/contrib/bind9/doc/arm/Bv9ARM.ch06.html
- <!--
- - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
- -->
- <!-- $Id$ -->
- <html>
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
- <title>Chapter 6. BIND 9 Configuration Reference</title>
- <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
- <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
- <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
- <link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
- <link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
- </head>
- <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
- <div class="navheader">
- <table width="100%" summary="Navigation header">
- <tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
- <tr>
- <td width="20%" align="left">
- <a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
- <th width="60%" align="center"> </th>
- <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
- </td>
- </tr>
- </table>
- <hr>
- </div>
- <div class="chapter" lang="en">
- <div class="titlepage"><div><div><h2 class="title">
- <a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
- <div class="toc">
- <p><b>Table of Contents</b></p>
- <dl>
- <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
- <dd><dl>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574332">Comment Syntax</a></span></dt>
- </dl></dd>
- <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
- <dd><dl>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574986"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575467"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575484"><span><strong class="command">include</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575576"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575600"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575758"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575884"><span><strong class="command">logging</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577910"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577984"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578116"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578160"><span><strong class="command">masters</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578174"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589481"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589689"><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589736"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590162"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
- Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591713"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
- </dl></dd>
- <dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595116">Zone File</a></span></dt>
- <dd><dl>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597415">Discussion of MX Records</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597962">Inverse Mapping in IPv4</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598157">Other Zone File Directives</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598430"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
- </dl></dd>
- <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
- <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
- </dl>
- </div>
- <p>
- <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
- to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
- areas
- of configuration, such as views. <acronym class="acronym">BIND</acronym>
- 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
- 9, although more complex configurations should be reviewed to check
- if they can be more efficiently implemented using the new features
- found in <acronym class="acronym">BIND</acronym> 9.
- </p>
- <p>
- <acronym class="acronym">BIND</acronym> 4 configuration files can be
- converted to the new format
- using the shell script
- <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
- </p>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
- <p>
- Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
- file documentation:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <code class="varname">acl_name</code>
- </p>
- </td>
- <td>
- <p>
- The name of an <code class="varname">address_match_list</code> as
- defined by the <span><strong class="command">acl</strong></span> statement.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">address_match_list</code>
- </p>
- </td>
- <td>
- <p>
- A list of one or more
- <code class="varname">ip_addr</code>,
- <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
- or <code class="varname">acl_name</code> elements, see
- <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">masters_list</code>
- </p>
- </td>
- <td>
- <p>
- A named list of one or more <code class="varname">ip_addr</code>
- with optional <code class="varname">key_id</code> and/or
- <code class="varname">ip_port</code>.
- A <code class="varname">masters_list</code> may include other
- <code class="varname">masters_lists</code>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">domain_name</code>
- </p>
- </td>
- <td>
- <p>
- A quoted string which will be used as
- a DNS name, for example "<code class="literal">my.test.domain</code>".
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">namelist</code>
- </p>
- </td>
- <td>
- <p>
- A list of one or more <code class="varname">domain_name</code>
- elements.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">dotted_decimal</code>
- </p>
- </td>
- <td>
- <p>
- One to four integers valued 0 through
- 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
- <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip4_addr</code>
- </p>
- </td>
- <td>
- <p>
- An IPv4 address with exactly four elements
- in <code class="varname">dotted_decimal</code> notation.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip6_addr</code>
- </p>
- </td>
- <td>
- <p>
- An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
- IPv6 scoped addresses that have ambiguity on their
- scope zones must be disambiguated by an appropriate
- zone ID with the percent character (`%') as
- delimiter. It is strongly recommended to use
- string zone names rather than numeric identifiers,
- in order to be robust against system configuration
- changes. However, since there is no standard
- mapping for such names and identifier values,
- currently only interface names as link identifiers
- are supported, assuming one-to-one mapping between
- interfaces and links. For example, a link-local
- address <span><strong class="command">fe80::1</strong></span> on the link
- attached to the interface <span><strong class="command">ne0</strong></span>
- can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
- Note that on most systems link-local addresses
- always have the ambiguity, and need to be
- disambiguated.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip_addr</code>
- </p>
- </td>
- <td>
- <p>
- An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip_port</code>
- </p>
- </td>
- <td>
- <p>
- An IP port <code class="varname">number</code>.
- The <code class="varname">number</code> is limited to 0
- through 65535, with values
- below 1024 typically restricted to use by processes running
- as root.
- In some cases, an asterisk (`*') character can be used as a
- placeholder to
- select a random high-numbered port.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip_prefix</code>
- </p>
- </td>
- <td>
- <p>
- An IP network specified as an <code class="varname">ip_addr</code>,
- followed by a slash (`/') and then the number of bits in the
- netmask.
- Trailing zeros in an <code class="varname">ip_addr</code>
- may be omitted.
- For example, <span><strong class="command">127/8</strong></span> is the
- network <span><strong class="command">127.0.0.0</strong></span> with
- netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
- network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
- </p>
- <p>
- When specifying a prefix involving an IPv6 scoped address
- the scope may be omitted. In that case the prefix will
- match packets from any scope.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">key_id</code>
- </p>
- </td>
- <td>
- <p>
- A <code class="varname">domain_name</code> representing
- the name of a shared key, to be used for transaction
- security.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">key_list</code>
- </p>
- </td>
- <td>
- <p>
- A list of one or more
- <code class="varname">key_id</code>s,
- separated by semicolons and ending with a semicolon.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">number</code>
- </p>
- </td>
- <td>
- <p>
- A non-negative 32-bit integer
- (i.e., a number between 0 and 4294967295, inclusive).
- Its acceptable value might further
- be limited by the context in which it is used.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">path_name</code>
- </p>
- </td>
- <td>
- <p>
- A quoted string which will be used as
- a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">port_list</code>
- </p>
- </td>
- <td>
- <p>
- A list of an <code class="varname">ip_port</code> or a port
- range.
- A port range is specified in the form of
- <strong class="userinput"><code>range</code></strong> followed by
- two <code class="varname">ip_port</code>s,
- <code class="varname">port_low</code> and
- <code class="varname">port_high</code>, which represents
- port numbers from <code class="varname">port_low</code> through
- <code class="varname">port_high</code>, inclusive.
- <code class="varname">port_low</code> must not be larger than
- <code class="varname">port_high</code>.
- For example,
- <strong class="userinput"><code>range 1024 65535</code></strong> represents
- ports from 1024 through 65535.
- In either case an asterisk (`*') character is not
- allowed as a valid <code class="varname">ip_port</code>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">size_spec</code>
- </p>
- </td>
- <td>
- <p>
- A number, the word <strong class="userinput"><code>unlimited</code></strong>,
- or the word <strong class="userinput"><code>default</code></strong>.
- </p>
- <p>
- An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
- use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
- the limit that was in force when the server was started.
- </p>
- <p>
- A <code class="varname">number</code> can optionally be
- followed by a scaling factor:
- <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
- for kilobytes,
- <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
- for megabytes, and
- <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
- which scale by 1024, 1024*1024, and 1024*1024*1024
- respectively.
- </p>
- <p>
- The value must be representable as a 64-bit unsigned integer
- (0 to 18446744073709551615, inclusive).
- Using <code class="varname">unlimited</code> is the best
- way
- to safely set a really large number.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">yes_or_no</code>
- </p>
- </td>
- <td>
- <p>
- Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
- The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
- also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
- and <strong class="userinput"><code>0</code></strong>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">dialup_option</code>
- </p>
- </td>
- <td>
- <p>
- One of <strong class="userinput"><code>yes</code></strong>,
- <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
- <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
- <strong class="userinput"><code>passive</code></strong>.
- When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
- <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
- are restricted to slave and stub zones.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2574099"></a>Syntax</h4></div></div></div>
- <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
- [<span class="optional"> address_match_list_element; ... </span>]
- <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
- key key_id | acl_name | { address_match_list } )
- </pre>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2574126"></a>Definition and Usage</h4></div></div></div>
- <p>
- Address match lists are primarily used to determine access
- control for various server operations. They are also used in
- the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
- statements. The elements which constitute an address match
- list can be any of the following:
- </p>
- <div class="itemizedlist"><ul type="disc">
- <li>an IP address (IPv4 or IPv6)</li>
- <li>an IP prefix (in `/' notation)</li>
- <li>
- a key ID, as defined by the <span><strong class="command">key</strong></span>
- statement
- </li>
- <li>the name of an address match list defined with
- the <span><strong class="command">acl</strong></span> statement
- </li>
- <li>a nested address match list enclosed in braces</li>
- </ul></div>
- <p>
- Elements can be negated with a leading exclamation mark (`!'),
- and the match list names "any", "none", "localhost", and
- "localnets" are predefined. More information on those names
- can be found in the description of the acl statement.
- </p>
- <p>
- The addition of the key clause made the name of this syntactic
- element something of a misnomer, since security keys can be used
- to validate access without regard to a host or network address.
- Nonetheless, the term "address match list" is still used
- throughout the documentation.
- </p>
- <p>
- When a given IP address or prefix is compared to an address
- match list, the comparison takes place in approximately O(1)
- time. However, key comparisons require that the list of keys
- be traversed until a matching key is found, and therefore may
- be somewhat slower.
- </p>
- <p>
- The interpretation of a match depends on whether the list is being
- used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
- <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
- </p>
- <p>
- When used as an access control list, a non-negated match
- allows access and a negated match denies access. If
- there is no match, access is denied. The clauses
- <span><strong class="command">allow-notify</strong></span>,
- <span><strong class="command">allow-recursion</strong></span>,
- <span><strong class="command">allow-recursion-on</strong></span>,
- <span><strong class="command">allow-query</strong></span>,
- <span><strong class="command">allow-query-on</strong></span>,
- <span><strong class="command">allow-query-cache</strong></span>,
- <span><strong class="command">allow-query-cache-on</strong></span>,
- <span><strong class="command">allow-transfer</strong></span>,
- <span><strong class="command">allow-update</strong></span>,
- <span><strong class="command">allow-update-forwarding</strong></span>, and
- <span><strong class="command">blackhole</strong></span> all use address match
- lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
- server to refuse queries on any of the machine's
- addresses which do not match the list.
- </p>
- <p>
- Order of insertion is significant. If more than one element
- in an ACL is found to match a given IP address or prefix,
- preference will be given to the one that came
- <span class="emphasis"><em>first</em></span> in the ACL definition.
- Because of this first-match behavior, an element that
- defines a subset of another element in the list should
- come before the broader element, regardless of whether
- either is negated. For example, in
- <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
- the 1.2.3.13 element is completely useless because the
- algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
- element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
- that problem by having 1.2.3.13 blocked by the negation, but
- all other 1.2.3.* hosts fall through.
- </p>
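<p>The first-match and negation rules just described, worked through as an added example (not BIND's own code): a small parser for the address_match_list syntax shown above and an evaluator that applies it the way an allow-* clause does. The names parse_prefix, parse_list, evaluate and allowed, the Python representation, and the rule that a negated hit inside a nested list counts as no match for the enclosing list are this example's own assumptions.</p>

```python
"""Address match lists as this section describes them: elements are tried
in order, the first hit decides, a leading '!' negates, and no hit means
deny.  Added example, not code from BIND; it parses the named.conf syntax
from the "Syntax" section above and evaluates it as an allow-* clause."""
import ipaddress
import re

TOKEN = re.compile(r"[{};!]|[^\s{};!]+")
IPV4 = re.compile(r"^[0-9.]+(/\d+)?$")


def parse_prefix(text):
    """ip_addr or ip_prefix.  Trailing zero octets of an IPv4 address may be
    omitted, so '127/8' is 127.0.0.0/8 and '1.2.3/24' is 1.2.3.0/24.
    Scoped IPv6 addresses such as fe80::1%ne0 are not handled here."""
    addr, _, length = text.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"bad dotted_decimal: {text!r}")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    if not length:
        return ipaddress.ip_network(addr)
    # strict=False: host bits set in the address are masked off, not rejected
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)


def parse_list(text):
    """Parse 'elem; elem; ...' into (negated, (kind, value)) pairs; kind is
    'net', 'key', 'acl' or 'list' (a nested list in braces)."""
    tokens = TOKEN.findall(text)
    pos = 0

    def elements():
        nonlocal pos
        out = []
        while pos < len(tokens) and tokens[pos] != "}":
            negated = tokens[pos] == "!"
            if negated:
                pos += 1
            if pos >= len(tokens):
                raise ValueError("dangling '!'")
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                elem = ("list", elements())
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError("unterminated nested list")
                pos += 1
            elif tok == "key":
                if pos >= len(tokens):
                    raise ValueError("key without key_id")
                elem = ("key", tokens[pos])
                pos += 1
            elif IPV4.match(tok) or ":" in tok:
                elem = ("net", parse_prefix(tok))
            else:
                elem = ("acl", tok)
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            out.append((negated, elem))
        return out

    return elements()


def evaluate(elems, client, key, acls):
    """First-match walk.  Returns True for a non-negated hit, False for a
    negated hit, None when nothing matched.  A negated hit inside a nested
    list or named acl counts as no match for the enclosing list, so double
    negation cannot quietly grant access (this example's rule; the section
    above does not spell it out)."""
    for negated, (kind, value) in elems:
        if kind == "net":
            hit = client.version == value.version and client in value
        elif kind == "key":
            hit = key is not None and key == value
        elif kind == "list":
            hit = evaluate(value, client, key, acls) is True
        elif value == "any":            # built-in acl names
            hit = True
        elif value == "none":
            hit = False
        elif value in acls:             # acl must already be defined
            hit = evaluate(acls[value], client, key, acls) is True
        else:
            raise ValueError(f"acl {value!r} used before definition")
        if hit:
            return not negated
    return None


def allowed(acl_text, client, key=None, acls=None):
    """Access-control interpretation: only a non-negated match allows.
    'acls' maps acl names defined earlier to their parsed lists; the
    built-ins localhost and localnets depend on the host's interfaces and
    are left out of this example."""
    result = evaluate(parse_list(acl_text), ipaddress.ip_address(client),
                      key, acls or {})
    return result is True
```

<p>With the two lists from the paragraph above, allowed("1.2.3/24; ! 1.2.3.13;", "1.2.3.13") is True because the /24 is hit first, while allowed("! 1.2.3.13; 1.2.3/24;", "1.2.3.13") is False and the rest of 1.2.3.* still falls through to the /24.</p>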
- </div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2574332"></a>Comment Syntax</h3></div></div></div>
- <p>
- The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
- comments to appear
- anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
- file. To appeal to programmers of all kinds, they can be written
- in the C, C++, or shell/perl style.
- </p>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2574347"></a>Syntax</h4></div></div></div>
- <p>
- </p>
- <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
- <p>
- </p>
- <pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
- <p>
- </p>
- <pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
- # and perl</pre>
- <p>
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2574377"></a>Definition and Usage</h4></div></div></div>
- <p>
- Comments may appear anywhere that whitespace may appear in
- a <acronym class="acronym">BIND</acronym> configuration file.
- </p>
- <p>
- C-style comments start with the two characters /* (slash,
- star) and end with */ (star, slash). Because they are completely
- delimited with these characters, they can be used to comment only
- a portion of a line or to span multiple lines.
- </p>
- <p>
- C-style comments cannot be nested. For example, the following
- is not valid because the entire comment ends with the first */:
- </p>
- <p>
- </p>
- <pre class="programlisting">/* This is the start of a comment.
- This is still part of the comment.
- /* This is an incorrect attempt at nesting a comment. */
- This is no longer in any comment. */
- </pre>
- <p>
- </p>
- <p>
- C++-style comments start with the two characters // (slash,
- slash) and continue to the end of the physical line. They cannot
- be continued across multiple physical lines; to have one logical
- comment span multiple lines, each line must use the // pair.
- For example:
- </p>
- <p>
- </p>
- <pre class="programlisting">// This is the start of a comment. The next line
- // is a new comment, even though it is logically
- // part of the previous comment.
- </pre>
- <p>
- </p>
- <p>
- Shell-style (or perl-style, if you prefer) comments start
- with the character <code class="literal">#</code> (number sign)
- and continue to the end of the
- physical line, as in C++ comments.
- For example:
- </p>
- <p>
- </p>
- <pre class="programlisting"># This is the start of a comment. The next line
- # is a new comment, even though it is logically
- # part of the previous comment.
- </pre>
- <p>
- </p>
- <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Warning</h3>
- <p>
- You cannot use the semicolon (`;') character
- to start a comment such as you would in a zone file. The
- semicolon indicates the end of a configuration
- statement.
- </p>
- </div>
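<p>The non-nesting and semicolon rules above, exercised by an added example (not BIND's own lexer): a comment stripper for the three styles, plus a small check that flags zone-file-style ';' comment lines in a configuration under review. The names strip_comments and semicolon_comment_lines and the pass-through of double-quoted strings are this example's assumptions.</p>

```python
"""Removes the three comment styles this section allows from named.conf
text, honouring the rules above: a /* comment ends at the first */ (no
nesting), // and # run to the end of the physical line, and ';' is a
statement terminator, never a comment.  Added example, not BIND's lexer.
It assumes double-quoted strings may contain comment characters and copies
them through untouched; the section itself says nothing about strings."""


def strip_comments(text):
    """Return text with all comments removed; newlines are kept so line
    numbers still line up with the original file."""
    out = []
    i, n = 0, len(text)
    while i < n:
        c, two = text[i], text[i:i + 2]
        if c == '"':                         # quoted string: copy verbatim
            j = text.find('"', i + 1)
            j = n if j < 0 else j + 1
            out.append(text[i:j])
            i = j
        elif two == "/*":                    # C style: ends at the FIRST */
            j = text.find("*/", i + 2)
            if j < 0:
                raise ValueError("unterminated /* comment")
            i = j + 2
        elif two == "//" or c == "#":        # C++ / shell style: rest of line
            j = text.find("\n", i)
            i = n if j < 0 else j            # the newline itself is kept
        else:
            out.append(c)
            i += 1
    return "".join(out)


def semicolon_comment_lines(text):
    """Lines where, after real comments are stripped, a line begins with ';'
    followed by text: a zone-file habit that named.conf does not treat as a
    comment.  Returns 1-based line numbers for a config review."""
    flagged = []
    for lineno, line in enumerate(strip_comments(text).splitlines(), 1):
        s = line.lstrip()
        if s.startswith(";") and s[1:].strip():
            flagged.append(lineno)
    return flagged
```

<p>Run over the four-line nesting example above, strip_comments leaves "This is no longer in any comment. */" behind, which is exactly the text named would then try to parse.</p>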
- </div>
- </div>
- </div>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
- <p>
- A <acronym class="acronym">BIND</acronym> 9 configuration consists of
- statements and comments.
- Statements end with a semicolon. Statements and comments are the
- only elements that can appear without enclosing braces. Many
- statements contain a block of sub-statements, which are also
- terminated with a semicolon.
- </p>
- <p>
- The following statements are supported:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p><span><strong class="command">acl</strong></span></p>
- </td>
- <td>
- <p>
- defines a named IP address
- matching list, for access control and other uses.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">controls</strong></span></p>
- </td>
- <td>
- <p>
- declares control channels to be used
- by the <span><strong class="command">rndc</strong></span> utility.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">include</strong></span></p>
- </td>
- <td>
- <p>
- includes a file.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">key</strong></span></p>
- </td>
- <td>
- <p>
- specifies key information for use in
- authentication and authorization using TSIG.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">logging</strong></span></p>
- </td>
- <td>
- <p>
- specifies what the server logs, and where
- the log messages are sent.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">lwres</strong></span></p>
- </td>
- <td>
- <p>
- configures <span><strong class="command">named</strong></span> to
- also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">masters</strong></span></p>
- </td>
- <td>
- <p>
- defines a named masters list for
- inclusion in stub and slave zone masters clauses.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">options</strong></span></p>
- </td>
- <td>
- <p>
- controls global server configuration
- options and sets defaults for other statements.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">server</strong></span></p>
- </td>
- <td>
- <p>
- sets certain configuration options on
- a per-server basis.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">statistics-channels</strong></span></p>
- </td>
- <td>
- <p>
- declares communication channels to get access to
- <span><strong class="command">named</strong></span> statistics.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">trusted-keys</strong></span></p>
- </td>
- <td>
- <p>
- defines trusted DNSSEC keys.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">managed-keys</strong></span></p>
- </td>
- <td>
- <p>
- lists DNSSEC keys to be kept up to date
- using RFC 5011 trust anchor maintenance.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">view</strong></span></p>
- </td>
- <td>
- <p>
- defines a view.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">zone</strong></span></p>
- </td>
- <td>
- <p>
- defines a zone.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- The <span><strong class="command">logging</strong></span> and
- <span><strong class="command">options</strong></span> statements may only occur once
- per
- configuration.
- </p>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2574986"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
- address_match_list
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">acl</strong></span> statement assigns a symbolic
- name to an address match list. It gets its name from a primary
- use of address match lists: Access Control Lists (ACLs).
- </p>
- <p>
- Note that an address match list's name must be defined
- with <span><strong class="command">acl</strong></span> before it can be used
- elsewhere; no forward references are allowed.
- </p>
- <p>
- The following ACLs are built-in:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p><span><strong class="command">any</strong></span></p>
- </td>
- <td>
- <p>
- Matches all hosts.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">none</strong></span></p>
- </td>
- <td>
- <p>
- Matches no hosts.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">localhost</strong></span></p>
- </td>
- <td>
- <p>
- Matches the IPv4 and IPv6 addresses of all network
- interfaces on the system.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">localnets</strong></span></p>
- </td>
- <td>
- <p>
- Matches any host on an IPv4 or IPv6 network
- for which the system has an interface.
- Some systems do not provide a way to determine the prefix
- lengths of local IPv6 addresses. In such a case,
- <span><strong class="command">localnets</strong></span> only matches the local
- IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575176"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">controls</strong></span> {
- [ inet ( ip_addr | * ) [ port ip_port ]
- allow { <em class="replaceable"><code> address_match_list </code></em> }
- keys { <em class="replaceable"><code>key_list</code></em> }; ]
- [ inet ...; ]
- [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
- keys { <em class="replaceable"><code>key_list</code></em> }; ]
- [ unix ...; ]
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">controls</strong></span> statement declares control
- channels to be used by system administrators to control the
- operation of the name server. These control channels are
- used by the <span><strong class="command">rndc</strong></span> utility to send
- commands to and retrieve non-DNS results from a name server.
- </p>
- <p>
- An <span><strong class="command">inet</strong></span> control channel is a TCP socket
- listening at the specified <span><strong class="command">ip_port</strong></span> on the
- specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
- interpreted as the IPv4 wildcard address; connections will be
- accepted on any of the system's IPv4 addresses.
- To listen on the IPv6 wildcard address,
- use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
- If you will only use <span><strong class="command">rndc</strong></span> on the local host,
- using the loopback address (<code class="literal">127.0.0.1</code>
- or <code class="literal">::1</code>) is recommended for maximum security.
- </p>
- <p>
- If no port is specified, port 953 is used. The asterisk
- "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
- </p>
- <p>
- The ability to issue commands over the control channel is
- restricted by the <span><strong class="command">allow</strong></span> and
- <span><strong class="command">keys</strong></span> clauses.
- Connections to the control channel are permitted based on the
- <span><strong class="command">address_match_list</strong></span>. This is for simple
- IP address based filtering only; any <span><strong class="command">key_id</strong></span>
- elements of the <span><strong class="command">address_match_list</strong></span>
- are ignored.
- </p>
- <p>
- A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
- socket listening at the specified path in the file system.
- Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
- <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
- Note that on some platforms (SunOS and Solaris) the permissions
- (<span><strong class="command">perm</strong></span>) are applied to the parent directory,
- since the permissions on the socket itself are ignored.
- </p>
- <p>
- The primary authorization mechanism of the command
- channel is the <span><strong class="command">key_list</strong></span>, which
- contains a list of <span><strong class="command">key_id</strong></span>s.
- Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
- is authorized to execute commands over the control channel.
- See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>
- for information about configuring keys in <span><strong class="command">rndc</strong></span>.
- </p>
- <p>
- If no <span><strong class="command">controls</strong></span> statement is present,
- <span><strong class="command">named</strong></span> will set up a default
- control channel listening on the loopback address 127.0.0.1
- and its IPv6 counterpart ::1.
- In this case, and also when the <span><strong class="command">controls</strong></span> statement
- is present but does not have a <span><strong class="command">keys</strong></span> clause,
- <span><strong class="command">named</strong></span> will attempt to load the command channel key
- from the file <code class="filename">rndc.key</code> in
- <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
- was specified as when <acronym class="acronym">BIND</acronym> was built).
- To create a <code class="filename">rndc.key</code> file, run
- <strong class="userinput"><code>rndc-confgen -a</code></strong>.
- </p>
- <p>
- The <code class="filename">rndc.key</code> feature was created to
- ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
- which did not have digital signatures on its command channel
- messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
- It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
- configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
- and still have <span><strong class="command">rndc</strong></span> work the same way
- <span><strong class="command">ndc</strong></span> worked in <acronym class="acronym">BIND</acronym> 8, simply by executing the
- command <strong class="userinput"><code>rndc-confgen -a</code></strong> after <acronym class="acronym">BIND</acronym> 9 is
- installed.
- </p>
- <p>
- Since the <code class="filename">rndc.key</code> feature
- is only intended to allow the backward-compatible usage of
- <acronym class="acronym">BIND</acronym> 8 configuration files, this
- feature does not have a high degree of configurability.
- You cannot easily change the key name or the size of the secret,
- so you should make a <code class="filename">rndc.conf</code>
- with your own key if you wish to change those things.
- The <code class="filename">rndc.key</code> file also has its
- permissions set such that only the owner of the file (the user that
- <span><strong class="command">named</strong></span> is running as) can access it.
- If you desire greater flexibility in allowing other users to access
- <span><strong class="command">rndc</strong></span> commands, then you need to create
- a <code class="filename">rndc.conf</code> file and make it group
- readable by a group that contains the users who should have access.
- </p>
- <p>
- To disable the command channel, use an empty
- <span><strong class="command">controls</strong></span> statement:
- <span><strong class="command">controls { };</strong></span>.
- </p>
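<p>
The settings described above (loopback versus wildcard address, the <span><strong class="command">allow</strong></span> list, the <span><strong class="command">keys</strong></span> clause and its <code class="filename">rndc.key</code> fallback, and the empty <span><strong class="command">controls { };</strong></span> that disables the channel) can be checked mechanically. The following audit script is an added example and not part of the ARM or of ISC's code; the configuration it parses is constructed for illustration, and the parser handles only the <span><strong class="command">inet</strong></span> form of the grammar.
</p>

```python
"""Audit a named.conf controls statement (added example, not ISC code)."""
import re
# Constructed sample (not from the ARM): the first inet channel is reachable
# from every host and relies on the rndc.key fallback; the second is the
# recommended loopback-only, keyed channel.
SAMPLE_CONF = """
controls {
    inet * port 953 allow { any; };
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
"""

_INET_RE = re.compile(
    r"inet\s+(?P<addr>\S+)(?:\s+port\s+(?P<port>\d+))?"
    r"\s+allow\s*\{(?P<allow>[^}]*)\}(?:\s+keys\s*\{(?P<keys>[^}]*)\})?\s*;")

def controls_body(conf):
    """Text between the braces of the controls statement, or None if absent."""
    start = conf.find("controls")
    if start < 0:
        return None
    open_brace = conf.index("{", start)
    depth = 0
    for pos in range(open_brace, len(conf)):  # count braces: allow { } nests inside
        if conf[pos] == "{":
            depth += 1
        elif conf[pos] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_brace + 1:pos]
    raise ValueError("unbalanced braces in controls statement")

def audit_controls(conf):
    """One finding per weakness in each inet channel; empty list means none."""
    body = controls_body(conf)
    if body is None:  # named then opens the default loopback channel itself
        return ["no controls statement: default loopback channel with rndc.key"]
    if not body.strip():  # "controls { };" disables the command channel
        return []
    findings = []
    for ch in _INET_RE.finditer(body):
        where = f"inet {ch['addr']} port {ch['port'] or '953'}"  # 953 is the default
        allow = {a.strip().strip('"') for a in ch["allow"].split(";") if a.strip()}
        if ch["addr"] in ("*", "::"):  # * is the IPv4 wildcard, :: the IPv6 one
            findings.append(f"{where}: listens on a wildcard address, not loopback")
        if "any" in allow:
            findings.append(f"{where}: allow {{ any; }} admits connections from every host")
        if ch["keys"] is None:
            findings.append(f"{where}: no keys clause, falls back to rndc.key in sysconfdir")
    return findings
```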
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575467"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575484"></a><span><strong class="command">include</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">include</strong></span> statement inserts the
- specified file at the point where the <span><strong class="command">include</strong></span>
- statement is encountered. The <span><strong class="command">include</strong></span>
- statement facilitates the administration of configuration files
- by permitting the reading or writing of some things but not
- others. For example, the statement could include private keys
- that are readable only by the name server.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575576"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
- algorithm <em class="replaceable"><code>string</code></em>;
- secret <em class="replaceable"><code>string</code></em>;
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575600"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">key</strong></span> statement defines a shared
- secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
- or the command channel
- (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
- Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
- Usage”</a>).
- </p>
- <p>
- The <span><strong class="command">key</strong></span> statement can occur at the
- top level
- of the configuration file or inside a <span><strong class="command">view</strong></span>
- statement. Keys defined in top-level <span><strong class="command">key</strong></span>
- statements can be used in all views. Keys intended for use in
- a <span><strong class="command">controls</strong></span> statement
- (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
- Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition…