address fetches invoked. 11829 </p> 11830 </td> 11831</tr> 11832<tr> 11833<td> 11834 <p><span><strong class="command">GlueFetchv4Fail</strong></span></p> 11835 </td> 11836<td> 11837 <p><span><strong class="command"></strong></span></p> 11838 </td> 11839<td> 11840 <p> 11841 IPv4 NS address fetch failed. 11842 </p> 11843 </td> 11844</tr> 11845<tr> 11846<td> 11847 <p><span><strong class="command">GlueFetchv6Fail</strong></span></p> 11848 </td> 11849<td> 11850 <p><span><strong class="command"></strong></span></p> 11851 </td> 11852<td> 11853 <p> 11854 IPv6 NS address fetch failed. 11855 </p> 11856 </td> 11857</tr> 11858<tr> 11859<td> 11860 <p><span><strong class="command">ValAttempt</strong></span></p> 11861 </td> 11862<td> 11863 <p><span><strong class="command"></strong></span></p> 11864 </td> 11865<td> 11866 <p> 11867 DNSSEC validation attempted. 11868 </p> 11869 </td> 11870</tr> 11871<tr> 11872<td> 11873 <p><span><strong class="command">ValOk</strong></span></p> 11874 </td> 11875<td> 11876 <p><span><strong class="command"></strong></span></p> 11877 </td> 11878<td> 11879 <p> 11880 DNSSEC validation succeeded. 11881 </p> 11882 </td> 11883</tr> 11884<tr> 11885<td> 11886 <p><span><strong class="command">ValNegOk</strong></span></p> 11887 </td> 11888<td> 11889 <p><span><strong class="command"></strong></span></p> 11890 </td> 11891<td> 11892 <p> 11893 DNSSEC validation on negative information succeeded. 11894 </p> 11895 </td> 11896</tr> 11897<tr> 11898<td> 11899 <p><span><strong class="command">ValFail</strong></span></p> 11900 </td> 11901<td> 11902 <p><span><strong class="command"></strong></span></p> 11903 </td> 11904<td> 11905 <p> 11906 DNSSEC validation failed. 11907 </p> 11908 </td> 11909</tr> 11910<tr> 11911<td> 11912 <p><span><strong class="command">QryRTTnn</strong></span></p> 11913 </td> 11914<td> 11915 <p><span><strong class="command"></strong></span></p> 11916 </td> 11917<td> 11918 <p> 11919 Frequency table on round trip times (RTTs) of 11920 queries. 11921 Each <span><strong class="command">nn</strong></span> specifies the corresponding 11922 frequency. 11923 In the sequence of 11924 <span><strong class="command">nn_1</strong></span>, 11925 <span><strong class="command">nn_2</strong></span>, 11926 ..., 11927 <span><strong class="command">nn_m</strong></span>, 11928 the value of <span><strong class="command">nn_i</strong></span> is the 11929 number of queries whose RTTs are between 11930 <span><strong class="command">nn_(i-1)</strong></span> (inclusive) and 11931 <span><strong class="command">nn_i</strong></span> (exclusive) milliseconds. 11932 For the sake of convenience we define 11933 <span><strong class="command">nn_0</strong></span> to be 0. 11934 The last entry should be represented as 11935 <span><strong class="command">nn_m+</strong></span>, which means the 11936 number of queries whose RTTs are equal to or over 11937 <span><strong class="command">nn_m</strong></span> milliseconds. 11938 </p> 11939 </td> 11940</tr> 11941</tbody> 11942</table></div> 11943</div> 11944<div class="sect3" lang="en"> 11945<div class="titlepage"><div><div><h4 class="title"> 11946<a name="id2605707"></a>Socket I/O Statistics Counters</h4></div></div></div> 11947<p> 11948 Socket I/O statistics counters are defined per socket 11949 types, which are 11950 <span><strong class="command">UDP4</strong></span> (UDP/IPv4), 11951 <span><strong class="command">UDP6</strong></span> (UDP/IPv6), 11952 <span><strong class="command">TCP4</strong></span> (TCP/IPv4), 11953 <span><strong class="command">TCP6</strong></span> (TCP/IPv6), 11954 <span><strong class="command">Unix</strong></span> (Unix Domain), and 11955 <span><strong class="command">FDwatch</strong></span> (sockets opened outside the 11956 socket module). 11957 In the following table <span><strong class="command"><TYPE></strong></span> 11958 represents a socket type. 11959 Not all counters are available for all socket types; 11960 exceptions are noted in the description field. 11961 </p> 11962<div class="informaltable"><table border="1"> 11963<colgroup> 11964<col> 11965<col> 11966</colgroup> 11967<tbody> 11968<tr> 11969<td> 11970 <p> 11971 <span class="emphasis"><em>Symbol</em></span> 11972 </p> 11973 </td> 11974<td> 11975 <p> 11976 <span class="emphasis"><em>Description</em></span> 11977 </p> 11978 </td> 11979</tr> 11980<tr> 11981<td> 11982 <p><span><strong class="command"><TYPE>Open</strong></span></p> 11983 </td> 11984<td> 11985 <p> 11986 Sockets opened successfully. 11987 This counter is not applicable to the 11988 <span><strong class="command">FDwatch</strong></span> type. 11989 </p> 11990 </td> 11991</tr> 11992<tr> 11993<td> 11994 <p><span><strong class="command"><TYPE>OpenFail</strong></span></p> 11995 </td> 11996<td> 11997 <p> 11998 Failures of opening sockets. 11999 This counter is not applicable to the 12000 <span><strong class="command">FDwatch</strong></span> type. 12001 </p> 12002 </td> 12003</tr> 12004<tr> 12005<td> 12006 <p><span><strong class="command"><TYPE>Close</strong></span></p> 12007 </td> 12008<td> 12009 <p> 12010 Sockets closed. 12011 </p> 12012 </td> 12013</tr> 12014<tr> 12015<td> 12016 <p><span><strong class="command"><TYPE>BindFail</strong></span></p> 12017 </td> 12018<td> 12019 <p> 12020 Failures of binding sockets. 12021 </p> 12022 </td> 12023</tr> 12024<tr> 12025<td> 12026 <p><span><strong class="command"><TYPE>ConnFail</strong></span></p> 12027 </td> 12028<td> 12029 <p> 12030 Failures of connecting sockets. 12031 </p> 12032 </td> 12033</tr> 12034<tr> 12035<td> 12036 <p><span><strong class="command"><TYPE>Conn</strong></span></p> 12037 </td> 12038<td> 12039 <p> 12040 Connections established successfully. 12041 </p> 12042 </td> 12043</tr> 12044<tr> 12045<td> 12046 <p><span><strong class="command"><TYPE>AcceptFail</strong></span></p> 12047 </td> 12048<td> 12049 <p> 12050 Failures of accepting incoming connection requests. 12051 This counter is not applicable to the 12052 <span><strong class="command">UDP</strong></span> and 12053 <span><strong class="command">FDwatch</strong></span> types. 12054 </p> 12055 </td> 12056</tr> 12057<tr> 12058<td> 12059 <p><span><strong class="command"><TYPE>Accept</strong></span></p> 12060 </td> 12061<td> 12062 <p> 12063 Incoming connections successfully accepted. 12064 This counter is not applicable to the 12065 <span><strong class="command">UDP</strong></span> and 12066 <span><strong class="command">FDwatch</strong></span> types. 12067 </p> 12068 </td> 12069</tr> 12070<tr> 12071<td> 12072 <p><span><strong class="command"><TYPE>SendErr</strong></span></p> 12073 </td> 12074<td> 12075 <p> 12076 Errors in socket send operations. 12077 This counter corresponds 12078 to <span><strong class="command">SErr</strong></span> counter of 12079 <span><strong class="command">BIND</strong></span> 8. 12080 </p> 12081 </td> 12082</tr> 12083<tr> 12084<td> 12085 <p><span><strong class="command"><TYPE>RecvErr</strong></span></p> 12086 </td> 12087<td> 12088 <p> 12089 Errors in socket receive operations. 12090 This includes errors of send operations on a 12091 connected UDP socket notified by an ICMP error 12092 message. 12093 </p> 12094 </td> 12095</tr> 12096</tbody> 12097</table></div> 12098</div> 12099<div class="sect3" lang="en"> 12100<div class="titlepage"><div><div><h4 class="title"> 12101<a name="id2606149"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> 12102<p> 12103 Most statistics counters that were available 12104 in <span><strong class="command">BIND</strong></span> 8 are also supported in 12105 <span><strong class="command">BIND</strong></span> 9 as shown in the above tables. 12106 Here are notes about other counters that do not appear 12107 in these tables. 12108 </p> 12109<div class="variablelist"><dl> 12110<dt><span class="term"><span><strong class="command">RFwdR,SFwdR</strong></span></span></dt> 12111<dd><p> 12112 These counters are not supported 12113 because <span><strong class="command">BIND</strong></span> 9 does not adopt 12114 the notion of <span class="emphasis"><em>forwarding</em></span> 12115 as <span><strong class="command">BIND</strong></span> 8 did. 12116 </p></dd> 12117<dt><span class="term"><span><strong class="command">RAXFR</strong></span></span></dt> 12118<dd><p> 12119 This counter is accessible in the Incoming Queries section. 12120 </p></dd> 12121<dt><span class="term"><span><strong class="command">RIQ</strong></span></span></dt> 12122<dd><p> 12123 This counter is accessible in the Incoming Requests section. 12124 </p></dd> 12125<dt><span class="term"><span><strong class="command">ROpts</strong></span></span></dt> 12126<dd><p> 12127 This counter is not supported 12128 because <span><strong class="command">BIND</strong></span> 9 does not care 12129 about IP options in the first place. 12130 </p></dd> 12131</dl></div> 12132</div> 12133</div> 12134</div> 12135</div> 12136<div class="navfooter"> 12137<hr> 12138<table width="100%" summary="Navigation footer"> 12139<tr> 12140<td width="40%" align="left"> 12141<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a>�</td> 12142<td width="20%" align="center">�</td> 12143<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch07.html">Next</a> 12144</td> 12145</tr> 12146<tr> 12147<td width="40%" align="left" valign="top">Chapter�5.�The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver�</td> 12148<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> 12149<td width="40%" align="right" valign="top">�Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</td> 12150</tr> 12151</table> 12152</div> 12153<p style="text-align: center;">BIND 9.10.2-P4</p> 12154</body> 12155</html> 12156