1 2This is a summary of the named.conf options supported by 3this version of BIND 9. 4 5acl <string> { <address_match_element>; ... }; // may occur multiple times 6 7controls { 8 inet ( <ipv4_address> | <ipv6_address> | 9 * ) [ port ( <integer> | * ) ] allow 10 { <address_match_element>; ... } [ 11 keys { <string>; ... } ] [ read-only 12 <boolean> ]; // may occur multiple times 13 unix <quoted_string> perm <integer> 14 owner <integer> group <integer> [ 15 keys { <string>; ... } ] [ read-only 16 <boolean> ]; // may occur multiple times 17}; // may occur multiple times 18 19dlz <string> { 20 database <string>; 21 search <boolean>; 22}; // may occur multiple times 23 24dnssec-policy <string> { 25 dnskey-ttl <duration>; 26 keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime 27 <duration_or_unlimited> algorithm <string> [ <integer> ]; ... }; 28 max-zone-ttl <duration>; 29 nsec3param [ iterations <integer> ] [ optout <boolean> ] [ 30 salt-length <integer> ]; 31 parent-ds-ttl <duration>; 32 parent-propagation-delay <duration>; 33 parent-registration-delay <duration>; // obsolete 34 publish-safety <duration>; 35 purge-keys <duration>; 36 retire-safety <duration>; 37 signatures-refresh <duration>; 38 signatures-validity <duration>; 39 signatures-validity-dnskey <duration>; 40 zone-propagation-delay <duration>; 41}; // may occur multiple times 42 43dyndb <string> <quoted_string> { 44 <unspecified-text> }; // may occur multiple times 45 46key <string> { 47 algorithm <string>; 48 secret <string>; 49}; // may occur multiple times 50 51logging { 52 category <string> { <string>; ... }; // may occur multiple times 53 channel <string> { 54 buffered <boolean>; 55 file <quoted_string> [ versions ( unlimited | <integer> ) ] 56 [ size <size> ] [ suffix ( increment | timestamp ) ]; 57 null; 58 print-category <boolean>; 59 print-severity <boolean>; 60 print-time ( iso8601 | iso8601-utc | local | <boolean> ); 61 severity <log_severity>; 62 stderr; 63 syslog [ <syslog_facility> ]; 64 }; // may occur multiple times 65}; 66 67lwres { <unspecified-text> }; // obsolete, may occur multiple times 68 69managed-keys { <string> ( static-key 70 | initial-key | static-ds | 71 initial-ds ) <integer> <integer> 72 <integer> <quoted_string>; ... }; // may occur multiple times, deprecated 73 74masters <string> [ port <integer> ] [ dscp 75 <integer> ] { ( <remote-servers> | 76 <ipv4_address> [ port <integer> ] | 77 <ipv6_address> [ port <integer> ] ) [ key 78 <string> ]; ... }; // may occur multiple times 79 80options { 81 acache-cleaning-interval <integer>; // obsolete 82 acache-enable <boolean>; // obsolete 83 additional-from-auth <boolean>; // obsolete 84 additional-from-cache <boolean>; // obsolete 85 allow-new-zones <boolean>; 86 allow-notify { <address_match_element>; ... }; 87 allow-query { <address_match_element>; ... }; 88 allow-query-cache { <address_match_element>; ... }; 89 allow-query-cache-on { <address_match_element>; ... }; 90 allow-query-on { <address_match_element>; ... }; 91 allow-recursion { <address_match_element>; ... }; 92 allow-recursion-on { <address_match_element>; ... }; 93 allow-transfer { <address_match_element>; ... }; 94 allow-update { <address_match_element>; ... }; 95 allow-update-forwarding { <address_match_element>; ... }; 96 allow-v6-synthesis { <address_match_element>; ... }; // obsolete 97 also-notify [ port <integer> ] [ dscp <integer> ] { ( 98 <remote-servers> | <ipv4_address> [ port <integer> ] | 99 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 100 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 101 ] [ dscp <integer> ]; 102 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 103 * ) ] [ dscp <integer> ]; 104 answer-cookie <boolean>; 105 attach-cache <string>; 106 auth-nxdomain <boolean>; // default changed 107 auto-dnssec ( allow | maintain | off ); 108 automatic-interface-scan <boolean>; 109 avoid-v4-udp-ports { <portrange>; ... }; 110 avoid-v6-udp-ports { <portrange>; ... }; 111 bindkeys-file <quoted_string>; 112 blackhole { <address_match_element>; ... }; 113 cache-file <quoted_string>; // deprecated 114 catalog-zones { zone <string> [ default-masters [ port <integer> ] 115 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 116 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 117 <string> ]; ... } ] [ zone-directory <quoted_string> ] [ 118 in-memory <boolean> ] [ min-update-interval <duration> ]; ... }; 119 check-dup-records ( fail | warn | ignore ); 120 check-integrity <boolean>; 121 check-mx ( fail | warn | ignore ); 122 check-mx-cname ( fail | warn | ignore ); 123 check-names ( primary | master | 124 secondary | slave | response ) ( 125 fail | warn | ignore ); // may occur multiple times 126 check-sibling <boolean>; 127 check-spf ( warn | ignore ); 128 check-srv-cname ( fail | warn | ignore ); 129 check-wildcard <boolean>; 130 cleaning-interval <integer>; // obsolete 131 clients-per-query <integer>; 132 cookie-algorithm ( aes | siphash24 ); 133 cookie-secret <string>; // may occur multiple times 134 coresize ( default | unlimited | <sizeval> ); 135 datasize ( default | unlimited | <sizeval> ); 136 deallocate-on-exit <boolean>; // ancient 137 deny-answer-addresses { <address_match_element>; ... } [ 