/contrib/bind9/doc/arm/Bv9ARM.ch06.html
HTML | 10075 lines | 10019 code | 39 blank | 17 comment | 0 complexity | 23bebf82675bbeb8b00207a8416d590f MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, BSD-3-Clause, LGPL-2.0, LGPL-2.1, BSD-2-Clause, 0BSD, JSON, AGPL-1.0, GPL-2.0
- <!--
- - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
- -->
- <!-- $Id$ -->
- <html>
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
- <title>Chapter 6. BIND 9 Configuration Reference</title>
- <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
- <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
- <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
- <link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
- <link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
- </head>
- <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
- <div class="navheader">
- <table width="100%" summary="Navigation header">
- <tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr>
- <tr>
- <td width="20%" align="left">
- <a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
- <th width="60%" align="center"> </th>
- <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
- </td>
- </tr>
- </table>
- <hr>
- </div>
- <div class="chapter" lang="en">
- <div class="titlepage"><div><div><h2 class="title">
- <a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div>
- <div class="toc">
- <p><b>Table of Contents</b></p>
- <dl>
- <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
- <dd><dl>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574332">Comment Syntax</a></span></dt>
- </dl></dd>
- <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
- <dd><dl>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574986"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575176"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575467"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575484"><span><strong class="command">include</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575576"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575600"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575758"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575884"><span><strong class="command">logging</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577910"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577984"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578116"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578160"><span><strong class="command">masters</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578174"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589481"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
- Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589689"><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2589736"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition
- and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590162"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
- Statement Grammar</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591713"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
- </dl></dd>
- <dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2595116">Zone File</a></span></dt>
- <dd><dl>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597415">Discussion of MX Records</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2597962">Inverse Mapping in IPv4</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598157">Other Zone File Directives</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2598430"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
- </dl></dd>
- <dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
- <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
- </dl>
- </div>
- <p>
- <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar
- to <acronym class="acronym">BIND</acronym> 8; however, there are a few new
- areas
- of configuration, such as views. <acronym class="acronym">BIND</acronym>
- 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym>
- 9, although more complex configurations should be reviewed to check
- if they can be more efficiently implemented using the new features
- found in <acronym class="acronym">BIND</acronym> 9.
- </p>
- <p>
- <acronym class="acronym">BIND</acronym> 4 configuration files can be
- converted to the new format
- using the shell script
- <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.
- </p>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
- <p>
- Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration
- file documentation:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <code class="varname">acl_name</code>
- </p>
- </td>
- <td>
- <p>
- The name of an <code class="varname">address_match_list</code> as
- defined by the <span><strong class="command">acl</strong></span> statement.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">address_match_list</code>
- </p>
- </td>
- <td>
- <p>
- A list of one or more
- <code class="varname">ip_addr</code>,
- <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
- or <code class="varname">acl_name</code> elements, see
- <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">masters_list</code>
- </p>
- </td>
- <td>
- <p>
- A named list of one or more <code class="varname">ip_addr</code>
- with optional <code class="varname">key_id</code> and/or
- <code class="varname">ip_port</code>.
- A <code class="varname">masters_list</code> may include other
- <code class="varname">masters_lists</code>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">domain_name</code>
- </p>
- </td>
- <td>
- <p>
- A quoted string which will be used as
- a DNS name, for example "<code class="literal">my.test.domain</code>".
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">namelist</code>
- </p>
- </td>
- <td>
- <p>
- A list of one or more <code class="varname">domain_name</code>
- elements.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">dotted_decimal</code>
- </p>
- </td>
- <td>
- <p>
- One to four integers valued 0 through
- 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
- <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip4_addr</code>
- </p>
- </td>
- <td>
- <p>
- An IPv4 address with exactly four elements
- in <code class="varname">dotted_decimal</code> notation.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip6_addr</code>
- </p>
- </td>
- <td>
- <p>
- An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
- IPv6 scoped addresses that have ambiguity on their
- scope zones must be disambiguated by an appropriate
- zone ID with the percent character (`%') as
- delimiter. It is strongly recommended to use
- string zone names rather than numeric identifiers,
- in order to be robust against system configuration
- changes. However, since there is no standard
- mapping for such names and identifier values,
- currently only interface names as link identifiers
- are supported, assuming one-to-one mapping between
- interfaces and links. For example, a link-local
- address <span><strong class="command">fe80::1</strong></span> on the link
- attached to the interface <span><strong class="command">ne0</strong></span>
- can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
- Note that on most systems link-local addresses
- always have the ambiguity, and need to be
- disambiguated.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip_addr</code>
- </p>
- </td>
- <td>
- <p>
- An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip_port</code>
- </p>
- </td>
- <td>
- <p>
- An IP port <code class="varname">number</code>.
- The <code class="varname">number</code> is limited to 0
- through 65535, with values
- below 1024 typically restricted to use by processes running
- as root.
- In some cases, an asterisk (`*') character can be used as a
- placeholder to
- select a random high-numbered port.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ip_prefix</code>
- </p>
- </td>
- <td>
- <p>
- An IP network specified as an <code class="varname">ip_addr</code>,
- followed by a slash (`/') and then the number of bits in the
- netmask.
- Trailing zeros in a <code class="varname">ip_addr</code>
- may omitted.
- For example, <span><strong class="command">127/8</strong></span> is the
- network <span><strong class="command">127.0.0.0</strong></span> with
- netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
- network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
- </p>
- <p>
- When specifying a prefix involving a IPv6 scoped address
- the scope may be omitted. In that case the prefix will
- match packets from any scope.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">key_id</code>
- </p>
- </td>
- <td>
- <p>
- A <code class="varname">domain_name</code> representing
- the name of a shared key, to be used for transaction
- security.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">key_list</code>
- </p>
- </td>
- <td>
- <p>
- A list of one or more
- <code class="varname">key_id</code>s,
- separated by semicolons and ending with a semicolon.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">number</code>
- </p>
- </td>
- <td>
- <p>
- A non-negative 32-bit integer
- (i.e., a number between 0 and 4294967295, inclusive).
- Its acceptable value might further
- be limited by the context in which it is used.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">path_name</code>
- </p>
- </td>
- <td>
- <p>
- A quoted string which will be used as
- a pathname, such as <code class="filename">zones/master/my.test.domain</code>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">port_list</code>
- </p>
- </td>
- <td>
- <p>
- A list of an <code class="varname">ip_port</code> or a port
- range.
- A port range is specified in the form of
- <strong class="userinput"><code>range</code></strong> followed by
- two <code class="varname">ip_port</code>s,
- <code class="varname">port_low</code> and
- <code class="varname">port_high</code>, which represents
- port numbers from <code class="varname">port_low</code> through
- <code class="varname">port_high</code>, inclusive.
- <code class="varname">port_low</code> must not be larger than
- <code class="varname">port_high</code>.
- For example,
- <strong class="userinput"><code>range 1024 65535</code></strong> represents
- ports from 1024 through 65535.
- In either case an asterisk (`*') character is not
- allowed as a valid <code class="varname">ip_port</code>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">size_spec</code>
- </p>
- </td>
- <td>
- <p>
- A number, the word <strong class="userinput"><code>unlimited</code></strong>,
- or the word <strong class="userinput"><code>default</code></strong>.
- </p>
- <p>
- An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
- use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
- the limit that was in force when the server was started.
- </p>
- <p>
- A <code class="varname">number</code> can optionally be
- followed by a scaling factor:
- <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong>
- for kilobytes,
- <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong>
- for megabytes, and
- <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
- which scale by 1024, 1024*1024, and 1024*1024*1024
- respectively.
- </p>
- <p>
- The value must be representable as a 64-bit unsigned integer
- (0 to 18446744073709551615, inclusive).
- Using <code class="varname">unlimited</code> is the best
- way
- to safely set a really large number.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">yes_or_no</code>
- </p>
- </td>
- <td>
- <p>
- Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
- The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
- also accepted, as are the numbers <strong class="userinput"><code>1</code></strong>
- and <strong class="userinput"><code>0</code></strong>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">dialup_option</code>
- </p>
- </td>
- <td>
- <p>
- One of <strong class="userinput"><code>yes</code></strong>,
- <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
- <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
- <strong class="userinput"><code>passive</code></strong>.
- When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
- <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
- are restricted to slave and stub zones.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2574099"></a>Syntax</h4></div></div></div>
- <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
- [<span class="optional"> address_match_list_element; ... </span>]
- <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
- key key_id | acl_name | { address_match_list } )
- </pre>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2574126"></a>Definition and Usage</h4></div></div></div>
- <p>
- Address match lists are primarily used to determine access
- control for various server operations. They are also used in
- the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
- statements. The elements which constitute an address match
- list can be any of the following:
- </p>
- <div class="itemizedlist"><ul type="disc">
- <li>an IP address (IPv4 or IPv6)</li>
- <li>an IP prefix (in `/' notation)</li>
- <li>
- a key ID, as defined by the <span><strong class="command">key</strong></span>
- statement
- </li>
- <li>the name of an address match list defined with
- the <span><strong class="command">acl</strong></span> statement
- </li>
- <li>a nested address match list enclosed in braces</li>
- </ul></div>
- <p>
- Elements can be negated with a leading exclamation mark (`!'),
- and the match list names "any", "none", "localhost", and
- "localnets" are predefined. More information on those names
- can be found in the description of the acl statement.
- </p>
- <p>
- The addition of the key clause made the name of this syntactic
- element something of a misnomer, since security keys can be used
- to validate access without regard to a host or network address.
- Nonetheless, the term "address match list" is still used
- throughout the documentation.
- </p>
- <p>
- When a given IP address or prefix is compared to an address
- match list, the comparison takes place in approximately O(1)
- time. However, key comparisons require that the list of keys
- be traversed until a matching key is found, and therefore may
- be somewhat slower.
- </p>
- <p>
- The interpretation of a match depends on whether the list is being
- used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
- <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
- </p>
- <p>
- When used as an access control list, a non-negated match
- allows access and a negated match denies access. If
- there is no match, access is denied. The clauses
- <span><strong class="command">allow-notify</strong></span>,
- <span><strong class="command">allow-recursion</strong></span>,
- <span><strong class="command">allow-recursion-on</strong></span>,
- <span><strong class="command">allow-query</strong></span>,
- <span><strong class="command">allow-query-on</strong></span>,
- <span><strong class="command">allow-query-cache</strong></span>,
- <span><strong class="command">allow-query-cache-on</strong></span>,
- <span><strong class="command">allow-transfer</strong></span>,
- <span><strong class="command">allow-update</strong></span>,
- <span><strong class="command">allow-update-forwarding</strong></span>, and
- <span><strong class="command">blackhole</strong></span> all use address match
- lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
- server to refuse queries on any of the machine's
- addresses which do not match the list.
- </p>
- <p>
- Order of insertion is significant. If more than one element
- in an ACL is found to match a given IP address or prefix,
- preference will be given to the one that came
- <span class="emphasis"><em>first</em></span> in the ACL definition.
- Because of this first-match behavior, an element that
- defines a subset of another element in the list should
- come before the broader element, regardless of whether
- either is negated. For example, in
- <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
- the 1.2.3.13 element is completely useless because the
- algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
- element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
- that problem by having 1.2.3.13 blocked by the negation, but
- all other 1.2.3.* hosts fall through.
- </p>
- </div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2574332"></a>Comment Syntax</h3></div></div></div>
- <p>
- The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
- comments to appear
- anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration
- file. To appeal to programmers of all kinds, they can be written
- in the C, C++, or shell/perl style.
- </p>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2574347"></a>Syntax</h4></div></div></div>
- <p>
- </p>
- <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
- <p>
- </p>
- <pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre>
- <p>
- </p>
- <pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells
- # and perl</pre>
- <p>
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2574377"></a>Definition and Usage</h4></div></div></div>
- <p>
- Comments may appear anywhere that whitespace may appear in
- a <acronym class="acronym">BIND</acronym> configuration file.
- </p>
- <p>
- C-style comments start with the two characters /* (slash,
- star) and end with */ (star, slash). Because they are completely
- delimited with these characters, they can be used to comment only
- a portion of a line or to span multiple lines.
- </p>
- <p>
- C-style comments cannot be nested. For example, the following
- is not valid because the entire comment ends with the first */:
- </p>
- <p>
- </p>
- <pre class="programlisting">/* This is the start of a comment.
- This is still part of the comment.
- /* This is an incorrect attempt at nesting a comment. */
- This is no longer in any comment. */
- </pre>
- <p>
- </p>
- <p>
- C++-style comments start with the two characters // (slash,
- slash) and continue to the end of the physical line. They cannot
- be continued across multiple physical lines; to have one logical
- comment span multiple lines, each line must use the // pair.
- For example:
- </p>
- <p>
- </p>
- <pre class="programlisting">// This is the start of a comment. The next line
- // is a new comment, even though it is logically
- // part of the previous comment.
- </pre>
- <p>
- </p>
- <p>
- Shell-style (or perl-style, if you prefer) comments start
- with the character <code class="literal">#</code> (number sign)
- and continue to the end of the
- physical line, as in C++ comments.
- For example:
- </p>
- <p>
- </p>
- <pre class="programlisting"># This is the start of a comment. The next line
- # is a new comment, even though it is logically
- # part of the previous comment.
- </pre>
- <p>
- </p>
- <div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Warning</h3>
- <p>
- You cannot use the semicolon (`;') character
- to start a comment such as you would in a zone file. The
- semicolon indicates the end of a configuration
- statement.
- </p>
- </div>
- </div>
- </div>
- </div>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
- <p>
- A <acronym class="acronym">BIND</acronym> 9 configuration consists of
- statements and comments.
- Statements end with a semicolon. Statements and comments are the
- only elements that can appear without enclosing braces. Many
- statements contain a block of sub-statements, which are also
- terminated with a semicolon.
- </p>
- <p>
- The following statements are supported:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p><span><strong class="command">acl</strong></span></p>
- </td>
- <td>
- <p>
- defines a named IP address
- matching list, for access control and other uses.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">controls</strong></span></p>
- </td>
- <td>
- <p>
- declares control channels to be used
- by the <span><strong class="command">rndc</strong></span> utility.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">include</strong></span></p>
- </td>
- <td>
- <p>
- includes a file.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">key</strong></span></p>
- </td>
- <td>
- <p>
- specifies key information for use in
- authentication and authorization using TSIG.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">logging</strong></span></p>
- </td>
- <td>
- <p>
- specifies what the server logs, and where
- the log messages are sent.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">lwres</strong></span></p>
- </td>
- <td>
- <p>
- configures <span><strong class="command">named</strong></span> to
- also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>).
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">masters</strong></span></p>
- </td>
- <td>
- <p>
- defines a named masters list for
- inclusion in stub and slave zone masters clauses.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">options</strong></span></p>
- </td>
- <td>
- <p>
- controls global server configuration
- options and sets defaults for other statements.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">server</strong></span></p>
- </td>
- <td>
- <p>
- sets certain configuration options on
- a per-server basis.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">statistics-channels</strong></span></p>
- </td>
- <td>
- <p>
- declares communication channels to get access to
- <span><strong class="command">named</strong></span> statistics.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">trusted-keys</strong></span></p>
- </td>
- <td>
- <p>
- defines trusted DNSSEC keys.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">managed-keys</strong></span></p>
- </td>
- <td>
- <p>
- lists DNSSEC keys to be kept up to date
- using RFC 5011 trust anchor maintenance.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">view</strong></span></p>
- </td>
- <td>
- <p>
- defines a view.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">zone</strong></span></p>
- </td>
- <td>
- <p>
- defines a zone.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- The <span><strong class="command">logging</strong></span> and
- <span><strong class="command">options</strong></span> statements may only occur once
- per
- configuration.
- </p>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2574986"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
- address_match_list
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">acl</strong></span> statement assigns a symbolic
- name to an address match list. It gets its name from a primary
- use of address match lists: Access Control Lists (ACLs).
- </p>
- <p>
- Note that an address match list's name must be defined
- with <span><strong class="command">acl</strong></span> before it can be used
- elsewhere; no forward references are allowed.
- </p>
- <p>
- The following ACLs are built-in:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p><span><strong class="command">any</strong></span></p>
- </td>
- <td>
- <p>
- Matches all hosts.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">none</strong></span></p>
- </td>
- <td>
- <p>
- Matches no hosts.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">localhost</strong></span></p>
- </td>
- <td>
- <p>
- Matches the IPv4 and IPv6 addresses of all network
- interfaces on the system.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">localnets</strong></span></p>
- </td>
- <td>
- <p>
- Matches any host on an IPv4 or IPv6 network
- for which the system has an interface.
- Some systems do not provide a way to determine the prefix
- lengths of
- local IPv6 addresses.
- In such a case, <span><strong class="command">localnets</strong></span>
- only matches the local
- IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575176"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">controls</strong></span> {
- [ inet ( ip_addr | * ) [ port ip_port ]
- allow { <em class="replaceable"><code> address_match_list </code></em> }
- keys { <em class="replaceable"><code>key_list</code></em> }; ]
- [ inet ...; ]
- [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em>
- keys { <em class="replaceable"><code>key_list</code></em> }; ]
- [ unix ...; ]
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">controls</strong></span> statement declares control
- channels to be used by system administrators to control the
- operation of the name server. These control channels are
- used by the <span><strong class="command">rndc</strong></span> utility to send
- commands to and retrieve non-DNS results from a name server.
- </p>
- <p>
- An <span><strong class="command">inet</strong></span> control channel is a TCP socket
- listening at the specified <span><strong class="command">ip_port</strong></span> on the
- specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
- interpreted as the IPv4 wildcard address; connections will be
- accepted on any of the system's IPv4 addresses.
- To listen on the IPv6 wildcard address,
- use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
- If you will only use <span><strong class="command">rndc</strong></span> on the local host,
- using the loopback address (<code class="literal">127.0.0.1</code>
- or <code class="literal">::1</code>) is recommended for maximum security.
- </p>
- <p>
- If no port is specified, port 953 is used. The asterisk
- "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>.
- </p>
- <p>
- The ability to issue commands over the control channel is
- restricted by the <span><strong class="command">allow</strong></span> and
- <span><strong class="command">keys</strong></span> clauses.
- Connections to the control channel are permitted based on the
- <span><strong class="command">address_match_list</strong></span>. This is for simple
- IP address based filtering only; any <span><strong class="command">key_id</strong></span>
- elements of the <span><strong class="command">address_match_list</strong></span>
- are ignored.
- </p>
- <p>
- A <span><strong class="command">unix</strong></span> control channel is a UNIX domain
- socket listening at the specified path in the file system.
- Access to the socket is specified by the <span><strong class="command">perm</strong></span>,
- <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses.
- Note on some platforms (SunOS and Solaris) the permissions
- (<span><strong class="command">perm</strong></span>) are applied to the parent directory
- as the permissions on the socket itself are ignored.
- </p>
- <p>
- The primary authorization mechanism of the command
- channel is the <span><strong class="command">key_list</strong></span>, which
- contains a list of <span><strong class="command">key_id</strong></span>s.
- Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span>
- is authorized to execute commands over the control channel.
- See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>)
- for information about configuring keys in <span><strong class="command">rndc</strong></span>.
- </p>
- <p>
- If no <span><strong class="command">controls</strong></span> statement is present,
- <span><strong class="command">named</strong></span> will set up a default
- control channel listening on the loopback address 127.0.0.1
- and its IPv6 counterpart ::1.
- In this case, and also when the <span><strong class="command">controls</strong></span> statement
- is present but does not have a <span><strong class="command">keys</strong></span> clause,
- <span><strong class="command">named</strong></span> will attempt to load the command channel key
- from the file <code class="filename">rndc.key</code> in
- <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
- was specified as when <acronym class="acronym">BIND</acronym> was built).
- To create a <code class="filename">rndc.key</code> file, run
- <strong class="userinput"><code>rndc-confgen -a</code></strong>.
- </p>
- <p>
- The <code class="filename">rndc.key</code> feature was created to
- ease the transition of systems from <acronym class="acronym">BIND</acronym> 8,
- which did not have digital signatures on its command channel
- messages and thus did not have a <span><strong class="command">keys</strong></span> clause.
- It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8
- configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged,
- and still have <span><strong class="command">rndc</strong></span> work the same way
- <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
- command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
- installed.
- </p>
- <p>
- Since the <code class="filename">rndc.key</code> feature
- is only intended to allow the backward-compatible usage of
- <acronym class="acronym">BIND</acronym> 8 configuration files, this
- feature does not
- have a high degree of configurability. You cannot easily change
- the key name or the size of the secret, so you should make a
- <code class="filename">rndc.conf</code> with your own key if you
- wish to change
- those things. The <code class="filename">rndc.key</code> file
- also has its
- permissions set such that only the owner of the file (the user that
- <span><strong class="command">named</strong></span> is running as) can access it.
- If you
- desire greater flexibility in allowing other users to access
- <span><strong class="command">rndc</strong></span> commands, then you need to create
- a
- <code class="filename">rndc.conf</code> file and make it group
- readable by a group
- that contains the users who should have access.
- </p>
- <p>
- To disable the command channel, use an empty
- <span><strong class="command">controls</strong></span> statement:
- <span><strong class="command">controls { };</strong></span>.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575467"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575484"></a><span><strong class="command">include</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">include</strong></span> statement inserts the
- specified file at the point where the <span><strong class="command">include</strong></span>
- statement is encountered. The <span><strong class="command">include</strong></span>
- statement facilitates the administration of configuration
- files
- by permitting the reading or writing of some things but not
- others. For example, the statement could include private keys
- that are readable only by the name server.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575576"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
- algorithm <em class="replaceable"><code>string</code></em>;
- secret <em class="replaceable"><code>string</code></em>;
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575600"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">key</strong></span> statement defines a shared
- secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
- or the command channel
- (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
- Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
- Usage”</a>).
- </p>
- <p>
- The <span><strong class="command">key</strong></span> statement can occur at the
- top level
- of the configuration file or inside a <span><strong class="command">view</strong></span>
- statement. Keys defined in top-level <span><strong class="command">key</strong></span>
- statements can be used in all views. Keys intended for use in
- a <span><strong class="command">controls</strong></span> statement
- (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and
- Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and
- Usage”</a>)
- must be defined at the top level.
- </p>
- <p>
- The <em class="replaceable"><code>key_id</code></em>, also known as the
- key name, is a domain name uniquely identifying the key. It can
- be used in a <span><strong class="command">server</strong></span>
- statement to cause requests sent to that
- server to be signed with this key, or in address match lists to
- verify that incoming requests have been signed with a key
- matching this name, algorithm, and secret.
- </p>
- <p>
- The <em class="replaceable"><code>algorithm_id</code></em> is a string
- that specifies a security/authentication algorithm. Named
- supports <code class="literal">hmac-md5</code>,
- <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>,
- <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code>
- and <code class="literal">hmac-sha512</code> TSIG authentication.
- Truncated hashes are supported by appending the minimum
- number of required bits preceded by a dash, e.g.
- <code class="literal">hmac-sha1-80</code>. The
- <em class="replaceable"><code>secret_string</code></em> is the secret
- to be used by the algorithm, and is treated as a base-64
- encoded string.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575758"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">logging</strong></span> {
- [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
- ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
- [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
- [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
- | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
- | <span><strong class="command">stderr</strong></span>
- | <span><strong class="command">null</strong></span> );
- [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
- <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
- [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- }; ]
- [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
- <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ]
- }; ]
- ...
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2575884"></a><span><strong class="command">logging</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">logging</strong></span> statement configures a
- wide
- variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
- associates output methods, format options and severity levels with
- a name that can then be used with the <span><strong class="command">category</strong></span> phrase
- to select how various classes of messages are logged.
- </p>
- <p>
- Only one <span><strong class="command">logging</strong></span> statement is used to
- define
- as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
- the logging configuration will be:
- </p>
- <pre class="programlisting">logging {
- category default { default_syslog; default_debug; };
- category unmatched { null; };
- };
- </pre>
- <p>
- In <acronym class="acronym">BIND</acronym> 9, the logging configuration
- is only established when
- the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was
- established as soon as the <span><strong class="command">logging</strong></span>
- statement
- was parsed. When the server is starting up, all logging messages
- regarding syntax errors in the configuration file go to the default
- channels, or to standard error if the "<code class="option">-g</code>" option
- was specified.
- </p>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2576005"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
- <p>
- All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
- you can make as many of them as you want.
- </p>
- <p>
- Every channel definition must include a destination clause that
- says whether messages selected for the channel go to a file, to a
- particular syslog facility, to the standard error stream, or are
- discarded. It can optionally also limit the message severity level
- that will be accepted by the channel (the default is
- <span><strong class="command">info</strong></span>), and whether to include a
- <span><strong class="command">named</strong></span>-generated time stamp, the
- category name
- and/or severity level (the default is not to include any).
- </p>
- <p>
- The <span><strong class="command">null</strong></span> destination clause
- causes all messages sent to the channel to be discarded;
- in that case, other options for the channel are meaningless.
- </p>
- <p>
- The <span><strong class="command">file</strong></span> destination clause directs
- the channel
- to a disk file. It can include limitations
- both on how large the file is allowed to become, and how many
- versions
- of the file will be saved each time the file is opened.
- </p>
- <p>
- If you use the <span><strong class="command">versions</strong></span> log file
- option, then
- <span><strong class="command">named</strong></span> will retain that many backup
- versions of the file by
- renaming them when opening. For example, if you choose to keep
- three old versions
- of the file <code class="filename">lamers.log</code>, then just
- before it is opened
- <code class="filename">lamers.log.1</code> is renamed to
- <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
- to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
- renamed to <code class="filename">lamers.log.0</code>.
- You can say <span><strong class="command">versions unlimited</strong></span> to
- not limit
- the number of versions.
- If a <span><strong class="command">size</strong></span> option is associated with
- the log file,
- then renaming is only done when the file being opened exceeds the
- indicated size. No backup versions are kept by default; any
- existing
- log file is simply appended.
- </p>
- <p>
- The <span><strong class="command">size</strong></span> option for files is used
- to limit log
- growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
- stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
- associated with it. If backup versions are kept, the files are
- rolled as
- described above and a new one begun. If there is no
- <span><strong class="command">versions</strong></span> option, no more data will
- be written to the log
- until some out-of-band mechanism removes or truncates the log to
- less than the
- maximum size. The default behavior is not to limit the size of
- the
- file.
- </p>
- <p>
- Example usage of the <span><strong class="command">size</strong></span> and
- <span><strong class="command">versions</strong></span> options:
- </p>
- <pre class="programlisting">channel an_example_channel {
- file "example.log" versions 3 size 20m;
- print-time yes;
- print-category yes;
- };
- </pre>
- <p>
- The <span><strong class="command">syslog</strong></span> destination clause
- directs the
- channel to the system log. Its argument is a
- syslog facility as described in the <span><strong class="command">syslog</strong></span> man
- page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
- <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
- <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
- <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
- <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
- <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
- <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
- <span><strong class="command">local7</strong></span>, however not all facilities
- are supported on
- all operating systems.
- How <span><strong class="command">syslog</strong></span> will handle messages
- sent to
- this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
- page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
- only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
- then this clause is silently ignored.
- </p>
- <p>
- The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
- "priorities", except that they can also be used if you are writing
- straight to a file rather than using <span><strong class="command">syslog</strong></span>.
- Messages which are not at least of the severity level given will
- not be selected for the channel; messages of higher severity
- levels
- will be accepted.
- </p>
- <p>
- If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
- will also determine what eventually passes through. For example,
- defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
- only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
- cause messages of severity <span><strong class="command">info</strong></span> and
- <span><strong class="command">notice</strong></span> to
- be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
- messages of only <span><strong class="command">warning</strong></span> or higher,
- then <span><strong class="command">syslogd</strong></span> would
- print all messages it received from the channel.
- </p>
- <p>
- The <span><strong class="command">stderr</strong></span> destination clause
- directs the
- channel to the server's standard error stream. This is intended
- for
- use when the server is running as a foreground process, for
- example
- when debugging a configuration.
- </p>
- <p>
- The server can supply extensive debugging information when
- it is in debugging mode. If the server's global debug level is
- greater
- than zero, then debugging mode will be active. The global debug
- level is set either by starting the <span><strong class="command">named</strong></span> server
- with the <code class="option">-d</code> flag followed by a positive integer,
- or by running <span><strong class="command">rndc trace</strong></span>.
- The global debug level
- can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc
- notrace</strong></span>. All debugging messages in the server have a debug
- level, and higher debug levels give more detailed output. Channels
- that specify a specific debug severity, for example:
- </p>
- <pre class="programlisting">channel specific_debug_level {
- file "foo";
- severity debug 3;
- };
- </pre>
- <p>
- will get debugging output of level 3 or less any time the
- server is in debugging mode, regardless of the global debugging
- level. Channels with <span><strong class="command">dynamic</strong></span>
- severity use the
- server's global debug level to determine what messages to print.
- </p>
- <p>
- If <span><strong class="command">print-time</strong></span> has been turned on,
- then
- the date and time will be logged. <span><strong class="command">print-time</strong></span> may
- be specified for a <span><strong class="command">syslog</strong></span> channel,
- but is usually
- pointless since <span><strong class="command">syslog</strong></span> also logs
- the date and
- time. If <span><strong class="command">print-category</strong></span> is
- requested, then the
- category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
- on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
- be used in any combination, and will always be printed in the
- following
- order: time, category, severity. Here is an example where all
- three <span><strong class="command">print-</strong></span> options
- are on:
- </p>
- <p>
- <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code>
- </p>
- <p>
- There are four predefined channels that are used for
- <span><strong class="command">named</strong></span>'s default logging as follows.
- How they are
- used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>.
- </p>
- <pre class="programlisting">channel default_syslog {
- // send to syslog's daemon facility
- syslog daemon;
- // only send priority info and higher
- severity info;
- channel default_debug {
- // write to named.run in the working directory
- // Note: stderr is used instead of "named.run" if
- // the server is started with the '-f' option.
- file "named.run";
- // log at the server's current debug level
- severity dynamic;
- };
- channel default_stderr {
- // writes to stderr
- stderr;
- // only send priority info and higher
- severity info;
- };
- channel null {
- // toss anything sent to this channel
- null;
- };
- </pre>
- <p>
- The <span><strong class="command">default_debug</strong></span> channel has the
- special
- property that it only produces output when the server's debug
- level is
- nonzero. It normally writes to a file called <code class="filename">named.run</code>
- in the server's working directory.
- </p>
- <p>
- For security reasons, when the "<code class="option">-u</code>"
- command line option is used, the <code class="filename">named.run</code> file
- is created only after <span><strong class="command">named</strong></span> has
- changed to the
- new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
- starting up and still running as root is discarded. If you need
- to capture this output, you must run the server with the "<code class="option">-g</code>"
- option and redirect standard error to a file.
- </p>
- <p>
- Once a channel is defined, it cannot be redefined. Thus you
- cannot alter the built-in channels directly, but you can modify
- the default logging by pointing categories at channels you have
- defined.
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
- <p>
- There are many categories, so you can send the logs you want
- to see wherever you want, without seeing logs you don't want. If
- you don't specify a list of channels for a category, then log
- messages
- in that category will be sent to the <span><strong class="command">default</strong></span> category
- instead. If you don't specify a default category, the following
- "default default" is used:
- </p>
- <pre class="programlisting">category default { default_syslog; default_debug; };
- </pre>
- <p>
- As an example, let's say you want to log security events to
- a file, but you also want keep the default logging behavior. You'd
- specify the following:
- </p>
- <pre class="programlisting">channel my_security_channel {
- file "my_security_file";
- severity info;
- };
- category security {
- my_security_channel;
- default_syslog;
- default_debug;
- };</pre>
- <p>
- To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:
- </p>
- <pre class="programlisting">category xfer-out { null; };
- category notify { null; };
- </pre>
- <p>
- Following are the available categories and brief descriptions
- of the types of log information they contain. More
- categories may be added in future <acronym class="acronym">BIND</acronym> releases.
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p><span><strong class="command">default</strong></span></p>
- </td>
- <td>
- <p>
- The default category defines the logging
- options for those categories where no specific
- configuration has been
- defined.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">general</strong></span></p>
- </td>
- <td>
- <p>
- The catch-all. Many things still aren't
- classified into categories, and they all end up here.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">database</strong></span></p>
- </td>
- <td>
- <p>
- Messages relating to the databases used
- internally by the name server to store zone and cache
- data.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">security</strong></span></p>
- </td>
- <td>
- <p>
- Approval and denial of requests.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">config</strong></span></p>
- </td>
- <td>
- <p>
- Configuration file parsing and processing.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">resolver</strong></span></p>
- </td>
- <td>
- <p>
- DNS resolution, such as the recursive
- lookups performed on behalf of clients by a caching name
- server.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">xfer-in</strong></span></p>
- </td>
- <td>
- <p>
- Zone transfers the server is receiving.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">xfer-out</strong></span></p>
- </td>
- <td>
- <p>
- Zone transfers the server is sending.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">notify</strong></span></p>
- </td>
- <td>
- <p>
- The NOTIFY protocol.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">client</strong></span></p>
- </td>
- <td>
- <p>
- Processing of client requests.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">unmatched</strong></span></p>
- </td>
- <td>
- <p>
- Messages that <span><strong class="command">named</strong></span> was unable to determine the
- class of or for which there was no matching <span><strong class="command">view</strong></span>.
