1.. highlight: console 2 3named.conf - configuration file for **named** 4--------------------------------------------- 5 6Synopsis 7~~~~~~~~ 8 9:program:`named.conf` 10 11Description 12~~~~~~~~~~~ 13 14``named.conf`` is the configuration file for ``named``. Statements are 15enclosed in braces and terminated with a semi-colon. Clauses in the 16statements are also semi-colon terminated. The usual comment styles are 17supported: 18 19C style: /\* \*/ 20 21 C++ style: // to end of line 22 23Unix style: # to end of line 24 25ACL 26^^^ 27 28:: 29 30 acl string { address_match_element; ... }; 31 32CONTROLS 33^^^^^^^^ 34 35:: 36 37 controls { 38 inet ( ipv4_address | ipv6_address | 39 * ) [ port ( integer | * ) ] allow 40 { address_match_element; ... } [ 41 keys { string; ... } ] [ read-only 42 boolean ]; 43 unix quoted_string perm integer 44 owner integer group integer [ 45 keys { string; ... } ] [ read-only 46 boolean ]; 47 }; 48 49DLZ 50^^^ 51 52:: 53 54 dlz string { 55 database string; 56 search boolean; 57 }; 58 59DNSSEC-POLICY 60^^^^^^^^^^^^^ 61 62:: 63 64 dnssec-policy string { 65 dnskey-ttl duration; 66 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime 67 duration_or_unlimited algorithm string [ integer ]; ... }; 68 max-zone-ttl duration; 69 nsec3param [ iterations integer ] [ optout boolean ] [ 70 salt-length integer ]; 71 parent-ds-ttl duration; 72 parent-propagation-delay duration; 73 publish-safety duration; 74 purge-keys duration; 75 retire-safety duration; 76 signatures-refresh duration; 77 signatures-validity duration; 78 signatures-validity-dnskey duration; 79 zone-propagation-delay duration; 80 }; 81 82DYNDB 83^^^^^ 84 85:: 86 87 dyndb string quoted_string { 88 unspecified-text }; 89 90HTTP 91^^^^ 92 93:: 94 95 http string { 96 endpoints { quoted_string; ... 
}; 97 listener-clients integer; 98 streams-per-connection integer; 99 }; 100 101KEY 102^^^ 103 104:: 105 106 key string { 107 algorithm string; 108 secret string; 109 }; 110 111LOGGING 112^^^^^^^ 113 114:: 115 116 logging { 117 category string { string; ... }; 118 channel string { 119 buffered boolean; 120 file quoted_string [ versions ( unlimited | integer ) ] 121 [ size size ] [ suffix ( increment | timestamp ) ]; 122 null; 123 print-category boolean; 124 print-severity boolean; 125 print-time ( iso8601 | iso8601-utc | local | boolean ); 126 severity log_severity; 127 stderr; 128 syslog [ syslog_facility ]; 129 }; 130 }; 131 132MANAGED-KEYS 133^^^^^^^^^^^^ 134 135See TRUST-ANCHORS. 136 137:: 138 139 managed-keys { string ( static-key 140 | initial-key | static-ds | 141 initial-ds ) integer integer 142 integer quoted_string; ... };, deprecated 143 144MASTERS 145^^^^^^^ 146 147:: 148 149 masters string [ port integer ] [ dscp 150 integer ] { ( remote-servers | 151 ipv4_address [ port integer ] | 152 ipv6_address [ port integer ] ) [ key 153 string ] [ tls string ]; ... }; 154 155OPTIONS 156^^^^^^^ 157 158:: 159 160 options { 161 allow-new-zones boolean; 162 allow-notify { address_match_element; ... }; 163 allow-query { address_match_element; ... }; 164 allow-query-cache { address_match_element; ... }; 165 allow-query-cache-on { address_match_element; ... }; 166 allow-query-on { address_match_element; ... }; 167 allow-recursion { address_match_element; ... }; 168 allow-recursion-on { address_match_element; ... }; 169 allow-transfer { address_match_element; ... }; 170 allow-update { address_match_element; ... }; 171 allow-update-forwarding { address_match_element; ... }; 172 also-notify [ port integer ] [ dscp integer ] { ( 173 remote-servers | ipv4_address [ port integer ] | 174 ipv6_address [ port integer ] ) [ key string ] [ tls 175 string ]; ... 
}; 176 alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) 177 ] [ dscp integer ]; 178 alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | 179 * ) ] [ dscp integer ]; 180 answer-cookie boolean; 181 attach-cache string; 182 auth-nxdomain boolean; 183 auto-dnssec ( allow | maintain | off ); 184 automatic-interface-scan boolean; 185 avoid-v4-udp-ports { portrange; ... }; 186 avoid-v6-udp-ports { portrange; ... }; 187 bindkeys-file quoted_string; 188 blackhole { address_match_element; ... }; 189 catalog-zones { zone string [ default-masters [ port integer ] 190 [ dscp integer ] { ( remote-servers | ipv4_address [ port 191 integer ] | ipv6_address [ port integer ] ) [ key 192 string ] [ tls string ]; ... } ] [ default-primaries [ port 193 integer ] [ dscp integer ] { ( remote-servers | 194 ipv4_address [ port integer ] | ipv6_address [ port 195 integer ] ) [ key string ] [ tls string ]; ... } ] [ 196 zone-directory quoted_string ] [ in-memory boolean ] [ 197 min-update-interval duration ]; ... }; 198 check-dup-records ( fail | warn | ignore ); 199 check-integrity boolean; 200 check-mx ( fail | warn | ignore ); 201 check-mx-cname ( fail | warn | ignore ); 202 check-names ( primary | master | 203 secondary | slave | response ) ( 204 fail | warn | ignore ); 205 check-sibling boolean; 206 check-spf ( warn | ignore ); 207 check-srv-cname ( fail | warn | ignore ); 208 check-wildcard boolean; 209 clients-per-query integer; 210 cookie-algorithm ( aes | siphash24 ); 211 cookie-secret string; 212 coresize ( default | unlimited | sizeval ); 213 datasize ( default | unlimited | sizeval ); 214 deny-answer-addresses { address_match_element; ... } [ 215 except-from { string; ... } ]; 216 deny-answer-aliases { string; ... } [ except-from { string; ... 217 } ]; 218 dialup ( notify | notify-passive | passive | refresh | boolean ); 219 directory quoted_string; 220 disable-algorithms string { string; 221 ... }; 222 disable-ds-digests string { string; 223 ... 
}; 224 disable-empty-zone string; 225 dns64 netprefix { 226 break-dnssec boolean; 227 clients { address_match_element; ... }; 228 exclude { address_match_element; ... }; 229 mapped { address_match_element; ... }; 230 recursive-only boolean; 231 suffix ipv6_address; 232 }; 233 dns64-contact string; 234 dns64-server string; 235 dnskey-sig-validity integer; 236 dnsrps-enable boolean; 237 dnsrps-options { unspecified-text }; 238 dnssec-accept-expired boolean; 239 dnssec-dnskey-kskonly boolean; 240 dnssec-loadkeys-interval integer; 241 dnssec-must-be-secure string boolean; 242 dnssec-policy string; 243 dnssec-secure-to-insecure boolean; 244 dnssec-update-mode ( maintain | no-resign ); 245 dnssec-validation ( yes | no | auto ); 246 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 247 ( query | response ) ]; ... }; 248 dnstap-identity ( quoted_string | none | hostname ); 249 dnstap-output ( file | unix ) quoted_string [ size ( unlimited | 250 size ) ] [ versions ( unlimited | integer ) ] [ suffix ( 251 increment | timestamp ) ]; 252 dnstap-version ( quoted_string | none ); 253 dscp integer; 254 dual-stack-servers [ port integer ] { ( quoted_string [ port 255 integer ] [ dscp integer ] | ipv4_address [ port 256 integer ] [ dscp integer ] | ipv6_address [ port 257 integer ] [ dscp integer ] ); ... }; 258 dump-file quoted_string; 259 edns-udp-size integer; 260 empty-contact string; 261 empty-server string; 262 empty-zones-enable boolean; 263 fetch-quota-params integer fixedpoint fixedpoint fixedpoint; 264 fetches-per-server integer [ ( drop | fail ) ]; 265 fetches-per-zone integer [ ( drop | fail ) ]; 266 files ( default | unlimited | sizeval ); 267 flush-zones-on-shutdown boolean; 268 forward ( first | only ); 269 forwarders [ port integer ] [ dscp integer ] { ( ipv4_address 270 | ipv6_address ) [ port integer ] [ dscp integer ]; ... 
}; 271 fstrm-set-buffer-hint integer; 272 fstrm-set-flush-timeout integer; 273 fstrm-set-input-queue-size integer; 274 fstrm-set-output-notify-threshold integer; 275 fstrm-set-output-queue-model ( mpsc | spsc ); 276 fstrm-set-output-queue-size integer; 277 fstrm-set-reopen-interval duration; 278 geoip-directory ( quoted_string | none ); 279 glue-cache boolean;// deprecated 280 heartbeat-interval integer; 281 hostname ( quoted_string | none ); 282 http-listener-clients integer; 283 http-port integer; 284 http-streams-per-connection integer; 285 https-port integer; 286 interface-interval duration; 287 ipv4only-contact string; 288 ipv4only-enable boolean; 289 ipv4only-server string; 290 ixfr-from-differences ( primary | master | secondary | slave | 291 boolean ); 292 keep-response-order { address_match_element; ... }; 293 key-directory quoted_string; 294 lame-ttl duration; 295 listen-on [ port integer ] [ dscp 296 integer ] [ tls string ] [ http 297 string ] { 298 address_match_element; ... }; 299 listen-on-v6 [ port integer ] [ dscp 300 integer ] [ tls string ] [ http 301 string ] { 302 address_match_element; ... 