138 except-from { <string>; ... } ]; 139 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 140 } ]; 141 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 142 directory <quoted_string>; 143 disable-algorithms <string> { <string>; 144 ... }; // may occur multiple times 145 disable-ds-digests <string> { <string>; 146 ... }; // may occur multiple times 147 disable-empty-zone <string>; // may occur multiple times 148 dns64 <netprefix> { 149 break-dnssec <boolean>; 150 clients { <address_match_element>; ... }; 151 exclude { <address_match_element>; ... }; 152 mapped { <address_match_element>; ... }; 153 recursive-only <boolean>; 154 suffix <ipv6_address>; 155 }; // may occur multiple times 156 dns64-contact <string>; 157 dns64-server <string>; 158 dnskey-sig-validity <integer>; 159 dnsrps-enable <boolean>; // not configured 160 dnsrps-options { <unspecified-text> }; // not configured 161 dnssec-accept-expired <boolean>; 162 dnssec-dnskey-kskonly <boolean>; 163 dnssec-enable <boolean>; // obsolete 164 dnssec-loadkeys-interval <integer>; 165 dnssec-lookaside ( <string> 166 trust-anchor <string> | 167 auto | no ); // obsolete, may occur multiple times 168 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 169 dnssec-policy <string>; 170 dnssec-secure-to-insecure <boolean>; 171 dnssec-update-mode ( maintain | no-resign ); 172 dnssec-validation ( yes | no | auto ); 173 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 174 ( query | response ) ]; ... }; 175 dnstap-identity ( <quoted_string> | none | hostname ); 176 dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited | 177 <size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix ( 178 increment | timestamp ) ]; 179 dnstap-version ( <quoted_string> | none ); 180 dscp <integer>; 181 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 182 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 183 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 184 <integer> ] [ dscp <integer> ] ); ... }; 185 dump-file <quoted_string>; 186 edns-udp-size <integer>; 187 empty-contact <string>; 188 empty-server <string>; 189 empty-zones-enable <boolean>; 190 fake-iquery <boolean>; // ancient 191 fetch-glue <boolean>; // ancient 192 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 193 fetches-per-server <integer> [ ( drop | fail ) ]; 194 fetches-per-zone <integer> [ ( drop | fail ) ]; 195 files ( default | unlimited | <sizeval> ); 196 filter-aaaa { <address_match_element>; ... }; // obsolete 197 filter-aaaa-on-v4 <boolean>; // obsolete 198 filter-aaaa-on-v6 <boolean>; // obsolete 199 flush-zones-on-shutdown <boolean>; 200 forward ( first | only ); 201 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 202 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 203 fstrm-set-buffer-hint <integer>; 204 fstrm-set-flush-timeout <integer>; 205 fstrm-set-input-queue-size <integer>; 206 fstrm-set-output-notify-threshold <integer>; 207 fstrm-set-output-queue-model ( mpsc | spsc ); 208 fstrm-set-output-queue-size <integer>; 209 fstrm-set-reopen-interval <duration>; 210 geoip-directory ( <quoted_string> | none ); 211 geoip-use-ecs <boolean>; // obsolete 212 glue-cache <boolean>; 213 has-old-clients <boolean>; // ancient 214 heartbeat-interval <integer>; 215 host-statistics <boolean>; // ancient 216 host-statistics-max <integer>; // ancient 217 hostname ( <quoted_string> | none ); 218 interface-interval <duration>; 219 ixfr-from-differences ( primary | master | secondary | slave | 220 <boolean> ); 221 keep-response-order { <address_match_element>; ... }; 222 key-directory <quoted_string>; 223 lame-ttl <duration>; 224 listen-on [ port <integer> ] [ dscp 225 <integer> ] { 226 <address_match_element>; ... }; // may occur multiple times 227 listen-on-v6 [ port <integer> ] [ dscp 228 <integer> ] { 229 <address_match_element>; ... }; // may occur multiple times 230 lmdb-mapsize <sizeval>; 231 lock-file ( <quoted_string> | none ); 232 maintain-ixfr-base <boolean>; // ancient 233 managed-keys-directory <quoted_string>; 234 masterfile-format ( map | raw | text ); 235 masterfile-style ( full | relative ); 236 match-mapped-addresses <boolean>; 237 max-acache-size ( unlimited | <sizeval> ); // obsolete 238 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 239 max-cache-ttl <duration>; 240 max-clients-per-query <integer>; 241 max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient 242 max-ixfr-ratio ( unlimited | <percentage> ); 243 max-journal-size ( default | unlimited | <sizeval> ); 244 max-ncache-ttl <duration>; 245 max-records <integer>; 246 max-recursion-depth <integer>; 247 max-recursion-queries <integer>; 248 max-refresh-time <integer>; 249 max-retry-time <integer>; 250 max-rsa-exponent-size <integer>; 251 max-stale-ttl <duration>; 252 max-transfer-idle-in <integer>; 253 max-transfer-idle-out <integer>; 254 max-transfer-time-in <integer>; 255 max-transfer-time-out <integer>; 256 max-udp-size <integer>; 257 max-zone-ttl ( unlimited | <duration> ); 258 memstatistics <boolean>; 259 memstatistics-file <quoted_string>; 260 message-compression <boolean>; 261 min-cache-ttl <duration>; 262 min-ncache-ttl <duration>; 263 min-refresh-time <integer>; 264 min-retry-time <integer>; 265 min-roots <integer>; // ancient 266 minimal-any <boolean>; 267 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 268 multi-master <boolean>; 269 multiple-cnames <boolean>; // ancient 270 named-xfer <quoted_string>; // ancient 271 new-zones-directory <quoted_string>; 272 no-case-compress { <address_match_element>; ... }; 273 nocookie-udp-size <integer>; 274 nosit-udp-size <integer>; // obsolete 275 notify ( explicit | master-only | primary-only | <boolean> ); 276 notify-delay <integer>; 277 notify-rate <integer>; 278 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 279 dscp <integer> ]; 280 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 281 [ dscp <integer> ]; 282 notify-to-soa <boolean>; 283 nsec3-test-zone <boolean>; // test only 284 nta-lifetime <duration>; 285 nta-recheck <duration>; 286 nxdomain-redirect <string>; 287 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 288 dscp <integer> ]; 289 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 290 ] [ dscp <integer> ]; 291 pid-file ( <quoted_string> | none ); 292 port <integer>; 293 preferred-glue <string>; 294 prefetch <integer> [ <integer> ]; 295 provide-ixfr <boolean>; 296 qname-minimization ( strict | relaxed | disabled | off ); 297 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 298 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 299 port ( <integer> | * ) ) ) [ dscp <integer> ]; 300 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 301 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 302 port ( <integer> | * ) ) ) [ dscp <integer> ]; 303 querylog <boolean>; 304 queryport-pool-ports <integer>; // obsolete 305 queryport-pool-updateinterval <integer>; // obsolete 306 random-device ( <quoted_string> | none ); 307 rate-limit { 308 all-per-second <integer>; 309 errors-per-second <integer>; 310 exempt-clients { <address_match_element>; ... }; 311 ipv4-prefix-length <integer>; 312 ipv6-prefix-length <integer>; 313 log-only <boolean>; 314 max-table-size <integer>; 315 min-table-size <integer>; 316 nodata-per-second <integer>; 317 nxdomains-per-second <integer>; 318 qps-scale <integer>; 319 referrals-per-second <integer>; 320 responses-per-second <integer>; 321 slip <integer>; 322 window <integer>; 323 }; 324 recursing-file <quoted_string>; 325 recursion <boolean>; 326 recursive-clients <integer>; 327 request-expire <boolean>; 328 request-ixfr <boolean>; 329 request-nsid <boolean>; 330 request-sit <boolean>; // obsolete 331 require-server-cookie <boolean>; 332 reserved-sockets <integer>; 333 resolver-nonbackoff-tries <integer>; 334 resolver-query-timeout <integer>; 335 resolver-retry-interval <integer>; 336 response-padding { <address_match_element>; ... } block-size 337 <integer>; 338 response-policy { zone <string> [ add-soa <boolean> ] [ log 339 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 340 <duration> ] [ policy ( cname | disabled | drop | given | no-op 341 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 342 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 343 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 344 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 345 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 346 nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] 347 [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 348 nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ 349 dnsrps-options { <unspecified-text> } ]; 350 rfc2308-type1 <boolean>; // ancient 351 root-delegation-only [ exclude { <string>; ... } ]; 352 root-key-sentinel <boolean>; 353 rrset-order { [ class <string> ] [ type <string> ] [ name 354 <quoted_string> ] <string> <string>; ... }; 355 secroots-file <quoted_string>; 356 send-cookie <boolean>; 357 serial-queries <integer>; // ancient 358 serial-query-rate <integer>; 359 serial-update-method ( date | increment | unixtime ); 360 server-id ( <quoted_string> | none | hostname ); 361 servfail-ttl <duration>; 362 session-keyalg <string>; 363 session-keyfile ( <quoted_string> | none ); 364 session-keyname <string>; 365 sig-signing-nodes <integer>; 366 sig-signing-signatures <integer>; 367 sig-signing-type <integer>; 368 sig-validity-interval <integer> [ <integer> ]; 369 sit-secret <string>; // obsolete 370 sortlist { <address_match_element>; ... }; 371 stacksize ( default | unlimited | <sizeval> ); 372 stale-answer-client-timeout ( disabled | off | <integer> ); 373 stale-answer-enable <boolean>; 374 stale-answer-ttl <duration>; 375 stale-cache-enable <boolean>; 376 stale-refresh-time <duration>; 377 startup-notify-rate <integer>; 378 statistics-file <quoted_string>; 379 statistics-interval <integer>; // ancient 380 suppress-initial-notify <boolean>; // not yet implemented 381 synth-from-dnssec <boolean>; 382 tcp-advertised-timeout <integer>; 383 tcp-clients <integer>; 384 tcp-idle-timeout <integer>; 385 tcp-initial-timeout <integer>; 386 tcp-keepalive-timeout <integer>; 387 tcp-listen-queue <integer>; 388 tkey-dhkey <quoted_string> <integer>; 389 tkey-domain <quoted_string>; 390 tkey-gssapi-credential <quoted_string>; 391 tkey-gssapi-keytab <quoted_string>; 392 topology { <address_match_element>; ... }; // ancient 393 transfer-format ( many-answers | one-answer ); 394 transfer-message-size <integer>; 395 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 396 dscp <integer> ]; 397 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 398 ] [ dscp <integer> ]; 399 transfers-in <integer>; 400 transfers-out <integer>; 401 transfers-per-ns <integer>; 402 treat-cr-as-space <boolean>; // ancient 403 trust-anchor-telemetry <boolean>; // experimental 404 try-tcp-refresh <boolean>; 405 update-check-ksk <boolean>; 406 use-alt-transfer-source <boolean>; 407 use-id-pool <boolean>; // ancient 408 use-ixfr <boolean>; // obsolete 409 use-queryport-pool <boolean>; // obsolete 410 use-v4-udp-ports { <portrange>; ... }; 411 use-v6-udp-ports { <portrange>; ... }; 412 v6-bias <integer>; 413 validate-except { <string>; ... }; 414 version ( <quoted_string> | none ); 415 zero-no-soa-ttl <boolean>; 416 zero-no-soa-ttl-cache <boolean>; 417 zone-statistics ( full | terse | none | <boolean> ); 418}; 419 420parental-agents <string> [ port <integer> ] [ 421 dscp <integer> ] { ( <remote-servers> | 422 <ipv4_address> [ port <integer> ] | 423 <ipv6_address> [ port <integer> ] ) [ key 424 <string> ]; ... }; // may occur multiple times 425 426plugin ( query ) <string> [ { <unspecified-text> 427 } ]; // may occur multiple times 428 429primaries <string> [ port <integer> ] [ dscp 430 <integer> ] { ( <remote-servers> | 431 <ipv4_address> [ port <integer> ] | 432 <ipv6_address> [ port <integer> ] ) [ key 433 <string> ]; ... }; // may occur multiple times 434 435server <netprefix> { 436 bogus <boolean>; 437 edns <boolean>; 438 edns-udp-size <integer>; 439 edns-version <integer>; 440 keys <server_key>; 441 max-udp-size <integer>; 442 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 443 dscp <integer> ]; 444 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 445 [ dscp <integer> ]; 446 padding <integer>; 447 provide-ixfr <boolean>; 448 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 449 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 450 port ( <integer> | * ) ) ) [ dscp <integer> ]; 451 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 452 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 453 port ( <integer> | * ) ) ) [ dscp <integer> ]; 454 request-expire <boolean>; 455 request-ixfr <boolean>; 456 request-nsid <boolean>; 457 request-sit <boolean>; // obsolete 458 send-cookie <boolean>; 459 support-ixfr <boolean>; // obsolete 460 tcp-keepalive <boolean>; 461 tcp-only <boolean>; 462 transfer-format ( many-answers | one-answer ); 463 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 464 dscp <integer> ]; 465 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 466 ] [ dscp <integer> ]; 467 transfers <integer>; 468}; // may occur multiple times 469 470statistics-channels { 471 inet ( <ipv4_address> | <ipv6_address> | 472 * ) [ port ( <integer> | * ) ] [ 473 allow { <address_match_element>; ... 474 } ]; // may occur multiple times 475}; // may occur multiple times 476 477trust-anchors { <string> ( static-key | 478 initial-key | static-ds | initial-ds ) 479 <integer> <integer> <integer> 480 <quoted_string>; ... }; // may occur multiple times 481 482trusted-keys { <string> <integer> 483 <integer> <integer> 484 <quoted_string>; ... }; // may occur multiple times, deprecated 485 486view <string> [ <class> ] { 487 acache-cleaning-interval <integer>; // obsolete 488 acache-enable <boolean>; // obsolete 489 additional-from-auth <boolean>; // obsolete 490 additional-from-cache <boolean>; // obsolete 491 allow-new-zones <boolean>; 492 allow-notify { <address_match_element>; ... }; 493 allow-query { <address_match_element>; ... }; 494 allow-query-cache { <address_match_element>; ... }; 495 allow-query-cache-on { <address_match_element>; ... }; 496 allow-query-on { <address_match_element>; ... }; 497 allow-recursion { <address_match_element>; ... }; 498 allow-recursion-on { <address_match_element>; ... }; 499 allow-transfer { <address_match_element>; ... }; 500 allow-update { <address_match_element>; ... }; 501 allow-update-forwarding { <address_match_element>; ... }; 502 allow-v6-synthesis { <address_match_element>; ... }; // obsolete 503 also-notify [ port <integer> ] [ dscp <integer> ] { ( 504 <remote-servers> | <ipv4_address> [ port <integer> ] | 505 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 506 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 507 ] [ dscp <integer> ]; 508 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 509 * ) ] [ dscp <integer> ]; 510 attach-cache <string>; 511 auth-nxdomain <boolean>; // default changed 512 auto-dnssec ( allow | maintain | off ); 513 cache-file <quoted_string>; // deprecated 514 catalog-zones { zone <string> [ default-masters [ port <integer> ] 515 [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port 516 <integer> ] | <ipv6_address> [ port <integer> ] ) [ key 517 <string> ]; ... } ] [ zone-directory <quoted_string> ] [ 518 in-memory <boolean> ] [ min-update-interval <duration> ]; ... }; 519 check-dup-records ( fail | warn | ignore ); 520 check-integrity <boolean>; 521 check-mx ( fail | warn | ignore ); 522 check-mx-cname ( fail | warn | ignore ); 523 check-names ( primary | master | 524 secondary | slave | response ) ( 525 fail | warn | ignore ); // may occur multiple times 526 check-sibling <boolean>; 527 check-spf ( warn | ignore ); 528 check-srv-cname ( fail | warn | ignore ); 529 check-wildcard <boolean>; 530 cleaning-interval <integer>; // obsolete 531 clients-per-query <integer>; 532 deny-answer-addresses { <address_match_element>; ... } [ 533 except-from { <string>; ... } ]; 534 deny-answer-aliases { <string>; ... } [ except-from { <string>; ... 