1 2This is a summary of the named.conf options supported by 3this version of BIND 9. 4 5acl <string> { <address_match_element>; ... }; // may occur multiple times 6 7controls { 8 inet ( <ipv4_address> | <ipv6_address> | 9 * ) [ port ( <integer> | * ) ] allow 10 { <address_match_element>; ... } [ 11 keys { <string>; ... } ] [ read-only 12 <boolean> ]; // may occur multiple times 13 unix <quoted_string> perm <integer> 14 owner <integer> group <integer> [ 15 keys { <string>; ... } ] [ read-only 16 <boolean> ]; // may occur multiple times 17}; // may occur multiple times 18 19dlz <string> { 20 database <string>; 21 search <boolean>; 22}; // may occur multiple times 23 24dnssec-policy <string> { 25 dnskey-ttl <duration>; 26 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime 27 <duration_or_unlimited> algorithm <string> [ <integer> ]; ... }; 28 max-zone-ttl <duration>; 29 nsec3param [ iterations <integer> ] [ optout <boolean> ] [ 30 salt-length <integer> ]; 31 parent-ds-ttl <duration>; 32 parent-propagation-delay <duration>; 33 publish-safety <duration>; 34 purge-keys <duration>; 35 retire-safety <duration>; 36 signatures-refresh <duration>; 37 signatures-validity <duration>; 38 signatures-validity-dnskey <duration>; 39 zone-propagation-delay <duration>; 40}; // may occur multiple times 41 42dyndb <string> <quoted_string> { 43 <unspecified-text> }; // may occur multiple times 44 45http <string> { 46 endpoints { <quoted_string>; ... }; 47 listener-clients <integer>; 48 streams-per-connection <integer>; 49}; // may occur multiple times 50 51key <string> { 52 algorithm <string>; 53 secret <string>; 54}; // may occur multiple times 55 56logging { 57 category <string> { <string>; ... }; // may occur multiple times 58 channel <string> { 59 buffered <boolean>; 60 file <quoted_string> [ versions ( unlimited | <integer> ) ] 61 [ size <size> ] [ suffix ( increment | timestamp ) ]; 62 null; 63 print-category <boolean>; 64 print-severity <boolean>; 65 print-time ( iso8601 | iso8601-utc | local | <boolean> ); 66 severity <log_severity>; 67 stderr; 68 syslog [ <syslog_facility> ]; 69 }; // may occur multiple times 70}; 71 72managed-keys { <string> ( static-key 73 | initial-key | static-ds | 74 initial-ds ) <integer> <integer> 75 <integer> <quoted_string>; ... }; // may occur multiple times, deprecated 76 77masters <string> [ port <integer> ] [ dscp 78 <integer> ] { ( <remote-servers> | 79 <ipv4_address> [ port <integer> ] | 80 <ipv6_address> [ port <integer> ] ) [ key 81 <string> ] [ tls <string> ]; ... }; // may occur multiple times 82 83options { 84 allow-new-zones <boolean>; 85 allow-notify { <address_match_element>; ... }; 86 allow-query { <address_match_element>; ... }; 87 allow-query-cache { <address_match_element>; ... }; 88 allow-query-cache-on { <address_match_element>; ... }; 89 allow-query-on { <address_match_element>; ... }; 90 allow-recursion { <address_match_element>; ... }; 91 allow-recursion-on { <address_match_element>; ... }; 92 allow-transfer { <address_match_element>; ... }; 93 allow-update { <address_match_element>; ... }; 94 allow-update-forwarding { <address_match_element>; ... }; 95 also-notify [ port <integer> ] [ dscp <integer> ] { ( 96 <remote-servers> | <ipv4_address> [ port <integer> ] | 97 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 98 <string> ]; ... }; 99 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 100 ] [ dscp <integer> ]; 101 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 102 * ) ] [ dscp <integer> ]; 103 answer-cookie <boolean>; 104 attach-cache <string>; 105 auth-nxdomain <boolean>; 106 auto-dnssec ( allow | maintain | off ); 107 automatic-interface-scan <boolean>; 108 avoid-v4-udp-ports { <portrange>; ... }; 109 avoid-v6-udp-ports { <portrange>; ... }; 110 bindkeys-file <quoted_string>; 111 blackhole { <address_match_element>; ... }; 112 catalog-zones { zone <string> [ default-masters [ port <integer> ] 113 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 114 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 115 <string> ] [ tls <string> ]; ... } ] [ default-primaries [ port 116 <integer> ] [ dscp <integer> ] { ( <remote-servers> | 117 <ipv4_address> [ port <integer> ] | <ipv6_address> [ port 118 <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ 119 zone-directory <quoted_string> ] [ in-memory <boolean> ] [ 120 min-update-interval <duration> ]; ... }; 121 check-dup-records ( fail | warn | ignore ); 122 check-integrity <boolean>; 123 check-mx ( fail | warn | ignore ); 124 check-mx-cname ( fail | warn | ignore ); 125 check-names ( primary | master | 126 secondary | slave | response ) ( 127 fail | warn | ignore ); // may occur multiple times 128 check-sibling <boolean>; 129 check-spf ( warn | ignore ); 130 check-srv-cname ( fail | warn | ignore ); 131 check-wildcard <boolean>; 132 clients-per-query <integer>; 133 cookie-algorithm ( aes | siphash24 ); 134 cookie-secret <string>; // may occur multiple times 135 coresize ( default | unlimited | <sizeval> ); 136 datasize ( default | unlimited | <sizeval> ); 137 deny-answer-addresses { <address_match_element>; ... } [ 138 except-from { <string>; ... } ]; 139 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 140 } ]; 141 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 142 directory <quoted_string>; 143 disable-algorithms <string> { <string>; 144 ... }; // may occur multiple times 145 disable-ds-digests <string> { <string>; 146 ... }; // may occur multiple times 147 disable-empty-zone <string>; // may occur multiple times 148 dns64 <netprefix> { 149 break-dnssec <boolean>; 150 clients { <address_match_element>; ... }; 151 exclude { <address_match_element>; ... }; 152 mapped { <address_match_element>; ... }; 153 recursive-only <boolean>; 154 suffix <ipv6_address>; 155 }; // may occur multiple times 156 dns64-contact <string>; 157 dns64-server <string>; 158 dnskey-sig-validity <integer>; 159 dnsrps-enable <boolean>; 160 dnsrps-options { <unspecified-text> }; 161 dnssec-accept-expired <boolean>; 162 dnssec-dnskey-kskonly <boolean>; 163 dnssec-loadkeys-interval <integer>; 164 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 165 dnssec-policy <string>; 166 dnssec-secure-to-insecure <boolean>; 167 dnssec-update-mode ( maintain | no-resign ); 168 dnssec-validation ( yes | no | auto ); 169 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 170 ( query | response ) ]; ... }; 171 dnstap-identity ( <quoted_string> | none | hostname ); 172 dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | 173 <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( 174 increment | timestamp ) ]; 175 dnstap-version ( <quoted_string> | none ); 176 dscp <integer>; 177 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 178 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 179 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 180 <integer> ] [ dscp <integer> ] ); ... }; 181 dump-file <quoted_string>; 182 edns-udp-size <integer>; 183 empty-contact <string>; 184 empty-server <string>; 185 empty-zones-enable <boolean>; 186 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 187 fetches-per-server <integer> [ ( drop | fail ) ]; 188 fetches-per-zone <integer> [ ( drop | fail ) ]; 189 files ( default | unlimited | <sizeval> ); 190 flush-zones-on-shutdown <boolean>; 191 forward ( first | only ); 192 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 193 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 194 fstrm-set-buffer-hint <integer>; 195 fstrm-set-flush-timeout <integer>; 196 fstrm-set-input-queue-size <integer>; 197 fstrm-set-output-notify-threshold <integer>; 198 fstrm-set-output-queue-model ( mpsc | spsc ); 199 fstrm-set-output-queue-size <integer>; 200 fstrm-set-reopen-interval <duration>; 201 geoip-directory ( <quoted_string> | none ); 202 glue-cache <boolean>; // deprecated 203 heartbeat-interval <integer>; 204 hostname ( <quoted_string> | none ); 205 http-listener-clients <integer>; 206 http-port <integer>; 207 http-streams-per-connection <integer>; 208 https-port <integer>; 209 interface-interval <duration>; 210 ipv4only-contact <string>; 211 ipv4only-enable <boolean>; 212 ipv4only-server <string>; 213 ixfr-from-differences ( primary | master | secondary | slave | 214 <boolean> ); 215 keep-response-order { <address_match_element>; ... }; 216 key-directory <quoted_string>; 217 lame-ttl <duration>; 218 listen-on [ port <integer> ] [ dscp 219 <integer> ] [ tls <string> ] [ http 220 <string> ] { 221 <address_match_element>; ... }; // may occur multiple times 222 listen-on-v6 [ port <integer> ] [ dscp 223 <integer> ] [ tls <string> ] [ http 224 <string> ] { 225 <address_match_element>; ... }; // may occur multiple times 226 lmdb-mapsize <sizeval>; 227 lock-file ( <quoted_string> | none ); 228 managed-keys-directory <quoted_string>; 229 masterfile-format ( raw | text ); 230 masterfile-style ( full | relative ); 231 match-mapped-addresses <boolean>; 232 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 233 max-cache-ttl <duration>; 234 max-clients-per-query <integer>; 235 max-ixfr-ratio ( unlimited | <percentage> ); 236 max-journal-size ( default | unlimited | <sizeval> ); 237 max-ncache-ttl <duration>; 238 max-records <integer>; 239 max-recursion-depth <integer>; 240 max-recursion-queries <integer>; 241 max-refresh-time <integer>; 242 max-retry-time <integer>; 243 max-rsa-exponent-size <integer>; 244 max-stale-ttl <duration>; 245 max-transfer-idle-in <integer>; 246 max-transfer-idle-out <integer>; 247 max-transfer-time-in <integer>; 248 max-transfer-time-out <integer>; 249 max-udp-size <integer>; 250 max-zone-ttl ( unlimited | <duration> ); 251 memstatistics <boolean>; 252 memstatistics-file <quoted_string>; 253 message-compression <boolean>; 254 min-cache-ttl <duration>; 255 min-ncache-ttl <duration>; 256 min-refresh-time <integer>; 257 min-retry-time <integer>; 258 minimal-any <boolean>; 259 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 260 multi-master <boolean>; 261 new-zones-directory <quoted_string>; 262 no-case-compress { <address_match_element>; ... }; 263 nocookie-udp-size <integer>; 264 notify ( explicit | master-only | primary-only | <boolean> ); 265 notify-delay <integer>; 266 notify-rate <integer>; 267 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 268 dscp <integer> ]; 269 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 270 [ dscp <integer> ]; 271 notify-to-soa <boolean>; 272 nta-lifetime <duration>; 273 nta-recheck <duration>; 274 nxdomain-redirect <string>; 275 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 276 dscp <integer> ]; 277 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 278 ] [ dscp <integer> ]; 279 pid-file ( <quoted_string> | none ); 280 port <integer>; 281 preferred-glue <string>; 282 prefetch <integer> [ <integer> ]; 283 provide-ixfr <boolean>; 284 qname-minimization ( strict | relaxed | disabled | off ); 285 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 286 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 287 port ( <integer> | * ) ) ) [ dscp <integer> ]; 288 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 289 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 290 port ( <integer> | * ) ) ) [ dscp <integer> ]; 291 querylog <boolean>; 292 random-device ( <quoted_string> | none ); 293 rate-limit { 294 all-per-second <integer>; 295 errors-per-second <integer>; 296 exempt-clients { <address_match_element>; ... }; 297 ipv4-prefix-length <integer>; 298 ipv6-prefix-length <integer>; 299 log-only <boolean>; 300 max-table-size <integer>; 301 min-table-size <integer>; 302 nodata-per-second <integer>; 303 nxdomains-per-second <integer>; 304 qps-scale <integer>; 305 referrals-per-second <integer>; 306 responses-per-second <integer>; 307 slip <integer>; 308 window <integer>; 309 }; 310 recursing-file <quoted_string>; 311 recursion <boolean>; 312 recursive-clients <integer>; 313 request-expire <boolean>; 314 request-ixfr <boolean>; 315 request-nsid <boolean>; 316 require-server-cookie <boolean>; 317 reserved-sockets <integer>; 318 resolver-nonbackoff-tries <integer>; 319 resolver-query-timeout <integer>; 320 resolver-retry-interval <integer>; 321 response-padding { <address_match_element>; ... } block-size 322 <integer>; 323 response-policy { zone <string> [ add-soa <boolean> ] [ log 324 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 325 <duration> ] [ policy ( cname | disabled | drop | given | no-op 326 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 327 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 328 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 329 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 330 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 331 nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> 332 ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] 333 [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ 334 dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> 335 } ]; 336 root-delegation-only [ exclude { <string>; ... } ]; 337 root-key-sentinel <boolean>; 338 rrset-order { [ class <string> ] [ type <string> ] [ name 339 <quoted_string> ] <string> <string>; ... }; 340 secroots-file <quoted_string>; 341 send-cookie <boolean>; 342 serial-query-rate <integer>; 343 serial-update-method ( date | increment | unixtime ); 344 server-id ( <quoted_string> | none | hostname ); 345 servfail-ttl <duration>; 346 session-keyalg <string>; 347 session-keyfile ( <quoted_string> | none ); 348 session-keyname <string>; 349 sig-signing-nodes <integer>; 350 sig-signing-signatures <integer>; 351 sig-signing-type <integer>; 352 sig-validity-interval <integer> [ <integer> ]; 353 sortlist { <address_match_element>; ... }; 354 stacksize ( default | unlimited | <sizeval> ); 355 stale-answer-client-timeout ( disabled | off | <integer> ); 356 stale-answer-enable <boolean>; 357 stale-answer-ttl <duration>; 358 stale-cache-enable <boolean>; 359 stale-refresh-time <duration>; 360 startup-notify-rate <integer>; 361 statistics-file <quoted_string>; 362 synth-from-dnssec <boolean>; 363 tcp-advertised-timeout <integer>; 364 tcp-clients <integer>; 365 tcp-idle-timeout <integer>; 366 tcp-initial-timeout <integer>; 367 tcp-keepalive-timeout <integer>; 368 tcp-listen-queue <integer>; 369 tcp-receive-buffer <integer>; 370 tcp-send-buffer <integer>; 371 tkey-dhkey <quoted_string> <integer>; 372 tkey-domain <quoted_string>; 373 tkey-gssapi-credential <quoted_string>; 374 tkey-gssapi-keytab <quoted_string>; 375 tls-port <integer>; 376 transfer-format ( many-answers | one-answer ); 377 transfer-message-size <integer>; 378 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 