}; 303 lmdb-mapsize sizeval; 304 lock-file ( quoted_string | none ); 305 managed-keys-directory quoted_string; 306 masterfile-format ( raw | text ); 307 masterfile-style ( full | relative ); 308 match-mapped-addresses boolean; 309 max-cache-size ( default | unlimited | sizeval | percentage ); 310 max-cache-ttl duration; 311 max-clients-per-query integer; 312 max-ixfr-ratio ( unlimited | percentage ); 313 max-journal-size ( default | unlimited | sizeval ); 314 max-ncache-ttl duration; 315 max-records integer; 316 max-recursion-depth integer; 317 max-recursion-queries integer; 318 max-refresh-time integer; 319 max-retry-time integer; 320 max-rsa-exponent-size integer; 321 max-stale-ttl duration; 322 max-transfer-idle-in integer; 323 max-transfer-idle-out integer; 324 max-transfer-time-in integer; 325 max-transfer-time-out integer; 326 max-udp-size integer; 327 max-zone-ttl ( unlimited | duration ); 328 memstatistics boolean; 329 memstatistics-file quoted_string; 330 message-compression boolean; 331 min-cache-ttl duration; 332 min-ncache-ttl duration; 333 min-refresh-time integer; 334 min-retry-time integer; 335 minimal-any boolean; 336 minimal-responses ( no-auth | no-auth-recursive | boolean ); 337 multi-master boolean; 338 new-zones-directory quoted_string; 339 no-case-compress { address_match_element; ... 
}; 340 nocookie-udp-size integer; 341 notify ( explicit | master-only | primary-only | boolean ); 342 notify-delay integer; 343 notify-rate integer; 344 notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ 345 dscp integer ]; 346 notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] 347 [ dscp integer ]; 348 notify-to-soa boolean; 349 nta-lifetime duration; 350 nta-recheck duration; 351 nxdomain-redirect string; 352 parental-source ( ipv4_address | * ) [ port ( integer | * ) ] [ 353 dscp integer ]; 354 parental-source-v6 ( ipv6_address | * ) [ port ( integer | * ) 355 ] [ dscp integer ]; 356 pid-file ( quoted_string | none ); 357 port integer; 358 preferred-glue string; 359 prefetch integer [ integer ]; 360 provide-ixfr boolean; 361 qname-minimization ( strict | relaxed | disabled | off ); 362 query-source ( ( [ address ] ( ipv4_address | * ) [ port ( 363 integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ] 364 port ( integer | * ) ) ) [ dscp integer ]; 365 query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port ( 366 integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ] 367 port ( integer | * ) ) ) [ dscp integer ]; 368 querylog boolean; 369 random-device ( quoted_string | none ); 370 rate-limit { 371 all-per-second integer; 372 errors-per-second integer; 373 exempt-clients { address_match_element; ... 
}; 374 ipv4-prefix-length integer; 375 ipv6-prefix-length integer; 376 log-only boolean; 377 max-table-size integer; 378 min-table-size integer; 379 nodata-per-second integer; 380 nxdomains-per-second integer; 381 qps-scale integer; 382 referrals-per-second integer; 383 responses-per-second integer; 384 slip integer; 385 window integer; 386 }; 387 recursing-file quoted_string; 388 recursion boolean; 389 recursive-clients integer; 390 request-expire boolean; 391 request-ixfr boolean; 392 request-nsid boolean; 393 require-server-cookie boolean; 394 reserved-sockets integer; 395 resolver-nonbackoff-tries integer; 396 resolver-query-timeout integer; 397 resolver-retry-interval integer; 398 response-padding { address_match_element; ... } block-size 399 integer; 400 response-policy { zone string [ add-soa boolean ] [ log 401 boolean ] [ max-policy-ttl duration ] [ min-update-interval 402 duration ] [ policy ( cname | disabled | drop | given | no-op 403 | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ 404 recursive-only boolean ] [ nsip-enable boolean ] [ 405 nsdname-enable boolean ]; ... } [ add-soa boolean ] [ 406 break-dnssec boolean ] [ max-policy-ttl duration ] [ 407 min-update-interval duration ] [ min-ns-dots integer ] [ 408 nsip-wait-recurse boolean ] [ nsdname-wait-recurse boolean 409 ] [ qname-wait-recurse boolean ] [ recursive-only boolean ] 410 [ nsip-enable boolean ] [ nsdname-enable boolean ] [ 411 dnsrps-enable boolean ] [ dnsrps-options { unspecified-text 412 } ]; 413 root-delegation-only [ exclude { string; ... } ]; 414 root-key-sentinel boolean; 415 rrset-order { [ class string ] [ type string ] [ name 416 quoted_string ] string string; ... 
}; 417 secroots-file quoted_string; 418 send-cookie boolean; 419 serial-query-rate integer; 420 serial-update-method ( date | increment | unixtime ); 421 server-id ( quoted_string | none | hostname ); 422 servfail-ttl duration; 423 session-keyalg string; 424 session-keyfile ( quoted_string | none ); 425 session-keyname string; 426 sig-signing-nodes integer; 427 sig-signing-signatures integer; 428 sig-signing-type integer; 429 sig-validity-interval integer [ integer ]; 430 sortlist { address_match_element; ... }; 431 stacksize ( default | unlimited | sizeval ); 432 stale-answer-client-timeout ( disabled | off | integer ); 433 stale-answer-enable boolean; 434 stale-answer-ttl duration; 435 stale-cache-enable boolean; 436 stale-refresh-time duration; 437 startup-notify-rate integer; 438 statistics-file quoted_string; 439 synth-from-dnssec boolean; 440 tcp-advertised-timeout integer; 441 tcp-clients integer; 442 tcp-idle-timeout integer; 443 tcp-initial-timeout integer; 444 tcp-keepalive-timeout integer; 445 tcp-listen-queue integer; 446 tcp-receive-buffer integer; 447 tcp-send-buffer integer; 448 tkey-dhkey quoted_string integer; 449 tkey-domain quoted_string; 450 tkey-gssapi-credential quoted_string; 451 tkey-gssapi-keytab quoted_string; 452 tls-port integer; 453 transfer-format ( many-answers | one-answer ); 454 transfer-message-size integer; 455 transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ 456 dscp integer ]; 457 transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) 458 ] [ dscp integer ]; 459 transfers-in integer; 460 transfers-out integer; 461 transfers-per-ns integer; 462 trust-anchor-telemetry boolean; // experimental 463 try-tcp-refresh boolean; 464 udp-receive-buffer integer; 465 udp-send-buffer integer; 466 update-check-ksk boolean; 467 use-alt-transfer-source boolean; 468 use-v4-udp-ports { portrange; ... }; 469 use-v6-udp-ports { portrange; ... }; 470 v6-bias integer; 471 validate-except { string; ... 