535 } ]; 536 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 537 disable-algorithms <string> { <string>; 538 ... }; // may occur multiple times 539 disable-ds-digests <string> { <string>; 540 ... }; // may occur multiple times 541 disable-empty-zone <string>; // may occur multiple times 542 dlz <string> { 543 database <string>; 544 search <boolean>; 545 }; // may occur multiple times 546 dns64 <netprefix> { 547 break-dnssec <boolean>; 548 clients { <address_match_element>; ... }; 549 exclude { <address_match_element>; ... }; 550 mapped { <address_match_element>; ... }; 551 recursive-only <boolean>; 552 suffix <ipv6_address>; 553 }; // may occur multiple times 554 dns64-contact <string>; 555 dns64-server <string>; 556 dnskey-sig-validity <integer>; 557 dnsrps-enable <boolean>; // not configured 558 dnsrps-options { <unspecified-text> }; // not configured 559 dnssec-accept-expired <boolean>; 560 dnssec-dnskey-kskonly <boolean>; 561 dnssec-enable <boolean>; // obsolete 562 dnssec-loadkeys-interval <integer>; 563 dnssec-lookaside ( <string> 564 trust-anchor <string> | 565 auto | no ); // obsolete, may occur multiple times 566 dnssec-must-be-secure <string> <boolean>; // may occur multiple times 567 dnssec-policy <string>; 568 dnssec-secure-to-insecure <boolean>; 569 dnssec-update-mode ( maintain | no-resign ); 570 dnssec-validation ( yes | no | auto ); 571 dnstap { ( all | auth | client | forwarder | resolver | update ) [ 572 ( query | response ) ]; ... }; 573 dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port 574 <integer> ] [ dscp <integer> ] | <ipv4_address> [ port 575 <integer> ] [ dscp <integer> ] | <ipv6_address> [ port 576 <integer> ] [ dscp <integer> ] ); ... }; 577 dyndb <string> <quoted_string> { 578 <unspecified-text> }; // may occur multiple times 579 edns-udp-size <integer>; 580 empty-contact <string>; 581 empty-server <string>; 582 empty-zones-enable <boolean>; 583 fetch-glue <boolean>; // ancient 584 fetch-quota-params <integer> <fixedpoint> <fixedpoint> <fixedpoint>; 585 fetches-per-server <integer> [ ( drop | fail ) ]; 586 fetches-per-zone <integer> [ ( drop | fail ) ]; 587 filter-aaaa { <address_match_element>; ... }; // obsolete 588 filter-aaaa-on-v4 <boolean>; // obsolete 589 filter-aaaa-on-v6 <boolean>; // obsolete 590 forward ( first | only ); 591 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 592 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 593 glue-cache <boolean>; 594 ixfr-from-differences ( primary | master | secondary | slave | 595 <boolean> ); 596 key <string> { 597 algorithm <string>; 598 secret <string>; 599 }; // may occur multiple times 600 key-directory <quoted_string>; 601 lame-ttl <duration>; 602 lmdb-mapsize <sizeval>; 603 maintain-ixfr-base <boolean>; // ancient 604 managed-keys { <string> ( 605 static-key | initial-key 606 | static-ds | initial-ds 607 ) <integer> <integer> 608 <integer> 609 <quoted_string>; ... }; // may occur multiple times, deprecated 610 masterfile-format ( map | raw | text ); 611 masterfile-style ( full | relative ); 612 match-clients { <address_match_element>; ... }; 613 match-destinations { <address_match_element>; ... }; 614 match-recursive-only <boolean>; 615 max-acache-size ( unlimited | <sizeval> ); // obsolete 616 max-cache-size ( default | unlimited | <sizeval> | <percentage> ); 617 max-cache-ttl <duration>; 618 max-clients-per-query <integer>; 619 max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient 620 max-ixfr-ratio ( unlimited | <percentage> ); 621 max-journal-size ( default | unlimited | <sizeval> ); 622 max-ncache-ttl <duration>; 623 max-records <integer>; 624 max-recursion-depth <integer>; 625 max-recursion-queries <integer>; 626 max-refresh-time <integer>; 627 max-retry-time <integer>; 628 max-stale-ttl <duration>; 629 max-transfer-idle-in <integer>; 630 max-transfer-idle-out <integer>; 631 max-transfer-time-in <integer>; 632 max-transfer-time-out <integer>; 633 max-udp-size <integer>; 634 max-zone-ttl ( unlimited | <duration> ); 635 message-compression <boolean>; 636 min-cache-ttl <duration>; 637 min-ncache-ttl <duration>; 638 min-refresh-time <integer>; 639 min-retry-time <integer>; 640 min-roots <integer>; // ancient 641 minimal-any <boolean>; 642 minimal-responses ( no-auth | no-auth-recursive | <boolean> ); 643 multi-master <boolean>; 644 new-zones-directory <quoted_string>; 645 no-case-compress { <address_match_element>; ... }; 646 nocookie-udp-size <integer>; 647 nosit-udp-size <integer>; // obsolete 648 notify ( explicit | master-only | primary-only | <boolean> ); 649 notify-delay <integer>; 650 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 651 dscp <integer> ]; 652 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 653 [ dscp <integer> ]; 654 notify-to-soa <boolean>; 655 nsec3-test-zone <boolean>; // test only 656 nta-lifetime <duration>; 657 nta-recheck <duration>; 658 nxdomain-redirect <string>; 659 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 660 dscp <integer> ]; 661 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 662 ] [ dscp <integer> ]; 663 plugin ( query ) <string> [ { 664 <unspecified-text> } ]; // may occur multiple times 665 preferred-glue <string>; 666 prefetch <integer> [ <integer> ]; 667 provide-ixfr <boolean>; 668 qname-minimization ( strict | relaxed | disabled | off ); 669 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port ( 670 <integer> | * ) ] ) | ( [ [ address ] ( <ipv4_address> | * ) ] 671 port ( <integer> | * ) ) ) [ dscp <integer> ]; 672 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ port ( 673 <integer> | * ) ] ) | ( [ [ address ] ( <ipv6_address> | * ) ] 674 port ( <integer> | * ) ) ) [ dscp <integer> ]; 675 queryport-pool-ports <integer>; // obsolete 676 queryport-pool-updateinterval <integer>; // obsolete 677 rate-limit { 678 all-per-second <integer>; 679 errors-per-second <integer>; 680 exempt-clients { <address_match_element>; ... }; 681 ipv4-prefix-length <integer>; 682 ipv6-prefix-length <integer>; 683 log-only <boolean>; 684 max-table-size <integer>; 685 min-table-size <integer>; 686 nodata-per-second <integer>; 687 nxdomains-per-second <integer>; 688 qps-scale <integer>; 689 referrals-per-second <integer>; 690 responses-per-second <integer>; 691 slip <integer>; 692 window <integer>; 693 }; 694 recursion <boolean>; 695 request-expire <boolean>; 696 request-ixfr <boolean>; 697 request-nsid <boolean>; 698 request-sit <boolean>; // obsolete 699 require-server-cookie <boolean>; 700 resolver-nonbackoff-tries <integer>; 701 resolver-query-timeout <integer>; 702 resolver-retry-interval <integer>; 703 response-padding { <address_match_element>; ... } block-size 704 <integer>; 705 response-policy { zone <string> [ add-soa <boolean> ] [ log 706 <boolean> ] [ max-policy-ttl <duration> ] [ min-update-interval 707 <duration> ] [ policy ( cname | disabled | drop | given | no-op 708 | nodata | nxdomain | passthru | tcp-only <quoted_string> ) ] [ 709 recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 710 nsdname-enable <boolean> ]; ... } [ add-soa <boolean> ] [ 711 break-dnssec <boolean> ] [ max-policy-ttl <duration> ] [ 712 min-update-interval <duration> ] [ min-ns-dots <integer> ] [ 713 nsip-wait-recurse <boolean> ] [ qname-wait-recurse <boolean> ] 714 [ recursive-only <boolean> ] [ nsip-enable <boolean> ] [ 715 nsdname-enable <boolean> ] [ dnsrps-enable <boolean> ] [ 716 dnsrps-options { <unspecified-text> } ]; 717 rfc2308-type1 <boolean>; // ancient 718 root-delegation-only [ exclude { <string>; ... } ]; 719 root-key-sentinel <boolean>; 720 rrset-order { [ class <string> ] [ type <string> ] [ name 721 <quoted_string> ] <string> <string>; ... }; 722 send-cookie <boolean>; 723 serial-update-method ( date | increment | unixtime ); 724 server <netprefix> { 725 bogus <boolean>; 726 edns <boolean>; 727 edns-udp-size <integer>; 728 edns-version <integer>; 729 keys <server_key>; 730 max-udp-size <integer>; 731 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 732 ) ] [ dscp <integer> ]; 733 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 734 | * ) ] [ dscp <integer> ]; 735 padding <integer>; 736 provide-ixfr <boolean>; 737 query-source ( ( [ address ] ( <ipv4_address> | * ) [ port 738 ( <integer> | * ) ] ) | ( [ [ address ] ( 739 <ipv4_address> | * ) ] port ( <integer> | * ) ) ) [ 740 dscp <integer> ]; 741 query-source-v6 ( ( [ address ] ( <ipv6_address> | * ) [ 742 port ( <integer> | * ) ] ) | ( [ [ address ] ( 743 <ipv6_address> | * ) ] port ( <integer> | * ) ) ) [ 744 dscp <integer> ]; 745 request-expire <boolean>; 746 request-ixfr <boolean>; 747 request-nsid <boolean>; 748 request-sit <boolean>; // obsolete 749 send-cookie <boolean>; 750 support-ixfr <boolean>; // obsolete 751 tcp-keepalive <boolean>; 752 tcp-only <boolean>; 753 transfer-format ( many-answers | one-answer ); 754 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 755 * ) ] [ dscp <integer> ]; 756 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 757 <integer> | * ) ] [ dscp <integer> ]; 758 transfers <integer>; 759 }; // may occur multiple times 760 servfail-ttl <duration>; 761 sig-signing-nodes <integer>; 762 sig-signing-signatures <integer>; 763 sig-signing-type <integer>; 764 sig-validity-interval <integer> [ <integer> ]; 765 sortlist { <address_match_element>; ... }; 766 stale-answer-client-timeout ( disabled | off | <integer> ); 767 stale-answer-enable <boolean>; 768 stale-answer-ttl <duration>; 769 stale-cache-enable <boolean>; 770 stale-refresh-time <duration>; 771 suppress-initial-notify <boolean>; // not yet implemented 772 synth-from-dnssec <boolean>; 773 topology { <address_match_element>; ... }; // ancient 774 transfer-format ( many-answers | one-answer ); 775 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 776 dscp <integer> ]; 777 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 778 ] [ dscp <integer> ]; 779 trust-anchor-telemetry <boolean>; // experimental 780 trust-anchors { <string> ( static-key | 781 initial-key | static-ds | initial-ds 782 ) <integer> <integer> <integer> 783 <quoted_string>; ... }; // may occur multiple times 784 trusted-keys { <string> 785 <integer> <integer> 786 <integer> 787 <quoted_string>; ... }; // may occur multiple times, deprecated 788 try-tcp-refresh <boolean>; 789 update-check-ksk <boolean>; 790 use-alt-transfer-source <boolean>; 791 use-queryport-pool <boolean>; // obsolete 792 v6-bias <integer>; 793 validate-except { <string>; ... }; 794 zero-no-soa-ttl <boolean>; 795 zero-no-soa-ttl-cache <boolean>; 796 zone <string> [ <class> ] { 797 allow-notify { <address_match_element>; ... }; 798 allow-query { <address_match_element>; ... }; 799 allow-query-on { <address_match_element>; ... }; 800 allow-transfer { <address_match_element>; ... }; 801 allow-update { <address_match_element>; ... }; 802 allow-update-forwarding { <address_match_element>; ... }; 803 also-notify [ port <integer> ] [ dscp <integer> ] { ( 804 <remote-servers> | <ipv4_address> [ port <integer> ] | 805 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 806 ... }; 807 alt-transfer-source ( <ipv4_address> | * ) [ port ( 808 <integer> | * ) ] [ dscp <integer> ]; 809 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( 810 <integer> | * ) ] [ dscp <integer> ]; 811 auto-dnssec ( allow | maintain | off ); 812 check-dup-records ( fail | warn | ignore ); 813 check-integrity <boolean>; 814 check-mx ( fail | warn | ignore ); 815 check-mx-cname ( fail | warn | ignore ); 816 check-names ( fail | warn | ignore ); 817 check-sibling <boolean>; 818 check-spf ( warn | ignore ); 819 check-srv-cname ( fail | warn | ignore ); 820 check-wildcard <boolean>; 821 database <string>; 822 delegation-only <boolean>; 823 dialup ( notify | notify-passive | passive | refresh | 824 <boolean> ); 825 dlz <string>; 826 dnskey-sig-validity <integer>; 827 dnssec-dnskey-kskonly <boolean>; 828 dnssec-loadkeys-interval <integer>; 829 dnssec-policy <string>; 830 dnssec-secure-to-insecure <boolean>; 831 dnssec-update-mode ( maintain | no-resign ); 832 file <quoted_string>; 833 forward ( first | only ); 834 forwarders [ port <integer> ] [ dscp <integer> ] { ( 835 <ipv4_address> | <ipv6_address> ) [ port <integer> ] [ 836 dscp <integer> ]; ... }; 837 in-view <string>; 838 inline-signing <boolean>; 839 ixfr-base <quoted_string>; // ancient 840 ixfr-from-differences <boolean>; 841 ixfr-tmp-file <quoted_string>; // ancient 842 journal <quoted_string>; 843 key-directory <quoted_string>; 844 maintain-ixfr-base <boolean>; // ancient 845 masterfile-format ( map | raw | text ); 846 masterfile-style ( full | relative ); 847 masters [ port <integer> ] [ dscp <integer> ] { ( 848 <remote-servers> | <ipv4_address> [ port <integer> ] | 849 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 850 ... }; 851 max-ixfr-log-size ( default | unlimited | 852 <sizeval> ); // ancient 853 max-ixfr-ratio ( unlimited | <percentage> ); 854 max-journal-size ( default | unlimited | <sizeval> ); 855 max-records <integer>; 856 max-refresh-time <integer>; 857 max-retry-time <integer>; 858 max-transfer-idle-in <integer>; 859 max-transfer-idle-out <integer>; 860 max-transfer-time-in <integer>; 861 max-transfer-time-out <integer>; 862 max-zone-ttl ( unlimited | <duration> ); 863 min-refresh-time <integer>; 864 min-retry-time <integer>; 865 multi-master <boolean>; 866 notify ( explicit | master-only | primary-only | <boolean> ); 867 notify-delay <integer>; 868 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * 869 ) ] [ dscp <integer> ]; 870 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> 871 | * ) ] [ dscp <integer> ]; 872 notify-to-soa <boolean>; 873 nsec3-test-zone <boolean>; // test only 874 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 875 <remote-servers> | <ipv4_address> [ port <integer> ] | 876 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 877 ... }; 878 parental-source ( <ipv4_address> | * ) [ port ( <integer> | 879 * ) ] [ dscp <integer> ]; 880 parental-source-v6 ( <ipv6_address> | * ) [ port ( 881 <integer> | * ) ] [ dscp <integer> ]; 882 primaries [ port <integer> ] [ dscp <integer> ] { ( 883 <remote-servers> | <ipv4_address> [ port <integer> ] | 884 <ipv6_address> [ port <integer> ] ) [ key <string> ]; 885 ... }; 886 pubkey <integer> <integer> <integer> 887 <quoted_string>; // ancient 888 request-expire <boolean>; 889 request-ixfr <boolean>; 890 serial-update-method ( date | increment | unixtime ); 891 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 892 server-names { <string>; ... }; 893 sig-signing-nodes <integer>; 894 sig-signing-signatures <integer>; 895 sig-signing-type <integer>; 896 sig-validity-interval <integer> [ <integer> ]; 897 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | 898 * ) ] [ dscp <integer> ]; 899 transfer-source-v6 ( <ipv6_address> | * ) [ port ( 900 <integer> | * ) ] [ dscp <integer> ]; 901 try-tcp-refresh <boolean>; 902 type ( primary | master | secondary | slave | mirror | 903 delegation-only | forward | hint | redirect | 904 static-stub | stub ); 905 update-check-ksk <boolean>; 906 update-policy ( local | { ( deny | grant ) <string> ( 907 6to4-self | external | krb5-self | krb5-selfsub | 908 krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | 909 name | self | selfsub | selfwild | subdomain | tcp-self 910 | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... }; 911 use-alt-transfer-source <boolean>; 912 zero-no-soa-ttl <boolean>; 913 zone-statistics ( full | terse | none | <boolean> ); 914 }; // may occur multiple times 915 zone-statistics ( full | terse | none | <boolean> ); 916}; // may occur multiple times 917 918zone <string> [ <class> ] { 919 allow-notify { <address_match_element>; ... }; 920 allow-query { <address_match_element>; ... }; 921 allow-query-on { <address_match_element>; ... }; 922 allow-transfer { <address_match_element>; ... }; 923 allow-update { <address_match_element>; ... }; 924 allow-update-forwarding { <address_match_element>; ... }; 925 also-notify [ port <integer> ] [ dscp <integer> ] { ( 926 <remote-servers> | <ipv4_address> [ port <integer> ] | 927 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 928 alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) 929 ] [ dscp <integer> ]; 930 alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | 931 * ) ] [ dscp <integer> ]; 932 auto-dnssec ( allow | maintain | off ); 933 check-dup-records ( fail | warn | ignore ); 934 check-integrity <boolean>; 935 check-mx ( fail | warn | ignore ); 936 check-mx-cname ( fail | warn | ignore ); 937 check-names ( fail | warn | ignore ); 938 check-sibling <boolean>; 939 check-spf ( warn | ignore ); 940 check-srv-cname ( fail | warn | ignore ); 941 check-wildcard <boolean>; 942 database <string>; 943 delegation-only <boolean>; 944 dialup ( notify | notify-passive | passive | refresh | <boolean> ); 945 dlz <string>; 946 dnskey-sig-validity <integer>; 947 dnssec-dnskey-kskonly <boolean>; 948 dnssec-loadkeys-interval <integer>; 949 dnssec-policy <string>; 950 dnssec-secure-to-insecure <boolean>; 951 dnssec-update-mode ( maintain | no-resign ); 952 file <quoted_string>; 953 forward ( first | only ); 954 forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address> 955 | <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... }; 956 in-view <string>; 957 inline-signing <boolean>; 958 ixfr-base <quoted_string>; // ancient 959 ixfr-from-differences <boolean>; 960 ixfr-tmp-file <quoted_string>; // ancient 961 journal <quoted_string>; 962 key-directory <quoted_string>; 963 maintain-ixfr-base <boolean>; // ancient 964 masterfile-format ( map | raw | text ); 965 masterfile-style ( full | relative ); 966 masters [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> 967 | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port 968 <integer> ] ) [ key <string> ]; ... }; 969 max-ixfr-log-size ( default | unlimited | <sizeval> ); // ancient 970 max-ixfr-ratio ( unlimited | <percentage> ); 971 max-journal-size ( default | unlimited | <sizeval> ); 972 max-records <integer>; 973 max-refresh-time <integer>; 974 max-retry-time <integer>; 975 max-transfer-idle-in <integer>; 976 max-transfer-idle-out <integer>; 977 max-transfer-time-in <integer>; 978 max-transfer-time-out <integer>; 979 max-zone-ttl ( unlimited | <duration> ); 980 min-refresh-time <integer>; 981 min-retry-time <integer>; 982 multi-master <boolean>; 983 notify ( explicit | master-only | primary-only | <boolean> ); 984 notify-delay <integer>; 985 notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 986 dscp <integer> ]; 987 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] 988 [ dscp <integer> ]; 989 notify-to-soa <boolean>; 990 nsec3-test-zone <boolean>; // test only 991 parental-agents [ port <integer> ] [ dscp <integer> ] { ( 992 <remote-servers> | <ipv4_address> [ port <integer> ] | 993 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 994 parental-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 995 dscp <integer> ]; 996 parental-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 997 ] [ dscp <integer> ]; 998 primaries [ port <integer> ] [ dscp <integer> ] { ( 999 <remote-servers> | <ipv4_address> [ port <integer> ] | 1000 <ipv6_address> [ port <integer> ] ) [ key <string> ]; ... }; 1001 pubkey <integer> <integer> <integer> <quoted_string>; // ancient 1002 request-expire <boolean>; 1003 request-ixfr <boolean>; 1004 serial-update-method ( date | increment | unixtime ); 1005 server-addresses { ( <ipv4_address> | <ipv6_address> ); ... }; 1006 server-names { <string>; ... }; 1007 sig-signing-nodes <integer>; 1008 sig-signing-signatures <integer>; 1009 sig-signing-type <integer>; 1010 sig-validity-interval <integer> [ <integer> ]; 1011 transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ 1012 dscp <integer> ]; 1013 transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) 1014 ] [ dscp <integer> ]; 1015 try-tcp-refresh <boolean>; 1016 type ( primary | master | secondary | slave | mirror | 1017 delegation-only | forward | hint | redirect | static-stub | 1018 stub ); 1019 update-check-ksk <boolean>; 1020 update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | 1021 external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self 1022 | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild 1023 | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] 1024 <rrtypelist>; ... }; 1025 use-alt-transfer-source <boolean>; 1026 zero-no-soa-ttl <boolean>; 1027 zone-statistics ( full | terse | none | <boolean> ); 1028}; // may occur multiple times 1029 1030