1 2This is a summary of the named.conf options supported by 3this version of BIND 9. 4 5acl <string> { <address_match_element>; ... }; // may occur multiple times 6 7controls { 8 inet ( <ipv4_address> | <ipv6_address> | 9 * ) [ port ( <integer> | * ) ] allow 10 { <address_match_element>; ... } [ 11 keys { <string>; ... } ] [ read-only 12 <boolean> ]; // may occur multiple times 13 unix <quoted_string> perm <integer> 14 owner <integer> group <integer> [ 15 keys { <string>; ... } ] [ read-only 16 <boolean> ]; // may occur multiple times 17}; // may occur multiple times 18 19dlz <string> { 20 database <string>; 21 search <boolean>; 22}; // may occur multiple times 23 24dnssec-policy <string> { 25 dnskey-ttl <duration>; 26 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime 27 <duration_or_unlimited> algorithm <string> [ <integer> ]; ... }; 28 max-zone-ttl <duration>; 29 nsec3param [ iterations <integer> ] [ optout <boolean> ] [ 30 salt-length <integer> ]; 31 parent-ds-ttl <duration>; 32 parent-propagation-delay <duration>; 33 publish-safety <duration>; 34 purge-keys <duration>; 35 retire-safety <duration>; 36 signatures-refresh <duration>; 37 signatures-validity <duration>; 38 signatures-validity-dnskey <duration>; 39 zone-propagation-delay <duration>; 40}; // may occur multiple times 41 42dyndb <string> <quoted_string> { 43 <unspecified-text> }; // may occur multiple times 44 45key <string> { 46 algorithm <string>; 47 secret <string>; 48}; // may occur multiple times 49 50logging { 51 category <string> { <string>; ... }; // may occur multiple times 52 channel <string> { 53 buffered <boolean>; 54 file <quoted_string> [ versions ( unlimited | <integer> ) ] 55 [ size <size> ] [ suffix ( increment | timestamp ) ]; 56 null; 57 print-category <boolean>; 58 print-severity <boolean>; 59 print-time ( iso8601 | iso8601-utc | local | <boolean> ); 60 severity <log_severity>; 61 stderr; 62 syslog [ <syslog_facility> ]; 63 }; // may occur multiple times 64}; 65 66managed-keys { <string> ( static-key 67 | initial-key | static-ds | 68 initial-ds ) <integer> <integer> 69 <integer> <quoted_string>; ... }; // may occur multiple times, deprecated 70 71masters <string> [ port <integer> ] [ dscp 72 <integer> ] { ( <remote-servers> | 73 <ipv4_address> [ port <integer> ] | 74 <ipv6_address> [ port <integer> ] ) [ key 75 <string> ]; ... }; // may occur multiple times 76 77options { 78 allow-new-zones <boolean>; 79 allow-notify { <address_match_element>; ... }; 80 allow-query { <address_match_element>; ... }; 81 allow-query-cache { <address_match_element>; ... }; 82 allow-query-cache-on { <address_match_element>; ... }; 83 allow-query-on { <address_match_element>; ... }; 84 allow-recursion { <address_match_element>; ... }; 85 allow-recursion-on { <address_match_element>; ... }; 86 allow-transfer { <address_match_element>; ... }; 87 allow-update { <address_match_element>; ... }; 88 allow-update-forwarding { <address_match_element>; ... }; 89 also-notify [ port <integer> ] [ dscp <integer> ] { ( 90 <remote-servers> | <ipv4_address> [ port <integer> ] | 91 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 92 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 93 ] [ dscp <integer> ]; 94 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 95 * ) ] [ dscp <integer> ]; 96 answer-cookie <boolean>; 97 attach-cache <string>; 98 auth-nxdomain <boolean>; // default changed 99 auto-dnssec ( allow | maintain | off ); 100 automatic-interface-scan <boolean>; 101 avoid-v4-udp-ports { <portrange>; ... }; 102 avoid-v6-udp-ports { <portrange>; ... }; 103 bindkeys-file <quoted_string>; 104 blackhole { <address_match_element>; ... }; 105 cache-file <quoted_string>; // deprecated 106 catalog-zones { zone <string> [ default-masters [ port <integer> ] 107 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 108 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 109 <string> ]; ... } ] [ zone-directory <quoted_string> ] [ 110 in-memory <boolean> ] [ min-update-interval <duration> ]; ... }; 111 check-dup-records ( fail | warn | ignore ); 112 check-integrity <boolean>; 113 check-mx ( fail | warn | ignore ); 114 check-mx-cname ( fail | warn | ignore ); 115 check-names ( primary | master | 116 secondary | slave | response ) ( 117 fail | warn | ignore ); // may occur multiple times 118 check-sibling <boolean>; 119 check-spf ( warn | ignore ); 120 check-srv-cname ( fail | warn | ignore ); 121 check-wildcard <boolean>; 122 clients-per-query <integer>; 123 cookie-algorithm ( aes | siphash24 ); 124 cookie-secret <string>; // may occur multiple times 125 coresize ( default | unlimited | <sizeval> ); 126 datasize ( default | unlimited | <sizeval> ); 127 deny-answer-addresses { <address_match_element>; ... } [ 128 except-from { <string>; ... } ]; 129 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 130 } ]; 131 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 132 directory <quoted_string>; 133 disable-algorithms <string> { <string>; 134 ... }; // may occur multiple times 135 disable-ds-digests <string> { <string>; 136 ... }; // may occur multiple times 137 disable-empty-zone <string>; // may occur multiple times 138 dns64 <netprefix> { 139 break-dnssec <boolean>; 140 clients { <address_match_element>; ... }; 141 exclude { <address_match_element>; ... }; 142 mapped { <address_match_element>; ... }; 143 recursive-only <boolean>; 144 suffix <ipv6_address>; 145 }; // may occur multiple times 146 dns64-contact <string>; 147 dns64-server <string>; 148 dnskey-sig-validity <integer>; 149 dnsrps-enable <boolean>; // not configured 150 dnsrps-options { <unspecified-text> }; // not configured 151 dnssec-accept-expired <boolean>; 152 dnssec-dnskey-kskonly <boolean>; 153 dnssec-loadkeys-interval <integer>; 154 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 155 dnssec-policy <string>; 156 dnssec-secure-to-insecure <boolean>; 157 dnssec-update-mode ( maintain | no-resign ); 158 dnssec-validation ( yes | no | auto ); 159 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 160 ( query | response ) ]; ... }; 161 dnstap-identity ( <quoted_string> | none | hostname ); 162 dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | 163 <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( 164 increment | timestamp ) ]; 165 dnstap-version ( <quoted_string> | none ); 166 dscp <integer>; 167 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 168 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 169 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 170 <integer> ] [ dscp <integer> ] ); ... }; 171 dump-file <quoted_string>; 172 edns-udp-size <integer>; 173 empty-contact <string>; 174 empty-server <string>; 175 empty-zones-enable <boolean>; 176 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 177 fetches-per-server <integer> [ ( drop | fail ) ]; 178 fetches-per-zone <integer> [ ( drop | fail ) ]; 179 files ( default | unlimited | <sizeval> ); 180 flush-zones-on-shutdown <boolean>; 181 forward ( first | only ); 182 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 183 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 184 fstrm-set-buffer-hint <integer>; 185 fstrm-set-flush-timeout <integer>; 186 fstrm-set-input-queue-size <integer>; 187 fstrm-set-output-notify-threshold <integer>; 188 fstrm-set-output-queue-model ( mpsc | spsc ); 189 fstrm-set-output-queue-size <integer>; 190 fstrm-set-reopen-interval <duration>; 191 geoip-directory ( <quoted_string> | none ); 192 glue-cache <boolean>; 193 heartbeat-interval <integer>; 194 hostname ( <quoted_string> | none ); 195 interface-interval <duration>; 196 ixfr-from-differences ( primary | master | secondary | slave | 197 <boolean> ); 198 keep-response-order { <address_match_element>; ... }; 199 key-directory <quoted_string>; 200 lame-ttl <duration>; 201 listen-on [ port <integer> ] [ dscp 202 <integer> ] { 203 <address_match_element>; ... }; // may occur multiple times 204 listen-on-v6 [ port <integer> ] [ dscp 205 <integer> ] { 206 <address_match_element>; ... }; // may occur multiple times 207 lmdb-mapsize <sizeval>; 208 lock-file ( <quoted_string> | none ); 209 managed-keys-directory <quoted_string>; 210 masterfile-format ( map | raw | text ); 211 masterfile-style ( full | relative ); 212 match-mapped-addresses <boolean>; 213 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 214 max-cache-ttl <duration>; 215 max-clients-per-query <integer>; 216 max-ixfr-ratio ( unlimited | <percentage> ); 217 max-journal-size ( default | unlimited | <sizeval> ); 218 max-ncache-ttl <duration>; 219 max-records <integer>; 220 max-recursion-depth <integer>; 221 max-recursion-queries <integer>; 222 max-refresh-time <integer>; 223 max-retry-time <integer>; 224 max-rsa-exponent-size <integer>; 225 max-stale-ttl <duration>; 226 max-transfer-idle-in <integer>; 227 max-transfer-idle-out <integer>; 228 max-transfer-time-in <integer>; 229 max-transfer-time-out <integer>; 230 max-udp-size <integer>; 231 max-zone-ttl ( unlimited | <duration> ); 232 memstatistics <boolean>; 233 memstatistics-file <quoted_string>; 234 message-compression <boolean>; 235 min-cache-ttl <duration>; 236 min-ncache-ttl <duration>; 237 min-refresh-time <integer>; 238 min-retry-time <integer>; 239 minimal-any <boolean>; 240 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 241 multi-master <boolean>; 242 new-zones-directory <quoted_string>; 243 no-case-compress { <address_match_element>; ... }; 244 nocookie-udp-size <integer>; 245 notify ( explicit | master-only | primary-only | <boolean> ); 246 notify-delay <integer>; 247 notify-rate <integer>; 248 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 249 dscp <integer> ]; 250 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 251 [ dscp <integer> ]; 252 notify-to-soa <boolean>; 253 nta-lifetime <duration>; 254 nta-recheck <duration>; 255 nxdomain-redirect <string>; 256 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 257 dscp <integer> ]; 258 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 259 ] [ dscp <integer> ]; 260 pid-file ( <quoted_string> | none ); 261 port <integer>; 262 preferred-glue <string>; 263 prefetch <integer> [ <integer> ]; 264 provide-ixfr <boolean>; 265 qname-minimization ( strict | relaxed | disabled | off ); 266 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 267 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 268 port ( <integer> | * ) ) ) [ dscp <integer> ]; 269 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 270 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 271 port ( <integer> | * ) ) ) [ dscp <integer> ]; 272 querylog <boolean>; 273 random-device ( <quoted_string> | none ); 274 rate-limit { 275 all-per-second <integer>; 276 errors-per-second <integer>; 277 exempt-clients { <address_match_element>; ... }; 278 ipv4-prefix-length <integer>; 279 ipv6-prefix-length <integer>; 280 log-only <boolean>; 281 max-table-size <integer>; 282 min-table-size <integer>; 283 nodata-per-second <integer>; 284 nxdomains-per-second <integer>; 285 qps-scale <integer>; 286 referrals-per-second <integer>; 287 responses-per-second <integer>; 288 slip <integer>; 289 window <integer>; 290 }; 291 recursing-file <quoted_string>; 292 recursion <boolean>; 293 recursive-clients <integer>; 294 request-expire <boolean>; 295 request-ixfr <boolean>; 296 request-nsid <boolean>; 297 require-server-cookie <boolean>; 298 reserved-sockets <integer>; 299 resolver-nonbackoff-tries <integer>; 300 resolver-query-timeout <integer>; 301 resolver-retry-interval <integer>; 302 response-padding { <address_match_element>; ... } block-size 303 <integer>; 304 response-policy { zone <string> [ add-soa <boolean> ] [ log 305 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 306 <duration> ] [ policy ( cname | disabled | drop | given | no-op 307 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 308 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 309 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 310 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 311 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 312 nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] 313 [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 314 nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ 315 dnsrps-options { <unspecified-text> } ]; 316 root-delegation-only [ exclude { <string>; ... } ]; 317 root-key-sentinel <boolean>; 318 rrset-order { [ class <string> ] [ type <string> ] [ name 319 <quoted_string> ] <string> <string>; ... }; 320 secroots-file <quoted_string>; 321 send-cookie <boolean>; 322 serial-query-rate <integer>; 323 serial-update-method ( date | increment | unixtime ); 324 server-id ( <quoted_string> | none | hostname ); 325 servfail-ttl <duration>; 326 session-keyalg <string>; 327 session-keyfile ( <quoted_string> | none ); 328 session-keyname <string>; 329 sig-signing-nodes <integer>; 330 sig-signing-signatures <integer>; 331 sig-signing-type <integer>; 332 sig-validity-interval <integer> [ <integer> ]; 333 sortlist { <address_match_element>; ... }; 334 stacksize ( default | unlimited | <sizeval> ); 335 stale-answer-client-timeout ( disabled | off | <integer> ); 336 stale-answer-enable <boolean>; 337 stale-answer-ttl <duration>; 338 stale-cache-enable <boolean>; 339 stale-refresh-time <duration>; 340 startup-notify-rate <integer>; 341 statistics-file <quoted_string>; 342 synth-from-dnssec <boolean>; 343 tcp-advertised-timeout <integer>; 344 tcp-clients <integer>; 345 tcp-idle-timeout <integer>; 346 tcp-initial-timeout <integer>; 347 tcp-keepalive-timeout <integer>; 348 tcp-listen-queue <integer>; 349 tkey-dhkey <quoted_string> <integer>; 350 tkey-domain <quoted_string>; 351 tkey-gssapi-credential <quoted_string>; 352 tkey-gssapi-keytab <quoted_string>; 353 transfer-format ( many-answers | one-answer ); 354 transfer-message-size <integer>; 355 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 356 dscp <integer> ]; 357 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 358 ] [ dscp <integer> ]; 359 transfers-in <integer>; 360 transfers-out <integer>; 361 transfers-per-ns <integer>; 362 trust-anchor-telemetry <boolean>; // experimental 363 try-tcp-refresh <boolean>; 364 update-check-ksk <boolean>; 365 use-alt-transfer-source <boolean>; 366 use-v4-udp-ports { <portrange>; ... }; 367 use-v6-udp-ports { <portrange>; ... }; 368 v6-bias <integer>; 369 validate-except { <string>; ... }; 370 version ( <quoted_string> | none ); 371 zero-no-soa-ttl <boolean>; 372 zero-no-soa-ttl-cache <boolean>; 373 zone-statistics ( full | terse | none | <boolean> ); 374}; 375 376parental-agents <string> [ port <integer> ] [ 377 dscp <integer> ] { ( <remote-servers> | 378 <ipv4_address> [ port <integer> ] | 379 <ipv6_address> [ port <integer> ] ) [ key 380 <string> ]; ... }; // may occur multiple times 381 382plugin ( query ) <string> [ { <unspecified-text> 383 } ]; // may occur multiple times 384 385primaries <string> [ port <integer> ] [ dscp 386 <integer> ] { ( <remote-servers> | 387 <ipv4_address> [ port <integer> ] | 388 <ipv6_address> [ port <integer> ] ) [ key 389 <string> ]; ... }; // may occur multiple times 390 391server <netprefix> { 392 bogus <boolean>; 393 edns <boolean>; 394 edns-udp-size <integer>; 395 edns-version <integer>; 396 keys <server_key>; 397 max-udp-size <integer>; 398 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 399 dscp <integer> ]; 400 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 401 [ dscp <integer> ]; 402 padding <integer>; 403 provide-ixfr <boolean>; 404 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 405 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 406 port ( <integer> | * ) ) ) [ dscp <integer> ]; 407 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 408 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 409 port ( <integer> | * ) ) ) [ dscp <integer> ]; 410 request-expire <boolean>; 411 request-ixfr <boolean>; 412 request-nsid <boolean>; 413 send-cookie <boolean>; 414 tcp-keepalive <boolean>; 415 tcp-only <boolean>; 416 transfer-format ( many-answers | one-answer ); 417 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 418 dscp <integer> ]; 419 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 420 ] [ dscp <integer> ]; 421 transfers <integer>; 422}; // may occur multiple times 423 424statistics-channels { 425 inet ( <ipv4_address> | <ipv6_address> | 426 * ) [ port ( <integer> | * ) ] [ 427 allow { <address_match_element>; ... 428 } ]; // may occur multiple times 429}; // may occur multiple times 430 431trust-anchors { <string> ( static-key | 432 initial-key | static-ds | initial-ds ) 433 <integer> <integer> <integer> 434 <quoted_string>; ... }; // may occur multiple times 435 436trusted-keys { <string> <integer> 437 <integer> <integer> 438 <quoted_string>; ... }; // may occur multiple times, deprecated 439 440view <string> [ <class> ] { 441 allow-new-zones <boolean>; 442 allow-notify { <address_match_element>; ... }; 443 allow-query { <address_match_element>; ... }; 444 allow-query-cache { <address_match_element>; ... }; 445 allow-query-cache-on { <address_match_element>; ... }; 446 allow-query-on { <address_match_element>; ... }; 447 allow-recursion { <address_match_element>; ... }; 448 allow-recursion-on { <address_match_element>; ... }; 449 allow-transfer { <address_match_element>; ... }; 450 allow-update { <address_match_element>; ... }; 451 allow-update-forwarding { <address_match_element>; ... }; 452 also-notify [ port <integer> ] [ dscp <integer> ] { ( 453 <remote-servers> | <ipv4_address> [ port <integer> ] | 454 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 455 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 456 ] [ dscp <integer> ]; 457 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 458 * ) ] [ dscp <integer> ]; 459 attach-cache <string>; 460 auth-nxdomain <boolean>; // default changed 461 auto-dnssec ( allow | maintain | off ); 462 cache-file <quoted_string>; // deprecated 463 catalog-zones { zone <string> [ default-masters [ port <integer> ] 464 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 465 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 466 <string> ]; ... } ] [ zone-directory <quoted_string> ] [ 467 in-memory <boolean> ] [ min-update-interval <duration> ]; ... }; 468 check-dup-records ( fail | warn | ignore ); 469 check-integrity <boolean>; 470 check-mx ( fail | warn | ignore ); 471 check-mx-cname ( fail | warn | ignore ); 472 check-names ( primary | master | 473 secondary | slave | response ) ( 474 fail | warn | ignore ); // may occur multiple times 475 check-sibling <boolean>; 476 check-spf ( warn | ignore ); 477 check-srv-cname ( fail | warn | ignore ); 478 check-wildcard <boolean>; 479 clients-per-query <integer>; 480 deny-answer-addresses { <address_match_element>; ... } [ 481 except-from { <string>; ... } ]; 482 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 483 } ]; 484 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 485 disable-algorithms <string> { <string>; 486 ... }; // may occur multiple times 487 disable-ds-digests <string> { <string>; 488 ... }; // may occur multiple times 489 disable-empty-zone <string>; // may occur multiple times 490 dlz <string> { 491 database <string>; 492 search <boolean>; 493 }; // may occur multiple times 494 dns64 <netprefix> { 495 break-dnssec <boolean>; 496 clients { <address_match_element>; ... }; 497 exclude { <address_match_element>; ... }; 498 mapped { <address_match_element>; ... }; 499 recursive-only <boolean>; 500 suffix <ipv6_address>; 501 }; // may occur multiple times 502 dns64-contact <string>; 503 dns64-server <string>; 504 dnskey-sig-validity <integer>; 505 dnsrps-enable <boolean>; // not configured 506 dnsrps-options { <unspecified-text> }; // not configured 507 dnssec-accept-expired <boolean>; 508 dnssec-dnskey-kskonly <boolean>; 509 dnssec-loadkeys-interval <integer>; 510 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 511 dnssec-policy <string>; 512 dnssec-secure-to-insecure <boolean>; 513 dnssec-update-mode ( maintain | no-resign ); 514 dnssec-validation ( yes | no | auto ); 515 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 516 ( query | response ) ]; ... }; 517 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 518 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 519 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 520 <integer> ] [ dscp <integer> ] ); ... }; 521 dyndb <string> <quoted_string> { 522 <unspecified-text> }; // may occur multiple times 523 edns-udp-size <integer>; 524 empty-contact <string>; 525 empty-server <string>; 526 empty-zones-enable <boolean>; 527 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 528 fetches-per-server <integer> [ ( drop | fail ) ]; 529 fetches-per-zone <integer> [ ( drop | fail ) ]; 530 forward ( first | only ); 531 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 532 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 533 glue-cache <boolean>; 534 ixfr-from-differences ( primary | master | secondary | slave | 535 <boolean> ); 536 key <string> { 537 algorithm <string>; 538 secret <string>; 539 }; // may occur multiple times 540 key-directory <quoted_string>; 541 lame-ttl <duration>; 542 lmdb-mapsize <sizeval>; 543 managed-keys { <string> ( 544 static-key | initial-key 545 | static-ds | initial-ds 546 ) <integer> <integer> 547 <integer> 548 <quoted_string>; ... }; // may occur multiple times, deprecated 549 masterfile-format ( map | raw | text ); 550 masterfile-style ( full | relative ); 551 match-clients { <address_match_element>; ... }; 552 match-destinations { <address_match_element>; ... }; 553 match-recursive-only <boolean>; 554 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 555 max-cache-ttl <duration>; 556 max-clients-per-query <integer>; 557 max-ixfr-ratio ( unlimited | <percentage> ); 558 max-journal-size ( default | unlimited | <sizeval> ); 559 max-ncache-ttl <duration>; 560 max-records <integer>; 561 max-recursion-depth <integer>; 562 max-recursion-queries <integer>; 563 max-refresh-time <integer>; 564 max-retry-time <integer>; 565 max-stale-ttl <duration>; 566 max-transfer-idle-in <integer>; 567 max-transfer-idle-out <integer>; 568 max-transfer-time-in <integer>; 569 max-transfer-time-out <integer>; 570 max-udp-size <integer>; 571 max-zone-ttl ( unlimited | <duration> ); 572 message-compression <boolean>; 573 min-cache-ttl <duration>; 574 min-ncache-ttl <duration>; 575 min-refresh-time <integer>; 576 min-retry-time <integer>; 577 minimal-any <boolean>; 578 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 579 multi-master <boolean>; 580 new-zones-directory <quoted_string>; 581 no-case-compress { <address_match_element>; ... }; 582 nocookie-udp-size <integer>; 583 notify ( explicit | master-only | primary-only | <boolean> ); 584 notify-delay <integer>; 585 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 586 dscp <integer> ]; 587 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 588 [ dscp <integer> ]; 589 notify-to-soa <boolean>; 590 nta-lifetime <duration>; 591 nta-recheck <duration>; 592 nxdomain-redirect <string>; 593 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 594 dscp <integer> ]; 595 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 596 ] [ dscp <integer> ]; 597 plugin ( query ) <string> [ { 598 <unspecified-text> } ]; // may occur multiple times 599 preferred-glue <string>; 600 prefetch <integer> [ <integer> ]; 601 provide-ixfr <boolean>; 602 qname-minimization ( strict | relaxed | disabled | off ); 603 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 604 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 605 port ( <integer> | * ) ) ) [ dscp <integer> ]; 606 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 607 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 608 port ( <integer> | * ) ) ) [ dscp <integer> ]; 609 rate-limit { 610 all-per-second <integer>; 611 errors-per-second <integer>; 612 exempt-clients { <address_match_element>; ... }; 613 ipv4-prefix-length <integer>; 614 ipv6-prefix-length <integer>; 615 log-only <boolean>; 616 max-table-size <integer>; 617 min-table-size <integer>; 618 nodata-per-second <integer>; 619 nxdomains-per-second <integer>; 620 qps-scale <integer>; 621 referrals-per-second <integer>; 622 responses-per-second <integer>; 623 slip <integer>; 624 window <integer>; 625 }; 626 recursion <boolean>; 627 request-expire <boolean>; 628 request-ixfr <boolean>; 629 request-nsid <boolean>; 630 require-server-cookie <boolean>; 631 resolver-nonbackoff-tries <integer>; 632 resolver-query-timeout <integer>; 633 resolver-retry-interval <integer>; 634 response-padding { <address_match_element>; ... } block-size 635 <integer>; 636 response-policy { zone <string> [ add-soa <boolean> ] [ log 637 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 638 <duration> ] [ policy ( cname | disabled | drop | given | no-op 639 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 640 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 641 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 642 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 643 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 644 nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] 645 [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 646 nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ 647 dnsrps-options { <unspecified-text> } ]; 648 root-delegation-only [ exclude { <string>; ... } ]; 649 root-key-sentinel <boolean>; 650 rrset-order { [ class <string> ] [ type <string> ] [ name 651 <quoted_string> ] <string> <string>; ... }; 652 send-cookie <boolean>; 653 serial-update-method ( date | increment | unixtime ); 654 server <netprefix> { 655 bogus <boolean>; 656 edns <boolean>; 657 edns-udp-size <integer>; 658 edns-version <integer>; 659 keys <server_key>; 660 max-udp-size <integer>; 661 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 662 ) ] [ dscp <integer> ]; 663 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 664 | * ) ] [ dscp <integer> ]; 665 padding <integer>; 666 provide-ixfr <boolean>; 667 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port 668 ( <integer> | * ) ] ) | ( [ [ address ] ( 669 <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ 670 dscp <integer> ]; 671 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ 672 port ( <integer> | * ) ] ) | ( [ [ address ] ( 673 <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ 674 dscp <integer> ]; 675 request-expire <boolean>; 676 request-ixfr <boolean>; 677 request-nsid <boolean>; 678 send-cookie <boolean>; 679 tcp-keepalive <boolean>; 680 tcp-only <boolean>; 681 transfer-format ( many-answers | one-answer ); 682 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 683 * ) ] [ dscp <integer> ]; 684 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 685 <integer> | * ) ] [ dscp <integer> ]; 686 transfers <integer>; 687 }; // may occur multiple times 688 servfail-ttl <duration>; 689 sig-signing-nodes <integer>; 690 sig-signing-signatures <integer>; 691 sig-signing-type <integer>; 692 sig-validity-interval <integer> [ <integer> ]; 693 sortlist { <address_match_element>; ... }; 694 stale-answer-client-timeout ( disabled | off | <integer> ); 695 stale-answer-enable <boolean>; 696 stale-answer-ttl <duration>; 697 stale-cache-enable <boolean>; 698 stale-refresh-time <duration>; 699 synth-from-dnssec <boolean>; 700 transfer-format ( many-answers | one-answer ); 701 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 702 dscp <integer> ]; 703 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 704 ] [ dscp <integer> ]; 705 trust-anchor-telemetry <boolean>; // experimental 706 trust-anchors { <string> ( static-key | 707 initial-key | static-ds | initial-ds 708 ) <integer> <integer> <integer> 709 <quoted_string>; ... }; // may occur multiple times 710 trusted-keys { <string> 711 <integer> <integer> 712 <integer> 713 <quoted_string>; ... }; // may occur multiple times, deprecated 714 try-tcp-refresh <boolean>; 715 update-check-ksk <boolean>; 716 use-alt-transfer-source <boolean>; 717 v6-bias <integer>; 718 validate-except { <string>; ... }; 719 zero-no-soa-ttl <boolean>; 720 zero-no-soa-ttl-cache <boolean>; 721 zone <string> [ <class> ] { 722 allow-notify { <address_match_element>; ... }; 723 allow-query { <address_match_element>; ... }; 724 allow-query-on { <address_match_element>; ... }; 725 allow-transfer { <address_match_element>; ... }; 726 allow-update { <address_match_element>; ... }; 727 allow-update-forwarding { <address_match_element>; ... }; 728 also-notify [ port <integer> ] [ dscp <integer> ] { ( 729 <remote-servers> | <ipv4_address> [ port <integer> ] | 730 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 731 ... }; 732 alt-transfer-source ( <ipv4_address> | * ) [ port ( 733 <integer> | * ) ] [ dscp <integer> ]; 734 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( 735 <integer> | * ) ] [ dscp <integer> ]; 736 auto-dnssec ( allow | maintain | off ); 737 check-dup-records ( fail | warn | ignore ); 738 check-integrity <boolean>; 739 check-mx ( fail | warn | ignore ); 740 check-mx-cname ( fail | warn | ignore ); 741 check-names ( fail | warn | ignore ); 742 check-sibling <boolean>; 743 check-spf ( warn | ignore ); 744 check-srv-cname ( fail | warn | ignore ); 745 check-wildcard <boolean>; 746 database <string>; 747 delegation-only <boolean>; 748 dialup ( notify | notify-passive | passive | refresh | 749 <boolean> ); 750 dlz <string>; 751 dnskey-sig-validity <integer>; 752 dnssec-dnskey-kskonly <boolean>; 753 dnssec-loadkeys-interval <integer>; 754 dnssec-policy <string>; 755 dnssec-secure-to-insecure <boolean>; 756 dnssec-update-mode ( maintain | no-resign ); 757 file <quoted_string>; 758 forward ( first | only ); 759 forwarders [ port <integer> ] [ dscp <integer> ] { ( 760 <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ 761 dscp <integer> ]; ... }; 762 in-view <string>; 763 inline-signing <boolean>; 764 ixfr-from-differences <boolean>; 765 journal <quoted_string>; 766 key-directory <quoted_string>; 767 masterfile-format ( map | raw | text ); 768 masterfile-style ( full | relative ); 769 masters [ port <integer> ] [ dscp <integer> ] { ( 770 <remote-servers> | <ipv4_address> [ port <integer> ] | 771 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 772 ... }; 773 max-ixfr-ratio ( unlimited | <percentage> ); 774 max-journal-size ( default | unlimited | <sizeval> ); 775 max-records <integer>; 776 max-refresh-time <integer>; 777 max-retry-time <integer>; 778 max-transfer-idle-in <integer>; 779 max-transfer-idle-out <integer>; 780 max-transfer-time-in <integer>; 781 max-transfer-time-out <integer>; 782 max-zone-ttl ( unlimited | <duration> ); 783 min-refresh-time <integer>; 784 min-retry-time <integer>; 785 multi-master <boolean>; 786 notify ( explicit | master-only | primary-only | <boolean> ); 787 notify-delay <integer>; 788 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 789 ) ] [ dscp <integer> ]; 790 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 791 | * ) ] [ dscp <integer> ]; 792 notify-to-soa <boolean>; 793 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 794 <remote-servers> | <ipv4_address> [ port <integer> ] | 795 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 796 ... }; 797 parental-source ( <ipv4_address> | * ) [ port ( <integer> | 798 * ) ] [ dscp <integer> ]; 799 parental-source-v6 ( <ipv6_address> | * ) [ port ( 800 <integer> | * ) ] [ dscp <integer> ]; 801 primaries [ port <integer> ] [ dscp <integer> ] { ( 802 <remote-servers> | <ipv4_address> [ port <integer> ] | 803 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 804 ... }; 805 request-expire <boolean>; 806 request-ixfr <boolean>; 807 serial-update-method ( date | increment | unixtime ); 808 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 809 server-names { <string>; ... }; 810 sig-signing-nodes <integer>; 811 sig-signing-signatures <integer>; 812 sig-signing-type <integer>; 813 sig-validity-interval <integer> [ <integer> ]; 814 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 815 * ) ] [ dscp <integer> ]; 816 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 817 <integer> | * ) ] [ dscp <integer> ]; 818 try-tcp-refresh <boolean>; 819 type ( primary | master | secondary | slave | mirror | 820 delegation-only | forward | hint | redirect | 821 static-stub | stub ); 822 update-check-ksk <boolean>; 823 update-policy ( local | { ( deny | grant ) <string> ( 824 6to4-self | external | krb5-self | krb5-selfsub | 825 krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | 826 name | self | selfsub | selfwild | subdomain | tcp-self 827 | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... }; 828 use-alt-transfer-source <boolean>; 829 zero-no-soa-ttl <boolean>; 830 zone-statistics ( full | terse | none | <boolean> ); 831 }; // may occur multiple times 832 zone-statistics ( full | terse | none | <boolean> ); 833}; // may occur multiple times 834 835zone <string> [ <class> ] { 836 allow-notify { <address_match_element>; ... }; 837 allow-query { <address_match_element>; ... }; 838 allow-query-on { <address_match_element>; ... }; 839 allow-transfer { <address_match_element>; ... }; 840 allow-update { <address_match_element>; ... }; 841 allow-update-forwarding { <address_match_element>; ... }; 842 also-notify [ port <integer> ] [ dscp <integer> ] { ( 843 <remote-servers> | <ipv4_address> [ port <integer> ] | 844 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 845 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 846 ] [ dscp <integer> ]; 847 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 848 * ) ] [ dscp <integer> ]; 849 auto-dnssec ( allow | maintain | off ); 850 check-dup-records ( fail | warn | ignore ); 851 check-integrity <boolean>; 852 check-mx ( fail | warn | ignore ); 853 check-mx-cname ( fail | warn | ignore ); 854 check-names ( fail | warn | ignore ); 855 check-sibling <boolean>; 856 check-spf ( warn | ignore ); 857 check-srv-cname ( fail | warn | ignore ); 858 check-wildcard <boolean>; 859 database <string>; 860 delegation-only <boolean>; 861 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 862 dlz <string>; 863 dnskey-sig-validity <integer>; 864 dnssec-dnskey-kskonly <boolean>; 865 dnssec-loadkeys-interval <integer>; 866 dnssec-policy <string>; 867 dnssec-secure-to-insecure <boolean>; 868 dnssec-update-mode ( maintain | no-resign ); 869 file <quoted_string>; 870 forward ( first | only ); 871 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 872 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 873 in-view <string>; 874 inline-signing <boolean>; 875 ixfr-from-differences <boolean>; 876 journal <quoted_string>; 877 key-directory <quoted_string>; 878 masterfile-format ( map | raw | text ); 879 masterfile-style ( full | relative ); 880 masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> 881 | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port 882 <integer> ] ) [ key <string> ]; ... }; 883 max-ixfr-ratio ( unlimited | <percentage> ); 884 max-journal-size ( default | unlimited | <sizeval> ); 885 max-records <integer>; 886 max-refresh-time <integer>; 887 max-retry-time <integer>; 888 max-transfer-idle-in <integer>; 889 max-transfer-idle-out <integer>; 890 max-transfer-time-in <integer>; 891 max-transfer-time-out <integer>; 892 max-zone-ttl ( unlimited | <duration> ); 893 min-refresh-time <integer>; 894 min-retry-time <integer>; 895 multi-master <boolean>; 896 notify ( explicit | master-only | primary-only | <boolean> ); 897 notify-delay <integer>; 898 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 899 dscp <integer> ]; 900 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 901 [ dscp <integer> ]; 902 notify-to-soa <boolean>; 903 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 904 <remote-servers> | <ipv4_address> [ port <integer> ] | 905 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 906 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 907 dscp <integer> ]; 908 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 909 ] [ dscp <integer> ]; 910 primaries [ port <integer> ] [ dscp <integer> ] { ( 911 <remote-servers> | <ipv4_address> [ port <integer> ] | 912 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 913 request-expire <boolean>; 914 request-ixfr <boolean>; 915 serial-update-method ( date | increment | unixtime ); 916 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 917 server-names { <string>; ... }; 918 sig-signing-nodes <integer>; 919 sig-signing-signatures <integer>; 920 sig-signing-type <integer>; 921 sig-validity-interval <integer> [ <integer> ]; 922 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 923 dscp <integer> ]; 924 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 925 ] [ dscp <integer> ]; 926 try-tcp-refresh <boolean>; 927 type ( primary | master | secondary | slave | mirror | 928 delegation-only | forward | hint | redirect | static-stub | 929 stub ); 930 update-check-ksk <boolean>; 931 update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | 932 external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self 933 | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild 934 | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] 935 <rrtypelist>; ... }; 936 use-alt-transfer-source <boolean>; 937 zero-no-soa-ttl <boolean>; 938 zone-statistics ( full | terse | none | <boolean> ); 939}; // may occur multiple times 940 941