}; 472 version ( quoted_string | none ); 473 zero-no-soa-ttl boolean; 474 zero-no-soa-ttl-cache boolean; 475 zone-statistics ( full | terse | none | boolean ); 476 }; 477 478PARENTAL-AGENTS 479^^^^^^^^^^^^^^^ 480 481:: 482 483 parental-agents string [ port integer ] [ 484 dscp integer ] { ( remote-servers | 485 ipv4_address [ port integer ] | 486 ipv6_address [ port integer ] ) [ key 487 string ] [ tls string ]; ... }; 488 489PLUGIN 490^^^^^^ 491 492:: 493 494 plugin ( query ) string [ { unspecified-text 495 } ]; 496 497PRIMARIES 498^^^^^^^^^ 499 500:: 501 502 primaries string [ port integer ] [ dscp 503 integer ] { ( remote-servers | 504 ipv4_address [ port integer ] | 505 ipv6_address [ port integer ] ) [ key 506 string ] [ tls string ]; ... }; 507 508SERVER 509^^^^^^ 510 511:: 512 513 server netprefix { 514 bogus boolean; 515 edns boolean; 516 edns-udp-size integer; 517 edns-version integer; 518 keys server_key; 519 max-udp-size integer; 520 notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ 521 dscp integer ]; 522 notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] 523 [ dscp integer ]; 524 padding integer; 525 provide-ixfr boolean; 526 query-source ( ( [ address ] ( ipv4_address | * ) [ port ( 527 integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ] 528 port ( integer | * ) ) ) [ dscp integer ]; 529 query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port ( 530 integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ] 531 port ( integer | * ) ) ) [ dscp integer ]; 532 request-expire boolean; 533 request-ixfr boolean; 534 request-nsid boolean; 535 send-cookie boolean; 536 tcp-keepalive boolean; 537 tcp-only boolean; 538 transfer-format ( many-answers | one-answer ); 539 transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ 540 dscp integer ]; 541 transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) 542 ] [ dscp integer ]; 543 transfers integer; 544 }; 545 546STATISTICS-CHANNELS 547^^^^^^^^^^^^^^^^^^^ 548 549:: 
550 551 statistics-channels { 552 inet ( ipv4_address | ipv6_address | 553 * ) [ port ( integer | * ) ] [ 554 allow { address_match_element; ... 555 } ]; 556 }; 557 558TLS 559^^^ 560 561:: 562 563 tls string { 564 ca-file quoted_string; 565 cert-file quoted_string; 566 ciphers string; 567 dhparam-file quoted_string; 568 hostname quoted_string; 569 key-file quoted_string; 570 prefer-server-ciphers boolean; 571 protocols { string; ... }; 572 session-tickets boolean; 573 }; 574 575TRUST-ANCHORS 576^^^^^^^^^^^^^ 577 578:: 579 580 trust-anchors { string ( static-key | 581 initial-key | static-ds | initial-ds ) 582 integer integer integer 583 quoted_string; ... }; 584 585TRUSTED-KEYS 586^^^^^^^^^^^^ 587 588Deprecated - see TRUST-ANCHORS. 589 590:: 591 592 trusted-keys { string integer 593 integer integer 594 quoted_string; ... };, deprecated 595 596VIEW 597^^^^ 598 599:: 600 601 view string [ class ] { 602 allow-new-zones boolean; 603 allow-notify { address_match_element; ... }; 604 allow-query { address_match_element; ... }; 605 allow-query-cache { address_match_element; ... }; 606 allow-query-cache-on { address_match_element; ... }; 607 allow-query-on { address_match_element; ... }; 608 allow-recursion { address_match_element; ... }; 609 allow-recursion-on { address_match_element; ... }; 610 allow-transfer { address_match_element; ... }; 611 allow-update { address_match_element; ... }; 612 allow-update-forwarding { address_match_element; ... }; 613 also-notify [ port integer ] [ dscp integer ] { ( 614 remote-servers | ipv4_address [ port integer ] | 615 ipv6_address [ port integer ] ) [ key string ] [ tls 616 string ]; ... 