- A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
- This category is best sent to a file or stderr, by
- default it is sent to
- the <span><strong class="command">null</strong></span> channel.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">network</strong></span></p>
- </td>
- <td>
- <p>
- Network operations.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">update</strong></span></p>
- </td>
- <td>
- <p>
- Dynamic updates.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">update-security</strong></span></p>
- </td>
- <td>
- <p>
- Approval and denial of update requests.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">queries</strong></span></p>
- </td>
- <td>
- <p>
- Specify where queries should be logged to.
- </p>
- <p>
- At startup, specifying the category <span><strong class="command">queries</strong></span> will also
- enable query logging unless <span><strong class="command">querylog</strong></span> option has been
- specified.
- </p>
- <p>
- The query log entry reports the client's IP
- address and port number, and the query name,
- class and type. Next it reports whether the
- Recursion Desired flag was set (+ if set, -
- if not set), if the query was signed (S),
- EDNS was in use (E), if TCP was used (T), if
- DO (DNSSEC Ok) was set (D), or if CD (Checking
- Disabled) was set (C). After this the
- destination address the query was sent to is
- reported.
- </p>
- <p>
- <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
- </p>
- <p>
- <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">query-errors</strong></span></p>
- </td>
- <td>
- <p>
- Information about queries that resulted in some
- failure.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">dispatch</strong></span></p>
- </td>
- <td>
- <p>
- Dispatching of incoming packets to the
- server modules where they are to be processed.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">dnssec</strong></span></p>
- </td>
- <td>
- <p>
- DNSSEC and TSIG protocol processing.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">lame-servers</strong></span></p>
- </td>
- <td>
- <p>
- Lame servers. These are misconfigurations
- in remote servers, discovered by BIND 9 when trying to
- query those servers during resolution.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">delegation-only</strong></span></p>
- </td>
- <td>
- <p>
- Delegation only. Logs queries that have been
- forced to NXDOMAIN as the result of a
- delegation-only zone or a
- <span><strong class="command">delegation-only</strong></span> in a hint
- or stub zone declaration.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">edns-disabled</strong></span></p>
- </td>
- <td>
- <p>
- Log queries that have been forced to use plain
- DNS due to timeouts. This is often due to
- the remote servers not being RFC 1034 compliant
- (not always returning FORMERR or similar to
- EDNS queries and other extensions to the DNS
- when they are not understood). In other words, this is
- targeted at servers that fail to respond to
- DNS queries that they don't understand.
- </p>
- <p>
- Note: the log message can also be due to
- packet loss. Before reporting servers for
- non-RFC 1034 compliance they should be re-tested
- to determine the nature of the non-compliance.
- This testing should prevent or reduce the
- number of false-positive reports.
- </p>
- <p>
- Note: eventually <span><strong class="command">named</strong></span> will have to stop
- treating such timeouts as due to RFC 1034 non
- compliance and start treating it as plain
- packet loss. Falsely classifying packet
- loss as due to RFC 1034 non compliance impacts
- on DNSSEC validation which requires EDNS for
- the DNSSEC records to be returned.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">RPZ</strong></span></p>
- </td>
- <td>
- <p>
- Information about errors in response policy zone files,
- rewritten responses, and at the highest
- <span><strong class="command">debug</strong></span> levels, mere rewriting
- attempts.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2577322"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
- <p>
- The <span><strong class="command">query-errors</strong></span> category is
- specifically intended for debugging purposes: To identify
- why and how specific queries result in responses which
- indicate an error.
- Messages of this category are therefore only logged
- with <span><strong class="command">debug</strong></span> levels.
- </p>
- <p>
- At the debug levels of 1 or higher, each response with the
- rcode of SERVFAIL is logged as follows:
- </p>
- <p>
- <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
- </p>
- <p>
- This means an error resulting in SERVFAIL was
- detected at line 3880 of source file
- <code class="filename">query.c</code>.
- Log messages of this level will particularly
- help identify the cause of SERVFAIL for an
- authoritative server.
- </p>
- <p>
- At the debug levels of 2 or higher, detailed context
- information of recursive resolutions that resulted in
- SERVFAIL is logged.
- The log message will look like as follows:
- </p>
- <p>
- </p>
- <pre class="programlisting">
- fetch completed at resolver.c:2970 for www.example.com/A
- in 30.000183: timed out/success [domain:example.com,
- referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,
- badresp:1,adberr:0,findfail:0,valfail:0]
- </pre>
- <p>
- </p>
- <p>
- The first part before the colon shows that a recursive
- resolution for AAAA records of www.example.com completed
- in 30.000183 seconds and the final result that led to the
- SERVFAIL was determined at line 2970 of source file
- <code class="filename">resolver.c</code>.
- </p>
- <p>
- The following part shows the detected final result and the
- latest result of DNSSEC validation.
- The latter is always success when no validation attempt
- is made.
- In this example, this query resulted in SERVFAIL probably
- because all name servers are down or unreachable, leading
- to a timeout in 30 seconds.
- DNSSEC validation was probably not attempted.
- </p>
- <p>
- The last part enclosed in square brackets shows statistics
- information collected for this particular resolution
- attempt.
- The <code class="varname">domain</code> field shows the deepest zone
- that the resolver reached;
- it is the zone where the error was finally detected.
- The meaning of the other fields is summarized in the
- following table.
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p><code class="varname">referral</code></p>
- </td>
- <td>
- <p>
- The number of referrals the resolver received
- throughout the resolution process.
- In the above example this is 2, which are most
- likely com and example.com.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><code class="varname">restart</code></p>
- </td>
- <td>
- <p>
- The number of cycles that the resolver tried
- remote servers at the <code class="varname">domain</code>
- zone.
- In each cycle the resolver sends one query
- (possibly resending it, depending on the response)
- to each known name server of
- the <code class="varname">domain</code> zone.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><code class="varname">qrysent</code></p>
- </td>
- <td>
- <p>
- The number of queries the resolver sent at the
- <code class="varname">domain</code> zone.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><code class="varname">timeout</code></p>
- </td>
- <td>
- <p>
- The number of timeouts since the resolver
- received the last response.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><code class="varname">lame</code></p>
- </td>
- <td>
- <p>
- The number of lame servers the resolver detected
- at the <code class="varname">domain</code> zone.
- A server is detected to be lame either by an
- invalid response or as a result of lookup in
- BIND9's address database (ADB), where lame
- servers are cached.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><code class="varname">neterr</code></p>
- </td>
- <td>
- <p>
- The number of erroneous results that the
- resolver encountered in sending queries
- at the <code class="varname">domain</code> zone.
- One common case is the remote server is
- unreachable and the resolver receives an ICMP
- unreachable error message.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><code class="varname">badresp</code></p>
- </td>
- <td>
- <p>
- The number of unexpected responses (other than
- <code class="varname">lame</code>) to queries sent by the
- resolver at the <code class="varname">domain</code> zone.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><code class="varname">adberr</code></p>
- </td>
- <td>
- <p>
- Failures in finding remote server addresses
- of the <code class="varname">domain</code> zone in the ADB.
- One common case of this is that the remote
- server's name does not have any address records.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><code class="varname">findfail</code></p>
- </td>
- <td>
- <p>
- Failures of resolving remote server addresses.
- This is a total number of failures throughout
- the resolution process.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><code class="varname">valfail</code></p>
- </td>
- <td>
- <p>
- Failures of DNSSEC validation.
- Validation failures are counted throughout
- the resolution process (not limited to
- the <code class="varname">domain</code> zone), but should
- only happen in <code class="varname">domain</code>.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- At the debug levels of 3 or higher, the same messages
- as those at the debug 1 level are logged for other errors
- than SERVFAIL.
- Note that negative responses such as NXDOMAIN are not
- regarded as errors here.
- </p>
- <p>
- At the debug levels of 4 or higher, the same messages
- as those at the debug 2 level are logged for other errors
- than SERVFAIL.
- Unlike the above case of level 3, messages are logged for
- negative responses.
- This is because any unexpected results can be difficult to
- debug in the recursion case.
- </p>
- </div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2577910"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
- <p>
- This is the grammar of the <span><strong class="command">lwres</strong></span>
- statement in the <code class="filename">named.conf</code> file:
- </p>
- <pre class="programlisting"><span><strong class="command">lwres</strong></span> {
- [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
- [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
- [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
- [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2577984"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">lwres</strong></span> statement configures the
- name
- server to also act as a lightweight resolver server. (See
- <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple
- <span><strong class="command">lwres</strong></span> statements configuring
- lightweight resolver servers with different properties.
- </p>
- <p>
- The <span><strong class="command">listen-on</strong></span> statement specifies a
- list of
- addresses (and ports) that this instance of a lightweight resolver
- daemon
- should accept requests on. If no port is specified, port 921 is
- used.
- If this statement is omitted, requests will be accepted on
- 127.0.0.1,
- port 921.
- </p>
- <p>
- The <span><strong class="command">view</strong></span> statement binds this
- instance of a
- lightweight resolver daemon to a view in the DNS namespace, so that
- the
- response will be constructed in the same manner as a normal DNS
- query
- matching this view. If this statement is omitted, the default view
- is
- used, and if there is no default view, an error is triggered.
- </p>
- <p>
- The <span><strong class="command">search</strong></span> statement is equivalent to
- the
- <span><strong class="command">search</strong></span> statement in
- <code class="filename">/etc/resolv.conf</code>. It provides a
- list of domains
- which are appended to relative names in queries.
- </p>
- <p>
- The <span><strong class="command">ndots</strong></span> statement is equivalent to
- the
- <span><strong class="command">ndots</strong></span> statement in
- <code class="filename">/etc/resolv.conf</code>. It indicates the
- minimum
- number of dots in a relative domain name that should result in an
- exact match lookup before search path elements are appended.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2578116"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting">
- <span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> |
- <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2578160"></a><span><strong class="command">masters</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p><span><strong class="command">masters</strong></span>
- lists allow for a common set of masters to be easily used by
- multiple stub and slave zones.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2578174"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
- <p>
- This is the grammar of the <span><strong class="command">options</strong></span>
- statement in the <code class="filename">named.conf</code> file:
- </p>
- <pre class="programlisting"><span><strong class="command">options</strong></span> {
- [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>]
- [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
- [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
- [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
- [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
- [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
- [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
- [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>]
- [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>]
- [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
- [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>]
- [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
- [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>]
- [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> |
- <em class="replaceable"><code>no</code></em> |
- <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>]
- [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] {
- ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] |
- <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ;
- ... }; </span>]
- [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )
- ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>]
- [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>]
- [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
- [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
- [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
- [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
- [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> )
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
- [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
- [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> )
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] |
- [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
- [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
- [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
- [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
- [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
- [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
- [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
- [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
- [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
- [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
- [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
- [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>]
- [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> dns64 <em class="replaceable"><code>IPv6-prefix</code></em> {
- [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> suffix IPv6-address; </span>]
- [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- }; </span>];
- [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>]
- [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>]
- [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
- [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
- [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>;
- [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
- [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
- [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>]
- [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>]
- [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>]
- [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
- [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>]
- [<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em> [<span class="optional"> policy given | disabled | passthru | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> </span>] ; } ; </span>]
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">options</strong></span> statement sets up global
- options
- to be used by <acronym class="acronym">BIND</acronym>. This statement
- may appear only
- once in a configuration file. If there is no <span><strong class="command">options</strong></span>
- statement, an options block with each option set to its default will
- be used.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt>
- <dd>
- <p>
- Allows multiple views to share a single cache
- database.
- Each view has its own cache database by default, but
- if multiple views have the same operational policy
- for name resolution and caching, those views can
- share a single cache to save memory and possibly
- improve resolution efficiency by using this option.
- </p>
- <p>
- The <span><strong class="command">attach-cache</strong></span> option
- may also be specified in <span><strong class="command">view</strong></span>
- statements, in which case it overrides the
- global <span><strong class="command">attach-cache</strong></span> option.
- </p>
- <p>
- The <em class="replaceable"><code>cache_name</code></em> specifies
- the cache to be shared.
- When the <span><strong class="command">named</strong></span> server configures
- views which are supposed to share a cache, it
- creates a cache with the specified name for the
- first view of these sharing views.
- The rest of the views will simply refer to the
- already created cache.
- </p>
- <p>
- One common configuration to share a cache would be to
- allow all views to share a single cache.
- This can be done by specifying
- the <span><strong class="command">attach-cache</strong></span> as a global
- option with an arbitrary name.
- </p>
- <p>
- Another possible operation is to allow a subset of
- all views to share a cache while the others to
- retain their own caches.
- For example, if there are three views A, B, and C,
- and only A and B should share a cache, specify the
- <span><strong class="command">attach-cache</strong></span> option as a view A (or
- B)'s option, referring to the other view name:
- </p>
- <pre class="programlisting">
- view "A" {
- // this view has its own cache
- ...
- };
- view "B" {
- // this view refers to A's cache
- attach-cache "A";
- };
- view "C" {
- // this view has its own cache
- ...
- };
- </pre>
- <p>
- Views that share a cache must have the same policy
- on configurable parameters that may affect caching.
- The current implementation requires the following
- configurable options be consistent among these
- views:
- <span><strong class="command">check-names</strong></span>,
- <span><strong class="command">cleaning-interval</strong></span>,
- <span><strong class="command">dnssec-accept-expired</strong></span>,
- <span><strong class="command">dnssec-validation</strong></span>,
- <span><strong class="command">max-cache-ttl</strong></span>,
- <span><strong class="command">max-ncache-ttl</strong></span>,
- <span><strong class="command">max-cache-size</strong></span>, and
- <span><strong class="command">zero-no-soa-ttl</strong></span>.
- </p>
- <p>
- Note that there may be other parameters that may
- cause confusion if they are inconsistent for
- different views that share a single cache.
- For example, if these views define different sets of
- forwarders that can return different answers for the
- same question, sharing the answer does not make
- sense or could even be harmful.
- It is administrator's responsibility to ensure
- configuration differences in different views do
- not cause disruption with a shared cache.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
- <dd><p>
- The working directory of the server.
- Any non-absolute pathnames in the configuration file will be
- taken
- as relative to this directory. The default location for most
- server
- output files (e.g. <code class="filename">named.run</code>)
- is this directory.
- If a directory is not specified, the working directory
- defaults to `<code class="filename">.</code>', the directory from
- which the server
- was started. The directory specified should be an absolute
- path.
- </p></dd>
- <dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
- <dd><p>
- When performing dynamic update of secure zones, the
- directory where the public and private DNSSEC key files
- should be found, if different than the current working
- directory. (Note that this option has no effect on the
- paths for files containing non-DNSSEC keys such as
- <code class="filename">bind.keys</code>,
- <code class="filename">rndc.key</code> or
- <code class="filename">session.key</code>.)
- </p></dd>
- <dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt>
- <dd><p>
- The directory used to hold the files used to track managed keys.
- By default it is the working directory. It there are no
- views then the file <code class="filename">managed-keys.bind</code>
- otherwise a SHA256 hash of the view name is used with
- <code class="filename">.mkeys</code> extension added.
- </p></dd>
- <dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
- <dd><p>
- <span class="emphasis"><em>This option is obsolete.</em></span> It
- was used in <acronym class="acronym">BIND</acronym> 8 to specify
- the pathname to the <span><strong class="command">named-xfer</strong></span>
- program. In <acronym class="acronym">BIND</acronym> 9, no separate
- <span><strong class="command">named-xfer</strong></span> program is needed;
- its functionality is built into the name server.
- </p></dd>
- <dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt>
- <dd><p>
- The KRB5 keytab file to use for GSS-TSIG updates. If
- this option is set and tkey-gssapi-credential is not
- set, then updates will be allowed with any key
- matching a principal in the specified keytab.
- </p></dd>
- <dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
- <dd><p>
- The security credential with which the server should
- authenticate keys requested by the GSS-TSIG protocol.
- Currently only Kerberos 5 authentication is available
- and the credential is a Kerberos principal which the
- server can acquire through the default system key
- file, normally <code class="filename">/etc/krb5.keytab</code>.
- The location keytab file can be overridden using the
- tkey-gssapi-keytab option. Normally this principal is
- of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>".
- To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must
- also be set if a specific keytab is not set with
- tkey-gssapi-keytab.
- </p></dd>
- <dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
- <dd><p>
- The domain appended to the names of all shared keys
- generated with <span><strong class="command">TKEY</strong></span>. When a
- client requests a <span><strong class="command">TKEY</strong></span> exchange,
- it may or may not specify the desired name for the
- key. If present, the name of the shared key will
- be <code class="varname">client specified part</code> +
- <code class="varname">tkey-domain</code>. Otherwise, the
- name of the shared key will be <code class="varname">random hex
- digits</code> + <code class="varname">tkey-domain</code>.
- In most cases, the <span><strong class="command">domainname</strong></span>
- should be the server's domain name, or an otherwise
- non-existent subdomain like
- "_tkey.<code class="varname">domainname</code>". If you are
- using GSS-TSIG, this variable must be defined, unless
- you specify a specific keytab using tkey-gssapi-keytab.
- </p></dd>
- <dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
- <dd><p>
- The Diffie-Hellman key used by the server
- to generate shared keys with clients using the Diffie-Hellman
- mode
- of <span><strong class="command">TKEY</strong></span>. The server must be
- able to load the
- public and private keys from files in the working directory.
- In
- most cases, the keyname should be the server's host name.
- </p></dd>
- <dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt>
- <dd><p>
- This is for testing only. Do not use.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
- <dd><p>
- The pathname of the file the server dumps
- the database to when instructed to do so with
- <span><strong class="command">rndc dumpdb</strong></span>.
- If not specified, the default is <code class="filename">named_dump.db</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
- <dd><p>
- The pathname of the file the server writes memory
- usage statistics to on exit. If not specified,
- the default is <code class="filename">named.memstats</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
- <dd><p>
- The pathname of the file the server writes its process ID
- in. If not specified, the default is
- <code class="filename">/var/run/named/named.pid</code>.
- The PID file is used by programs that want to send signals to
- the running
- name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
- use of a PID file — no file will be written and any
- existing one will be removed. Note that <span><strong class="command">none</strong></span>
- is a keyword, not a filename, and therefore is not enclosed
- in
- double quotes.
- </p></dd>
- <dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt>
- <dd><p>
- The pathname of the file the server dumps
- the queries that are currently recursing when instructed
- to do so with <span><strong class="command">rndc recursing</strong></span>.
- If not specified, the default is <code class="filename">named.recursing</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
- <dd><p>
- The pathname of the file the server appends statistics
- to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
- If not specified, the default is <code class="filename">named.stats</code> in the
- server's current directory. The format of the file is
- described
- in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt>
- <dd><p>
- The pathname of a file to override the built-in trusted
- keys provided by <span><strong class="command">named</strong></span>.
- See the discussion of <span><strong class="command">dnssec-lookaside</strong></span>
- and <span><strong class="command">dnssec-validation</strong></span> for details.
- If not specified, the default is
- <code class="filename">/etc/bind.keys</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt>
- <dd><p>
- The pathname of the file the server dumps
- security roots to when instructed to do so with
- <span><strong class="command">rndc secroots</strong></span>.
- If not specified, the default is
- <code class="filename">named.secroots</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt>
- <dd><p>
- The pathname of the file into which to write a TSIG
- session key generated by <span><strong class="command">named</strong></span> for use by
- <span><strong class="command">nsupdate -l</strong></span>. If not specified, the
- default is <code class="filename">/var/run/named/session.key</code>.
- (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in
- particular the discussion of the
- <span><strong class="command">update-policy</strong></span> statement's
- <strong class="userinput"><code>local</code></strong> option for more
- information about this feature.)
- </p></dd>
- <dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt>
- <dd><p>
- The key name to use for the TSIG session key.
- If not specified, the default is "local-ddns".
- </p></dd>
- <dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt>
- <dd><p>
- The algorithm to use for the TSIG session key.
- Valid values are hmac-sha1, hmac-sha224, hmac-sha256,
- hmac-sha384, hmac-sha512 and hmac-md5. If not
- specified, the default is hmac-sha256.
- </p></dd>
- <dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
- <dd><p>
- The UDP/TCP port number the server uses for
- receiving and sending DNS protocol traffic.
- The default is 53. This option is mainly intended for server
- testing;
- a server using a port other than 53 will not be able to
- communicate with
- the global DNS.
- </p></dd>
- <dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
- <dd><p>
- The source of entropy to be used by the server. Entropy is
- primarily needed
- for DNSSEC operations, such as TKEY transactions and dynamic
- update of signed
- zones. This options specifies the device (or file) from which
- to read
- entropy. If this is a file, operations requiring entropy will
- fail when the
- file has been exhausted. If not specified, the default value
- is
- <code class="filename">/dev/random</code>
- (or equivalent) when present, and none otherwise. The
- <span><strong class="command">random-device</strong></span> option takes
- effect during
- the initial configuration load at server startup time and
- is ignored on subsequent reloads.
- </p></dd>
- <dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
- <dd><p>
- If specified, the listed type (A or AAAA) will be emitted
- before other glue
- in the additional section of a query response.
- The default is not to prefer any type (NONE).
- </p></dd>
- <dt>
- <a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span>
- </dt>
- <dd>
- <p>
- Turn on enforcement of delegation-only in TLDs
- (top level domains) and root zones with an optional
- exclude list.
- </p>
- <p>
- DS queries are expected to be made to and be answered by
- delegation only zones. Such queries and responses are
- treated as an exception to delegation-only processing
- and are not converted to NXDOMAIN responses provided
- a CNAME is not discovered at the query name.
- </p>
- <p>
- If a delegation only zone server also serves a child
- zone it is not always possible to determine whether
- an answer comes from the delegation only zone or the
- child zone. SOA NS and DNSKEY records are apex
- only records and a matching response that contains
- these records or DS is treated as coming from a
- child zone. RRSIG records are also examined to see
- if they are signed by a child zone or not. The
- authority section is also examined to see if there
- is evidence that the answer is from the child zone.
- Answers that are determined to be from a child zone
- are not converted to NXDOMAIN responses. Despite
- all these checks there is still a possibility of
- false negatives when a child zone is being served.
- </p>
- <p>
- Similarly false positives can arise from empty nodes
- (no records at the name) in the delegation only zone
- when the query type is not ANY.
- </p>
- <p>
- Note some TLDs are not delegation only (e.g. "DE", "LV",
- "US" and "MUSEUM"). This list is not exhaustive.
- </p>
- <pre class="programlisting">
- options {
- root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
- };
- </pre>
- </dd>
- <dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
- <dd><p>
- Disable the specified DNSSEC algorithms at and below the
- specified name.
- Multiple <span><strong class="command">disable-algorithms</strong></span>
- statements are allowed.
- Only the most specific will be applied.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
- <dd>
- <p>
- When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the
- validator with an alternate method to validate DNSKEY
- records at the top of a zone. When a DNSKEY is at or
- below a domain specified by the deepest
- <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC
- validation has left the key untrusted, the trust-anchor
- will be appended to the key name and a DLV record will be
- looked up to see if it can validate the key. If the DLV
- record validates a DNSKEY (similarly to the way a DS
- record does) the DNSKEY RRset is deemed to be trusted.
- </p>
- <p>
- If <span><strong class="command">dnssec-lookaside</strong></span> is set to
- <strong class="userinput"><code>auto</code></strong>, then built-in default
- values for the DLV domain and trust anchor will be
- used, along with a built-in key for validation.
- </p>
- <p>
- If <span><strong class="command">dnssec-lookaside</strong></span> is set to
- <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside
- is not used.
- </p>
- <p>
- The default DLV key is stored in the file
- <code class="filename">bind.keys</code>;
- <span><strong class="command">named</strong></span> will load that key at
- startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to
- <code class="constant">auto</code>. A copy of the file is
- installed along with <acronym class="acronym">BIND</acronym> 9, and is
- current as of the release date. If the DLV key expires, a
- new copy of <code class="filename">bind.keys</code> can be downloaded
- from <a href="" target="_top">https://www.isc.org/solutions/dlv</a>.
- </p>
- <p>
- (To prevent problems if <code class="filename">bind.keys</code> is
- not found, the current key is also compiled in to
- <span><strong class="command">named</strong></span>. Relying on this is not
- recommended, however, as it requires <span><strong class="command">named</strong></span>
- to be recompiled with a new key when the DLV key expires.)
- </p>
- <p>
- NOTE: <span><strong class="command">named</strong></span> only loads certain specific
- keys from <code class="filename">bind.keys</code>: those for the
- DLV zone and for the DNS root zone. The file cannot be
- used to store keys for other zones.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
- <dd><p>
- Specify hierarchies which must be or may not be secure
- (signed and validated). If <strong class="userinput"><code>yes</code></strong>,
- then <span><strong class="command">named</strong></span> will only accept answers if
- they are secure. If <strong class="userinput"><code>no</code></strong>, then normal
- DNSSEC validation applies allowing for insecure answers to
- be accepted. The specified domain must be under a
- <span><strong class="command">trusted-keys</strong></span> or
- <span><strong class="command">managed-keys</strong></span> statement, or
- <span><strong class="command">dnssec-lookaside</strong></span> must be active.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt>
- <dd>
- <p>
- This directive instructs <span><strong class="command">named</strong></span> to
- return mapped IPv4 addresses to AAAA queries when
- there are no AAAA records. It is intended to be
- used in conjunction with a NAT64. Each
- <span><strong class="command">dns64</strong></span> defines one DNS64 prefix.
- Multiple DNS64 prefixes can be defined.
- </p>
- <p>
- Compatible IPv6 prefixes have lengths of 32, 40, 48, 56,
- 64 and 96 as per RFC 6052.
- </p>
- <p>
- Additionally a reverse IP6.ARPA zone will be created for
- the prefix to provide a mapping from the IP6.ARPA names
- to the corresponding IN-ADDR.ARPA names using synthesized
- CNAMEs. <span><strong class="command">dns64-server</strong></span> and
- <span><strong class="command">dns64-contact</strong></span> can be used to specify
- the name of the server and contact for the zones. These
- are settable at the view / options level. These are
- not settable on a per-prefix basis.
- </p>
- <p>
- Each <span><strong class="command">dns64</strong></span> supports an optional
- <span><strong class="command">clients</strong></span> ACL that determines which
- clients are affected by this directive. If not defined,
- it defaults to <strong class="userinput"><code>any;</code></strong>.
- </p>
- <p>
- Each <span><strong class="command">dns64</strong></span> supports an optional
- <span><strong class="command">mapped</strong></span> ACL that selects which
- IPv4 addresses are to be mapped in the corresponding
- A RRset. If not defined it defaults to
- <strong class="userinput"><code>any;</code></strong>.
- </p>
- <p>
- Normally, DNS64 won't apply to a domain name that
- owns one or more AAAA records; these records will
- simply be returned. The optional
- <span><strong class="command">exclude</strong></span> ACL allows specification
- of a list of IPv6 addresses that will be ignored
- if they appear in a domain name's AAAA records, and
- DNS64 will be applied to any A records the domain
- name owns. If not defined, <span><strong class="command">exclude</strong></span>
- defaults to none.
- </p>
- <p>
- A optional <span><strong class="command">suffix</strong></span> can also
- be defined to set the bits trailing the mapped
- IPv4 address bits. By default these bits are
- set to <strong class="userinput"><code>::</code></strong>. The bits
- matching the prefix and mapped IPv4 address
- must be zero.
- </p>
- <p>
- If <span><strong class="command">recursive-only</strong></span> is set to
- <span><strong class="command">yes</strong></span> the DNS64 synthesis will
- only happen for recursive queries. The default
- is <span><strong class="command">no</strong></span>.
- </p>
- <p>
- If <span><strong class="command">break-dnssec</strong></span> is set to
- <span><strong class="command">yes</strong></span> the DNS64 synthesis will
- happen even if the result, if validated, would
- cause a DNSSEC validation failure. If this option
- is set to <span><strong class="command">no</strong></span> (the default), the DO
- is set on the incoming query, and there are RRSIGs on
- the applicable records, then synthesis will not happen.
- </p>
- <pre class="programlisting">
- acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
- dns64 64:FF9B::/96 {
- clients { any; };
- mapped { !rfc1918; any; };
- exclude { 64:FF9B::/96; ::ffff:0000:0000/96; };
- suffix ::;
- };
- </pre>
- </dd>
- </dl></div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="boolean_options"></a>Boolean Options</h4></div></div></div>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt>
- <dd><p>
- If <strong class="userinput"><code>yes</code></strong>, then zones can be
- added at runtime via <span><strong class="command">rndc addzone</strong></span>
- or deleted via <span><strong class="command">rndc delzone</strong></span>.
- The default is <strong class="userinput"><code>no</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
- <dd><p>
- If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
- is always set on NXDOMAIN responses, even if the server is
- not actually
- authoritative. The default is <strong class="userinput"><code>no</code></strong>;
- this is
- a change from <acronym class="acronym">BIND</acronym> 8. If you
- are using very old DNS software, you
- may need to set it to <strong class="userinput"><code>yes</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
- <dd><p>
- This option was used in <acronym class="acronym">BIND</acronym>
- 8 to enable checking
- for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
- the checks.
- </p></dd>
- <dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt>
- <dd><p>
- Write memory statistics to the file specified by
- <span><strong class="command">memstatistics-file</strong></span> at exit.
- The default is <strong class="userinput"><code>no</code></strong> unless
- '-m record' is specified on the command line in
- which case it is <strong class="userinput"><code>yes</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
- <dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, then the
- server treats all zones as if they are doing zone transfers
- across
- a dial-on-demand dialup link, which can be brought up by
- traffic
- originating from this server. This has different effects
- according
- to zone type and concentrates the zone maintenance so that
- it all
- happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
- hopefully during the one call. It also suppresses some of
- the normal
- zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.
- </p>
- <p>
- The <span><strong class="command">dialup</strong></span> option
- may also be specified in the <span><strong class="command">view</strong></span> and
- <span><strong class="command">zone</strong></span> statements,
- in which case it overrides the global <span><strong class="command">dialup</strong></span>
- option.
- </p>
- <p>
- If the zone is a master zone, then the server will send out a
- NOTIFY
- request to all the slaves (default). This should trigger the
- zone serial
- number check in the slave (providing it supports NOTIFY)
- allowing the slave
- to verify the zone while the connection is active.
- The set of servers to which NOTIFY is sent can be controlled
- by
- <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.
- </p>
- <p>
- If the
- zone is a slave or stub zone, then the server will suppress
- the regular
- "zone up to date" (refresh) queries and only perform them
- when the
- <span><strong class="command">heartbeat-interval</strong></span> expires in
- addition to sending
- NOTIFY requests.
- </p>
- <p>
- Finer control can be achieved by using
- <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY
- messages,
- <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY
- messages and
- suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
- which suppresses normal refresh processing and sends refresh
- queries
- when the <span><strong class="command">heartbeat-interval</strong></span>
- expires, and
- <strong class="userinput"><code>passive</code></strong> which just disables normal
- refresh
- processing.
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- dialup mode
- </p>
- </td>
- <td>
- <p>
- normal refresh
- </p>
- </td>
- <td>
- <p>
- heart-beat refresh
- </p>
- </td>
- <td>
- <p>
- heart-beat notify
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">no</strong></span> (default)</p>
- </td>
- <td>
- <p>
- yes
- </p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">yes</strong></span></p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- <td>
- <p>
- yes
- </p>
- </td>
- <td>
- <p>
- yes
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">notify</strong></span></p>
- </td>
- <td>
- <p>
- yes
- </p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- <td>
- <p>
- yes
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">refresh</strong></span></p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- <td>
- <p>
- yes
- </p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">passive</strong></span></p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">notify-passive</strong></span></p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- <td>
- <p>
- no
- </p>
- </td>
- <td>
- <p>
- yes
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- Note that normal NOTIFY processing is not affected by
- <span><strong class="command">dialup</strong></span>.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
- <dd><p>
- In <acronym class="acronym">BIND</acronym> 8, this option
- enabled simulating the obsolete DNS query type
- IQUERY. <acronym class="acronym">BIND</acronym> 9 never does
- IQUERY simulation.
- </p></dd>
- <dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
- <dd><p>
- This option is obsolete.
- In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
- caused the server to attempt to fetch glue resource records
- it
- didn't have when constructing the additional
- data section of a response. This is now considered a bad
- idea
- and BIND 9 never does it.
- </p></dd>
- <dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
- <dd><p>
- When the nameserver exits due receiving SIGTERM,
- flush or do not flush any pending zone writes. The default
- is
- <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
- <dd><p>
- This option was incorrectly implemented
- in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9.
- To achieve the intended effect
- of
- <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
- the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
- and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
- </p></dd>
- <dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
- <dd><p>
- In BIND 8, this enables keeping of
- statistics for every host that the name server interacts
- with.
- Not implemented in BIND 9.
- </p></dd>
- <dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
- <dd><p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- It was used in <acronym class="acronym">BIND</acronym> 8 to
- determine whether a transaction log was
- kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction
- log whenever possible. If you need to disable outgoing
- incremental zone
- transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
- <dd><p>
- If <strong class="userinput"><code>yes</code></strong>, then when generating
- responses the server will only add records to the authority
- and additional data sections when they are required (e.g.
- delegations, negative responses). This may improve the
- performance of the server.
