/contrib/bind9/doc/arm/Bv9ARM.ch06.html

Source: https://bitbucket.org/freebsd/freebsd-head/ (HTML, 10776 lines in the original file; this copy is truncated)

<!--
- Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 6. BIND 9 Configuration Reference</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
<th width="60%" align="center"> </th>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574332">Comment Syntax</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574986"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575467"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575484"><span><strong class="command">include</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575576"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575600"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575758"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575884"><span><strong class="command">logging</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577910"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577984"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578116"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578160"><span><strong class="command">masters</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578174"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589481"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589689"><span><strong class="command">trusted-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589736"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590162"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
Statement Grammar</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591713"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595116">Zone File</a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597415">Discussion of MX Records</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597962">Inverse Mapping in IPv4</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598157">Other Zone File Directives</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598430"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
</dl>
</div>
<p>
<acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
areas
of configuration, such as views. <acronym class="acronym">BIND</acronym>
8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
9, although more complex configurations should be reviewed to check
if they can be more efficiently implemented using the new features
found in <acronym class="acronym">BIND</acronym> 9.
</p>
<p>
<acronym class="acronym">BIND</acronym> 4 configuration files can be
converted to the new format
using the shell script
<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
</p>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
<p>
Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
file documentation:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p>
<code class="varname">acl_name</code>
</p>
</td>
<td>
<p>
The name of an <code class="varname">address_match_list</code> as
defined by the <span><strong class="command">acl</strong></span> statement.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">address_match_list</code>
</p>
</td>
<td>
<p>
A list of one or more
<code class="varname">ip_addr</code>,
<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
or <code class="varname">acl_name</code> elements, see
<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">masters_list</code>
</p>
</td>
<td>
<p>
A named list of one or more <code class="varname">ip_addr</code>
with optional <code class="varname">key_id</code> and/or
<code class="varname">ip_port</code>.
A <code class="varname">masters_list</code> may include other
<code class="varname">masters_lists</code>.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">domain_name</code>
</p>
</td>
<td>
<p>
A quoted string which will be used as
a DNS name, for example "<code class="literal">my.test.domain</code>".
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">namelist</code>
</p>
</td>
<td>
<p>
A list of one or more <code class="varname">domain_name</code>
elements.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">dotted_decimal</code>
</p>
</td>
<td>
<p>
One to four integers valued 0 through
255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">ip4_addr</code>
</p>
</td>
<td>
<p>
An IPv4 address with exactly four elements
in <code class="varname">dotted_decimal</code> notation.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">ip6_addr</code>
</p>
</td>
<td>
<p>
An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
IPv6 scoped addresses that have ambiguity on their
scope zones must be disambiguated by an appropriate
zone ID with the percent character (`%') as
delimiter. It is strongly recommended to use
string zone names rather than numeric identifiers,
in order to be robust against system configuration
changes. However, since there is no standard
mapping for such names and identifier values,
currently only interface names as link identifiers
are supported, assuming one-to-one mapping between
interfaces and links. For example, a link-local
address <span><strong class="command">fe80::1</strong></span> on the link
attached to the interface <span><strong class="command">ne0</strong></span>
can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
Note that on most systems link-local addresses
always have the ambiguity, and need to be
disambiguated.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">ip_addr</code>
</p>
</td>
<td>
<p>
An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">ip_port</code>
</p>
</td>
<td>
<p>
An IP port <code class="varname">number</code>.
The <code class="varname">number</code> is limited to 0
through 65535, with values
below 1024 typically restricted to use by processes running
as root.
In some cases, an asterisk (`*') character can be used as a
placeholder to
select a random high-numbered port.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">ip_prefix</code>
</p>
</td>
<td>
<p>
An IP network specified as an <code class="varname">ip_addr</code>,
followed by a slash (`/') and then the number of bits in the
netmask.
Trailing zeros in an <code class="varname">ip_addr</code>
may be omitted.
For example, <span><strong class="command">127/8</strong></span> is the
network <span><strong class="command">127.0.0.0</strong></span> with
netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
</p>
<p>
When specifying a prefix involving an IPv6 scoped address
the scope may be omitted. In that case the prefix will
match packets from any scope.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">key_id</code>
</p>
</td>
<td>
<p>
A <code class="varname">domain_name</code> representing
the name of a shared key, to be used for transaction
security.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">key_list</code>
</p>
</td>
<td>
<p>
A list of one or more
<code class="varname">key_id</code>s,
separated by semicolons and ending with a semicolon.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">number</code>
</p>
</td>
<td>
<p>
A non-negative 32-bit integer
(i.e., a number between 0 and 4294967295, inclusive).
Its acceptable value might further
be limited by the context in which it is used.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">path_name</code>
</p>
</td>
<td>
<p>
A quoted string which will be used as
a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">port_list</code>
</p>
</td>
<td>
<p>
A list of an <code class="varname">ip_port</code> or a port
range.
A port range is specified in the form of
<strong class="userinput"><code>range</code></strong> followed by
two <code class="varname">ip_port</code>s,
<code class="varname">port_low</code> and
<code class="varname">port_high</code>, which represents
port numbers from <code class="varname">port_low</code> through
<code class="varname">port_high</code>, inclusive.
<code class="varname">port_low</code> must not be larger than
<code class="varname">port_high</code>.
For example,
<strong class="userinput"><code>range 1024 65535</code></strong> represents
ports from 1024 through 65535.
In either case an asterisk (`*') character is not
allowed as a valid <code class="varname">ip_port</code>.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">size_spec</code>
</p>
</td>
<td>
<p>
A number, the word <strong class="userinput"><code>unlimited</code></strong>,
or the word <strong class="userinput"><code>default</code></strong>.
</p>
<p>
An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
the limit that was in force when the server was started.
</p>
<p>
A <code class="varname">number</code> can optionally be
followed by a scaling factor:
<strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
for kilobytes,
<strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
for megabytes, and
<strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
which scale by 1024, 1024*1024, and 1024*1024*1024
respectively.
</p>
<p>
The value must be representable as a 64-bit unsigned integer
(0 to 18446744073709551615, inclusive).
Using <code class="varname">unlimited</code> is the best
way
to safely set a really large number.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">yes_or_no</code>
</p>
</td>
<td>
<p>
Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
and <strong class="userinput"><code>0</code></strong>.
</p>
</td>
</tr>
<tr>
<td>
<p>
<code class="varname">dialup_option</code>
</p>
</td>
<td>
<p>
One of <strong class="userinput"><code>yes</code></strong>,
<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
<strong class="userinput"><code>passive</code></strong>.
When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
are restricted to slave and stub zones.
</p>
</td>
</tr>
</tbody>
</table></div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2574099"></a>Syntax</h4></div></div></div>
<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
[<span class="optional"> address_match_list_element; ... </span>]
<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
key key_id | acl_name | { address_match_list } )
</pre>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2574126"></a>Definition and Usage</h4></div></div></div>
<p>
Address match lists are primarily used to determine access
control for various server operations. They are also used in
the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
statements. The elements which constitute an address match
list can be any of the following:
</p>
<div class="itemizedlist"><ul type="disc">
<li>an IP address (IPv4 or IPv6)</li>
<li>an IP prefix (in `/' notation)</li>
<li>
a key ID, as defined by the <span><strong class="command">key</strong></span>
statement
</li>
<li>the name of an address match list defined with
the <span><strong class="command">acl</strong></span> statement
</li>
<li>a nested address match list enclosed in braces</li>
</ul></div>
<p>
Elements can be negated with a leading exclamation mark (`!'),
and the match list names "any", "none", "localhost", and
"localnets" are predefined. More information on those names
can be found in the description of the acl statement.
</p>
<p>
The addition of the key clause made the name of this syntactic
element something of a misnomer, since security keys can be used
to validate access without regard to a host or network address.
Nonetheless, the term "address match list" is still used
throughout the documentation.
</p>
<p>
When a given IP address or prefix is compared to an address
match list, the comparison takes place in approximately O(1)
time. However, key comparisons require that the list of keys
be traversed until a matching key is found, and therefore may
be somewhat slower.
</p>
<p>
The interpretation of a match depends on whether the list is being
used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
<span><strong class="command">sortlist</strong></span>, and whether the element was negated.
</p>
<p>
When used as an access control list, a non-negated match
allows access and a negated match denies access. If
there is no match, access is denied. The clauses
<span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">allow-query</strong></span>,
<span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-query-cache</strong></span>,
<span><strong class="command">allow-query-cache-on</strong></span>,
<span><strong class="command">allow-transfer</strong></span>,
<span><strong class="command">allow-update</strong></span>,
<span><strong class="command">allow-update-forwarding</strong></span>, and
<span><strong class="command">blackhole</strong></span> all use address match
lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
server to refuse queries on any of the machine's
addresses which do not match the list.
</p>
<p>
Order of insertion is significant. If more than one element
in an ACL is found to match a given IP address or prefix,
preference will be given to the one that came
<span class="emphasis"><em>first</em></span> in the ACL definition.
Because of this first-match behavior, an element that
defines a subset of another element in the list should
come before the broader element, regardless of whether
either is negated. For example, in
<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
the 1.2.3.13 element is completely useless because the
algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
that problem by having 1.2.3.13 blocked by the negation, but
all other 1.2.3.* hosts fall through.
</p>
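<p>
The two orderings above, evaluated by a small first-match matcher. This is an
added example written for this page, not <acronym class="acronym">BIND</acronym>'s
own code: it models only the <code class="varname">ip_addr</code>,
<code class="varname">ip_prefix</code> and negation elements under the
access-control interpretation (named ACLs, <code class="varname">key</code>
elements and nested brace lists are left out), and its prefix parser also
accepts the shorthand from the elements table in which trailing zero octets
are omitted, as in <code class="literal">1.2.3/24</code> or
<code class="literal">127/8</code>. The client addresses it is run against are
constructed for the demonstration.
</p>

```python
"""First-match evaluation of a BIND-style address match list.

Added illustrative code for this page, not part of BIND. Only the
ip_addr / ip_prefix / '!' elements are modelled, with the access-control
meaning: first matching element decides, non-negated match allows,
negated match denies, and no match at all denies.
"""
import ipaddress


def parse_ip_prefix(text):
    """Turn an ip_addr or ip_prefix element into an ip_network.

    IPv4 text may omit trailing zero octets, as the elements table allows:
    "1.2.3/24" -> 1.2.3.0/24, "127/8" -> 127.0.0.0/8. A bare address
    becomes a host prefix: "1.2.3.13" -> 1.2.3.13/32. IPv6 text is passed
    through unchanged because no such shorthand is defined for it.
    """
    if "/" in text:
        addr, length = text.split("/", 1)
    else:
        addr, length = text, None
    if ":" not in addr:
        octets = addr.split(".")
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"bad dotted_decimal: {text!r}")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    spec = addr if length is None else f"{addr}/{length}"
    # strict=False lets "1.2.3.13/24"-style host bits through, as named does
    return ipaddress.ip_network(spec, strict=False)


def parse_acl(text):
    """Parse 'elem; elem; ...' into ordered (negated, network) pairs."""
    elements = []
    for raw in text.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        negated = raw.startswith("!")
        body = raw[1:].strip() if negated else raw
        elements.append((negated, parse_ip_prefix(body)))
    return elements


def acl_allows(acl, client):
    """Access-control interpretation of a match list for one client address."""
    ip = ipaddress.ip_address(client)
    for negated, net in acl:
        if ip.version == net.version and ip in net:
            return not negated          # first match wins
    return False                        # no match: denied


# The two lists from the text: the first hides the negation behind the
# broader prefix, the second puts the more specific (negated) host first.
BROKEN = parse_acl("1.2.3/24; ! 1.2.3.13;")
FIXED = parse_acl("! 1.2.3.13; 1.2.3/24;")

if __name__ == "__main__":
    # Constructed sample clients: the blocked host, a sibling, an outsider.
    for name, acl in (("broken", BROKEN), ("fixed", FIXED)):
        verdicts = {c: acl_allows(acl, c) for c in ("1.2.3.13", "1.2.3.7", "10.0.0.1")}
        print(name, verdicts)
```

<p>
Run directly, it prints the verdicts for each ordering; the point to notice is
that with the broader prefix first, <code class="literal">1.2.3.13</code> is
allowed even though it appears negated later in the list, while the reordered
list denies that host and still admits the rest of
<code class="literal">1.2.3.0/24</code>.
</p>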
</div>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2574332"></a>Comment Syntax</h3></div></div></div>
<p>
The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
comments to appear
anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
file. To appeal to programmers of all kinds, they can be written
in the C, C++, or shell/perl style.
</p>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2574347"></a>Syntax</h4></div></div></div>
<p>
</p>
<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
<p>
</p>
<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
<p>
</p>
<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
# and perl</pre>
<p>
</p>
</div>
<div class="sect3" lang="en">
<div class="titlepage"><div><div><h4 class="title">
<a name="id2574377"></a>Definition and Usage</h4></div></div></div>
<p>
Comments may appear anywhere that whitespace may appear in
a <acronym class="acronym">BIND</acronym> configuration file.
</p>
<p>
C-style comments start with the two characters /* (slash,
star) and end with */ (star, slash). Because they are completely
delimited with these characters, they can be used to comment only
a portion of a line or to span multiple lines.
</p>
<p>
C-style comments cannot be nested. For example, the following
is not valid because the entire comment ends with the first */:
</p>
<p>
</p>
<pre class="programlisting">/* This is the start of a comment.
This is still part of the comment.
/* This is an incorrect attempt at nesting a comment. */
This is no longer in any comment. */
</pre>
<p>
</p>
<p>
C++-style comments start with the two characters // (slash,
slash) and continue to the end of the physical line. They cannot
be continued across multiple physical lines; to have one logical
comment span multiple lines, each line must use the // pair.
For example:
</p>
<p>
</p>
<pre class="programlisting">// This is the start of a comment. The next line
// is a new comment, even though it is logically
// part of the previous comment.
</pre>
<p>
</p>
<p>
Shell-style (or perl-style, if you prefer) comments start
with the character <code class="literal">#</code> (number sign)
and continue to the end of the
physical line, as in C++ comments.
For example:
</p>
<p>
</p>
<pre class="programlisting"># This is the start of a comment. The next line
# is a new comment, even though it is logically
# part of the previous comment.
</pre>
<p>
</p>
<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Warning</h3>
<p>
You cannot use the semicolon (`;') character
to start a comment such as you would in a zone file. The
semicolon indicates the end of a configuration
statement.
</p>
</div>
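<p>
A small comment stripper that applies the three delimiting rules above,
including the non-nesting behaviour of <code class="literal">/* */</code>
and the fact that a semicolon is never a comment marker. It is an added
example written for this page, not <acronym class="acronym">BIND</acronym>'s
own lexer; the <code class="filename">named.conf</code> fragment it processes
is constructed for the demonstration, and it honours double-quoted strings so
that a <code class="literal">#</code> or <code class="literal">//</code> inside
a quoted value (a path, a <code class="literal">version</code> string) is not
mistaken for a comment.
</p>

```python
"""Strip BIND 9 configuration comments the way the three rules above describe.

Added illustrative code for this page, not BIND's lexer. Rules applied:
  /* ... */  ends at the FIRST '*/' (no nesting)
  // ...     and  # ...   run to the end of the physical line
  ;          is a statement terminator and is never a comment
Double-quoted strings are copied verbatim so their contents are never
treated as comment markers.
"""


def strip_comments(text):
    """Return `text` with all three comment styles removed; newlines are kept."""
    out = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        two = text[i:i + 2]
        if c == '"':                       # quoted string: copy verbatim
            j = text.find('"', i + 1)
            j = n if j == -1 else j + 1
            out.append(text[i:j])
            i = j
        elif two == "/*":                  # C style: closed by the first '*/'
            j = text.find("*/", i + 2)
            if j == -1:
                raise SyntaxError("unterminated /* comment")
            i = j + 2
        elif two == "//" or c == "#":      # C++ / shell style: to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j        # the newline itself is kept
        else:
            out.append(c)
            i += 1
    return "".join(out)


def clean_lines(text):
    """Non-blank, whitespace-trimmed lines left over after comment stripping."""
    return [ln.strip() for ln in strip_comments(text).splitlines() if ln.strip()]


# The invalid nesting example from the text: the first '*/' closes the
# comment, so the last line leaks out and reaches the parser as config.
NESTED = (
    "/* This is the start of a comment.\n"
    "This is still part of the comment.\n"
    "/* This is an incorrect attempt at nesting a comment. */\n"
    "This is no longer in any comment. */\n"
)

# Constructed named.conf fragment mixing all three styles, a quoted '#',
# and a stray ';' comment in zone-file style (which is NOT a comment here).
SAMPLE = (
    'options { // C++ style comment\n'
    '    directory "/var/named";   # shell style comment\n'
    '    /* C style, spanning\n'
    '       two lines */ recursion no;\n'
    '    version "not # a comment";  ; this is NOT a comment\n'
    '};\n'
)

if __name__ == "__main__":
    print(repr(strip_comments(NESTED).strip()))
    for line in clean_lines(SAMPLE):
        print(line)
```

<p>
The leftover text from the nested example is exactly the last line plus its
dangling <code class="literal">*/</code>, which is what
<span><strong class="command">named</strong></span> would then try to parse as
configuration; likewise the zone-file style
<code class="literal">; this is NOT a comment</code> survives stripping and
would be a syntax error.
</p>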
</div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
<p>
A <acronym class="acronym">BIND</acronym> 9 configuration consists of
statements and comments.
Statements end with a semicolon. Statements and comments are the
only elements that can appear without enclosing braces. Many
statements contain a block of sub-statements, which are also
terminated with a semicolon.
</p>
<p>
The following statements are supported:
</p>
<div class="informaltable"><table border="1">
<colgroup>
<col>
<col>
</colgroup>
<tbody>
<tr>
<td>
<p><span><strong class="command">acl</strong></span></p>
</td>
<td>
<p>
defines a named IP address
matching list, for access control and other uses.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">controls</strong></span></p>
</td>
<td>
<p>
declares control channels to be used
by the <span><strong class="command">rndc</strong></span> utility.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">include</strong></span></p>
</td>
<td>
<p>
includes a file.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">key</strong></span></p>
</td>
<td>
<p>
specifies key information for use in
authentication and authorization using TSIG.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">logging</strong></span></p>
</td>
<td>
<p>
specifies what the server logs, and where
the log messages are sent.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">lwres</strong></span></p>
</td>
<td>
<p>
configures <span><strong class="command">named</strong></span> to
also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">masters</strong></span></p>
</td>
<td>
<p>
defines a named masters list for
inclusion in stub and slave zone masters clauses.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">options</strong></span></p>
</td>
<td>
<p>
controls global server configuration
options and sets defaults for other statements.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">server</strong></span></p>
</td>
<td>
<p>
sets certain configuration options on
a per-server basis.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">statistics-channels</strong></span></p>
</td>
<td>
<p>
declares communication channels to get access to
<span><strong class="command">named</strong></span> statistics.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">trusted-keys</strong></span></p>
</td>
<td>
<p>
defines trusted DNSSEC keys.
</p>
</td>
</tr>
<tr>
<td>
<p><span><strong class="command">managed-keys</strong></span></p>
  807. </td>
  808. <td>
  809. <p>
  810. lists DNSSEC keys to be kept up to date
  811. using RFC 5011 trust anchor maintenance.
  812. </p>
  813. </td>
  814. </tr>
  815. <tr>
  816. <td>
  817. <p><span><strong class="command">view</strong></span></p>
  818. </td>
  819. <td>
  820. <p>
  821. defines a view.
  822. </p>
  823. </td>
  824. </tr>
  825. <tr>
  826. <td>
  827. <p><span><strong class="command">zone</strong></span></p>
  828. </td>
  829. <td>
  830. <p>
  831. defines a zone.
  832. </p>
  833. </td>
  834. </tr>
  835. </tbody>
  836. </table></div>
  837. <p>
  838. The <span><strong class="command">logging</strong></span> and
  839. <span><strong class="command">options</strong></span> statements may only occur once
  840. per
  841. configuration.
  842. </p>
  843. <div class="sect2" lang="en">
  844. <div class="titlepage"><div><div><h3 class="title">
  845. <a name="id2574986"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
  846. <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
  847. address_match_list
  848. };
  849. </pre>
  850. </div>
  851. <div class="sect2" lang="en">
  852. <div class="titlepage"><div><div><h3 class="title">
  853. <a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
  854. Usage</h3></div></div></div>
  855. <p>
  856. The <span><strong class="command">acl</strong></span> statement assigns a symbolic
  857. name to an address match list. It gets its name from a primary
  858. use of address match lists: Access Control Lists (ACLs).
  859. </p>
  860. <p>
  861. Note that an address match list's name must be defined
  862. with <span><strong class="command">acl</strong></span> before it can be used
  863. elsewhere; no forward references are allowed.
  864. </p>
  865. <p>
  866. The following ACLs are built-in:
  867. </p>
  868. <div class="informaltable"><table border="1">
  869. <colgroup>
  870. <col>
  871. <col>
  872. </colgroup>
  873. <tbody>
  874. <tr>
  875. <td>
  876. <p><span><strong class="command">any</strong></span></p>
  877. </td>
  878. <td>
  879. <p>
  880. Matches all hosts.
  881. </p>
  882. </td>
  883. </tr>
  884. <tr>
  885. <td>
  886. <p><span><strong class="command">none</strong></span></p>
  887. </td>
  888. <td>
  889. <p>
  890. Matches no hosts.
  891. </p>
  892. </td>
  893. </tr>
  894. <tr>
  895. <td>
  896. <p><span><strong class="command">localhost</strong></span></p>
  897. </td>
  898. <td>
899. <p>
900. Matches the IPv4 and IPv6 addresses of all network
901. interfaces on the system, not only the loopback addresses.
902. </p>
  903. </td>
  904. </tr>
  905. <tr>
  906. <td>
  907. <p><span><strong class="command">localnets</strong></span></p>
  908. </td>
  909. <td>
  910. <p>
  911. Matches any host on an IPv4 or IPv6 network
  912. for which the system has an interface.
  913. Some systems do not provide a way to determine the prefix
  914. lengths of
  915. local IPv6 addresses.
  916. In such a case, <span><strong class="command">localnets</strong></span>
  917. only matches the local
  918. IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
  919. </p>
  920. </td>
  921. </tr>
  922. </tbody>
  923. </table></div>
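<p>
The following <code class="filename">named.conf</code> fragment is an added example written for this page; it is not taken from the <acronym class="acronym">BIND</acronym> ARM or from ISC. It illustrates the statement and sub-statement structure described under Configuration File Grammar and the <span><strong class="command">acl</strong></span> statement in use: two lists defined before anything references them, the built-in <span><strong class="command">localhost</strong></span> and <span><strong class="command">localnets</strong></span> lists, a negated element placed ahead of the broader entry it excludes (elements are tested in order and the first match decides), and the named lists used in <span><strong class="command">options</strong></span>. The 192.0.2.0/24 and 2001:db8::/32 prefixes are the RFC 5737 and RFC 3849 documentation ranges standing in for real networks; the acl names and the directory path are invented.
</p>

```conf
// Added example, not ISC's text. 192.0.2.0/24 and 2001:db8::/32 are
// documentation prefixes used here as placeholders for real networks.
// "//", "#" and "/* */" start comments; a ";" never does, it terminates
// a statement or a list element.

// An acl must be defined before any statement that names it; forward
// references are rejected at load time. Every element ends with ";" and
// the block itself ends with "};".
acl "office-nets" {
        localhost;              // built-in: every address configured on this host
        localnets;              // built-in: every network this host has an interface on
        192.0.2.0/24;           // placeholder remote office, IPv4
        2001:db8:1::/48;        // placeholder remote office, IPv6
};

// Elements are tested in order and the first match decides, so an
// exclusion has to come before the broader entry it is carved out of.
acl "office-nets-no-guests" {
        !192.0.2.200/29;        // placeholder guest subnet, excluded first
        office-nets;            // a previously defined acl may be nested
};

options {
        directory "/etc/namedb";                        // placeholder path
        allow-query     { any; };                       // built-in "any": everyone may ask
        allow-recursion { office-nets-no-guests; };     // recursion only for the office, minus guests
        allow-transfer  { none; };                      // built-in "none": no zone transfers unless a zone says otherwise
};
```

<p>
Swapping the two elements of <code class="literal">office-nets-no-guests</code> would silently re-admit the guest subnet, because a guest address would match <code class="literal">office-nets</code> first and the negated entry would never be consulted; ordering inside an address match list is part of the policy, not cosmetic.
</p>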
  924. </div>
  925. <div class="sect2" lang="en">
  926. <div class="titlepage"><div><div><h3 class="title">
  927. <a name="id2575176"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
  928. <pre class="programlisting"><span><strong class="command">controls</strong></span> {
  929. [ inet ( ip_addr | * ) [ port ip_port ]
  930. allow { <em class="replaceable"><code> address_match_list </code></em> }
  931. keys { <em class="replaceable"><code>key_list</code></em> }; ]
  932. [ inet ...; ]
  933. [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
  934. keys { <em class="replaceable"><code>key_list</code></em> }; ]
  935. [ unix ...; ]
  936. };
  937. </pre>
  938. </div>
  939. <div class="sect2" lang="en">
  940. <div class="titlepage"><div><div><h3 class="title">
  941. <a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
  942. Usage</h3></div></div></div>
  943. <p>
  944. The <span><strong class="command">controls</strong></span> statement declares control
  945. channels to be used by system administrators to control the
  946. operation of the name server. These control channels are
  947. used by the <span><strong class="command">rndc</strong></span> utility to send
  948. commands to and retrieve non-DNS results from a name server.
  949. </p>
  950. <p>
  951. An <span><strong class="command">inet</strong></span> control channel is a TCP socket
  952. listening at the specified <span><strong class="command">ip_port</strong></span> on the
  953. specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
  954. address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
  955. interpreted as the IPv4 wildcard address; connections will be
  956. accepted on any of the system's IPv4 addresses.
  957. To listen on the IPv6 wildcard address,
  958. use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
  959. If you will only use <span><strong class="command">rndc</strong></span> on the local host,
  960. using the loopback address (<code class="literal">127.0.0.1</code>
  961. or <code class="literal">::1</code>) is recommended for maximum security.
  962. </p>
  963. <p>
  964. If no port is specified, port 953 is used. The asterisk
  965. "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
  966. </p>
  967. <p>
  968. The ability to issue commands over the control channel is
  969. restricted by the <span><strong class="command">allow</strong></span> and
  970. <span><strong class="command">keys</strong></span> clauses.
  971. Connections to the control channel are permitted based on the
  972. <span><strong class="command">address_match_list</strong></span>. This is for simple
  973. IP address based filtering only; any <span><strong class="command">key_id</strong></span>
  974. elements of the <span><strong class="command">address_match_list</strong></span>
  975. are ignored.
  976. </p>
  977. <p>
  978. A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
  979. socket listening at the specified path in the file system.
  980. Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
  981. <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
  982. Note on some platforms (SunOS and Solaris) the permissions
  983. (<span><strong class="command">perm</strong></span>) are applied to the parent directory
  984. as the permissions on the socket itself are ignored.
  985. </p>
  986. <p>
  987. The primary authorization mechanism of the command
  988. channel is the <span><strong class="command">key_list</strong></span>, which
  989. contains a list of <span><strong class="command">key_id</strong></span>s.
  990. Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
  991. is authorized to execute commands over the control channel.
992. See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> (in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>)
993. for information about configuring keys in <span><strong class="command">rndc</strong></span>.
  994. </p>
  995. <p>
  996. If no <span><strong class="command">controls</strong></span> statement is present,
  997. <span><strong class="command">named</strong></span> will set up a default
  998. control channel listening on the loopback address 127.0.0.1
  999. and its IPv6 counterpart ::1.
  1000. In this case, and also when the <span><strong class="command">controls</strong></span> statement
  1001. is present but does not have a <span><strong class="command">keys</strong></span> clause,
  1002. <span><strong class="command">named</strong></span> will attempt to load the command channel key
  1003. from the file <code class="filename">rndc.key</code> in
  1004. <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
  1005. was specified as when <acronym class="acronym">BIND</acronym> was built).
  1006. To create a <code class="filename">rndc.key</code> file, run
  1007. <strong class="userinput"><code>rndc-confgen -a</code></strong>.
  1008. </p>
  1009. <p>
  1010. The <code class="filename">rndc.key</code> feature was created to
  1011. ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
  1012. which did not have digital signatures on its command channel
  1013. messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
  1014. It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
  1015. configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
  1016. and still have <span><strong class="command">rndc</strong></span> work the same way
  1017. <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
  1018. command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
  1019. installed.
  1020. </p>
  1021. <p>
  1022. Since the <code class="filename">rndc.key</code> feature
  1023. is only intended to allow the backward-compatible usage of
  1024. <acronym class="acronym">BIND</acronym> 8 configuration files, this
  1025. feature does not
1026. have a high degree of configurability. You cannot easily change
1027. the key name or the size of the secret, so you should create an
1028. <code class="filename">rndc.conf</code> with your own key if you
1029. wish to change
1030. those things. The <code class="filename">rndc.key</code> file
  1031. also has its
  1032. permissions set such that only the owner of the file (the user that
  1033. <span><strong class="command">named</strong></span> is running as) can access it.
  1034. If you
  1035. desire greater flexibility in allowing other users to access
  1036. <span><strong class="command">rndc</strong></span> commands, then you need to create
  1037. a
  1038. <code class="filename">rndc.conf</code> file and make it group
  1039. readable by a group
  1040. that contains the users who should have access.
  1041. </p>
  1042. <p>
  1043. To disable the command channel, use an empty
  1044. <span><strong class="command">controls</strong></span> statement:
  1045. <span><strong class="command">controls { };</strong></span>.
  1046. </p>
  1047. </div>
  1048. <div class="sect2" lang="en">
  1049. <div class="titlepage"><div><div><h3 class="title">
  1050. <a name="id2575467"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
  1051. <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
  1052. </div>
  1053. <div class="sect2" lang="en">
  1054. <div class="titlepage"><div><div><h3 class="title">
  1055. <a name="id2575484"></a><span><strong class="command">include</strong></span> Statement Definition and
  1056. Usage</h3></div></div></div>
1057. <p>
1058. The <span><strong class="command">include</strong></span> statement inserts the
1059. specified file at the point where the <span><strong class="command">include</strong></span>
1060. statement is encountered. Because each included file carries its own
1061. ownership and permissions, the statement lets different parts of the
1062. configuration be readable or writable by different users. For example,
1063. TSIG and command-channel secrets can be placed in a file that only the
1064. user <span><strong class="command">named</strong></span> runs as can read, while the
1065. main configuration file stays readable by administrators who should not see those secrets.
1066. </p>
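<p>
The following three files are an added example for this page, not ISC's own configuration, and they put the <span><strong class="command">controls</strong></span>, <span><strong class="command">key</strong></span> and <span><strong class="command">include</strong></span> statements described above together. The command-channel secret lives in a file that only the user <span><strong class="command">named</strong></span> runs as can read; <code class="filename">named.conf</code> pulls it in with <span><strong class="command">include</strong></span>; the <span><strong class="command">controls</strong></span> statement listens on the loopback addresses only and names that key; and an <code class="filename">rndc.conf</code> on the same host carries the same secret for the administrators allowed to run <span><strong class="command">rndc</strong></span>. The paths under <code class="filename">/etc/namedb</code>, the user name <code class="literal">named</code>, the key name and the file modes are assumptions; the secret is a placeholder to be replaced with the value produced by <strong class="userinput"><code>rndc-confgen</code></strong> (or another cryptographic random source).
</p>

```conf
// ---- /etc/namedb/rndc-key.conf (assumed path) ----
// Owned by the user named runs as (assumed "named"), mode 0600, so that
// nothing else on the host can read the shared secret. named.conf itself
// can stay readable by administrators.
key "ops-rndc-key" {
        algorithm hmac-md5;     // the algorithm rndc-confgen generates for this release
        secret "REPLACE-ME-WITH-THE-BASE64-SECRET-FROM-rndc-confgen";
};

// ---- /etc/namedb/named.conf (assumed path) ----
// The include is expanded where it appears, so the key is defined before
// the controls statement that refers to it (no forward references).
include "/etc/namedb/rndc-key.conf";

controls {
        // Loopback only, as recommended when rndc is run on this host.
        // "allow" is address filtering alone (key_ids listed there are
        // ignored); the "keys" clause is what authorizes commands.
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "ops-rndc-key"; };
        inet ::1       port 953 allow { ::1; }       keys { "ops-rndc-key"; };
};
// To turn the command channel off entirely, use this instead of the
// block above:
//      controls { };

// ---- /etc/namedb/rndc.conf (assumed path) ----
// Client side: the same key, inline rather than included, because the
// administrators who run rndc cannot read the 0600 file owned by named.
// Make this file readable by their group (for example mode 0640,
// group "dnsadmin", assumed) and by nobody else.
key "ops-rndc-key" {
        algorithm hmac-md5;
        secret "REPLACE-ME-WITH-THE-BASE64-SECRET-FROM-rndc-confgen";
};
options {
        default-key     "ops-rndc-key";
        default-server  127.0.0.1;
        default-port    953;
};
```

<p>
With this layout the secret exists in exactly two places, each with permissions matching who needs it, and the main <code class="filename">named.conf</code> contains no secret at all. Because the <span><strong class="command">controls</strong></span> statement has an explicit <span><strong class="command">keys</strong></span> clause, <span><strong class="command">named</strong></span> will not fall back to the automatically generated <code class="filename">rndc.key</code>.
</p>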
  1067. </div>
  1068. <div class="sect2" lang="en">
  1069. <div class="titlepage"><div><div><h3 class="title">
  1070. <a name="id2575576"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
  1071. <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
  1072. algorithm <em class="replaceable"><code>string</code></em>;
  1073. secret <em class="replaceable"><code>string</code></em>;
  1074. };
  1075. </pre>
  1076. </div>
  1077. <div class="sect2" lang="en">
  1078. <div class="titlepage"><div><div><h3 class="title">
  1079. <a name="id2575600"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
  1080. <p>
  1081. The <span><strong class="command">key</strong></span> statement defines a shared
  1082. secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
  1083. or the command channel
  1084. (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
  1085. Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and
  1086. Usage&#8221;</a>).
  1087. </p>
  1088. <p>
  1089. The <span><strong class="command">key</strong></span> statement can occur at the
  1090. top level
  1091. of the configuration file or inside a <span><strong class="command">view</strong></span>
  1092. statement. Keys defined in top-level <span><strong class="command">key</strong></span>
  1093. statements can be used in all views. Keys intended for use in
  1094. a <span><strong class="command">controls</strong></span> statement
  1095. (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
  1096. Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition…