1::
2
3  options { // grammar synopsis of the global options block: <...> is a placeholder, [ ] optional, ( | ) alternatives
4  	allow-new-zones <boolean>; // enables adding zones at runtime via rndc addzone; leave off unless the control channel is locked down
5  	allow-notify { <address_match_element>; ... };
6  	allow-query { <address_match_element>; ... };
7  	allow-query-cache { <address_match_element>; ... }; // who may read cached answers; limit to the resolver's own clients
8  	allow-query-cache-on { <address_match_element>; ... };
9  	allow-query-on { <address_match_element>; ... };
10  	allow-recursion { <address_match_element>; ... }; // restrict to trusted clients; an open resolver can be used for reflection/amplification
11  	allow-recursion-on { <address_match_element>; ... };
12  	allow-transfer { <address_match_element>; ... }; // zone-transfer ACL; restrict to secondaries, preferably matched by TSIG key
13  	allow-update { <address_match_element>; ... }; // dynamic-update ACL; address-only matches are spoofable, prefer key-based matches
14  	allow-update-forwarding { <address_match_element>; ... };
15  	also-notify [ port <integer> ] [ dscp <integer> ] { (
16  	    <remote-servers> | <ipv4_address> [ port <integer> ] |
17  	    <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls
18  	    <string> ]; ... };
19  	alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
20  	    ] [ dscp <integer> ];
21  	alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
22  	    * ) ] [ dscp <integer> ];
23  	answer-cookie <boolean>;
24  	attach-cache <string>;
25  	auth-nxdomain <boolean>;
26  	auto-dnssec ( allow | maintain | off );
27  	automatic-interface-scan <boolean>;
28  	avoid-v4-udp-ports { <portrange>; ... }; // ports excluded from the random source-port pool
29  	avoid-v6-udp-ports { <portrange>; ... }; // ports excluded from the random source-port pool
30  	bindkeys-file <quoted_string>;
31  	blackhole { <address_match_element>; ... }; // addresses the server neither accepts queries from nor uses for resolution
32  	catalog-zones { zone <string> [ default-masters [ port <integer> ]
33  	    [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port
34  	    <integer> ] | <ipv6_address> [ port <integer> ] ) [ key
35  	    <string> ] [ tls <string> ]; ... } ] [ default-primaries [ port
36  	    <integer> ] [ dscp <integer> ] { ( <remote-servers> |
37  	    <ipv4_address> [ port <integer> ] | <ipv6_address> [ port
38  	    <integer> ] ) [ key <string> ] [ tls <string> ]; ... } ] [
39  	    zone-directory <quoted_string> ] [ in-memory <boolean> ] [
40  	    min-update-interval <duration> ]; ... };
41  	check-dup-records ( fail | warn | ignore );
42  	check-integrity <boolean>;
43  	check-mx ( fail | warn | ignore );
44  	check-mx-cname ( fail | warn | ignore );
45  	check-names ( primary | master |
46  	    secondary | slave | response ) (
47  	    fail | warn | ignore );
48  	check-sibling <boolean>;
49  	check-spf ( warn | ignore );
50  	check-srv-cname ( fail | warn | ignore );
51  	check-wildcard <boolean>;
52  	clients-per-query <integer>;
53  	cookie-algorithm ( aes | siphash24 );
54  	cookie-secret <string>; // shared DNS-cookie secret (e.g. across an anycast cluster); handle as a credential
55  	coresize ( default | unlimited | <sizeval> );
56  	datasize ( default | unlimited | <sizeval> );
57  	deny-answer-addresses { <address_match_element>; ... } [
58  	    except-from { <string>; ... } ]; // rejects answers carrying the listed addresses; a DNS-rebinding mitigation
59  	deny-answer-aliases { <string>; ... } [ except-from { <string>; ...
60  	    } ]; // rejects answers aliasing into the listed names; a DNS-rebinding mitigation
61  	dialup ( notify | notify-passive | passive | refresh | <boolean> );
62  	directory <quoted_string>;
63  	disable-algorithms <string> { <string>;
64  	    ... }; // disables DNSSEC algorithms at and below a name; affected zones may end up treated as insecure
65  	disable-ds-digests <string> { <string>;
66  	    ... };
67  	disable-empty-zone <string>;
68  	dns64 <netprefix> {
69  		break-dnssec <boolean>; // yes = synthesize AAAA even where that would break DNSSEC validation of the answer
70  		clients { <address_match_element>; ... };
71  		exclude { <address_match_element>; ... };
72  		mapped { <address_match_element>; ... };
73  		recursive-only <boolean>;
74  		suffix <ipv6_address>;
75  	};
76  	dns64-contact <string>;
77  	dns64-server <string>;
78  	dnskey-sig-validity <integer>;
79  	dnsrps-enable <boolean>;
80  	dnsrps-options { <unspecified-text> };
81  	dnssec-accept-expired <boolean>; // yes accepts expired signatures and exposes validation to replay; leave off
82  	dnssec-dnskey-kskonly <boolean>;
83  	dnssec-loadkeys-interval <integer>;
84  	dnssec-must-be-secure <string> <boolean>;
85  	dnssec-policy <string>;
86  	dnssec-secure-to-insecure <boolean>; // yes lets a dynamic update take a zone from signed to unsigned by deleting its DNSKEYs
87  	dnssec-update-mode ( maintain | no-resign );
88  	dnssec-validation ( yes | no | auto ); // auto validates with the built-in root trust anchor; yes needs trust anchors configured explicitly
89  	dnstap { ( all | auth | client | forwarder | resolver | update ) [
90  	    ( query | response ) ]; ... };
91  	dnstap-identity ( <quoted_string> | none | hostname );
92  	dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
93  	    <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
94  	    increment | timestamp ) ]; // captured DNS messages include client query data; restrict access to this path
95  	dnstap-version ( <quoted_string> | none );
96  	dscp <integer>;
97  	dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
98  	    <integer> ] [ dscp <integer> ] | <ipv4_address> [ port
99  	    <integer> ] [ dscp <integer> ] | <ipv6_address> [ port
100  	    <integer> ] [ dscp <integer> ] ); ... };
101  	dump-file <quoted_string>;
102  	edns-udp-size <integer>;
103  	empty-contact <string>;
104  	empty-server <string>;
105  	empty-zones-enable <boolean>;
106  	fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>;
107  	fetches-per-server <integer> [ ( drop | fail ) ]; // caps concurrent fetches per upstream server; limits resolver exhaustion under query floods
108  	fetches-per-zone <integer> [ ( drop | fail ) ]; // caps concurrent fetches per zone; limits resolver exhaustion under query floods
109  	files ( default | unlimited | <sizeval> );
110  	flush-zones-on-shutdown <boolean>;
111  	forward ( first | only );
112  	forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
113  	    | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
114  	fstrm-set-buffer-hint <integer>;
115  	fstrm-set-flush-timeout <integer>;
116  	fstrm-set-input-queue-size <integer>;
117  	fstrm-set-output-notify-threshold <integer>;
118  	fstrm-set-output-queue-model ( mpsc | spsc );
119  	fstrm-set-output-queue-size <integer>;
120  	fstrm-set-reopen-interval <duration>;
121  	geoip-directory ( <quoted_string> | none );
122  	glue-cache <boolean>; // deprecated
123  	heartbeat-interval <integer>;
124  	hostname ( <quoted_string> | none ); // value returned for hostname.bind CH TXT; none disables the answer
125  	http-listener-clients <integer>;
126  	http-port <integer>;
127  	http-streams-per-connection <integer>;
128  	https-port <integer>;
129  	interface-interval <duration>;
130  	ipv4only-contact <string>;
131  	ipv4only-enable <boolean>;
132  	ipv4only-server <string>;
133  	ixfr-from-differences ( primary | master | secondary | slave |
134  	    <boolean> );
135  	keep-response-order { <address_match_element>; ... };
136  	key-directory <quoted_string>; // location of DNSSEC key files, private keys included; restrict filesystem permissions
137  	lame-ttl <duration>;
138  	listen-on [ port <integer> ] [ dscp
139  	    <integer> ] [ tls <string> ] [ http
140  	    <string> ] {
141  	    <address_match_element>; ... };
142  	listen-on-v6 [ port <integer> ] [ dscp
143  	    <integer> ] [ tls <string> ] [ http
144  	    <string> ] {
145  	    <address_match_element>; ... };
146  	lmdb-mapsize <sizeval>;
147  	lock-file ( <quoted_string> | none );
148  	managed-keys-directory <quoted_string>;
149  	masterfile-format ( raw | text );
150  	masterfile-style ( full | relative );
151  	match-mapped-addresses <boolean>;
152  	max-cache-size ( default | unlimited | <sizeval> | <percentage> );
153  	max-cache-ttl <duration>;
154  	max-clients-per-query <integer>;
155  	max-ixfr-ratio ( unlimited | <percentage> );
156  	max-journal-size ( default | unlimited | <sizeval> );
157  	max-ncache-ttl <duration>;
158  	max-records <integer>;
159  	max-recursion-depth <integer>; // bounds the recursion levels spent servicing one recursive query
160  	max-recursion-queries <integer>; // bounds the iterative queries sent while servicing one recursive query
161  	max-refresh-time <integer>;
162  	max-retry-time <integer>;
163  	max-rsa-exponent-size <integer>;
164  	max-stale-ttl <duration>;
165  	max-transfer-idle-in <integer>;
166  	max-transfer-idle-out <integer>;
167  	max-transfer-time-in <integer>;
168  	max-transfer-time-out <integer>;
169  	max-udp-size <integer>;
170  	max-zone-ttl ( unlimited | <duration> );
171  	memstatistics <boolean>;
172  	memstatistics-file <quoted_string>;
173  	message-compression <boolean>;
174  	min-cache-ttl <duration>;
175  	min-ncache-ttl <duration>;
176  	min-refresh-time <integer>;
177  	min-retry-time <integer>;
178  	minimal-any <boolean>; // yes answers UDP ANY queries with a single RRset, reducing their amplification value
179  	minimal-responses ( no-auth | no-auth-recursive | <boolean> );
180  	multi-master <boolean>;
181  	new-zones-directory <quoted_string>;
182  	no-case-compress { <address_match_element>; ... };
183  	nocookie-udp-size <integer>;
184  	notify ( explicit | master-only | primary-only | <boolean> );
185  	notify-delay <integer>;
186  	notify-rate <integer>;
187  	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
188  	    dscp <integer> ];
189  	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
190  	    [ dscp <integer> ];
191  	notify-to-soa <boolean>;
192  	nta-lifetime <duration>;
193  	nta-recheck <duration>;
194  	nxdomain-redirect <string>;
195  	parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
196  	    dscp <integer> ];
197  	parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
198  	    ] [ dscp <integer> ];
199  	pid-file ( <quoted_string> | none );
200  	port <integer>;
201  	preferred-glue <string>;
202  	prefetch <integer> [ <integer> ];
203  	provide-ixfr <boolean>;
204  	qname-minimization ( strict | relaxed | disabled | off ); // limits how much of the query name upstream servers see
205  	query-source ( ( [ address ] ( <ipv4_address> | * ) [ port (
206  	    <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ]
207  	    port ( <integer> | * ) ) ) [ dscp <integer> ]; // a fixed port removes source-port randomization and weakens spoofing resistance
208  	query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port (
209  	    <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ]
210  	    port ( <integer> | * ) ) ) [ dscp <integer> ]; // a fixed port removes source-port randomization and weakens spoofing resistance
211  	querylog <boolean>; // query logs record client addresses and queried names; protect and retain accordingly
212  	random-device ( <quoted_string> | none );
213  	rate-limit { // response rate limiting (RRL); reduces the server's usefulness as a reflector
214  		all-per-second <integer>;
215  		errors-per-second <integer>;
216  		exempt-clients { <address_match_element>; ... };
217  		ipv4-prefix-length <integer>;
218  		ipv6-prefix-length <integer>;
219  		log-only <boolean>; // test mode: logs what would be limited without dropping anything
220  		max-table-size <integer>;
221  		min-table-size <integer>;
222  		nodata-per-second <integer>;
223  		nxdomains-per-second <integer>;
224  		qps-scale <integer>;
225  		referrals-per-second <integer>;
226  		responses-per-second <integer>;
227  		slip <integer>; // every Nth limited response is sent truncated so legitimate clients can retry over TCP
228  		window <integer>;
229  	};
230  	recursing-file <quoted_string>;
231  	recursion <boolean>; // set to no on authoritative-only servers
232  	recursive-clients <integer>; // cap on simultaneous recursive lookups performed for clients
233  	request-expire <boolean>;
234  	request-ixfr <boolean>;
235  	request-nsid <boolean>;