}; 617 alt-transfer-source ( ipv4_address | * ) [ port ( integer | * ) 618 ] [ dscp integer ]; 619 alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer | 620 * ) ] [ dscp integer ]; 621 attach-cache string; 622 auth-nxdomain boolean; 623 auto-dnssec ( allow | maintain | off ); 624 catalog-zones { zone string [ default-masters [ port integer ] 625 [ dscp integer ] { ( remote-servers | ipv4_address [ port 626 integer ] | ipv6_address [ port integer ] ) [ key 627 string ] [ tls string ]; ... } ] [ default-primaries [ port 628 integer ] [ dscp integer ] { ( remote-servers | 629 ipv4_address [ port integer ] | ipv6_address [ port 630 integer ] ) [ key string ] [ tls string ]; ... } ] [ 631 zone-directory quoted_string ] [ in-memory boolean ] [ 632 min-update-interval duration ]; ... }; 633 check-dup-records ( fail | warn | ignore ); 634 check-integrity boolean; 635 check-mx ( fail | warn | ignore ); 636 check-mx-cname ( fail | warn | ignore ); 637 check-names ( primary | master | 638 secondary | slave | response ) ( 639 fail | warn | ignore ); 640 check-sibling boolean; 641 check-spf ( warn | ignore ); 642 check-srv-cname ( fail | warn | ignore ); 643 check-wildcard boolean; 644 clients-per-query integer; 645 deny-answer-addresses { address_match_element; ... } [ 646 except-from { string; ... } ]; 647 deny-answer-aliases { string; ... } [ except-from { string; ... 648 } ]; 649 dialup ( notify | notify-passive | passive | refresh | boolean ); 650 disable-algorithms string { string; 651 ... }; 652 disable-ds-digests string { string; 653 ... }; 654 disable-empty-zone string; 655 dlz string { 656 database string; 657 search boolean; 658 }; 659 dns64 netprefix { 660 break-dnssec boolean; 661 clients { address_match_element; ... }; 662 exclude { address_match_element; ... }; 663 mapped { address_match_element; ... 
}; 664 recursive-only boolean; 665 suffix ipv6_address; 666 }; 667 dns64-contact string; 668 dns64-server string; 669 dnskey-sig-validity integer; 670 dnsrps-enable boolean; 671 dnsrps-options { unspecified-text }; 672 dnssec-accept-expired boolean; 673 dnssec-dnskey-kskonly boolean; 674 dnssec-loadkeys-interval integer; 675 dnssec-must-be-secure string boolean; 676 dnssec-policy string; 677 dnssec-secure-to-insecure boolean; 678 dnssec-update-mode ( maintain | no-resign ); 679 dnssec-validation ( yes | no | auto ); 680 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 681 ( query | response ) ]; ... }; 682 dual-stack-servers [ port integer ] { ( quoted_string [ port 683 integer ] [ dscp integer ] | ipv4_address [ port 684 integer ] [ dscp integer ] | ipv6_address [ port 685 integer ] [ dscp integer ] ); ... }; 686 dyndb string quoted_string { 687 unspecified-text }; 688 edns-udp-size integer; 689 empty-contact string; 690 empty-server string; 691 empty-zones-enable boolean; 692 fetch-quota-params integer fixedpoint fixedpoint fixedpoint; 693 fetches-per-server integer [ ( drop | fail ) ]; 694 fetches-per-zone integer [ ( drop | fail ) ]; 695 forward ( first | only ); 696 forwarders [ port integer ] [ dscp integer ] { ( ipv4_address 697 | ipv6_address ) [ port integer ] [ dscp integer ]; ... }; 698 glue-cache boolean;// deprecated 699 ipv4only-contact string; 700 ipv4only-enable boolean; 701 ipv4only-server string; 702 ixfr-from-differences ( primary | master | secondary | slave | 703 boolean ); 704 key string { 705 algorithm string; 706 secret string; 707 }; 708 key-directory quoted_string; 709 lame-ttl duration; 710 lmdb-mapsize sizeval; 711 managed-keys { string ( 712 static-key | initial-key 713 | static-ds | initial-ds 714 ) integer integer 715 integer 716 quoted_string; ... };, deprecated 717 masterfile-format ( raw | text ); 718 masterfile-style ( full | relative ); 719 match-clients { address_match_element; ... 
}; 720 match-destinations { address_match_element; ... }; 721 match-recursive-only boolean; 722 max-cache-size ( default | unlimited | sizeval | percentage ); 723 max-cache-ttl duration; 724 max-clients-per-query integer; 725 max-ixfr-ratio ( unlimited | percentage ); 726 max-journal-size ( default | unlimited | sizeval ); 727 max-ncache-ttl duration; 728 max-records integer; 729 max-recursion-depth integer; 730 max-recursion-queries integer; 731 max-refresh-time integer; 732 max-retry-time integer; 733 max-stale-ttl duration; 734 max-transfer-idle-in integer; 735 max-transfer-idle-out integer; 736 max-transfer-time-in integer; 737 max-transfer-time-out integer; 738 max-udp-size integer; 739 max-zone-ttl ( unlimited | duration ); 740 message-compression boolean; 741 min-cache-ttl duration; 742 min-ncache-ttl duration; 743 min-refresh-time integer; 744 min-retry-time integer; 745 minimal-any boolean; 746 minimal-responses ( no-auth | no-auth-recursive | boolean ); 747 multi-master boolean; 748 new-zones-directory quoted_string; 749 no-case-compress { address_match_element; ... 
