1 2This is a summary of the named.conf options supported by 3this version of BIND 9. 4 5acl <string> { <address_match_element>; ... }; // may occur multiple times 6 7controls { 8 inet ( <ipv4_address> | <ipv6_address> | 9 * ) [ port ( <integer> | * ) ] allow 10 { <address_match_element>; ... } [ 11 keys { <string>; ... } ] [ read-only 12 <boolean> ]; // may occur multiple times 13 unix <quoted_string> perm <integer> 14 owner <integer> group <integer> [ 15 keys { <string>; ... } ] [ read-only 16 <boolean> ]; // may occur multiple times 17}; // may occur multiple times 18 19dlz <string> { 20 database <string>; 21 search <boolean>; 22}; // may occur multiple times 23 24dnssec-policy <string> { 25 dnskey-ttl <duration>; 26 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime 27 <duration_or_unlimited> algorithm <string> [ <integer> ]; ... }; 28 max-zone-ttl <duration>; 29 nsec3param [ iterations <integer> ] [ optout <boolean> ] [ 30 salt-length <integer> ]; 31 parent-ds-ttl <duration>; 32 parent-propagation-delay <duration>; 33 parent-registration-delay <duration>; // obsolete 34 publish-safety <duration>; 35 purge-keys <duration>; 36 retire-safety <duration>; 37 signatures-refresh <duration>; 38 signatures-validity <duration>; 39 signatures-validity-dnskey <duration>; 40 zone-propagation-delay <duration>; 41}; // may occur multiple times 42 43dyndb <string> <quoted_string> { 44 <unspecified-text> }; // may occur multiple times 45 46http <string> { 47 endpoints { <quoted_string>; ... }; 48 listener-clients <integer>; 49 streams-per-connection <integer>; 50}; // may occur multiple times 51 52key <string> { 53 algorithm <string>; 54 secret <string>; 55}; // may occur multiple times 56 57logging { 58 category <string> { <string>; ... }; // may occur multiple times 59 channel <string> { 60 buffered <boolean>; 61 file <quoted_string> [ versions ( unlimited | <integer> ) ] 62 [ size <size> ] [ suffix ( increment | timestamp ) ]; 63 null; 64 print-category <boolean>; 65 print-severity <boolean>; 66 print-time ( iso8601 | iso8601-utc | local | <boolean> ); 67 severity <log_severity>; 68 stderr; 69 syslog [ <syslog_facility> ]; 70 }; // may occur multiple times 71}; 72 73managed-keys { <string> ( static-key 74 | initial-key | static-ds | 75 initial-ds ) <integer> <integer> 76 <integer> <quoted_string>; ... }; // may occur multiple times, deprecated 77 78masters <string> [ port <integer> ] [ dscp 79 <integer> ] { ( <remote-servers> | 80 <ipv4_address> [ port <integer> ] | 81 <ipv6_address> [ port <integer> ] ) [ key 82 <string> ] [ tls <string> ]; ... }; // may occur multiple times 83 84options { 85 allow-new-zones <boolean>; 86 allow-notify { <address_match_element>; ... }; 87 allow-query { <address_match_element>; ... }; 88 allow-query-cache { <address_match_element>; ... }; 89 allow-query-cache-on { <address_match_element>; ... }; 90 allow-query-on { <address_match_element>; ... }; 91 allow-recursion { <address_match_element>; ... }; 92 allow-recursion-on { <address_match_element>; ... }; 93 allow-transfer { <address_match_element>; ... }; 94 allow-update { <address_match_element>; ... }; 95 allow-update-forwarding { <address_match_element>; ... }; 96 also-notify [ port <integer> ] [ dscp <integer> ] { ( 97 <remote-servers> | <ipv4_address> [ port <integer> ] | 98 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 99 <string> ]; ... }; 100 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 101 ] [ dscp <integer> ]; 102 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 103 * ) ] [ dscp <integer> ]; 104 answer-cookie <boolean>; 105 attach-cache <string>; 106 auth-nxdomain <boolean>; 107 auto-dnssec ( allow | maintain | off ); 108 automatic-interface-scan <boolean>; 109 avoid-v4-udp-ports { <portrange>; ... }; 110 avoid-v6-udp-ports { <portrange>; ... }; 111 bindkeys-file <quoted_string>; 112 blackhole { <address_match_element>; ... }; 113 catalog-zones { zone <string> [ default-masters [ port <integer> ] 114 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 115 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 116 <string> ] [ tls <string> ]; ... } ] [ default-primaries [ port 117 <integer> ] [ dscp <integer> ] { ( <remote-servers> | 118 <ipv4_address> [ port <integer> ] | <ipv6_address> [ port 119 <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ 120 zone-directory <quoted_string> ] [ in-memory <boolean> ] [ 121 min-update-interval <duration> ]; ... }; 122 check-dup-records ( fail | warn | ignore ); 123 check-integrity <boolean>; 124 check-mx ( fail | warn | ignore ); 125 check-mx-cname ( fail | warn | ignore ); 126 check-names ( primary | master | 127 secondary | slave | response ) ( 128 fail | warn | ignore ); // may occur multiple times 129 check-sibling <boolean>; 130 check-spf ( warn | ignore ); 131 check-srv-cname ( fail | warn | ignore ); 132 check-wildcard <boolean>; 133 clients-per-query <integer>; 134 cookie-algorithm ( aes | siphash24 ); 135 cookie-secret <string>; // may occur multiple times 136 coresize ( default | unlimited | <sizeval> ); 137 datasize ( default | unlimited | <sizeval> ); 138 deny-answer-addresses { <address_match_element>; ... } [ 139 except-from { <string>; ... } ]; 140 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 141 } ]; 142 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 143 directory <quoted_string>; 144 disable-algorithms <string> { <string>; 145 ... }; // may occur multiple times 146 disable-ds-digests <string> { <string>; 147 ... }; // may occur multiple times 148 disable-empty-zone <string>; // may occur multiple times 149 dns64 <netprefix> { 150 break-dnssec <boolean>; 151 clients { <address_match_element>; ... }; 152 exclude { <address_match_element>; ... }; 153 mapped { <address_match_element>; ... }; 154 recursive-only <boolean>; 155 suffix <ipv6_address>; 156 }; // may occur multiple times 157 dns64-contact <string>; 158 dns64-server <string>; 159 dnskey-sig-validity <integer>; 160 dnsrps-enable <boolean>; 161 dnsrps-options { <unspecified-text> }; 162 dnssec-accept-expired <boolean>; 163 dnssec-dnskey-kskonly <boolean>; 164 dnssec-loadkeys-interval <integer>; 165 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 166 dnssec-policy <string>; 167 dnssec-secure-to-insecure <boolean>; 168 dnssec-update-mode ( maintain | no-resign ); 169 dnssec-validation ( yes | no | auto ); 170 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 171 ( query | response ) ]; ... }; 172 dnstap-identity ( <quoted_string> | none | hostname ); 173 dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | 174 <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( 175 increment | timestamp ) ]; 176 dnstap-version ( <quoted_string> | none ); 177 dscp <integer>; 178 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 179 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 180 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 181 <integer> ] [ dscp <integer> ] ); ... }; 182 dump-file <quoted_string>; 183 edns-udp-size <integer>; 184 empty-contact <string>; 185 empty-server <string>; 186 empty-zones-enable <boolean>; 187 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 188 fetches-per-server <integer> [ ( drop | fail ) ]; 189 fetches-per-zone <integer> [ ( drop | fail ) ]; 190 files ( default | unlimited | <sizeval> ); 191 flush-zones-on-shutdown <boolean>; 192 forward ( first | only ); 193 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 194 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 195 fstrm-set-buffer-hint <integer>; 196 fstrm-set-flush-timeout <integer>; 197 fstrm-set-input-queue-size <integer>; 198 fstrm-set-output-notify-threshold <integer>; 199 fstrm-set-output-queue-model ( mpsc | spsc ); 200 fstrm-set-output-queue-size <integer>; 201 fstrm-set-reopen-interval <duration>; 202 geoip-directory ( <quoted_string> | none ); 203 glue-cache <boolean>; // deprecated 204 heartbeat-interval <integer>; 205 hostname ( <quoted_string> | none ); 206 http-listener-clients <integer>; 207 http-port <integer>; 208 http-streams-per-connection <integer>; 209 https-port <integer>; 210 interface-interval <duration>; 211 ipv4only-contact <string>; 212 ipv4only-enable <boolean>; 213 ipv4only-server <string>; 214 ixfr-from-differences ( primary | master | secondary | slave | 215 <boolean> ); 216 keep-response-order { <address_match_element>; ... }; 217 key-directory <quoted_string>; 218 lame-ttl <duration>; 219 listen-on [ port <integer> ] [ dscp 220 <integer> ] [ tls <string> ] [ http 221 <string> ] { 222 <address_match_element>; ... }; // may occur multiple times 223 listen-on-v6 [ port <integer> ] [ dscp 224 <integer> ] [ tls <string> ] [ http 225 <string> ] { 226 <address_match_element>; ... }; // may occur multiple times 227 lmdb-mapsize <sizeval>; 228 lock-file ( <quoted_string> | none ); 229 managed-keys-directory <quoted_string>; 230 masterfile-format ( raw | text ); 231 masterfile-style ( full | relative ); 232 match-mapped-addresses <boolean>; 233 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 234 max-cache-ttl <duration>; 235 max-clients-per-query <integer>; 236 max-ixfr-ratio ( unlimited | <percentage> ); 237 max-journal-size ( default | unlimited | <sizeval> ); 238 max-ncache-ttl <duration>; 239 max-records <integer>; 240 max-recursion-depth <integer>; 241 max-recursion-queries <integer>; 242 max-refresh-time <integer>; 243 max-retry-time <integer>; 244 max-rsa-exponent-size <integer>; 245 max-stale-ttl <duration>; 246 max-transfer-idle-in <integer>; 247 max-transfer-idle-out <integer>; 248 max-transfer-time-in <integer>; 249 max-transfer-time-out <integer>; 250 max-udp-size <integer>; 251 max-zone-ttl ( unlimited | <duration> ); 252 memstatistics <boolean>; 253 memstatistics-file <quoted_string>; 254 message-compression <boolean>; 255 min-cache-ttl <duration>; 256 min-ncache-ttl <duration>; 257 min-refresh-time <integer>; 258 min-retry-time <integer>; 259 minimal-any <boolean>; 260 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 261 multi-master <boolean>; 262 new-zones-directory <quoted_string>; 263 no-case-compress { <address_match_element>; ... }; 264 nocookie-udp-size <integer>; 265 notify ( explicit | master-only | primary-only | <boolean> ); 266 notify-delay <integer>; 267 notify-rate <integer>; 268 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 269 dscp <integer> ]; 270 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 271 [ dscp <integer> ]; 272 notify-to-soa <boolean>; 273 nsec3-test-zone <boolean>; // test only 274 nta-lifetime <duration>; 275 nta-recheck <duration>; 276 nxdomain-redirect <string>; 277 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 278 dscp <integer> ]; 279 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 280 ] [ dscp <integer> ]; 281 pid-file ( <quoted_string> | none ); 282 port <integer>; 283 preferred-glue <string>; 284 prefetch <integer> [ <integer> ]; 285 provide-ixfr <boolean>; 286 qname-minimization ( strict | relaxed | disabled | off ); 287 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 288 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 289 port ( <integer> | * ) ) ) [ dscp <integer> ]; 290 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 291 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 292 port ( <integer> | * ) ) ) [ dscp <integer> ]; 293 querylog <boolean>; 294 random-device ( <quoted_string> | none ); 295 rate-limit { 296 all-per-second <integer>; 297 errors-per-second <integer>; 298 exempt-clients { <address_match_element>; ... }; 299 ipv4-prefix-length <integer>; 300 ipv6-prefix-length <integer>; 301 log-only <boolean>; 302 max-table-size <integer>; 303 min-table-size <integer>; 304 nodata-per-second <integer>; 305 nxdomains-per-second <integer>; 306 qps-scale <integer>; 307 referrals-per-second <integer>; 308 responses-per-second <integer>; 309 slip <integer>; 310 window <integer>; 311 }; 312 recursing-file <quoted_string>; 313 recursion <boolean>; 314 recursive-clients <integer>; 315 request-expire <boolean>; 316 request-ixfr <boolean>; 317 request-nsid <boolean>; 318 require-server-cookie <boolean>; 319 reserved-sockets <integer>; 320 resolver-nonbackoff-tries <integer>; 321 resolver-query-timeout <integer>; 322 resolver-retry-interval <integer>; 323 response-padding { <address_match_element>; ... } block-size 324 <integer>; 325 response-policy { zone <string> [ add-soa <boolean> ] [ log 326 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 327 <duration> ] [ policy ( cname | disabled | drop | given | no-op 328 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 329 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 330 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 331 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 332 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 333 nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> 334 ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] 335 [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ 336 dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> 337 } ]; 338 root-delegation-only [ exclude { <string>; ... } ]; 339 root-key-sentinel <boolean>; 340 rrset-order { [ class <string> ] [ type <string> ] [ name 341 <quoted_string> ] <string> <string>; ... }; 342 secroots-file <quoted_string>; 343 send-cookie <boolean>; 344 serial-query-rate <integer>; 345 serial-update-method ( date | increment | unixtime ); 346 server-id ( <quoted_string> | none | hostname ); 347 servfail-ttl <duration>; 348 session-keyalg <string>; 349 session-keyfile ( <quoted_string> | none ); 350 session-keyname <string>; 351 sig-signing-nodes <integer>; 352 sig-signing-signatures <integer>; 353 sig-signing-type <integer>; 354 sig-validity-interval <integer> [ <integer> ]; 355 sortlist { <address_match_element>; ... }; 356 stacksize ( default | unlimited | <sizeval> ); 357 stale-answer-client-timeout ( disabled | off | <integer> ); 358 stale-answer-enable <boolean>; 359 stale-answer-ttl <duration>; 360 stale-cache-enable <boolean>; 361 stale-refresh-time <duration>; 362 startup-notify-rate <integer>; 363 statistics-file <quoted_string>; 364 suppress-initial-notify <boolean>; // obsolete 365 synth-from-dnssec <boolean>; 366 tcp-advertised-timeout <integer>; 367 tcp-clients <integer>; 368 tcp-idle-timeout <integer>; 369 tcp-initial-timeout <integer>; 370 tcp-keepalive-timeout <integer>; 371 tcp-listen-queue <integer>; 372 tcp-receive-buffer <integer>; 373 tcp-send-buffer <integer>; 374 tkey-dhkey <quoted_string> <integer>; 375 tkey-domain <quoted_string>; 376 tkey-gssapi-credential <quoted_string>; 377 tkey-gssapi-keytab <quoted_string>; 378 tls-port <integer>; 379 transfer-format ( many-answers | one-answer ); 380 transfer-message-size <integer>; 381 