- The default is <strong class="userinput"><code>no</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
- <dd><p>
- This option was used in <acronym class="acronym">BIND</acronym> 8 to allow
- a domain name to have multiple CNAME records in violation of
- the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards
- always strictly enforces the CNAME rules both in master
- files and dynamic updates.
- </p></dd>
- <dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
- <dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong> (the default),
- DNS NOTIFY messages are sent when a zone the server is
- authoritative for
- changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are
- sent to the
- servers listed in the zone's NS records (except the master
- server identified
- in the SOA MNAME field), and to any servers listed in the
- <span><strong class="command">also-notify</strong></span> option.
- </p>
- <p>
- If <strong class="userinput"><code>master-only</code></strong>, notifies are only
- sent
- for master zones.
- If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only
- to
- servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
- If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
- </p>
- <p>
- The <span><strong class="command">notify</strong></span> option may also be
- specified in the <span><strong class="command">zone</strong></span>
- statement,
- in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
- It would only be necessary to turn off this option if it
- caused slaves
- to crash.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
- <dd><p>
- If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
- in the NS RRset against the SOA MNAME. Normally a NOTIFY
- message is not sent to the SOA MNAME (SOA ORIGIN) as it is
- supposed to contain the name of the ultimate master.
- Sometimes, however, a slave is listed as the SOA MNAME in
- hidden master configurations and in that case you would
- want the ultimate master to still send NOTIFY messages to
- all the nameservers listed in the NS RRset.
- </p></dd>
- <dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
- <dd><p>
- If <strong class="userinput"><code>yes</code></strong>, and a
- DNS query requests recursion, then the server will attempt
- to do
- all the work required to answer the query. If recursion is
- off
- and the server does not already know the answer, it will
- return a
- referral response. The default is
- <strong class="userinput"><code>yes</code></strong>.
- Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
- clients from getting data from the server's cache; it only
- prevents new data from being cached as an effect of client
- queries.
- Caching may still occur as an effect the server's internal
- operation, such as NOTIFY address lookups.
- See also <span><strong class="command">fetch-glue</strong></span> above.
- </p></dd>
- <dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
- <dd>
- <p>
- Setting this to <strong class="userinput"><code>yes</code></strong> will
- cause the server to send NS records along with the SOA
- record for negative
- answers. The default is <strong class="userinput"><code>no</code></strong>.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- Not yet implemented in <acronym class="acronym">BIND</acronym>
- 9.
- </p>
- </div>
- </dd>
- <dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
- <dd><p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- <acronym class="acronym">BIND</acronym> 9 always allocates query
- IDs from a pool.
- </p></dd>
- <dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
- <dd><p>
- If <strong class="userinput"><code>yes</code></strong>, the server will collect
- statistical data on all zones (unless specifically turned
- off
- on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
- in the <span><strong class="command">zone</strong></span> statement).
- The default is <strong class="userinput"><code>no</code></strong>.
- These statistics may be accessed
- using <span><strong class="command">rndc stats</strong></span>, which will
- dump them to the file listed
- in the <span><strong class="command">statistics-file</strong></span>. See
- also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
- <dd><p>
- <span class="emphasis"><em>This option is obsolete</em></span>.
- If you need to disable IXFR to a particular server or
- servers, see
- the information on the <span><strong class="command">provide-ixfr</strong></span> option
- in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
- Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
- Usage”</a>.
- See also
- <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">provide-ixfr</strong></span> in
- <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
- Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
- Usage”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">request-ixfr</strong></span> in
- <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and
- Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and
- Usage”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
- <dd><p>
- This option was used in <acronym class="acronym">BIND</acronym>
- 8 to make
- the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
- as a space or tab character,
- to facilitate loading of zone files on a UNIX system that
- were generated
- on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>"
- and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines
- are always accepted,
- and the option is ignored.
- </p></dd>
- <dt>
- <span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
- </dt>
- <dd>
- <p>
- These options control the behavior of an authoritative
- server when
- answering queries which have additional data, or when
- following CNAME
- and DNAME chains.
- </p>
- <p>
- When both of these options are set to <strong class="userinput"><code>yes</code></strong>
- (the default) and a
- query is being answered from authoritative data (a zone
- configured into the server), the additional data section of
- the
- reply will be filled in using data from other authoritative
- zones
- and from the cache. In some situations this is undesirable,
- such
- as when there is concern over the correctness of the cache,
- or
- in servers where slave zones may be added and modified by
- untrusted third parties. Also, avoiding
- the search for this additional data will speed up server
- operations
- at the possible expense of additional queries to resolve
- what would
- otherwise be provided in the additional section.
- </p>
- <p>
- For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
- and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
- records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
- if known, even though they are not in the example.com zone.
- Setting these options to <span><strong class="command">no</strong></span>
- disables this behavior and makes
- the server only search for additional data in the zone it
- answers from.
- </p>
- <p>
- These options are intended for use in authoritative-only
- servers, or in authoritative-only views. Attempts to set
- them to <span><strong class="command">no</strong></span> without also
- specifying
- <span><strong class="command">recursion no</strong></span> will cause the
- server to
- ignore the options and log a warning message.
- </p>
- <p>
- Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
- disables the use of the cache not only for additional data
- lookups
- but also when looking up the answer. This is usually the
- desired
- behavior in an authoritative-only server where the
- correctness of
- the cached data is an issue.
- </p>
- <p>
- When a name server is non-recursively queried for a name
- that is not
- below the apex of any served zone, it normally answers with
- an
- "upwards referral" to the root servers or the servers of
- some other
- known parent of the query name. Since the data in an
- upwards referral
- comes from the cache, the server will not be able to provide
- upwards
- referrals when <span><strong class="command">additional-from-cache no</strong></span>
- has been specified. Instead, it will respond to such
- queries
- with REFUSED. This should not cause any problems since
- upwards referrals are not required for the resolution
- process.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
- <dd>
- <p>
- If <strong class="userinput"><code>yes</code></strong>, then an
- IPv4-mapped IPv6 address will match any address match
- list entries that match the corresponding IPv4 address.
- </p>
- <p>
- This option was introduced to work around a kernel quirk
- in some operating systems that causes IPv4 TCP
- connections, such as zone transfers, to be accepted on an
- IPv6 socket using mapped addresses. This caused address
- match lists designed for IPv4 to fail to match. However,
- <span><strong class="command">named</strong></span> now solves this problem
- internally. The use of this option is discouraged.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt>
- <dd>
- <p>
- This option is only available when
- <acronym class="acronym">BIND</acronym> 9 is compiled with the
- <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the
- "configure" command line. It is intended to help the
- transition from IPv4 to IPv6 by not giving IPv6 addresses
- to DNS clients unless they have connections to the IPv6
- Internet. This is not recommended unless absolutely
- necessary. The default is <strong class="userinput"><code>no</code></strong>.
- The <span><strong class="command">filter-aaaa-on-v4</strong></span> option
- may also be specified in <span><strong class="command">view</strong></span> statements
- to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span>
- option.
- </p>
- <p>
- If <strong class="userinput"><code>yes</code></strong>,
- the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>,
- and if the response does not include DNSSEC signatures,
- then all AAAA records are deleted from the response.
- This filtering applies to all responses and not only
- authoritative responses.
- </p>
- <p>
- If <strong class="userinput"><code>break-dnssec</code></strong>,
- then AAAA records are deleted even when dnssec is enabled.
- As suggested by the name, this makes the response not verify,
- because the DNSSEC protocol is designed detect deletions.
- </p>
- <p>
- This mechanism can erroneously cause other servers to
- not give AAAA records to their clients.
- A recursing server with both IPv6 and IPv4 network connections
- that queries an authoritative server using this mechanism
- via IPv4 will be denied AAAA records even if its client is
- using IPv6.
- </p>
- <p>
- This mechanism is applied to authoritative as well as
- non-authoritative records.
- A client using IPv4 that is not allowed recursion can
- erroneously be given AAAA records because the server is not
- allowed to check for A records.
- </p>
- <p>
- Some AAAA records are given to IPv4 clients in glue records.
- IPv4 clients that are servers can then erroneously
- answer requests for AAAA records received via IPv4.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
- <dd>
- <p>
- When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master
- zone from its zone file or receives a new version of a slave
- file by a non-incremental zone transfer, it will compare
- the new version to the previous one and calculate a set
- of differences. The differences are then logged in the
- zone's journal file such that the changes can be transmitted
- to downstream slaves as an incremental zone transfer.
- </p>
- <p>
- By allowing incremental zone transfers to be used for
- non-dynamic zones, this option saves bandwidth at the
- expense of increased CPU and memory consumption at the
- master.
- In particular, if the new version of a zone is completely
- different from the previous one, the set of differences
- will be of a size comparable to the combined size of the
- old and new zone version, and the server will need to
- temporarily allocate memory to hold this complete
- difference set.
- </p>
- <p><span><strong class="command">ixfr-from-differences</strong></span>
- also accepts <span><strong class="command">master</strong></span> and
- <span><strong class="command">slave</strong></span> at the view and options
- levels which causes
- <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for
- all <span><strong class="command">master</strong></span> or
- <span><strong class="command">slave</strong></span> zones respectively.
- It is off by default.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
- <dd><p>
- This should be set when you have multiple masters for a zone
- and the
- addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
- not log
- when the serial number on the master is less than what <span><strong class="command">named</strong></span>
- currently
- has. The default is <strong class="userinput"><code>no</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
- <dd><p>
- Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>,
- <span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC.
- The default is <strong class="userinput"><code>yes</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
- <dd><p>
- Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
- Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
- set to <strong class="userinput"><code>yes</code></strong> to be effective.
- If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation
- is disabled. If set to <strong class="userinput"><code>auto</code></strong>,
- DNSSEC validation is enabled, and a default
- trust-anchor for the DNS root zone is used. If set to
- <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled,
- but a trust anchor must be manually configured using
- a <span><strong class="command">trusted-keys</strong></span> or
- <span><strong class="command">managed-keys</strong></span> statement. The default
- is <strong class="userinput"><code>yes</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
- <dd><p>
- Accept expired signatures when verifying DNSSEC signatures.
- The default is <strong class="userinput"><code>no</code></strong>.
- Setting this option to <strong class="userinput"><code>yes</code></strong>
- leaves <span><strong class="command">named</strong></span> vulnerable to
- replay attacks.
- </p></dd>
- <dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
- <dd><p>
- Specify whether query logging should be started when <span><strong class="command">named</strong></span>
- starts.
- If <span><strong class="command">querylog</strong></span> is not specified,
- then the query logging
- is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
- <dd>
- <p>
- This option is used to restrict the character set and syntax
- of
- certain domain names in master files and/or DNS responses
- received
- from the network. The default varies according to usage
- area. For
- <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
- For <span><strong class="command">slave</strong></span> zones the default
- is <span><strong class="command">warn</strong></span>.
- For answers received from the network (<span><strong class="command">response</strong></span>)
- the default is <span><strong class="command">ignore</strong></span>.
- </p>
- <p>
- The rules for legal hostnames and mail domains are derived
- from RFC 952 and RFC 821 as modified by RFC 1123.
- </p>
- <p><span><strong class="command">check-names</strong></span>
- applies to the owner names of A, AAAA and MX records.
- It also applies to the domain names in the RDATA of NS, SOA,
- MX, and SRV records.
- It also applies to the RDATA of PTR records where the owner
- name indicated that it is a reverse lookup of a hostname
- (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt>
- <dd><p>
- Check master zones for records that are treated as different
- by DNSSEC but are semantically equal in plain DNS. The
- default is to <span><strong class="command">warn</strong></span>. Other possible
- values are <span><strong class="command">fail</strong></span> and
- <span><strong class="command">ignore</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
- <dd><p>
- Check whether the MX record appears to refer to a IP address.
- The default is to <span><strong class="command">warn</strong></span>. Other possible
- values are <span><strong class="command">fail</strong></span> and
- <span><strong class="command">ignore</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
- <dd><p>
- This option is used to check for non-terminal wildcards.
- The use of non-terminal wildcards is almost always as a
- result of a failure
- to understand the wildcard matching algorithm (RFC 1034).
- This option
- affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check
- for non-terminal wildcards and issue a warning.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
- <dd><p>
- Perform post load zone integrity checks on master
- zones. This checks that MX and SRV records refer
- to address (A or AAAA) records and that glue
- address records exist for delegated zones. For
- MX and SRV records only in-zone hostnames are
- checked (for out-of-zone hostnames use
- <span><strong class="command">named-checkzone</strong></span>).
- For NS records only names below top of zone are
- checked (for out-of-zone names and glue consistency
- checks use <span><strong class="command">named-checkzone</strong></span>).
- The default is <span><strong class="command">yes</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt>
- <dd><p>
- If <span><strong class="command">check-integrity</strong></span> is set then
- fail, warn or ignore MX records that refer
- to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt>
- <dd><p>
- If <span><strong class="command">check-integrity</strong></span> is set then
- fail, warn or ignore SRV records that refer
- to CNAMES. The default is to <span><strong class="command">warn</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
- <dd><p>
- When performing integrity checks, also check that
- sibling glue exists. The default is <span><strong class="command">yes</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
- <dd><p>
- When returning authoritative negative responses to
- SOA queries set the TTL of the SOA record returned in
- the authority section to zero.
- The default is <span><strong class="command">yes</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt>
- <dd><p>
- When caching a negative response to a SOA query
- set the TTL to zero.
- The default is <span><strong class="command">no</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
- <dd>
- <p>
- When set to the default value of <code class="literal">yes</code>,
- check the KSK bit in each key to determine how the key
- should be used when generating RRSIGs for a secure zone.
- </p>
- <p>
- Ordinarily, zone-signing keys (that is, keys without the
- KSK bit set) are used to sign the entire zone, while
- key-signing keys (keys with the KSK bit set) are only
- used to sign the DNSKEY RRset at the zone apex.
- However, if this option is set to <code class="literal">no</code>,
- then the KSK bit is ignored; KSKs are treated as if they
- were ZSKs and are used to sign the entire zone. This is
- similar to the <span><strong class="command">dnssec-signzone -z</strong></span>
- command line option.
- </p>
- <p>
- When this option is set to <code class="literal">yes</code>, there
- must be at least two active keys for every algorithm
- represented in the DNSKEY RRset: at least one KSK and one
- ZSK per algorithm. If there is any algorithm for which
- this requirement is not met, this option will be ignored
- for that algorithm.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
- <dd>
- <p>
- When this option and <span><strong class="command">update-check-ksk</strong></span>
- are both set to <code class="literal">yes</code>, only key-signing
- keys (that is, keys with the KSK bit set) will be used
- to sign the DNSKEY RRset at the zone apex. Zone-signing
- keys (keys without the KSK bit set) will be used to sign
- the remainder of the zone, but not the DNSKEY RRset.
- This is similar to the
- <span><strong class="command">dnssec-signzone -x</strong></span> command line option.
- </p>
- <p>
- The default is <span><strong class="command">no</strong></span>. If
- <span><strong class="command">update-check-ksk</strong></span> is set to
- <code class="literal">no</code>, this option is ignored.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
- <dd><p>
- Try to refresh the zone using TCP if UDP queries fail.
- For BIND 8 compatibility, the default is
- <span><strong class="command">yes</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
- <dd>
- <p>
- Allow a dynamic zone to transition from secure to
- insecure (i.e., signed to unsigned) by deleting all
- of the DNSKEY records. The default is <span><strong class="command">no</strong></span>.
- If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset
- at the zone apex is deleted, all RRSIG and NSEC records
- will be removed from the zone as well.
- </p>
- <p>
- If the zone uses NSEC3, then it is also necessary to
- delete the NSEC3PARAM RRset from the zone apex; this will
- cause the removal of all corresponding NSEC3 records.
- (It is expected that this requirement will be eliminated
- in a future release.)
- </p>
- <p>
- Note that if a zone has been configured with
- <span><strong class="command">auto-dnssec maintain</strong></span> and the
- private keys remain accessible in the key repository,
- then the zone will be automatically signed again the
- next time <span><strong class="command">named</strong></span> is started.
- </p>
- </dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2583643"></a>Forwarding</h4></div></div></div>
- <p>
- The forwarding facility can be used to create a large site-wide
- cache on a few servers, reducing traffic over links to external
- name servers. It can also be used to allow queries by servers that
- do not have direct access to the Internet, but wish to look up
- exterior
- names anyway. Forwarding occurs only on those queries for which
- the server is not authoritative and does not have the answer in
- its cache.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
- <dd><p>
- This option is only meaningful if the
- forwarders list is not empty. A value of <code class="varname">first</code>,
- the default, causes the server to query the forwarders
- first — and
- if that doesn't answer the question, the server will then
- look for
- the answer itself. If <code class="varname">only</code> is
- specified, the
- server will only query the forwarders.
- </p></dd>
- <dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
- <dd><p>
- Specifies the IP addresses to be used
- for forwarding. The default is the empty list (no
- forwarding).