236  	require-server-cookie <boolean>; // yes: cookie-aware UDP clients must present a valid server cookie to get a full response
237  	reserved-sockets <integer>;
238  	resolver-nonbackoff-tries <integer>;
239  	resolver-query-timeout <integer>;
240  	resolver-retry-interval <integer>;
241  	response-padding { <address_match_element>; ... } block-size
242  	    <integer>;
243  	response-policy { zone <string> [ add-soa <boolean> ] [ log
244  	    <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval
245  	    <duration> ] [ policy ( cname | disabled | drop | given | no-op
246  	    | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [
247  	    recursive-only <boolean> ] [ nsip-enable <boolean> ] [
248  	    nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [
249  	    break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [
250  	    min-update-interval <duration> ] [ min-ns-dots <integer> ] [
251  	    nsip-wait-recurse <boolean> ] [ nsdname-wait-recurse <boolean>
252  	    ] [ qname-wait-recurse <boolean> ] [ recursive-only <boolean> ]
253  	    [ nsip-enable <boolean> ] [ nsdname-enable <boolean> ] [
254  	    dnsrps-enable <boolean> ] [ dnsrps-options { <unspecified-text>
255  	    } ]; // response policy zones (RPZ): answers are rewritten or blocked according to the listed policy zones
256  	root-delegation-only [ exclude { <string>; ... } ];
257  	root-key-sentinel <boolean>;
258  	rrset-order { [ class <string> ] [ type <string> ] [ name
259  	    <quoted_string> ] <string> <string>; ... };
260  	secroots-file <quoted_string>;
261  	send-cookie <boolean>;
262  	serial-query-rate <integer>;
263  	serial-update-method ( date | increment | unixtime );
264  	server-id ( <quoted_string> | none | hostname ); // value returned for NSID and id.server CH TXT; none disables the answer
265  	servfail-ttl <duration>;
266  	session-keyalg <string>;
267  	session-keyfile ( <quoted_string> | none ); // file receiving the TSIG session key used by nsupdate -l; keep it unreadable to untrusted local users
268  	session-keyname <string>;
269  	sig-signing-nodes <integer>;
270  	sig-signing-signatures <integer>;
271  	sig-signing-type <integer>;
272  	sig-validity-interval <integer> [ <integer> ];
273  	sortlist { <address_match_element>; ... };
274  	stacksize ( default | unlimited | <sizeval> );
275  	stale-answer-client-timeout ( disabled | off | <integer> );
276  	stale-answer-enable <boolean>;
277  	stale-answer-ttl <duration>;
278  	stale-cache-enable <boolean>;
279  	stale-refresh-time <duration>;
280  	startup-notify-rate <integer>;
281  	statistics-file <quoted_string>;
282  	synth-from-dnssec <boolean>;
283  	tcp-advertised-timeout <integer>;
284  	tcp-clients <integer>; // cap on simultaneous client TCP connections
285  	tcp-idle-timeout <integer>;
286  	tcp-initial-timeout <integer>;
287  	tcp-keepalive-timeout <integer>;
288  	tcp-listen-queue <integer>;
289  	tcp-receive-buffer <integer>;
290  	tcp-send-buffer <integer>;
291  	tkey-dhkey <quoted_string> <integer>;
292  	tkey-domain <quoted_string>;
293  	tkey-gssapi-credential <quoted_string>;
294  	tkey-gssapi-keytab <quoted_string>; // Kerberos keytab used for GSS-TSIG updates; restrict filesystem permissions
295  	tls-port <integer>;
296  	transfer-format ( many-answers | one-answer );
297  	transfer-message-size <integer>;
298  	transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [
299  	    dscp <integer> ];
300  	transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * )
301  	    ] [ dscp <integer> ];
302  	transfers-in <integer>;
303  	transfers-out <integer>;
304  	transfers-per-ns <integer>;
305  	trust-anchor-telemetry <boolean>; // experimental
306  	try-tcp-refresh <boolean>;
307  	udp-receive-buffer <integer>;
308  	udp-send-buffer <integer>;
309  	update-check-ksk <boolean>;
310  	use-alt-transfer-source <boolean>;
311  	use-v4-udp-ports { <portrange>; ... }; // source-port pool for outgoing queries; a narrow range weakens port randomization
312  	use-v6-udp-ports { <portrange>; ... }; // source-port pool for outgoing queries; a narrow range weakens port randomization
313  	v6-bias <integer>;
314  	validate-except { <string>; ... }; // names at and below which DNSSEC validation is skipped; keep the list minimal
315  	version ( <quoted_string> | none ); // value returned for version.bind CH TXT; none disables the answer
316  	zero-no-soa-ttl <boolean>;
317  	zero-no-soa-ttl-cache <boolean>;
318  	zone-statistics ( full | terse | none | <boolean> );
319  };
320