379 dscp <integer> ]; 380 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 381 ] [ dscp <integer> ]; 382 transfers-in <integer>; 383 transfers-out <integer>; 384 transfers-per-ns <integer>; 385 trust-anchor-telemetry <boolean>; // experimental 386 try-tcp-refresh <boolean>; 387 udp-receive-buffer <integer>; 388 udp-send-buffer <integer>; 389 update-check-ksk <boolean>; 390 use-alt-transfer-source <boolean>; 391 use-v4-udp-ports { <portrange>; ... }; 392 use-v6-udp-ports { <portrange>; ... }; 393 v6-bias <integer>; 394 validate-except { <string>; ... }; 395 version ( <quoted_string> | none ); 396 zero-no-soa-ttl <boolean>; 397 zero-no-soa-ttl-cache <boolean>; 398 zone-statistics ( full | terse | none | <boolean> ); 399}; 400 401parental-agents <string> [ port <integer> ] [ 402 dscp <integer> ] { ( <remote-servers> | 403 <ipv4_address> [ port <integer> ] | 404 <ipv6_address> [ port <integer> ] ) [ key 405 <string> ] [ tls <string> ]; ... }; // may occur multiple times 406 407plugin ( query ) <string> [ { <unspecified-text> 408 } ]; // may occur multiple times 409 410primaries <string> [ port <integer> ] [ dscp 411 <integer> ] { ( <remote-servers> | 412 <ipv4_address> [ port <integer> ] | 413 <ipv6_address> [ port <integer> ] ) [ key 414 <string> ] [ tls <string> ]; ... }; // may occur multiple times 415 416server <netprefix> { 417 bogus <boolean>; 418 edns <boolean>; 419 edns-udp-size <integer>; 420 edns-version <integer>; 421 keys <server_key>; 422 max-udp-size <integer>; 423 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 424 dscp <integer> ]; 425 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 426 [ dscp <integer> ]; 427 padding <integer>; 428 provide-ixfr <boolean>; 429 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 430 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 431 port ( <integer> | * ) ) ) [ dscp <integer> ]; 432 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 433 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 434 port ( <integer> | * ) ) ) [ dscp <integer> ]; 435 request-expire <boolean>; 436 request-ixfr <boolean>; 437 request-nsid <boolean>; 438 send-cookie <boolean>; 439 tcp-keepalive <boolean>; 440 tcp-only <boolean>; 441 transfer-format ( many-answers | one-answer ); 442 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 443 dscp <integer> ]; 444 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 445 ] [ dscp <integer> ]; 446 transfers <integer>; 447}; // may occur multiple times 448 449statistics-channels { 450 inet ( <ipv4_address> | <ipv6_address> | 451 * ) [ port ( <integer> | * ) ] [ 452 allow { <address_match_element>; ... 453 } ]; // may occur multiple times 454}; // may occur multiple times 455 456tls <string> { 457 ca-file <quoted_string>; 458 cert-file <quoted_string>; 459 ciphers <string>; 460 dhparam-file <quoted_string>; 461 hostname <quoted_string>; 462 key-file <quoted_string>; 463 prefer-server-ciphers <boolean>; 464 protocols { <string>; ... }; 465 session-tickets <boolean>; 466}; // may occur multiple times 467 468trust-anchors { <string> ( static-key | 469 initial-key | static-ds | initial-ds ) 470 <integer> <integer> <integer> 471 <quoted_string>; ... }; // may occur multiple times 472 473trusted-keys { <string> <integer> 474 <integer> <integer> 475 <quoted_string>; ... }; // may occur multiple times, deprecated 476 477view <string> [ <class> ] { 478 allow-new-zones <boolean>; 479 allow-notify { <address_match_element>; ... }; 480 allow-query { <address_match_element>; ... }; 481 allow-query-cache { <address_match_element>; ... }; 482 allow-query-cache-on { <address_match_element>; ... }; 483 allow-query-on { <address_match_element>; ... }; 484 allow-recursion { <address_match_element>; ... }; 485 allow-recursion-on { <address_match_element>; ... }; 486 allow-transfer { <address_match_element>; ... }; 487 allow-update { <address_match_element>; ... }; 488 allow-update-forwarding { <address_match_element>; ... }; 489 also-notify [ port <integer> ] [ dscp <integer> ] { ( 490 <remote-servers> | <ipv4_address> [ port <integer> ] | 491 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 492 <string> ]; ... }; 493 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 494 ] [ dscp <integer> ]; 495 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 496 * ) ] [ dscp <integer> ]; 497 attach-cache <string>; 498 auth-nxdomain <boolean>; 499 auto-dnssec ( allow | maintain | off ); 500 catalog-zones { zone <string> [ default-masters [ port <integer> ] 501 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 502 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 503 <string> ] [ tls <string> ]; ... } ] [ default-primaries [ port 504 <integer> ] [ dscp <integer> ] { ( <remote-servers> | 505 <ipv4_address> [ port <integer> ] | <ipv6_address> [ port 506 <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [ 507 zone-directory <quoted_string> ] [ in-memory <boolean> ] [ 508 min-update-interval <duration> ]; ... }; 509 check-dup-records ( fail | warn | ignore ); 510 check-integrity <boolean>; 511 check-mx ( fail | warn | ignore ); 512 check-mx-cname ( fail | warn | ignore ); 513 check-names ( primary | master | 514 secondary | slave | response ) ( 515 fail | warn | ignore ); // may occur multiple times 516 check-sibling <boolean>; 517 check-spf ( warn | ignore ); 518 check-srv-cname ( fail | warn | ignore ); 519 check-wildcard <boolean>; 520 clients-per-query <integer>; 521 deny-answer-addresses { <address_match_element>; ... } [ 522 except-from { <string>; ... } ]; 523 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 524 } ]; 525 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 526 disable-algorithms <string> { <string>; 527 ... }; // may occur multiple times 528 disable-ds-digests <string> { <string>; 529 ... }; // may occur multiple times 530 disable-empty-zone <string>; // may occur multiple times 531 dlz <string> { 532 database <string>; 533 search <boolean>; 534 }; // may occur multiple times 535 dns64 <netprefix> { 536 break-dnssec <boolean>; 537 clients { <address_match_element>; ... }; 538 exclude { <address_match_element>; ... }; 539 mapped { <address_match_element>; ... }; 540 recursive-only <boolean>; 541 suffix <ipv6_address>; 542 }; // may occur multiple times 543 dns64-contact <string>; 544 dns64-server <string>; 545 dnskey-sig-validity <integer>; 546 dnsrps-enable <boolean>; 547 dnsrps-options { <unspecified-text> }; 548 dnssec-accept-expired <boolean>; 549 dnssec-dnskey-kskonly <boolean>; 550 dnssec-loadkeys-interval <integer>; 551 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 552 dnssec-policy <string>; 553 dnssec-secure-to-insecure <boolean>; 554 dnssec-update-mode ( maintain | no-resign ); 555 dnssec-validation ( yes | no | auto ); 556 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 557 ( query | response ) ]; ... }; 558 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 559 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 560 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 561 <integer> ] [ dscp <integer> ] ); ... }; 562 dyndb <string> <quoted_string> { 563 <unspecified-text> }; // may occur multiple times 564 edns-udp-size <integer>; 565 empty-contact <string>; 566 empty-server <string>; 567 empty-zones-enable <boolean>; 568 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 569 fetches-per-server <integer> [ ( drop | fail ) ]; 570 fetches-per-zone <integer> [ ( drop | fail ) ]; 571 forward ( first | only ); 572 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 573 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 574 glue-cache <boolean>; // deprecated 575 ipv4only-contact <string>; 576 ipv4only-enable <boolean>; 577 ipv4only-server <string>; 578 ixfr-from-differences ( primary | master | secondary | slave | 579 <boolean> ); 580 key <string> { 581 algorithm <string>; 582 secret <string>; 583 }; // may occur multiple times 584 key-directory <quoted_string>; 585 lame-ttl <duration>; 586 lmdb-mapsize <sizeval>; 587 managed-keys { <string> ( 588 static-key | initial-key 589 | static-ds | initial-ds 590 ) <integer> <integer> 591 <integer> 592 <quoted_string>; ... }; // may occur multiple times, deprecated 593 masterfile-format ( raw | text ); 594 masterfile-style ( full | relative ); 595 match-clients { <address_match_element>; ... }; 596 match-destinations { <address_match_element>; ... }; 597 match-recursive-only <boolean>; 598 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 599 max-cache-ttl <duration>; 600 max-clients-per-query <integer>; 601 max-ixfr-ratio ( unlimited | <percentage> ); 602 max-journal-size ( default | unlimited | <sizeval> ); 603 max-ncache-ttl <duration>; 604 max-records <integer>; 605 max-recursion-depth <integer>; 606 max-recursion-queries <integer>; 607 max-refresh-time <integer>; 608 max-retry-time <integer>; 609 max-stale-ttl <duration>; 610 max-transfer-idle-in <integer>; 611 max-transfer-idle-out <integer>; 612 max-transfer-time-in <integer>; 613 max-transfer-time-out <integer>; 614 max-udp-size <integer>; 615 max-zone-ttl ( unlimited | <duration> ); 616 message-compression <boolean>; 617 min-cache-ttl <duration>; 618 min-ncache-ttl <duration>; 619 min-refresh-time <integer>; 620 min-retry-time <integer>; 621 minimal-any <boolean>; 622 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 623 multi-master <boolean>; 624 new-zones-directory <quoted_string>; 625 no-case-compress { <address_match_element>; ... }; 626 nocookie-udp-size <integer>; 627 notify ( explicit | master-only | primary-only | <boolean> ); 628 notify-delay <integer>; 629 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 630 dscp <integer> ]; 631 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 632 [ dscp <integer> ]; 633 notify-to-soa <boolean>; 634 nta-lifetime <duration>; 635 nta-recheck <duration>; 636 nxdomain-redirect <string>; 637 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 638 dscp <integer> ]; 639 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 640 ] [ dscp <integer> ]; 641 plugin ( query ) <string> [ { 642 <unspecified-text> } ]; // may occur multiple times 643 preferred-glue <string>; 644 prefetch <integer> [ <integer> ]; 645 provide-ixfr <boolean>; 646 qname-minimization ( strict | relaxed | disabled | off ); 647 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 648 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 649 port ( <integer> | * ) ) ) [ dscp <integer> ]; 650 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 651 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 652 port ( <integer> | * ) ) ) [ dscp <integer> ]; 653 rate-limit { 654 all-per-second <integer>; 655 errors-per-second <integer>; 656 exempt-clients { <address_match_element>; ... }; 657 ipv4-prefix-length <integer>; 658 ipv6-prefix-length <integer>; 659 log-only <boolean>; 660 max-table-size <integer>; 661 min-table-size <integer>; 662 nodata-per-second <integer>; 663 nxdomains-per-second <integer>; 664 qps-scale <integer>; 665 referrals-per-second <integer>; 666 responses-per-second <integer>; 667 slip <integer>; 668 window <integer>; 669 }; 670 recursion <boolean>; 671 request-expire <boolean>; 672 request-ixfr <boolean>; 673 request-nsid <boolean>; 674 require-server-cookie <boolean>; 675 resolver-nonbackoff-tries <integer>; 676 resolver-query-timeout <integer>; 677 resolver-retry-interval <integer>; 678 response-padding { <address_match_element>; ... } block-size 679 <integer>; 680 response-policy { zone <string> [ add-soa <boolean> ] [ log 681 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 682 <duration> ] [ policy ( cname | disabled | drop | given | no-op 683 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 684 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 685 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 686 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 687 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 688 nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean> 689 ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ] 690 [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [ 691 dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text> 692 } ]; 693 root-delegation-only [ exclude { <string>; ... } ]; 694 root-key-sentinel <boolean>; 695 rrset-order { [ class <string> ] [ type <string> ] [ name 696 <quoted_string> ] <string> <string>; ... }; 697 send-cookie <boolean>; 698 serial-update-method ( date | increment | unixtime ); 699 server <netprefix> { 700 bogus <boolean>; 701 edns <boolean>; 702 edns-udp-size <integer>; 703 edns-version <integer>; 704 keys <server_key>; 705 max-udp-size <integer>; 706 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 707 ) ] [ dscp <integer> ]; 708 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 709 | * ) ] [ dscp <integer> ]; 710 padding <integer>; 711 provide-ixfr <boolean>; 712 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port 713 ( <integer> | * ) ] ) | ( [ [ address ] ( 714 <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ 715 dscp <integer> ]; 716 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ 717 port ( <integer> | * ) ] ) | ( [ [ address ] ( 718 <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ 719 dscp <integer> ]; 720 request-expire <boolean>; 721 request-ixfr <boolean>; 722 request-nsid <boolean>; 723 send-cookie <boolean>; 724 tcp-keepalive <boolean>; 725 tcp-only <boolean>; 726 transfer-format ( many-answers | one-answer ); 727 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 728 * ) ] [ dscp <integer> ]; 729 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 730 <integer> | * ) ] [ dscp <integer> ]; 731 transfers <integer>; 732 }; // may occur multiple times 733 servfail-ttl <duration>; 734 sig-signing-nodes <integer>; 735 sig-signing-signatures <integer>; 736 sig-signing-type <integer>; 737 sig-validity-interval <integer> [ <integer> ]; 738 sortlist { <address_match_element>; ... }; 739 stale-answer-client-timeout ( disabled | off | <integer> ); 740 stale-answer-enable <boolean>; 741 stale-answer-ttl <duration>; 742 stale-cache-enable <boolean>; 743 stale-refresh-time <duration>; 744 synth-from-dnssec <boolean>; 745 transfer-format ( many-answers | one-answer ); 746 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 747 dscp <integer> ]; 748 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 749 ] [ dscp <integer> ]; 750 trust-anchor-telemetry <boolean>; // experimental 751 trust-anchors { <string> ( static-key | 752 initial-key | static-ds | initial-ds 753 ) <integer> <integer> <integer> 754 <quoted_string>; ... }; // may occur