- </p></dd>
- </dl></div>
- <p>
- Forwarding can also be configured on a per-domain basis, allowing
- for the global forwarding options to be overridden in a variety
- of ways. You can set particular domains to use different
- forwarders,
- or have a different <span><strong class="command">forward only/first</strong></span> behavior,
- or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
- Statement Grammar">the section called “<span><strong class="command">zone</strong></span>
- Statement Grammar”</a>.
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2583702"></a>Dual-stack Servers</h4></div></div></div>
- <p>
- Dual-stack servers are used as servers of last resort to work
- around
- problems in reachability due the lack of support for either IPv4
- or IPv6
- on the host machine.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
- <dd><p>
- Specifies host names or addresses of machines with access to
- both IPv4 and IPv6 transports. If a hostname is used, the
- server must be able
- to resolve the name using only the transport it has. If the
- machine is dual
- stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
- access to a transport has been disabled on the command line
- (e.g. <span><strong class="command">named -4</strong></span>).
- </p></dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="access_control"></a>Access Control</h4></div></div></div>
- <p>
- Access to the server can be restricted based on the IP address
- of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for
- details on how to specify IP address lists.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
- <dd><p>
- Specifies which hosts are allowed to
- notify this server, a slave, of zone changes in addition
- to the zone masters.
- <span><strong class="command">allow-notify</strong></span> may also be
- specified in the
- <span><strong class="command">zone</strong></span> statement, in which case
- it overrides the
- <span><strong class="command">options allow-notify</strong></span>
- statement. It is only meaningful
- for a slave zone. If not specified, the default is to
- process notify messages
- only from a zone's master.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
- <dd>
- <p>
- Specifies which hosts are allowed to ask ordinary
- DNS questions. <span><strong class="command">allow-query</strong></span> may
- also be specified in the <span><strong class="command">zone</strong></span>
- statement, in which case it overrides the
- <span><strong class="command">options allow-query</strong></span> statement.
- If not specified, the default is to allow queries
- from all hosts.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- <span><strong class="command">allow-query-cache</strong></span> is now
- used to specify access to the cache.
- </p>
- </div>
- </dd>
- <dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
- <dd>
- <p>
- Specifies which local addresses can accept ordinary
- DNS questions. This makes it possible, for instance,
- to allow queries on internal-facing interfaces but
- disallow them on external-facing ones, without
- necessarily knowing the internal network's addresses.
- </p>
- <p>
- <span><strong class="command">allow-query-on</strong></span> may
- also be specified in the <span><strong class="command">zone</strong></span>
- statement, in which case it overrides the
- <span><strong class="command">options allow-query-on</strong></span> statement.
- </p>
- <p>
- If not specified, the default is to allow queries
- on all addresses.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- <span><strong class="command">allow-query-cache</strong></span> is
- used to specify access to the cache.
- </p>
- </div>
- </dd>
- <dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
- <dd><p>
- Specifies which hosts are allowed to get answers
- from the cache. If <span><strong class="command">allow-query-cache</strong></span>
- is not set then <span><strong class="command">allow-recursion</strong></span>
- is used if set, otherwise <span><strong class="command">allow-query</strong></span>
- is used if set unless <span><strong class="command">recursion no;</strong></span> is
- set in which case <span><strong class="command">none;</strong></span> is used,
- otherwise the default (<span><strong class="command">localnets;</strong></span>
- <span><strong class="command">localhost;</strong></span>) is used.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
- <dd><p>
- Specifies which local addresses can give answers
- from the cache. If not specified, the default is
- to allow cache queries on any address,
- <span><strong class="command">localnets</strong></span> and
- <span><strong class="command">localhost</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
- <dd><p>
- Specifies which hosts are allowed to make recursive
- queries through this server. If
- <span><strong class="command">allow-recursion</strong></span> is not set
- then <span><strong class="command">allow-query-cache</strong></span> is
- used if set, otherwise <span><strong class="command">allow-query</strong></span>
- is used if set, otherwise the default
- (<span><strong class="command">localnets;</strong></span>
- <span><strong class="command">localhost;</strong></span>) is used.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt>
- <dd><p>
- Specifies which local addresses can accept recursive
- queries. If not specified, the default is to allow
- recursive queries on all addresses.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
- <dd><p>
- Specifies which hosts are allowed to
- submit Dynamic DNS updates for master zones. The default is
- to deny
- updates from all hosts. Note that allowing updates based
- on the requestor's IP address is insecure; see
- <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
- <dd>
- <p>
- Specifies which hosts are allowed to
- submit Dynamic DNS updates to slave zones to be forwarded to
- the
- master. The default is <strong class="userinput"><code>{ none; }</code></strong>,
- which
- means that no update forwarding will be performed. To
- enable
- update forwarding, specify
- <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
- Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
- <strong class="userinput"><code>{ any; }</code></strong> is usually
- counterproductive, since
- the responsibility for update access control should rest
- with the
- master server, not the slaves.
- </p>
- <p>
- Note that enabling the update forwarding feature on a slave
- server
- may expose master servers relying on insecure IP address
- based
- access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a>
- for more details.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
- <dd><p>
- This option was introduced for the smooth transition from
- AAAA
- to A6 and from "nibble labels" to binary labels.
- However, since both A6 and binary labels were then
- deprecated,
- this option was also deprecated.
- It is now ignored with some warning messages.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
- <dd><p>
- Specifies which hosts are allowed to
- receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
- also be specified in the <span><strong class="command">zone</strong></span>
- statement, in which
- case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
- If not specified, the default is to allow transfers to all
- hosts.
- </p></dd>
- <dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
- <dd><p>
- Specifies a list of addresses that the
- server will not accept queries from or use to resolve a
- query. Queries
- from these addresses will not be responded to. The default
- is <strong class="userinput"><code>none</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt>
- <dd><p>
- Specifies a list of addresses to which
- <span><strong class="command">filter-aaaa-on-v4</strong></span>
- is applies. The default is <strong class="userinput"><code>any</code></strong>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt>
- <dd><p>
- The amount of time the resolver will spend attempting
- to resolve a recursive query before failing. The
- default is <code class="literal">10</code> and the maximum is
- <code class="literal">30</code>. Setting it to <code class="literal">0</code>
- will result in the default being used.
- </p></dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2584322"></a>Interfaces</h4></div></div></div>
- <p>
- The interfaces and ports that the server will answer queries
- from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
- an optional port and an <code class="varname">address_match_list</code>.
- The server will listen on all interfaces allowed by the address
- match list. If a port is not specified, port 53 will be used.
- </p>
- <p>
- Multiple <span><strong class="command">listen-on</strong></span> statements are
- allowed.
- For example,
- </p>
- <pre class="programlisting">listen-on { 5.6.7.8; };
- listen-on port 1234 { !1.2.3.4; 1.2/16; };
- </pre>
- <p>
- will enable the name server on port 53 for the IP address
- 5.6.7.8, and on port 1234 of an address on the machine in net
- 1.2 that is not 1.2.3.4.
- </p>
- <p>
- If no <span><strong class="command">listen-on</strong></span> is specified, the
- server will listen on port 53 on all IPv4 interfaces.
- </p>
- <p>
- The <span><strong class="command">listen-on-v6</strong></span> option is used to
- specify the interfaces and the ports on which the server will
- listen
- for incoming queries sent using IPv6.
- </p>
- <p>
- When </p>
- <pre class="programlisting">{ any; }</pre>
- <p> is
- specified
- as the <code class="varname">address_match_list</code> for the
- <span><strong class="command">listen-on-v6</strong></span> option,
- the server does not bind a separate socket to each IPv6 interface
- address as it does for IPv4 if the operating system has enough API
- support for IPv6 (specifically if it conforms to RFC 3493 and RFC
- 3542).
- Instead, it listens on the IPv6 wildcard address.
- If the system only has incomplete API support for IPv6, however,
- the behavior is the same as that for IPv4.
- </p>
- <p>
- A list of particular IPv6 addresses can also be specified, in
- which case
- the server listens on a separate socket for each specified
- address,
- regardless of whether the desired API is supported by the system.
- </p>
- <p>
- Multiple <span><strong class="command">listen-on-v6</strong></span> options can
- be used.
- For example,
- </p>
- <pre class="programlisting">listen-on-v6 { any; };
- listen-on-v6 port 1234 { !2001:db8::/32; any; };
- </pre>
- <p>
- will enable the name server on port 53 for any IPv6 addresses
- (with a single wildcard socket),
- and on port 1234 of IPv6 addresses that is not in the prefix
- 2001:db8::/32 (with separate sockets for each matched address.)
- </p>
- <p>
- To make the server not listen on any IPv6 address, use
- </p>
- <pre class="programlisting">listen-on-v6 { none; };
- </pre>
- <p>
- If no <span><strong class="command">listen-on-v6</strong></span> option is
- specified, the server will not listen on any IPv6 address
- unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
- invoked. If <span><strong class="command">-6</strong></span> is specified then
- <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="query_address"></a>Query Address</h4></div></div></div>
- <p>
- If the server doesn't know the answer to a question, it will
- query other name servers. <span><strong class="command">query-source</strong></span> specifies
- the address and port used for such queries. For queries sent over
- IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
- If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted,
- a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>)
- will be used.
- </p>
- <p>
- If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
- a random port number from a pre-configured
- range is picked up and will be used for each query.
- The port range(s) is that specified in
- the <span><strong class="command">use-v4-udp-ports</strong></span> (for IPv4)
- and <span><strong class="command">use-v6-udp-ports</strong></span> (for IPv6)
- options, excluding the ranges specified in
- the <span><strong class="command">avoid-v4-udp-ports</strong></span>
- and <span><strong class="command">avoid-v6-udp-ports</strong></span> options, respectively.
- </p>
- <p>
- The defaults of the <span><strong class="command">query-source</strong></span> and
- <span><strong class="command">query-source-v6</strong></span> options
- are:
- </p>
- <pre class="programlisting">query-source address * port *;
- query-source-v6 address * port *;
- </pre>
- <p>
- If <span><strong class="command">use-v4-udp-ports</strong></span> or
- <span><strong class="command">use-v6-udp-ports</strong></span> is unspecified,
- <span><strong class="command">named</strong></span> will check if the operating
- system provides a programming interface to retrieve the
- system's default range for ephemeral ports.
- If such an interface is available,
- <span><strong class="command">named</strong></span> will use the corresponding system
- default range; otherwise, it will use its own defaults:
- </p>
- <pre class="programlisting">use-v4-udp-ports { range 1024 65535; };
- use-v6-udp-ports { range 1024 65535; };
- </pre>
- <p>
- Note: make sure the ranges be sufficiently large for
- security. A desirable size depends on various parameters,
- but we generally recommend it contain at least 16384 ports
- (14 bits of entropy).
- Note also that the system's default range when used may be
- too small for this purpose, and that the range may even be
- changed while <span><strong class="command">named</strong></span> is running; the new
- range will automatically be applied when <span><strong class="command">named</strong></span>
- is reloaded.
- It is encouraged to
- configure <span><strong class="command">use-v4-udp-ports</strong></span> and
- <span><strong class="command">use-v6-udp-ports</strong></span> explicitly so that the
- ranges are sufficiently large and are reasonably
- independent from the ranges used by other applications.
- </p>
- <p>
- Note: the operational configuration
- where <span><strong class="command">named</strong></span> runs may prohibit the use
- of some ports. For example, UNIX systems will not allow
- <span><strong class="command">named</strong></span> running without a root privilege
- to use ports less than 1024.
- If such ports are included in the specified (or detected)
- set of query ports, the corresponding query attempts will
- fail, resulting in resolution failures or delay.
- It is therefore important to configure the set of ports
- that can be safely used in the expected operational environment.
- </p>
- <p>
- The defaults of the <span><strong class="command">avoid-v4-udp-ports</strong></span> and
- <span><strong class="command">avoid-v6-udp-ports</strong></span> options
- are:
- </p>
- <pre class="programlisting">avoid-v4-udp-ports {};
- avoid-v6-udp-ports {};
- </pre>
- <p>
- Note: BIND 9.5.0 introduced
- the <span><strong class="command">use-queryport-pool</strong></span>
- option to support a pool of such random ports, but this
- option is now obsolete because reusing the same ports in
- the pool may not be sufficiently secure.
- For the same reason, it is generally strongly discouraged to
- specify a particular port for the
- <span><strong class="command">query-source</strong></span> or
- <span><strong class="command">query-source-v6</strong></span> options;
- it implicitly disables the use of randomized port numbers.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt>
- <dd><p>
- This option is obsolete.
- </p></dd>
- <dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
- <dd><p>
- This option is obsolete.
- </p></dd>
- <dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
- <dd><p>
- This option is obsolete.
- </p></dd>
- </dl></div>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- The address specified in the <span><strong class="command">query-source</strong></span> option
- is used for both UDP and TCP queries, but the port applies only
- to UDP queries. TCP queries always use a random
- unprivileged port.
- </p>
- </div>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- Solaris 2.5.1 and earlier does not support setting the source
- address for TCP sockets.
- </p>
- </div>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- See also <span><strong class="command">transfer-source</strong></span> and
- <span><strong class="command">notify-source</strong></span>.
- </p>
- </div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
- <p>
- <acronym class="acronym">BIND</acronym> has mechanisms in place to
- facilitate zone transfers
- and set limits on the amount of load that transfers place on the
- system. The following options apply to zone transfers.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
- <dd><p>
- Defines a global list of IP addresses of name servers
- that are also sent NOTIFY messages whenever a fresh copy of
- the
- zone is loaded, in addition to the servers listed in the
- zone's NS records.
- This helps to ensure that copies of the zones will
- quickly converge on stealth servers.
- Optionally, a port may be specified with each
- <span><strong class="command">also-notify</strong></span> address to send
- the notify messages to a port other than the
- default of 53.
- If an <span><strong class="command">also-notify</strong></span> list
- is given in a <span><strong class="command">zone</strong></span> statement,
- it will override
- the <span><strong class="command">options also-notify</strong></span>
- statement. When a <span><strong class="command">zone notify</strong></span>
- statement
- is set to <span><strong class="command">no</strong></span>, the IP
- addresses in the global <span><strong class="command">also-notify</strong></span> list will
- not be sent NOTIFY messages for that zone. The default is
- the empty
- list (no global notification list).
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
- <dd><p>
- Inbound zone transfers running longer than
- this many minutes will be terminated. The default is 120
- minutes
- (2 hours). The maximum value is 28 days (40320 minutes).
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
- <dd><p>
- Inbound zone transfers making no progress
- in this many minutes will be terminated. The default is 60
- minutes
- (1 hour). The maximum value is 28 days (40320 minutes).
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
- <dd><p>
- Outbound zone transfers running longer than
- this many minutes will be terminated. The default is 120
- minutes
- (2 hours). The maximum value is 28 days (40320 minutes).
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
- <dd><p>
- Outbound zone transfers making no progress
- in this many minutes will be terminated. The default is 60
- minutes (1
- hour). The maximum value is 28 days (40320 minutes).
- </p></dd>
- <dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
- <dd>
- <p>
- Slave servers will periodically query master
- servers to find out if zone serial numbers have
- changed. Each such query uses a minute amount of
- the slave server's network bandwidth. To limit
- the amount of bandwidth used, BIND 9 limits the
- rate at which queries are sent. The value of the
- <span><strong class="command">serial-query-rate</strong></span> option, an
- integer, is the maximum number of queries sent
- per second. The default is 20.
- </p>
- <p>
- In addition to controlling the rate SOA refresh
- queries are issued at
- <span><strong class="command">serial-query-rate</strong></span> also controls
- the rate at which NOTIFY messages are sent from
- both master and slave zones.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
- <dd><p>
- In BIND 8, the <span><strong class="command">serial-queries</strong></span>
- option
- set the maximum number of concurrent serial number queries
- allowed to be outstanding at any given time.
- BIND 9 does not limit the number of outstanding
- serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
- Instead, it limits the rate at which the queries are sent
- as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
- </p></dd>
- <dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
- <dd><p>
- Zone transfers can be sent using two different formats,
- <span><strong class="command">one-answer</strong></span> and
- <span><strong class="command">many-answers</strong></span>.
- The <span><strong class="command">transfer-format</strong></span> option is used
- on the master server to determine which format it sends.
- <span><strong class="command">one-answer</strong></span> uses one DNS message per
- resource record transferred.
- <span><strong class="command">many-answers</strong></span> packs as many resource
- records as possible into a message.
- <span><strong class="command">many-answers</strong></span> is more efficient, but is
- only supported by relatively new slave servers,
- such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
- 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards.
- The <span><strong class="command">many-answers</strong></span> format is also supported by
- recent Microsoft Windows nameservers.
- The default is <span><strong class="command">many-answers</strong></span>.