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 382 dscp <integer> ]; 383 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 384 ] [ dscp <integer> ]; 385 transfers-in <integer>; 386 transfers-out <integer>; 387 transfers-per-ns <integer>; 388 trust-anchor-telemetry <boolean>; // experimental 389 try-tcp-refresh <boolean>; 390 udp-receive-buffer <integer>; 391 udp-send-buffer <integer>; 392 update-check-ksk <boolean>; 393 use-alt-transfer-source <boolean>; 394 use-v4-udp-ports { <portrange>; ... }; 395 use-v6-udp-ports { <portrange>; ... }; 396 v6-bias <integer>; 397 validate-except { <string>; ... }; 398 version ( <quoted_string> | none ); 399 zero-no-soa-ttl <boolean>; 400 zero-no-soa-ttl-cache <boolean>; 401 zone-statistics ( full | terse | none | <boolean> ); 402}; 403 404parental-agents <string> [ port <integer> ] [ 405 dscp <integer> ] { ( <remote-servers> | 406 <ipv4_address> [ port <integer> ] | 407 <ipv6_address> [ port <integer> ] ) [ key 408 <string> ] [ tls <string> ]; ... }; // may occur multiple times 409 410plugin ( query ) <string> [ { <unspecified-text> 411 } ]; // may occur multiple times 412 413primaries <string> [ port <integer> ] [ dscp 414 <integer> ] { ( <remote-servers> | 415 <ipv4_address> [ port <integer> ] | 416 <ipv6_address> [ port <integer> ] ) [ key 417 <string> ] [ tls <string> ]; ... }; // may occur multiple times 418 419server <netprefix> { 420 bogus <boolean>; 421 edns <boolean>; 422 edns-udp-size <integer>; 423 edns-version <integer>; 424 keys <server_key>; 425 max-udp-size <integer>; 426 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 427 dscp <integer> ]; 428 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 429 [ dscp <integer> ]; 430 padding <integer>; 431 provide-ixfr <boolean>; 432 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 433 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 434 port ( <integer> | * ) ) ) [ dscp <integer> ]; 435 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 436 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 437 port ( <integer> | * ) ) ) [ dscp <integer> ]; 438 request-expire <boolean>; 439 request-ixfr <boolean>; 440 request-nsid <boolean>; 441 send-cookie <boolean>; 442 tcp-keepalive <boolean>; 443 tcp-only <boolean>; 444 transfer-format ( many-answers | one-answer ); 445 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 446 dscp <integer> ]; 447 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 448 ] [ dscp <integer> ]; 449 transfers <integer>; 450}; // may occur multiple times 451 452statistics-channels { 453 inet ( <ipv4_address> | <ipv6_address> | 454 * ) [ port ( <integer> | * ) ] [ 455 allow { <address_match_element>; ... 456 } ]; // may occur multiple times 457}; // may occur multiple times 458 459tls <string> { 460 ca-file <quoted_string>; 461 cert-file <quoted_string>; 462 ciphers <string>; 463 dhparam-file <quoted_string>; 464 hostname <quoted_string>; 465 key-file <quoted_string>; 466 prefer-server-ciphers <boolean>; 467 protocols { <string>; ... }; 468 session-tickets <boolean>; 469}; // may occur multiple times 470 471trust-anchors { <string> ( static-key | 472 initial-key | static-ds | initial-ds ) 473 <integer> <integer> <integer> 474 <quoted_string>; ... }; // may occur multiple times 475 476trusted-keys { <string> <integer> 477 <integer> <integer> 478 <quoted_string>; ... }; // may occur multiple times, deprecated 479 480view <string> [ <class> ] { 481 allow-new-zones <boolean>; 482 allow-notify { <address_match_element>; ... }; 483 allow-query { <address_match_element>; ... }; 484 allow-query-cache { <address_match_element>; ... }; 485 allow-query-cache-on { <address_match_element>; ... }; 486 allow-query-on { <address_match_element>; ... }; 487 allow-recursion { <address_match_element>; ... }; 488 allow-recursion-on { <address_match_element>; ... }; 489 allow-transfer { <address_match_element>; ... }; 490 allow-update { <address_match_element>; ... }; 491 allow-update-forwarding { <address_match_element>; ... }; 492 also-notify [ port <integer> ] [ dscp <integer> ] { ( 493 <remote-servers> | <ipv4_address> [ port <integer> ] | 494 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 495 <string> ]; ... }; 496 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 497 ] [ dscp <integer> ]; 498 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 499 * ) ] [ dscp <integer> ]; 500 attach-cache <string>; 501 auth-nxdomain <boolean>; 502 auto-dnssec ( allow | maintain | off ); 503 catalog-zones { zone <string> [ default-masters [ port <integer> ] 504 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 505 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 506 <string> ] [ tls <string> ]; ... } ] [ default-primaries [ port 507 <integer> ] [ dscp <integer> ] { ( <remote-servers> | 508 <ipv4_address> [ port <integer> ] | <ipv6_address> [ port 509 <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ 510 zone-directory <quoted_string> ] [ in-memory <boolean> ] [ 511 min-update-interval <duration> ]; ... }; 512 check-dup-records ( fail | warn | ignore ); 513 check-integrity <boolean>; 514 check-mx ( fail | warn | ignore ); 515 check-mx-cname ( fail | warn | ignore ); 516 check-names ( primary | master | 517 secondary | slave | response ) ( 518 fail | warn | ignore ); // may occur multiple times 519 check-sibling <boolean>; 520 check-spf ( warn | ignore ); 521 check-srv-cname ( fail | warn | ignore ); 522 check-wildcard <boolean>; 523 clients-per-query <integer>; 524 deny-answer-addresses { <address_match_element>; ... } [ 525 except-from { <string>; ... } ]; 526 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 527 } ]; 528 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 529 disable-algorithms <string> { <string>; 530 ... }; // may occur multiple times 531 disable-ds-digests <string> { <string>; 532 ... }; // may occur multiple times 533 disable-empty-zone <string>; // may occur multiple times 534 dlz <string> { 535 database <string>; 536 search <boolean>; 537 }; // may occur multiple times 538 dns64 <netprefix> { 539 break-dnssec <boolean>; 540 clients { <address_match_element>; ... }; 541 exclude { <address_match_element>; ... }; 542 mapped { <address_match_element>; ... }; 543 recursive-only <boolean>; 544 suffix <ipv6_address>; 545 }; // may occur multiple times 546 dns64-contact <string>; 547 dns64-server <string>; 548 dnskey-sig-validity <integer>; 549 dnsrps-enable <boolean>; 550 dnsrps-options { <unspecified-text> }; 551 dnssec-accept-expired <boolean>; 552 dnssec-dnskey-kskonly <boolean>; 553 dnssec-loadkeys-interval <integer>; 554 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 555 dnssec-policy <string>; 556 dnssec-secure-to-insecure <boolean>; 557 dnssec-update-mode ( maintain | no-resign ); 558 dnssec-validation ( yes | no | auto ); 559 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 560 ( query | response ) ]; ... }; 561 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 562 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 563 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 564 <integer> ] [ dscp <integer> ] ); ... }; 565 dyndb <string> <quoted_string> { 566 <unspecified-text> }; // may occur multiple times 567 edns-udp-size <integer>; 568 empty-contact <string>; 569 empty-server <string>; 570 empty-zones-enable <boolean>; 571 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 572 fetches-per-server <integer> [ ( drop | fail ) ]; 573 fetches-per-zone <integer> [ ( drop | fail ) ]; 574 forward ( first | only ); 575 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 576 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 577 glue-cache <boolean>; // deprecated 578 ipv4only-contact <string>; 579 ipv4only-enable <boolean>; 580 ipv4only-server <string>; 581 ixfr-from-differences ( primary | master | secondary | slave | 582 <boolean> ); 583 key <string> { 584 algorithm <string>; 585 secret <string>; 586 }; // may occur multiple times 587 key-directory <quoted_string>; 588 lame-ttl <duration>; 589 lmdb-mapsize <sizeval>; 590 managed-keys { <string> ( 591 static-key | initial-key 592 | static-ds | initial-ds 593 ) <integer> <integer> 594 <integer> 595 <quoted_string>; ... }; // may occur multiple times, deprecated 596 masterfile-format ( raw | text ); 597 masterfile-style ( full | relative ); 598 match-clients { <address_match_element>; ... }; 599 match-destinations { <address_match_element>; ... }; 600 match-recursive-only <boolean>; 601 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 602 max-cache-ttl <duration>; 603 max-clients-per-query <integer>; 604 max-ixfr-ratio ( unlimited | <percentage> ); 605 max-journal-size ( default | unlimited | <sizeval> ); 606 max-ncache-ttl <duration>; 607 max-records <integer>; 608 max-recursion-depth <integer>; 609 max-recursion-queries <integer>; 610 max-refresh-time <integer>; 611 max-retry-time <integer>; 612 max-stale-ttl <duration>; 613 max-transfer-idle-in <integer>; 614 max-transfer-idle-out <integer>; 615 max-transfer-time-in <integer>; 616 max-transfer-time-out <integer>; 617 max-udp-size <integer>; 618 max-zone-ttl ( unlimited | <duration> ); 619 message-compression <boolean>; 620 min-cache-ttl <duration>; 621 min-ncache-ttl <duration>; 622 min-refresh-time <integer>; 623 min-retry-time <integer>; 624 minimal-any <boolean>; 625 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 626 multi-master <boolean>; 627 new-zones-directory <quoted_string>; 628 no-case-compress { <address_match_element>; ... }; 629 nocookie-udp-size <integer>; 630 notify ( explicit | master-only | primary-only | <boolean> ); 631 notify-delay <integer>; 632 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 633 dscp <integer> ]; 634 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 635 [ dscp <integer> ]; 636 notify-to-soa <boolean>; 637 