}; 750 nocookie-udp-size integer; 751 notify ( explicit | master-only | primary-only | boolean ); 752 notify-delay integer; 753 notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [ 754 dscp integer ]; 755 notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ] 756 [ dscp integer ]; 757 notify-to-soa boolean; 758 nta-lifetime duration; 759 nta-recheck duration; 760 nxdomain-redirect string; 761 parental-source ( ipv4_address | * ) [ port ( integer | * ) ] [ 762 dscp integer ]; 763 parental-source-v6 ( ipv6_address | * ) [ port ( integer | * ) 764 ] [ dscp integer ]; 765 plugin ( query ) string [ { 766 unspecified-text } ]; 767 preferred-glue string; 768 prefetch integer [ integer ]; 769 provide-ixfr boolean; 770 qname-minimization ( strict | relaxed | disabled | off ); 771 query-source ( ( [ address ] ( ipv4_address | * ) [ port ( 772 integer | * ) ] ) | ( [ [ address ] ( ipv4_address | * ) ] 773 port ( integer | * ) ) ) [ dscp integer ]; 774 query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ port ( 775 integer | * ) ] ) | ( [ [ address ] ( ipv6_address | * ) ] 776 port ( integer | * ) ) ) [ dscp integer ]; 777 rate-limit { 778 all-per-second integer; 779 errors-per-second integer; 780 exempt-clients { address_match_element; ... }; 781 ipv4-prefix-length integer; 782 ipv6-prefix-length integer; 783 log-only boolean; 784 max-table-size integer; 785 min-table-size integer; 786 nodata-per-second integer; 787 nxdomains-per-second integer; 788 qps-scale integer; 789 referrals-per-second integer; 790 responses-per-second integer; 791 slip integer; 792 window integer; 793 }; 794 recursion boolean; 795 request-expire boolean; 796 request-ixfr boolean; 797 request-nsid boolean; 798 require-server-cookie boolean; 799 resolver-nonbackoff-tries integer; 800 resolver-query-timeout integer; 801 resolver-retry-interval integer; 802 response-padding { address_match_element; ... 
} block-size 803 integer; 804 response-policy { zone string [ add-soa boolean ] [ log 805 boolean ] [ max-policy-ttl duration ] [ min-update-interval 806 duration ] [ policy ( cname | disabled | drop | given | no-op 807 | nodata | nxdomain | passthru | tcp-only quoted_string ) ] [ 808 recursive-only boolean ] [ nsip-enable boolean ] [ 809 nsdname-enable boolean ]; ... } [ add-soa boolean ] [ 810 break-dnssec boolean ] [ max-policy-ttl duration ] [ 811 min-update-interval duration ] [ min-ns-dots integer ] [ 812 nsip-wait-recurse boolean ] [ nsdname-wait-recurse boolean 813 ] [ qname-wait-recurse boolean ] [ recursive-only boolean ] 814 [ nsip-enable boolean ] [ nsdname-enable boolean ] [ 815 dnsrps-enable boolean ] [ dnsrps-options { unspecified-text 816 } ]; 817 root-delegation-only [ exclude { string; ... } ]; 818 root-key-sentinel boolean; 819 rrset-order { [ class string ] [ type string ] [ name 820 quoted_string ] string string; ... }; 821 send-cookie boolean; 822 serial-update-method ( date | increment | unixtime ); 823 server netprefix { 824 bogus boolean; 825 edns boolean; 826 edns-udp-size integer; 827 edns-version integer; 828 keys server_key; 829 max-udp-size integer; 830 notify-source ( ipv4_address | * ) [ port ( integer | * 831 ) ] [ dscp integer ]; 832 notify-source-v6 ( ipv6_address | * ) [ port ( integer 833 | * ) ] [ dscp integer ]; 834 padding integer; 835 provide-ixfr boolean; 836 query-source ( ( [ address ] ( ipv4_address | * ) [ port 837 ( integer | * ) ] ) | ( [ [ address ] ( 838 ipv4_address | * ) ] port ( integer | * ) ) ) [ 839 dscp integer ]; 840 query-source-v6 ( ( [ address ] ( ipv6_address | * ) [ 841 port ( integer | * ) ] ) | ( [ [ address ] ( 842 ipv6_address | * ) ] port ( integer | * ) ) ) [ 843 dscp integer ]; 844 request-expire boolean; 845 request-ixfr boolean; 846 request-nsid boolean; 847 send-cookie boolean; 848 tcp-keepalive boolean; 849 tcp-only boolean; 850 transfer-format ( many-answers | one-answer ); 851 
transfer-source ( ipv4_address | * ) [ port ( integer | 852 * ) ] [ dscp integer ]; 853 transfer-source-v6 ( ipv6_address | * ) [ port ( 854 integer | * ) ] [ dscp integer ]; 855 transfers integer; 856 }; 857 servfail-ttl duration; 858 sig-signing-nodes integer; 859 sig-signing-signatures integer; 860 sig-signing-type integer; 861 sig-validity-interval integer [ integer ]; 862 sortlist { address_match_element; ... }; 863 stale-answer-client-timeout ( disabled | off | integer ); 864 stale-answer-enable boolean; 865 stale-answer-ttl duration; 866 stale-cache-enable boolean; 867 stale-refresh-time duration; 868 synth-from-dnssec boolean; 869 transfer-format ( many-answers | one-answer ); 870 transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [ 871 dscp integer ]; 872 transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * ) 873 ] [ dscp integer ]; 874 trust-anchor-telemetry boolean; // experimental 875 trust-anchors { string ( static-key | 876 initial-key | static-ds | initial-ds 877 ) integer integer integer 878 quoted_string; ... }; 879 trusted-keys { string 880 integer integer 881 integer 882 quoted_string; ... };, deprecated 883 try-tcp-refresh boolean; 884 update-check-ksk boolean; 885 use-alt-transfer-source boolean; 886 v6-bias integer; 887 validate-except { string; ... }; 888 zero-no-soa-ttl boolean; 889 zero-no-soa-ttl-cache boolean; 890 zone string [ class ] { 891 allow-notify { address_match_element; ... }; 892 allow-query { address_match_element; ... }; 893 allow-query-on { address_match_element; ... }; 894 allow-transfer { address_match_element; ... }; 895 allow-update { address_match_element; ... }; 896 allow-update-forwarding { address_match_element; ... }; 897 also-notify [ port integer ] [ dscp integer ] { ( 898 remote-servers | ipv4_address [ port integer ] | 899 ipv6_address [ port integer ] ) [ key string ] [ 900 tls string ]; ... 