multiple times 755 trusted-keys { <string> 756 <integer> <integer> 757 <integer> 758 <quoted_string>; ... }; // may occur multiple times, deprecated 759 try-tcp-refresh <boolean>; 760 update-check-ksk <boolean>; 761 use-alt-transfer-source <boolean>; 762 v6-bias <integer>; 763 validate-except { <string>; ... }; 764 zero-no-soa-ttl <boolean>; 765 zero-no-soa-ttl-cache <boolean>; 766 zone <string> [ <class> ] { 767 allow-notify { <address_match_element>; ... }; 768 allow-query { <address_match_element>; ... }; 769 allow-query-on { <address_match_element>; ... }; 770 allow-transfer { <address_match_element>; ... }; 771 allow-update { <address_match_element>; ... }; 772 allow-update-forwarding { <address_match_element>; ... }; 773 also-notify [ port <integer> ] [ dscp <integer> ] { ( 774 <remote-servers> | <ipv4_address> [ port <integer> ] | 775 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ 776 tls <string> ]; ... }; 777 alt-transfer-source ( <ipv4_address> | * ) [ port ( 778 <integer> | * ) ] [ dscp <integer> ]; 779 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( 780 <integer> | * ) ] [ dscp <integer> ]; 781 auto-dnssec ( allow | maintain | off ); 782 check-dup-records ( fail | warn | ignore ); 783 check-integrity <boolean>; 784 check-mx ( fail | warn | ignore ); 785 check-mx-cname ( fail | warn | ignore ); 786 check-names ( fail | warn | ignore ); 787 check-sibling <boolean>; 788 check-spf ( warn | ignore ); 789 check-srv-cname ( fail | warn | ignore ); 790 check-wildcard <boolean>; 791 database <string>; 792 delegation-only <boolean>; 793 dialup ( notify | notify-passive | passive | refresh | 794 <boolean> ); 795 dlz <string>; 796 dnskey-sig-validity <integer>; 797 dnssec-dnskey-kskonly <boolean>; 798 dnssec-loadkeys-interval <integer>; 799 dnssec-policy <string>; 800 dnssec-secure-to-insecure <boolean>; 801 dnssec-update-mode ( maintain | no-resign ); 802 file <quoted_string>; 803 forward ( first | only ); 804 forwarders [ port <integer> ] [ dscp <integer> ] { ( 805 <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ 806 dscp <integer> ]; ... }; 807 in-view <string>; 808 inline-signing <boolean>; 809 ixfr-from-differences <boolean>; 810 journal <quoted_string>; 811 key-directory <quoted_string>; 812 masterfile-format ( raw | text ); 813 masterfile-style ( full | relative ); 814 masters [ port <integer> ] [ dscp <integer> ] { ( 815 <remote-servers> | <ipv4_address> [ port <integer> ] | 816 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ 817 tls <string> ]; ... }; 818 max-ixfr-ratio ( unlimited | <percentage> ); 819 max-journal-size ( default | unlimited | <sizeval> ); 820 max-records <integer>; 821 max-refresh-time <integer>; 822 max-retry-time <integer>; 823 max-transfer-idle-in <integer>; 824 max-transfer-idle-out <integer>; 825 max-transfer-time-in <integer>; 826 max-transfer-time-out <integer>; 827 max-zone-ttl ( unlimited | <duration> ); 828 min-refresh-time <integer>; 829 min-retry-time <integer>; 830 multi-master <boolean>; 831 notify ( explicit | master-only | primary-only | <boolean> ); 832 notify-delay <integer>; 833 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 834 ) ] [ dscp <integer> ]; 835 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 836 | * ) ] [ dscp <integer> ]; 837 notify-to-soa <boolean>; 838 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 839 <remote-servers> | <ipv4_address> [ port <integer> ] | 840 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ 841 tls <string> ]; ... }; 842 parental-source ( <ipv4_address> | * ) [ port ( <integer> | 843 * ) ] [ dscp <integer> ]; 844 parental-source-v6 ( <ipv6_address> | * ) [ port ( 845 <integer> | * ) ] [ dscp <integer> ]; 846 primaries [ port <integer> ] [ dscp <integer> ] { ( 847 <remote-servers> | <ipv4_address> [ port <integer> ] | 848 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ 849 tls <string> ]; ... }; 850 request-expire <boolean>; 851 request-ixfr <boolean>; 852 serial-update-method ( date | increment | unixtime ); 853 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 854 server-names { <string>; ... }; 855 sig-signing-nodes <integer>; 856 sig-signing-signatures <integer>; 857 sig-signing-type <integer>; 858 sig-validity-interval <integer> [ <integer> ]; 859 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 860 * ) ] [ dscp <integer> ]; 861 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 862 <integer> | * ) ] [ dscp <integer> ]; 863 try-tcp-refresh <boolean>; 864 type ( primary | master | secondary | slave | mirror | 865 delegation-only | forward | hint | redirect | 866 static-stub | stub ); 867 update-check-ksk <boolean>; 868 update-policy ( local | { ( deny | grant ) <string> ( 869 6to4-self | external | krb5-self | krb5-selfsub | 870 krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | 871 name | self | selfsub | selfwild | subdomain | tcp-self 