nsec3-test-zone <boolean>; // test only 638 nta-lifetime <duration>; 639 nta-recheck <duration>; 640 nxdomain-redirect <string>; 641 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 642 dscp <integer> ]; 643 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 644 ] [ dscp <integer> ]; 645 plugin ( query ) <string> [ { 646 <unspecified-text> } ]; // may occur multiple times 647 preferred-glue <string>; 648 prefetch <integer> [ <integer> ]; 649 provide-ixfr <boolean>; 650 qname-minimization ( strict | relaxed | disabled | off ); 651 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 652 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 653 port ( <integer> | * ) ) ) [ dscp <integer> ]; 654 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 655 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 656 port ( <integer> | * ) ) ) [ dscp <integer> ]; 657 rate-limit { 658 all-per-second <integer>; 659 errors-per-second <integer>; 660 exempt-clients { <address_match_element>; ... }; 661 ipv4-prefix-length <integer>; 662 ipv6-prefix-length <integer>; 663 log-only <boolean>; 664 max-table-size <integer>; 665 min-table-size <integer>; 666 nodata-per-second <integer>; 667 nxdomains-per-second <integer>; 668 qps-scale <integer>; 669 referrals-per-second <integer>; 670 responses-per-second <integer>; 671 slip <integer>; 672 window <integer>; 673 }; 674 recursion <boolean>; 675 request-expire <boolean>; 676 request-ixfr <boolean>; 677 request-nsid <boolean>; 678 require-server-cookie <boolean>; 679 resolver-nonbackoff-tries <integer>; 680 resolver-query-timeout <integer>; 681 resolver-retry-interval <integer>; 682 response-padding { <address_match_element>; ... } block-size 683 <integer>; 684 response-policy { zone <string> [ add-soa <boolean> ] [ log 685 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 686 <duration> ] [ policy ( cname | disabled | drop | given | no-op 687 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 688 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 689 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 690 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 691 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 692 nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> 693 ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] 694 [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ 695 dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> 696 } ]; 697 root-delegation-only [ exclude { <string>; ... } ]; 698 root-key-sentinel <boolean>; 699 rrset-order { [ class <string> ] [ type <string> ] [ name 700 <quoted_string> ] <string> <string>; ... }; 701 send-cookie <boolean>; 702 serial-update-method ( date | increment | unixtime ); 703 server <netprefix> { 704 bogus <boolean>; 705 edns <boolean>; 706 edns-udp-size <integer>; 707 edns-version <integer>; 708 keys <server_key>; 709 max-udp-size <integer>; 710 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 711 ) ] [ dscp <integer> ]; 712 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 713 | * ) ] [ dscp <integer> ]; 714 padding <integer>; 715 provide-ixfr <boolean>; 716 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port 717 ( <integer> | * ) ] ) | ( [ [ address ] ( 718 <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ 719 dscp <integer> ]; 720 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ 721 port ( <integer> | * ) ] ) | ( [ [ address ] ( 722 <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ 723 dscp <integer> ]; 724 request-expire <boolean>; 725 request-ixfr <boolean>; 726 request-nsid <boolean>; 727 send-cookie <boolean>; 728 tcp-keepalive <boolean>; 729 tcp-only <boolean>; 730 transfer-format ( many-answers | one-answer ); 731 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 732 * ) ] [ dscp <integer> ]; 733 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 734 <integer> | * ) ] [ dscp <integer> ]; 735 transfers <integer>; 736 }; // may occur multiple times 737 servfail-ttl <duration>; 738 sig-signing-nodes <integer>; 739 sig-signing-signatures <integer>; 740 sig-signing-type <integer>; 741 sig-validity-interval <integer> [ <integer> ]; 742 sortlist { <address_match_element>; ... }; 743 stale-answer-client-timeout ( disabled | off | <integer> ); 744 stale-answer-enable <boolean>; 745 stale-answer-ttl <duration>; 746 stale-cache-enable <boolean>; 747 stale-refresh-time <duration>; 748 suppress-initial-notify <boolean>; // obsolete 749 synth-from-dnssec <boolean>; 750 transfer-format ( many-answers | one-answer ); 751 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 752 dscp <integer> ]; 753 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 754 ] [ dscp <integer> ]; 755 trust-anchor-telemetry <boolean>; // experimental 756 trust-anchors { <string> ( static-key | 757 initial-key | static-ds | initial-ds 758 ) <integer> <integer> <integer> 759 <quoted_string>; ... }; // may occur multiple times 760 trusted-keys { <string> 761 <integer> <integer> 762 <integer> 763 <quoted_string>; ... }; // may occur multiple times, deprecated 764 try-tcp-refresh <boolean>; 765 update-check-ksk <boolean>; 766 use-alt-transfer-source <boolean>; 767 v6-bias <integer>; 768 validate-except { <string>; ... }; 769 zero-no-soa-ttl <boolean>; 770 zero-no-soa-ttl-cache <boolean>; 771 zone <string> [ <class> ] { 772 allow-notify { <address_match_element>; ... }; 773 allow-query { <address_match_element>; ... }; 774 allow-query-on { <address_match_element>; ... }; 775 allow-transfer { <address_match_element>; ... }; 776 allow-update { <address_match_element>; ... }; 777 allow-update-forwarding { <address_match_element>; ... }; 778 also-notify [ port <integer> ] [ dscp <integer> ] { ( 779 <remote-servers> | <ipv4_address> [ port <integer> ] | 780 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ 781 tls <string> ]; ... }; 782 alt-transfer-source ( <ipv4_address> | * ) [ port ( 783 <integer> | * ) ] [ dscp <integer> ]; 784 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( 785 <integer> | * ) ] [ dscp <integer> ]; 786 auto-dnssec ( allow | maintain | off ); 787 check-dup-records ( fail | warn | ignore ); 788 check-integrity <boolean>; 789 check-mx ( fail | warn | ignore ); 790 check-mx-cname ( fail | warn | ignore ); 791 check-names ( fail | warn | ignore ); 792 check-sibling <boolean>; 793 check-spf ( warn | ignore ); 794 check-srv-cname ( fail | warn | ignore ); 795 check-wildcard <boolean>; 796 database <string>; 797 delegation-only <boolean>; 798 dialup ( notify | notify-passive | passive | refresh | 799 <boolean> ); 800 dlz <string>; 801 dnskey-sig-validity <integer>; 802 dnssec-dnskey-kskonly <boolean>; 803 dnssec-loadkeys-interval <integer>; 804 dnssec-policy <string>; 805 dnssec-secure-to-insecure <boolean>; 806 dnssec-update-mode ( maintain | no-resign ); 807 file <quoted_string>; 808 forward ( first | only ); 809 forwarders [ port <integer> ] [ dscp <integer> ] { ( 810 <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ 811 dscp <integer> ]; ... }; 812 in-view <string>; 813 inline-signing <boolean>; 814 ixfr-from-differences <boolean>; 815 journal <quoted_string>; 816 key-directory <quoted_string>; 817 masterfile-format ( raw | text ); 818 masterfile-style ( full | relative ); 819 masters [ port <integer> ] [ dscp <integer> ] { ( 820 <remote-servers> | <ipv4_address> [ port <integer> ] | 821 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ 822 tls <string> ]; ... }; 823 max-ixfr-ratio ( unlimited | <percentage> ); 824 max-journal-size ( default | unlimited | <sizeval> ); 825 max-records <integer>; 826 max-refresh-time <integer>; 827 max-retry-time <integer>; 828 max-transfer-idle-in <integer>; 829 max-transfer-idle-out <integer>; 830 max-transfer-time-in <integer>; 831 max-transfer-time-out <integer>; 832 max-zone-ttl ( unlimited | <duration> ); 833 min-refresh-time <integer>; 834 min-retry-time <integer>; 835 multi-master <boolean>; 836 notify ( explicit | master-only | primary-only | <boolean> ); 837 notify-delay <integer>; 838 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 839 ) ] [ dscp <integer> ]; 840 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 841 | * ) ] [ dscp <integer> ]; 842 notify-to-soa <boolean>; 843 nsec3-test-zone <boolean>; // test only 844 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 845 <remote-servers> | <ipv4_address> [ port <integer> ] | 846 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ 847 tls <string> ]; ... }; 848 parental-source ( <ipv4_address> | * ) [ port ( <integer> | 849 * ) ] [ dscp <integer> ]; 850 parental-source-v6 ( <ipv6_address> | * ) [ port ( 851 <integer> | * ) ] [ dscp <integer> ]; 852 primaries [ port <integer> ] [ dscp <integer> ] { ( 853 <remote-servers> | <ipv4_address> [ port <integer> ] | 854 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ 855 tls <string> ]; ... }; 856 request-expire <boolean>; 857 request-ixfr <boolean>; 858 serial-update-method ( date | increment | unixtime ); 859 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 860 server-names { <string>; ... }; 861 sig-signing-nodes <integer>; 862 sig-signing-signatures <integer>; 863 sig-signing-type <integer>; 864 sig-validity-interval <integer> [ <integer> ]; 865 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 866 * ) ] [ dscp <integer> ]; 867 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 868 <integer> | * ) ] [ dscp <integer> ]; 869 try-tcp-refresh <boolean>; 870 type ( primary | master | secondary | slave | mirror | 871 delegation-only | forward | hint | redirect | 872 static-stub | stub ); 873 update-check-ksk <boolean>; 874 update-policy ( local | { ( deny | grant ) <string> ( 875 6to4-self | external | krb5-self | krb5-selfsub | 876 krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | 877 name | self | selfsub | selfwild | subdomain | tcp-self 