}; 901 alt-transfer-source ( ipv4_address | * ) [ port ( 902 integer | * ) ] [ dscp integer ]; 903 alt-transfer-source-v6 ( ipv6_address | * ) [ port ( 904 integer | * ) ] [ dscp integer ]; 905 auto-dnssec ( allow | maintain | off ); 906 check-dup-records ( fail | warn | ignore ); 907 check-integrity boolean; 908 check-mx ( fail | warn | ignore ); 909 check-mx-cname ( fail | warn | ignore ); 910 check-names ( fail | warn | ignore ); 911 check-sibling boolean; 912 check-spf ( warn | ignore ); 913 check-srv-cname ( fail | warn | ignore ); 914 check-wildcard boolean; 915 database string; 916 delegation-only boolean; 917 dialup ( notify | notify-passive | passive | refresh | 918 boolean ); 919 dlz string; 920 dnskey-sig-validity integer; 921 dnssec-dnskey-kskonly boolean; 922 dnssec-loadkeys-interval integer; 923 dnssec-policy string; 924 dnssec-secure-to-insecure boolean; 925 dnssec-update-mode ( maintain | no-resign ); 926 file quoted_string; 927 forward ( first | only ); 928 forwarders [ port integer ] [ dscp integer ] { ( 929 ipv4_address | ipv6_address ) [ port integer ] [ 930 dscp integer ]; ... }; 931 in-view string; 932 inline-signing boolean; 933 ixfr-from-differences boolean; 934 journal quoted_string; 935 key-directory quoted_string; 936 masterfile-format ( raw | text ); 937 masterfile-style ( full | relative ); 938 masters [ port integer ] [ dscp integer ] { ( 939 remote-servers | ipv4_address [ port integer ] | 940 ipv6_address [ port integer ] ) [ key string ] [ 941 tls string ]; ... 
}; 942 max-ixfr-ratio ( unlimited | percentage ); 943 max-journal-size ( default | unlimited | sizeval ); 944 max-records integer; 945 max-refresh-time integer; 946 max-retry-time integer; 947 max-transfer-idle-in integer; 948 max-transfer-idle-out integer; 949 max-transfer-time-in integer; 950 max-transfer-time-out integer; 951 max-zone-ttl ( unlimited | duration ); 952 min-refresh-time integer; 953 min-retry-time integer; 954 multi-master boolean; 955 notify ( explicit | master-only | primary-only | boolean ); 956 notify-delay integer; 957 notify-source ( ipv4_address | * ) [ port ( integer | * 958 ) ] [ dscp integer ]; 959 notify-source-v6 ( ipv6_address | * ) [ port ( integer 960 | * ) ] [ dscp integer ]; 961 notify-to-soa boolean; 962 parental-agents [ port integer ] [ dscp integer ] { ( 963 remote-servers | ipv4_address [ port integer ] | 964 ipv6_address [ port integer ] ) [ key string ] [ 965 tls string ]; ... }; 966 parental-source ( ipv4_address | * ) [ port ( integer | 967 * ) ] [ dscp integer ]; 968 parental-source-v6 ( ipv6_address | * ) [ port ( 969 integer | * ) ] [ dscp integer ]; 970 primaries [ port integer ] [ dscp integer ] { ( 971 remote-servers | ipv4_address [ port integer ] | 972 ipv6_address [ port integer ] ) [ key string ] [ 973 tls string ]; ... }; 974 request-expire boolean; 975 request-ixfr boolean; 976 serial-update-method ( date | increment | unixtime ); 977 server-addresses { ( ipv4_address | ipv6_address ); ... }; 978 server-names { string; ... 
              };
          sig-signing-nodes integer;
          sig-signing-signatures integer;
          sig-signing-type integer;
          sig-validity-interval integer [ integer ];
          transfer-source ( ipv4_address | * ) [ port ( integer |
              * ) ] [ dscp integer ];
          transfer-source-v6 ( ipv6_address | * ) [ port (
              integer | * ) ] [ dscp integer ];
          try-tcp-refresh boolean;
          type ( primary | master | secondary | slave | mirror |
              delegation-only | forward | hint | redirect |
              static-stub | stub );
          update-check-ksk boolean;
          update-policy ( local | { ( deny | grant ) string (
              6to4-self | external | krb5-self | krb5-selfsub |
              krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
              name | self | selfsub | selfwild | subdomain | tcp-self
              | wildcard | zonesub ) [ string ] rrtypelist; ... };
          use-alt-transfer-source boolean;
          zero-no-soa-ttl boolean;
          zone-statistics ( full | terse | none | boolean );
      };
      zone-statistics ( full | terse | none | boolean );
  };

ZONE
^^^^

::

  zone string [ class ] {
      allow-notify { address_match_element; ... };
      allow-query { address_match_element; ... };
      allow-query-on { address_match_element; ... };
      allow-transfer { address_match_element; ... };
      allow-update { address_match_element; ... };
      allow-update-forwarding { address_match_element; ... };
      also-notify [ port integer ] [ dscp integer ] { (
          remote-servers | ipv4_address [ port integer ] |
          ipv6_address [ port integer ] ) [ key string ] [ tls
          string ]; ...
          };
      alt-transfer-source ( ipv4_address | * ) [ port ( integer | * )
          ] [ dscp integer ];
      alt-transfer-source-v6 ( ipv6_address | * ) [ port ( integer |
          * ) ] [ dscp integer ];
      auto-dnssec ( allow | maintain | off );
      check-dup-records ( fail | warn | ignore );
      check-integrity boolean;
      check-mx ( fail | warn | ignore );
      check-mx-cname ( fail | warn | ignore );
      check-names ( fail | warn | ignore );
      check-sibling boolean;
      check-spf ( warn | ignore );
      check-srv-cname ( fail | warn | ignore );
      check-wildcard boolean;
      database string;
      delegation-only boolean;
      dialup ( notify | notify-passive | passive | refresh | boolean );
      dlz string;
      dnskey-sig-validity integer;
      dnssec-dnskey-kskonly boolean;
      dnssec-loadkeys-interval integer;
      dnssec-policy string;
      dnssec-secure-to-insecure boolean;
      dnssec-update-mode ( maintain | no-resign );
      file quoted_string;
      forward ( first | only );
      forwarders [ port integer ] [ dscp integer ] { ( ipv4_address
          | ipv6_address ) [ port integer ] [ dscp integer ]; ... };
      in-view string;
      inline-signing boolean;
      ixfr-from-differences boolean;
      journal quoted_string;
      key-directory quoted_string;
      masterfile-format ( raw | text );
      masterfile-style ( full | relative );
      masters [ port integer ] [ dscp integer ] { ( remote-servers
          | ipv4_address [ port integer ] | ipv6_address [ port
          integer ] ) [ key string ] [ tls string ]; ...
          };
      max-ixfr-ratio ( unlimited | percentage );
      max-journal-size ( default | unlimited | sizeval );
      max-records integer;
      max-refresh-time integer;
      max-retry-time integer;
      max-transfer-idle-in integer;
      max-transfer-idle-out integer;
      max-transfer-time-in integer;
      max-transfer-time-out integer;
      max-zone-ttl ( unlimited | duration );
      min-refresh-time integer;
      min-retry-time integer;
      multi-master boolean;
      notify ( explicit | master-only | primary-only | boolean );
      notify-delay integer;
      notify-source ( ipv4_address | * ) [ port ( integer | * ) ] [
          dscp integer ];
      notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
          [ dscp integer ];
      notify-to-soa boolean;
      parental-agents [ port integer ] [ dscp integer ] { (
          remote-servers | ipv4_address [ port integer ] |
          ipv6_address [ port integer ] ) [ key string ] [ tls
          string ]; ... };
      parental-source ( ipv4_address | * ) [ port ( integer | * ) ] [
          dscp integer ];
      parental-source-v6 ( ipv6_address | * ) [ port ( integer | * )
          ] [ dscp integer ];
      primaries [ port integer ] [ dscp integer ] { (
          remote-servers | ipv4_address [ port integer ] |
          ipv6_address [ port integer ] ) [ key string ] [ tls
          string ]; ... };
      request-expire boolean;
      request-ixfr boolean;
      serial-update-method ( date | increment | unixtime );
      server-addresses { ( ipv4_address | ipv6_address ); ... };
      server-names { string; ...
          };
      sig-signing-nodes integer;
      sig-signing-signatures integer;
      sig-signing-type integer;
      sig-validity-interval integer [ integer ];
      transfer-source ( ipv4_address | * ) [ port ( integer | * ) ] [
          dscp integer ];
      transfer-source-v6 ( ipv6_address | * ) [ port ( integer | * )
          ] [ dscp integer ];
      try-tcp-refresh boolean;
      type ( primary | master | secondary | slave | mirror |
          delegation-only | forward | hint | redirect | static-stub |
          stub );
      update-check-ksk boolean;
      update-policy ( local | { ( deny | grant ) string ( 6to4-self |
          external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
          | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
          | subdomain | tcp-self | wildcard | zonesub ) [ string ]
          rrtypelist; ... };
      use-alt-transfer-source boolean;
      zero-no-soa-ttl boolean;
      zone-statistics ( full | terse | none | boolean );
  };

Files
~~~~~

``/etc/named.conf``

See Also
~~~~~~~~

:manpage:`named(8)`, :manpage:`named-checkconf(8)`, :manpage:`rndc(8)`, :manpage:`rndc-confgen(8)`, :manpage:`tsig-keygen(8)`, BIND 9 Administrator Reference Manual.