872 | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... }; 873 use-alt-transfer-source <boolean>; 874 zero-no-soa-ttl <boolean>; 875 zone-statistics ( full | terse | none | <boolean> ); 876 }; // may occur multiple times 877 zone-statistics ( full | terse | none | <boolean> ); 878}; // may occur multiple times 879 880zone <string> [ <class> ] { 881 allow-notify { <address_match_element>; ... }; 882 allow-query { <address_match_element>; ... }; 883 allow-query-on { <address_match_element>; ... }; 884 allow-transfer { <address_match_element>; ... }; 885 allow-update { <address_match_element>; ... }; 886 allow-update-forwarding { <address_match_element>; ... }; 887 also-notify [ port <integer> ] [ dscp <integer> ] { ( 888 <remote-servers> | <ipv4_address> [ port <integer> ] | 889 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 890 <string> ]; ... }; 891 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 892 ] [ dscp <integer> ]; 893 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 894 * ) ] [ dscp <integer> ]; 895 auto-dnssec ( allow | maintain | off ); 896 check-dup-records ( fail | warn | ignore ); 897 check-integrity <boolean>; 898 check-mx ( fail | warn | ignore ); 899 check-mx-cname ( fail | warn | ignore ); 900 check-names ( fail | warn | ignore ); 901 check-sibling <boolean>; 902 check-spf ( warn | ignore ); 903 check-srv-cname ( fail | warn | ignore ); 904 check-wildcard <boolean>; 905 database <string>; 906 delegation-only <boolean>; 907 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 908 dlz <string>; 909 dnskey-sig-validity <integer>; 910 dnssec-dnskey-kskonly <boolean>; 911 dnssec-loadkeys-interval <integer>; 912 dnssec-policy <string>; 913 dnssec-secure-to-insecure <boolean>; 914 dnssec-update-mode ( maintain | no-resign ); 915 file <quoted_string>; 916 forward ( first | only ); 917 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 918 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 919 in-view <string>; 920 inline-signing <boolean>; 921 ixfr-from-differences <boolean>; 922 journal <quoted_string>; 923 key-directory <quoted_string>; 924 masterfile-format ( raw | text ); 925 masterfile-style ( full | relative ); 926 masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> 927 | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port 928 <integer> ] ) [ key <string> ] [ tls <string> ]; ... }; 929 max-ixfr-ratio ( unlimited | <percentage> ); 930 max-journal-size ( default | unlimited | <sizeval> ); 931 max-records <integer>; 932 max-refresh-time <integer>; 933 max-retry-time <integer>; 934 max-transfer-idle-in <integer>; 935 max-transfer-idle-out <integer>; 936 max-transfer-time-in <integer>; 937 max-transfer-time-out <integer>; 938 max-zone-ttl ( unlimited | <duration> ); 939 min-refresh-time <integer>; 940 min-retry-time <integer>; 941 multi-master <boolean>; 942 notify ( explicit | master-only | primary-only | <boolean> ); 943 notify-delay <integer>; 944 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 945 dscp <integer> ]; 946 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 947 [ dscp <integer> ]; 948 notify-to-soa <boolean>; 949 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 950 <remote-servers> | <ipv4_address> [ port <integer> ] | 951 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 952 <string> ]; ... }; 953 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 954 dscp <integer> ]; 955 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 956 ] [ dscp <integer> ]; 957 primaries [ port <integer> ] [ dscp <integer> ] { ( 958 <remote-servers> | <ipv4_address> [ port <integer> ] | 959 <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls 960 <string> ]; ... }; 961 request-expire <boolean>; 962 request-ixfr <boolean>; 963 serial-update-method ( date | increment | unixtime ); 964 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 965 server-names { <string>; ... }; 966 sig-signing-nodes <integer>; 967 sig-signing-signatures <integer>; 968 sig-signing-type <integer>; 969 sig-validity-interval <integer> [ <integer> ]; 970 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 971 dscp <integer> ]; 972 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 973 ] [ dscp <integer> ]; 974 try-tcp-refresh <boolean>; 975 type ( primary | master | secondary | slave | mirror | 976 delegation-only | forward | hint | redirect | static-stub | 977 stub ); 978 update-check-ksk <boolean>; 979 update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | 980 external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self 981 | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild 982 | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] 983 <rrtypelist>; ... }; 984 use-alt-transfer-source <boolean>; 985 zero-no-soa-ttl <boolean>; 986 zone-statistics ( full | terse | none | <boolean> ); 987}; // may occur multiple times 988 989