878 | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... }; 879 use-alt-transfer-source <boolean>; 880 zero-no-soa-ttl <boolean>; 881 zone-statistics ( full | terse | none | <boolean> ); 882 }; // may occur multiple times 883 zone-statistics ( full | terse | none | <boolean> ); 884}; // may occur multiple times 885 886zone <string> [ <class> ] { 887 allow-notify { <address_match_element>; ... }; 888 allow-query { <address_match_element>; ... }; 889 allow-query-on { <address_match_element>; ... }; 890 allow-transfer { <address_match_element>; ... }; 891 allow-update { <address_match_element>; ... }; 892 allow-update-forwarding { <address_match_element>; ... }; 893 also-notify [ port <integer> ] [ dscp <integer> ] { ( 894 <remote-servers> | <ipv4_address> [ port <integer> ] | 895 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 896 <string> ]; ... }; 897 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 898 ] [ dscp <integer> ]; 899 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 900 * ) ] [ dscp <integer> ]; 901 auto-dnssec ( allow | maintain | off ); 902 check-dup-records ( fail | warn | ignore ); 903 check-integrity <boolean>; 904 check-mx ( fail | warn | ignore ); 905 check-mx-cname ( fail | warn | ignore ); 906 check-names ( fail | warn | ignore ); 907 check-sibling <boolean>; 908 check-spf ( warn | ignore ); 909 check-srv-cname ( fail | warn | ignore ); 910 check-wildcard <boolean>; 911 database <string>; 912 delegation-only <boolean>; 913 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 914 dlz <string>; 915 dnskey-sig-validity <integer>; 916 dnssec-dnskey-kskonly <boolean>; 917 dnssec-loadkeys-interval <integer>; 918 dnssec-policy <string>; 919 dnssec-secure-to-insecure <boolean>; 920 dnssec-update-mode ( maintain | no-resign ); 921 file <quoted_string>; 922 forward ( first | only ); 923 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 924 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 925 in-view <string>; 926 inline-signing <boolean>; 927 ixfr-from-differences <boolean>; 928 journal <quoted_string>; 929 key-directory <quoted_string>; 930 masterfile-format ( raw | text ); 931 masterfile-style ( full | relative ); 932 masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> 933 | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port 934 <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; 935 max-ixfr-ratio ( unlimited | <percentage> ); 936 max-journal-size ( default | unlimited | <sizeval> ); 937 max-records <integer>; 938 max-refresh-time <integer>; 939 max-retry-time <integer>; 940 max-transfer-idle-in <integer>; 941 max-transfer-idle-out <integer>; 942 max-transfer-time-in <integer>; 943 max-transfer-time-out <integer>; 944 max-zone-ttl ( unlimited | <duration> ); 945 min-refresh-time <integer>; 946 min-retry-time <integer>; 947 multi-master <boolean>; 948 notify ( explicit | master-only | primary-only | <boolean> ); 949 notify-delay <integer>; 950 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 951 dscp <integer> ]; 952 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 953 [ dscp <integer> ]; 954 notify-to-soa <boolean>; 955 nsec3-test-zone <boolean>; // test only 956 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 957 <remote-servers> | <ipv4_address> [ port <integer> ] | 958 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 959 <string> ]; ... }; 960 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 961 dscp <integer> ]; 962 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 963 ] [ dscp <integer> ]; 964 primaries [ port <integer> ] [ dscp <integer> ] { ( 965 <remote-servers> | <ipv4_address> [ port <integer> ] | 966 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 967 <string> ]; ... }; 968 request-expire <boolean>; 969 request-ixfr <boolean>; 970 serial-update-method ( date | increment | unixtime ); 971 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 972 server-names { <string>; ... }; 973 sig-signing-nodes <integer>; 974 sig-signing-signatures <integer>; 975 sig-signing-type <integer>; 976 sig-validity-interval <integer> [ <integer> ]; 977 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 978 dscp <integer> ]; 979 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 980 ] [ dscp <integer> ]; 981 try-tcp-refresh <boolean>; 982 type ( primary | master | secondary | slave | mirror | 983 delegation-only | forward | hint | redirect | static-stub | 984 stub ); 985 update-check-ksk <boolean>; 986 update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | 987 external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self 988 | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild 989 | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] 990 <rrtypelist>; ... }; 991 use-alt-transfer-source <boolean>; 992 zero-no-soa-ttl <boolean>; 993 zone-statistics ( full | terse | none | <boolean> ); 994}; // may occur multiple times 995 996