- <span><strong class="command">transfer-format</strong></span> may be overridden on a
- per-server basis by using the <span><strong class="command">server</strong></span>
- statement.
- </p></dd>
- <dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
- <dd><p>
- The maximum number of inbound zone transfers
- that can be running concurrently. The default value is <code class="literal">10</code>.
- Increasing <span><strong class="command">transfers-in</strong></span> may
- speed up the convergence
- of slave zones, but it also may increase the load on the
- local system.
- </p></dd>
- <dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
- <dd><p>
- The maximum number of outbound zone transfers
- that can be running concurrently. Zone transfer requests in
- excess
- of the limit will be refused. The default value is <code class="literal">10</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
- <dd><p>
- The maximum number of inbound zone transfers
- that can be concurrently transferring from a given remote
- name server.
- The default value is <code class="literal">2</code>.
- Increasing <span><strong class="command">transfers-per-ns</strong></span>
- may
- speed up the convergence of slave zones, but it also may
- increase
- the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
- be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
- of the <span><strong class="command">server</strong></span> statement.
- </p></dd>
- <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
- <dd>
- <p><span><strong class="command">transfer-source</strong></span>
- determines which local address will be bound to IPv4
- TCP connections used to fetch zones transferred
- inbound by the server. It also determines the
- source IPv4 address, and optionally the UDP port,
- used for the refresh queries and forwarded dynamic
- updates. If not set, it defaults to a system
- controlled value which will usually be the address
- of the interface "closest to" the remote end. This
- address must appear in the remote end's
- <span><strong class="command">allow-transfer</strong></span> option for the
- zone being transferred, if one is specified. This
- statement sets the
- <span><strong class="command">transfer-source</strong></span> for all zones,
- but can be overridden on a per-view or per-zone
- basis by including a
- <span><strong class="command">transfer-source</strong></span> statement within
- the <span><strong class="command">view</strong></span> or
- <span><strong class="command">zone</strong></span> block in the configuration
- file.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- Solaris 2.5.1 and earlier does not support setting the
- source address for TCP sockets.
- </p>
- </div>
- </dd>
- <dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
- <dd><p>
- The same as <span><strong class="command">transfer-source</strong></span>,
- except zone transfers are performed using IPv6.
- </p></dd>
- <dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
- <dd>
- <p>
- An alternate transfer source if the one listed in
- <span><strong class="command">transfer-source</strong></span> fails and
- <span><strong class="command">use-alt-transfer-source</strong></span> is
- set.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- If you do not wish the alternate transfer source
- to be used, you should set
- <span><strong class="command">use-alt-transfer-source</strong></span>
- appropriately and you should not depend upon
- getting an answer back to the first refresh
- query.
- </div>
- </dd>
- <dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
- <dd><p>
- An alternate transfer source if the one listed in
- <span><strong class="command">transfer-source-v6</strong></span> fails and
- <span><strong class="command">use-alt-transfer-source</strong></span> is
- set.
- </p></dd>
- <dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
- <dd><p>
- Use the alternate transfer sources or not. If views are
- specified this defaults to <span><strong class="command">no</strong></span>
- otherwise it defaults to
- <span><strong class="command">yes</strong></span> (for BIND 8
- compatibility).
- </p></dd>
- <dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
- <dd>
- <p><span><strong class="command">notify-source</strong></span>
- determines which local source address, and
- optionally UDP port, will be used to send NOTIFY
- messages. This address must appear in the slave
- server's <span><strong class="command">masters</strong></span> zone clause or
- in an <span><strong class="command">allow-notify</strong></span> clause. This
- statement sets the <span><strong class="command">notify-source</strong></span>
- for all zones, but can be overridden on a per-zone or
- per-view basis by including a
- <span><strong class="command">notify-source</strong></span> statement within
- the <span><strong class="command">zone</strong></span> or
- <span><strong class="command">view</strong></span> block in the configuration
- file.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- Solaris 2.5.1 and earlier does not support setting the
- source address for TCP sockets.
- </p>
- </div>
- </dd>
- <dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
- <dd><p>
- Like <span><strong class="command">notify-source</strong></span>,
- but applies to notify messages sent to IPv6 addresses.
- </p></dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2585531"></a>UDP Port Lists</h4></div></div></div>
- <p>
- <span><strong class="command">use-v4-udp-ports</strong></span>,
- <span><strong class="command">avoid-v4-udp-ports</strong></span>,
- <span><strong class="command">use-v6-udp-ports</strong></span>, and
- <span><strong class="command">avoid-v6-udp-ports</strong></span>
- specify a list of IPv4 and IPv6 UDP ports that will be
- used or not used as source ports for UDP messages.
- See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the
- available ports are determined.
- For example, with the following configuration
- </p>
- <pre class="programlisting">
- use-v6-udp-ports { range 32768 65535; };
- avoid-v6-udp-ports { 40000; range 50000 60000; };
- </pre>
- <p>
- UDP ports of IPv6 messages sent
- from <span><strong class="command">named</strong></span> will be in one
- of the following ranges: 32768 to 39999, 40001 to 49999,
- and 60001 to 65535.
- </p>
- <p>
- <span><strong class="command">avoid-v4-udp-ports</strong></span> and
- <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used
- to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a
- port that is blocked by your firewall or a port that is
- used by other applications;
- if a query went out with a source port blocked by a
- firewall, the
- answer would not get by the firewall and the name server would
- have to query again.
- Note: the desired range can also be represented only with
- <span><strong class="command">use-v4-udp-ports</strong></span> and
- <span><strong class="command">use-v6-udp-ports</strong></span>, and the
- <span><strong class="command">avoid-</strong></span> options are redundant in that
- sense; they are provided for backward compatibility and
- to possibly simplify the port specification.
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2585591"></a>Operating System Resource Limits</h4></div></div></div>
- <p>
- The server's usage of many system resources can be limited.
- Scaled values are allowed when specifying resource limits. For
- example, <span><strong class="command">1G</strong></span> can be used instead of
- <span><strong class="command">1073741824</strong></span> to specify a limit of
- one
- gigabyte. <span><strong class="command">unlimited</strong></span> requests
- unlimited use, or the
- maximum available amount. <span><strong class="command">default</strong></span>
- uses the limit
- that was in force when the server was started. See the description
- of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>.
- </p>
- <p>
- The following options set operating system resource limits for
- the name server process. Some operating systems don't support
- some or
- any of the limits. On such systems, a warning will be issued if
- the
- unsupported limit is used.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
- <dd><p>
- The maximum size of a core dump. The default
- is <code class="literal">default</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
- <dd><p>
- The maximum amount of data memory the server
- may use. The default is <code class="literal">default</code>.
- This is a hard limit on server memory usage.
- If the server attempts to allocate memory in excess of this
- limit, the allocation will fail, which may in turn leave
- the server unable to perform DNS service. Therefore,
- this option is rarely useful as a way of limiting the
- amount of memory used by the server, but it can be used
- to raise an operating system data size limit that is
- too small by default. If you wish to limit the amount
- of memory used by the server, use the
- <span><strong class="command">max-cache-size</strong></span> and
- <span><strong class="command">recursive-clients</strong></span>
- options instead.
- </p></dd>
- <dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
- <dd><p>
- The maximum number of files the server
- may have open concurrently. The default is <code class="literal">unlimited</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
- <dd><p>
- The maximum amount of stack memory the server
- may use. The default is <code class="literal">default</code>.
- </p></dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div>
- <p>
- The following options set limits on the server's
- resource consumption that are enforced internally by the
- server rather than the operating system.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
- <dd><p>
- This option is obsolete; it is accepted
- and ignored for BIND 8 compatibility. The option
- <span><strong class="command">max-journal-size</strong></span> performs a
- similar function in BIND 9.
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
- <dd><p>
- Sets a maximum size for each journal file
- (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file
- approaches
- the specified size, some of the oldest transactions in the
- journal
- will be automatically removed. The default is
- <code class="literal">unlimited</code>.
- This may also be set on a per-zone basis.
- </p></dd>
- <dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
- <dd><p>
- In BIND 8, specifies the maximum number of host statistics
- entries to be kept.
- Not implemented in BIND 9.
- </p></dd>
- <dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
- <dd><p>
- The maximum number of simultaneous recursive lookups
- the server will perform on behalf of clients. The default
- is
- <code class="literal">1000</code>. Because each recursing
- client uses a fair
- bit of memory, on the order of 20 kilobytes, the value of
- the
- <span><strong class="command">recursive-clients</strong></span> option may
- have to be decreased
- on hosts with limited memory.
- </p></dd>
- <dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
- <dd><p>
- The maximum number of simultaneous client TCP
- connections that the server will accept.
- The default is <code class="literal">100</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">reserved-sockets</strong></span></span></dt>
- <dd>
- <p>
- The number of file descriptors reserved for TCP, stdio,
- etc. This needs to be big enough to cover the number of
- interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
- to provide room for outgoing TCP queries and incoming zone
- transfers. The default is <code class="literal">512</code>.
- The minimum value is <code class="literal">128</code> and the
- maximum value is <code class="literal">128</code> less than
- maxsockets (-S). This option may be removed in the future.
- </p>
- <p>
- This option has little effect on Windows.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
- <dd><p>
- The maximum amount of memory to use for the
- server's cache, in bytes.
- When the amount of data in the cache
- reaches this limit, the server will cause records to expire
- prematurely based on an LRU based strategy so that
- the limit is not exceeded.
- A value of 0 is special, meaning that
- records are purged from the cache only when their
- TTLs expire.
- Another special keyword <strong class="userinput"><code>unlimited</code></strong>
- means the maximum value of 32-bit unsigned integers
- (0xffffffff), which may not have the same effect as
- 0 on machines that support more than 32 bits of
- memory space.
- Any positive values less than 2MB will be ignored reset
- to 2MB.
- In a server with multiple views, the limit applies
- separately to the cache of each view.
- The default is 0.
- </p></dd>
- <dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
- <dd><p>
- The listen queue depth. The default and minimum is 3.
- If the kernel supports the accept filter "dataready" this
- also controls how
- many TCP connections that will be queued in kernel space
- waiting for
- some data before being passed to accept. Values less than 3
- will be
- silently raised.
- </p></dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2586082"></a>Periodic Task Intervals</h4></div></div></div>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
- <dd><p>
- This interval is effectively obsolete. Previously,
- the server would remove expired resource records
- from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
- <acronym class="acronym">BIND</acronym> 9 now manages cache
- memory in a more sophisticated manner and does not
- rely on the periodic cleaning any more.
- Specifying this option therefore has no effect on
- the server's behavior.
- </p></dd>
- <dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
- <dd><p>
- The server will perform zone maintenance tasks
- for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
- interval expires. The default is 60 minutes. Reasonable
- values are up
- to 1 day (1440 minutes). The maximum value is 28 days
- (40320 minutes).
- If set to 0, no zone maintenance for these zones will occur.
- </p></dd>
- <dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
- <dd><p>
- The server will scan the network interface list
- every <span><strong class="command">interface-interval</strong></span>
- minutes. The default
- is 60 minutes. The maximum value is 28 days (40320 minutes).
- If set to 0, interface scanning will only occur when
- the configuration file is loaded. After the scan, the
- server will
- begin listening for queries on any newly discovered
- interfaces (provided they are allowed by the
- <span><strong class="command">listen-on</strong></span> configuration), and
- will
- stop listening on interfaces that have gone away.
- </p></dd>
- <dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
- <dd>
- <p>
- Name server statistics will be logged
- every <span><strong class="command">statistics-interval</strong></span>
- minutes. The default is
- 60. The maximum value is 28 days (40320 minutes).
- If set to 0, no statistics will be logged.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- Not yet implemented in
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </div>
- </dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="topology"></a>Topology</h4></div></div></div>
- <p>
- All other things being equal, when the server chooses a name
- server
- to query from a list of name servers, it prefers the one that is
- topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
- takes an <span><strong class="command">address_match_list</strong></span> and
- interprets it
- in a special way. Each top-level list element is assigned a
- distance.
- Non-negated elements get a distance based on their position in the
- list, where the closer the match is to the start of the list, the
- shorter the distance is between it and the server. A negated match
- will be assigned the maximum distance from the server. If there
- is no match, the address will get a distance which is further than
- any non-negated list element, and closer than any negated element.
- For example,
- </p>
- <pre class="programlisting">topology {
- 10/8;
- !1.2.3/24;
- { 1.2/16; 3/8; };
- };</pre>
- <p>
- will prefer servers on network 10 the most, followed by hosts
- on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
- exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
- is preferred least of all.
- </p>
- <p>
- The default topology is
- </p>
- <pre class="programlisting"> topology { localhost; localnets; };
- </pre>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- The <span><strong class="command">topology</strong></span> option
- is not implemented in <acronym class="acronym">BIND</acronym> 9.
- </p>
- </div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
- <p>
- The response to a DNS query may consist of multiple resource
- records (RRs) forming a resource records set (RRset).
- The name server will normally return the
- RRs within the RRset in an indeterminate order
- (but see the <span><strong class="command">rrset-order</strong></span>
- statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>).
- The client resolver code should rearrange the RRs as appropriate,
- that is, using any addresses on the local net in preference to
- other addresses.
- However, not all resolvers can do this or are correctly
- configured.
- When a client is using a local server, the sorting can be performed
- in the server, based on the client's address. This only requires
- configuring the name servers, not all the clients.
- </p>
- <p>
- The <span><strong class="command">sortlist</strong></span> statement (see below)
- takes
- an <span><strong class="command">address_match_list</strong></span> and
- interprets it even
- more specifically than the <span><strong class="command">topology</strong></span>
- statement
- does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>).
- Each top level statement in the <span><strong class="command">sortlist</strong></span> must
- itself be an explicit <span><strong class="command">address_match_list</strong></span> with
- one or two elements. The first element (which may be an IP
- address,
- an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
- of each top level list is checked against the source address of
- the query until a match is found.
- </p>
- <p>
- Once the source address of the query has been matched, if
- the top level statement contains only one element, the actual
- primitive
- element that matched the source address is used to select the
- address
- in the response to move to the beginning of the response. If the
- statement is a list of two elements, then the second element is
- treated the same as the <span><strong class="command">address_match_list</strong></span> in
- a <span><strong class="command">topology</strong></span> statement. Each top
- level element
- is assigned a distance and the address in the response with the
- minimum
- distance is moved to the beginning of the response.
- </p>
- <p>
- In the following example, any queries received from any of
- the addresses of the host itself will get responses preferring
- addresses
- on any of the locally connected networks. Next most preferred are
- addresses
- on the 192.168.1/24 network, and after that either the
- 192.168.2/24
- or
- 192.168.3/24 network with no preference shown between these two
- networks. Queries received from a host on the 192.168.1/24 network
- will prefer other addresses on that network to the 192.168.2/24
- and
- 192.168.3/24 networks. Queries received from a host on the
- 192.168.4/24
- or the 192.168.5/24 network will only prefer other addresses on
- their directly connected networks.
- </p>
- <pre class="programlisting">sortlist {
- // IF the local host
- // THEN first fit on the following nets
- { localhost;
- { localnets;
- 192.168.1/24;
- { 192.168.2/24; 192.168.3/24; }; }; };
- // IF on class C 192.168.1 THEN use .1, or .2 or .3
- { 192.168.1/24;
- { 192.168.1/24;
- { 192.168.2/24; 192.168.3/24; }; }; };
- // IF on class C 192.168.2 THEN use .2, or .1 or .3
- { 192.168.2/24;
- { 192.168.2/24;
- { 192.168.1/24; 192.168.3/24; }; }; };
- // IF on class C 192.168.3 THEN use .3, or .1 or .2
- { 192.168.3/24;
- { 192.168.3/24;
- { 192.168.1/24; 192.168.2/24; }; }; };
- // IF .4 or .5 THEN prefer that net
- { { 192.168.4/24; 192.168.5/24; };
- };
- };</pre>
- <p>
- The following example will give reasonable behavior for the
- local host and hosts on directly connected networks. It is similar
- to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent
- to queries from the local host will favor any of the directly
- connected
- networks. Responses sent to queries from any other hosts on a
- directly
- connected network will prefer addresses on that same network.
- Responses
- to other queries will not be sorted.
- </p>
- <pre class="programlisting">sortlist {
- { localhost; localnets; };
- { localnets; };
- };
- </pre>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
- <p>
- When multiple records are returned in an answer it may be
- useful to configure the order of the records placed into the
- response.
- The <span><strong class="command">rrset-order</strong></span> statement permits
- configuration
- of the ordering of the records in a multiple record response.
- See also the <span><strong class="command">sortlist</strong></span> statement,
- <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>.
- </p>
- <p>
- An <span><strong class="command">order_spec</strong></span> is defined as
- follows:
- </p>
- <p>
- [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>]
- [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>]
- [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>]
- order <em class="replaceable"><code>ordering</code></em>
- </p>
- <p>
- If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
- If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
- If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk).
- </p>
- <p>
- The legal values for <span><strong class="command">ordering</strong></span> are:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p><span><strong class="command">fixed</strong></span></p>
- </td>
- <td>
- <p>
- Records are returned in the order they
- are defined in the zone file.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">random</strong></span></p>
- </td>
- <td>
- <p>
- Records are returned in some random order.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">cyclic</strong></span></p>
- </td>
- <td>
- <p>
- Records are returned in a cyclic round-robin order.
- </p>
- <p>
- If <acronym class="acronym">BIND</acronym> is configured with the
- "--enable-fixed-rrset" option at compile time, then
- the initial ordering of the RRset will match the
- one specified in the zone file.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- For example:
- </p>
- <pre class="programlisting">rrset-order {
- class IN type A name "host.example.com" order random;
- order cyclic;
- };
- </pre>
- <p>
- will cause any responses for type A records in class IN that
- have "<code class="literal">host.example.com</code>" as a
- suffix, to always be returned
- in random order. All other records are returned in cyclic order.
- </p>
- <p>
- If multiple <span><strong class="command">rrset-order</strong></span> statements
- appear,
- they are not combined — the last one applies.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- In this release of <acronym class="acronym">BIND</acronym> 9, the
- <span><strong class="command">rrset-order</strong></span> statement does not support
- "fixed" ordering by default. Fixed ordering can be enabled
- at compile time by specifying "--enable-fixed-rrset" on
- the "configure" command line.
- </p>
- </div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="tuning"></a>Tuning</h4></div></div></div>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
- <dd>
- <p>
- Sets the number of seconds to cache a
- lame server indication. 0 disables caching. (This is
- <span class="bold"><strong>NOT</strong></span> recommended.)
- The default is <code class="literal">600</code> (10 minutes) and the
- maximum value is
- <code class="literal">1800</code> (30 minutes).
- </p>
- <p>
- Lame-ttl also controls the amount of time DNSSEC
- validation failures are cached. There is a minimum
- of 30 seconds applied to bad cache entries if the
- lame-ttl is set to less than 30 seconds.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
- <dd><p>
- To reduce network traffic and increase performance,
- the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
- used to set a maximum retention time for these answers in
- the server
- in seconds. The default
- <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
- <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed
- 7 days and will
- be silently truncated to 7 days if set to a greater value.
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
- <dd><p>
- Sets the maximum time for which the server will
- cache ordinary (positive) answers. The default is
- one week (7 days).
- A value of zero may cause all queries to return
- SERVFAIL, because of lost caches of intermediate
- RRsets (such as NS and glue AAAA/A records) in the
- resolution process.
- </p></dd>
- <dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
- <dd>
- <p>
- The minimum number of root servers that
- is required for a request for the root servers to be
- accepted. The default
- is <strong class="userinput"><code>2</code></strong>.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- Not implemented in <acronym class="acronym">BIND</acronym> 9.
- </p>
- </div>
- </dd>
- <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
- <dd>
- <p>
- Specifies the number of days into the future when
- DNSSEC signatures automatically generated as a
- result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There
- is an optional second field which specifies how
- long before expiry that the signatures will be
- regenerated. If not specified, the signatures will
- be regenerated at 1/4 of base interval. The second
- field is specified in days if the base interval is
- greater than 7 days otherwise it is specified in hours.
- The default base interval is <code class="literal">30</code> days
- giving a re-signing interval of 7 1/2 days. The maximum
- values are 10 years (3660 days).
- </p>
- <p>
- The signature inception time is unconditionally
- set to one hour before the current time to allow
- for a limited amount of clock skew.
- </p>
- <p>
- The <span><strong class="command">sig-validity-interval</strong></span>
- should be, at least, several multiples of the SOA
- expire interval to allow for reasonable interaction
- between the various timer and expiry dates.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
- <dd><p>
- Specify the maximum number of nodes to be
- examined in each quantum when signing a zone with
- a new DNSKEY. The default is
- <code class="literal">100</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
- <dd><p>
- Specify a threshold number of signatures that
- will terminate processing a quantum when signing
- a zone with a new DNSKEY. The default is
- <code class="literal">10</code>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
- <dd>
- <p>
- Specify a private RDATA type to be used when generating
- key signing records. The default is
- <code class="literal">65534</code>.
- </p>
- <p>
- It is expected that this parameter may be removed
- in a future version once there is a standard type.
- </p>
- </dd>
- <dt>
- <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
- </dt>
- <dd>
- <p>
- These options control the server's behavior on refreshing a
- zone
- (querying for SOA changes) or retrying failed transfers.
- Usually the SOA values for the zone are used, but these
- values
- are set by the master, giving slave server administrators
- little
- control over their contents.
- </p>
- <p>
- These options allow the administrator to set a minimum and
- maximum
- refresh and retry time either per-zone, per-view, or
- globally.
- These options are valid for slave and stub zones,
- and clamp the SOA refresh and retry times to the specified
- values.
- </p>
- <p>
- The following defaults apply.
- <span><strong class="command">min-refresh-time</strong></span> 300 seconds,
- <span><strong class="command">max-refresh-time</strong></span> 2419200 seconds
- (4 weeks), <span><strong class="command">min-retry-time</strong></span> 500 seconds,
- and <span><strong class="command">max-retry-time</strong></span> 1209600 seconds
- (2 weeks).
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
- <dd>
- <p>
- Sets the advertised EDNS UDP buffer size in bytes
- to control the size of packets received.
- Valid values are 512 to 4096 (values outside this range
- will be silently adjusted). The default value
- is 4096. The usual reason for setting
- <span><strong class="command">edns-udp-size</strong></span> to a non-default
- value is to get UDP answers to pass through broken
- firewalls that block fragmented packets and/or
- block UDP packets that are greater than 512 bytes.
- </p>
- <p>
- <span><strong class="command">named</strong></span> will fallback to using 512 bytes
- if it get a series of timeout at the initial value. 512
- bytes is not being offered to encourage sites to fix their
- firewalls. Small EDNS UDP sizes will result in the
- excessive use of TCP.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
- <dd>
- <p>
- Sets the maximum EDNS UDP message size
- <span><strong class="command">named</strong></span> will send in bytes.
- Valid values are 512 to 4096 (values outside this
- range will be silently adjusted). The default
- value is 4096. The usual reason for setting
- <span><strong class="command">max-udp-size</strong></span> to a non-default
- value is to get UDP answers to pass through broken
- firewalls that block fragmented packets and/or
- block UDP packets that are greater than 512 bytes.
- This is independent of the advertised receive
- buffer (<span><strong class="command">edns-udp-size</strong></span>).
- </p>
- <p>
- Setting this to a low value will encourage additional
- TCP traffic to the nameserver.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
- <dd><p>Specifies
- the file format of zone files (see
- <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>).
- The default value is <code class="constant">text</code>, which is the
- standard textual representation. Files in other formats
- than <code class="constant">text</code> are typically expected
- to be generated by the <span><strong class="command">named-compilezone</strong></span> tool.
- Note that when a zone file in a different format than
- <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span>
- may omit some of the checks which would be performed for a
- file in the <code class="constant">text</code> format. In particular,
- <span><strong class="command">check-names</strong></span> checks do not apply
- for the <code class="constant">raw</code> format. This means
- a zone file in the <code class="constant">raw</code> format
- must be generated with the same check level as that
- specified in the <span><strong class="command">named</strong></span> configuration
- file. This statement sets the
- <span><strong class="command">masterfile-format</strong></span> for all zones,
- but can be overridden on a per-zone or per-view basis
- by including a <span><strong class="command">masterfile-format</strong></span>
- statement within the <span><strong class="command">zone</strong></span> or
- <span><strong class="command">view</strong></span> block in the configuration
- file.
- </p></dd>
- <dt>
- <a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
- </dt>
- <dd>
- <p>These set the
- initial value (minimum) and maximum number of recursive
- simultaneous clients for any given query
- (<qname,qtype,qclass>) that the server will accept
- before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to
- self tune this value and changes will be logged. The
- default values are 10 and 100.
- </p>
- <p>
- This value should reflect how many queries come in for
- a given name in the time it takes to resolve that name.
- If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
- assume that it is dealing with a non-responsive zone
- and will drop additional queries. If it gets a response
- after dropping queries, it will raise the estimate. The
- estimate will then be lowered in 20 minutes if it has
- remained unchanged.
- </p>
- <p>
- If <span><strong class="command">clients-per-query</strong></span> is set to zero,
- then there is no limit on the number of clients per query
- and no queries will be dropped.
- </p>
- <p>
- If <span><strong class="command">max-clients-per-query</strong></span> is set to zero,
- then there is no upper bound other than imposed by
- <span><strong class="command">recursive-clients</strong></span>.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
- <dd>
- <p>
- The delay, in seconds, between sending sets of notify
- messages for a zone. The default is five (5) seconds.
- </p>
- <p>
- The overall rate that NOTIFY messages are sent for all
- zones is controlled by <span><strong class="command">serial-query-rate</strong></span>.
- </p>
- </dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="builtin"></a>Built-in server information zones</h4></div></div></div>
- <p>
- The server provides some helpful diagnostic information
- through a number of built-in zones under the
- pseudo-top-level-domain <code class="literal">bind</code> in the
- <span><strong class="command">CHAOS</strong></span> class. These zones are part
- of a
- built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of
- class
- <span><strong class="command">CHAOS</strong></span> which is separate from the
- default view of
- class <span><strong class="command">IN</strong></span>; therefore, any global
- server options
- such as <span><strong class="command">allow-query</strong></span> do not apply
- the these zones.
- If you feel the need to disable these zones, use the options
- below, or hide the built-in <span><strong class="command">CHAOS</strong></span>
- view by
- defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
- that matches all clients.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
- <dd><p>
- The version the server should report
- via a query of the name <code class="literal">version.bind</code>
- with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
- The default is the real version number of this server.
- Specifying <span><strong class="command">version none</strong></span>
- disables processing of the queries.
- </p></dd>
- <dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
- <dd><p>
- The hostname the server should report via a query of
- the name <code class="filename">hostname.bind</code>
- with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
- This defaults to the hostname of the machine hosting the
- name server as
- found by the gethostname() function. The primary purpose of such queries
- is to
- identify which of a group of anycast servers is actually
- answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
- disables processing of the queries.
- </p></dd>
- <dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
- <dd><p>
- The ID the server should report when receiving a Name
- Server Identifier (NSID) query, or a query of the name
- <code class="filename">ID.SERVER</code> with type
- <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
- The primary purpose of such queries is to
- identify which of a group of anycast servers is actually
- answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
- disables processing of the queries.
- Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
- use the hostname as found by the gethostname() function.
- The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
- </p></dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="empty"></a>Built-in Empty Zones</h4></div></div></div>
- <p>
- Named has some built-in empty zones (SOA and NS records only).
- These are for zones that should normally be answered locally
- and which queries should not be sent to the Internet's root
- servers. The official servers which cover these namespaces
- return NXDOMAIN responses to these queries. In particular,
- these cover the reverse namespaces for addresses from
- RFC 1918, RFC 4193, and RFC 5737. They also include the
- reverse namespace for IPv6 local address (locally assigned),
- IPv6 link local addresses, the IPv6 loopback address and the
- IPv6 unknown address.
- </p>
- <p>
- Named will attempt to determine if a built-in zone already exists
- or is active (covered by a forward-only forwarding declaration)
- and will not create an empty zone in that case.
- </p>
- <p>
- The current list of empty zones is:
- </p>
- <div class="itemizedlist"><ul type="disc">
- <li>10.IN-ADDR.ARPA</li>
- <li>16.172.IN-ADDR.ARPA</li>
- <li>17.172.IN-ADDR.ARPA</li>
- <li>18.172.IN-ADDR.ARPA</li>
- <li>19.172.IN-ADDR.ARPA</li>
- <li>20.172.IN-ADDR.ARPA</li>
- <li>21.172.IN-ADDR.ARPA</li>
- <li>22.172.IN-ADDR.ARPA</li>
- <li>23.172.IN-ADDR.ARPA</li>
- <li>24.172.IN-ADDR.ARPA</li>
- <li>25.172.IN-ADDR.ARPA</li>
- <li>26.172.IN-ADDR.ARPA</li>
- <li>27.172.IN-ADDR.ARPA</li>
- <li>28.172.IN-ADDR.ARPA</li>
- <li>29.172.IN-ADDR.ARPA</li>
- <li>30.172.IN-ADDR.ARPA</li>
- <li>31.172.IN-ADDR.ARPA</li>
- <li>168.192.IN-ADDR.ARPA</li>
- <li>0.IN-ADDR.ARPA</li>
- <li>127.IN-ADDR.ARPA</li>
- <li>254.169.IN-ADDR.ARPA</li>
- <li>2.0.192.IN-ADDR.ARPA</li>
- <li>100.51.198.IN-ADDR.ARPA</li>
- <li>113.0.203.IN-ADDR.ARPA</li>
- <li>255.255.255.255.IN-ADDR.ARPA</li>
- <li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
- <li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li>
- <li>8.B.D.0.1.0.0.2.IP6.ARPA</li>
- <li>D.F.IP6.ARPA</li>
- <li>8.E.F.IP6.ARPA</li>
- <li>9.E.F.IP6.ARPA</li>
- <li>A.E.F.IP6.ARPA</li>
- <li>B.E.F.IP6.ARPA</li>
- </ul></div>
- <p>
- </p>
- <p>
- Empty zones are settable at the view level and only apply to
- views of class IN. Disabled empty zones are only inherited
- from options if there are no disabled empty zones specified
- at the view level. To override the options list of disabled
- zones, you can disable the root zone at the view level, for example:
- </p>
- <pre class="programlisting">
- disable-empty-zone ".";
- </pre>
- <p>
- </p>
- <p>
- If you are using the address ranges covered here, you should
- already have reverse zones covering the addresses you use.
- In practice this appears to not be the case with many queries
- being made to the infrastructure servers for names in these
- spaces. So many in fact that sacrificial servers were needed
- to be deployed to channel the query load away from the
- infrastructure servers.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- The real parent servers for these zones should disable all
- empty zone under the parent zone they serve. For the real
- root servers, this is all built-in empty zones. This will
- enable them to return referrals to deeper in the tree.
- </div>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt>
- <dd><p>
- Specify what server name will appear in the returned
- SOA record for empty zones. If none is specified, then
- the zone's name will be used.
- </p></dd>
- <dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt>
- <dd><p>
- Specify what contact name will appear in the returned
- SOA record for empty zones. If none is specified, then
- "." will be used.
- </p></dd>
- <dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
- <dd><p>
- Enable or disable all empty zones. By default, they
- are enabled.
- </p></dd>
- <dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
- <dd><p>
- Disable individual empty zones. By default, none are
- disabled. This option can be specified multiple times.
- </p></dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="acache"></a>Additional Section Caching</h4></div></div></div>
- <p>
- The additional section cache, also called <span><strong class="command">acache</strong></span>,
- is an internal cache to improve the response performance of BIND 9.
- When additional section caching is enabled, BIND 9 will
- cache an internal short-cut to the additional section content for
- each answer RR.
- Note that <span><strong class="command">acache</strong></span> is an internal caching
- mechanism of BIND 9, and is not related to the DNS caching
- server function.
- </p>
- <p>
- Additional section caching does not change the
- response content (except the RRsets ordering of the additional
- section, see below), but can improve the response performance
- significantly.
- It is particularly effective when BIND 9 acts as an authoritative
- server for a zone that has many delegations with many glue RRs.
- </p>
- <p>
- In order to obtain the maximum performance improvement
- from additional section caching, setting
- <span><strong class="command">additional-from-cache</strong></span>
- to <span><strong class="command">no</strong></span> is recommended, since the current
- implementation of <span><strong class="command">acache</strong></span>
- does not short-cut of additional section information from the
- DNS cache data.
- </p>
- <p>
- One obvious disadvantage of <span><strong class="command">acache</strong></span> is
- that it requires much more
- memory for the internal cached data.
- Thus, if the response performance does not matter and memory
- consumption is much more critical, the
- <span><strong class="command">acache</strong></span> mechanism can be
- disabled by setting <span><strong class="command">acache-enable</strong></span> to
- <span><strong class="command">no</strong></span>.
- It is also possible to specify the upper limit of memory
- consumption
- for acache by using <span><strong class="command">max-acache-size</strong></span>.
- </p>
- <p>
- Additional section caching also has a minor effect on the
- RRset ordering in the additional section.
- Without <span><strong class="command">acache</strong></span>,
- <span><strong class="command">cyclic</strong></span> order is effective for the additional
- section as well as the answer and authority sections.
- However, additional section caching fixes the ordering when it
- first caches an RRset for the additional section, and the same
- ordering will be kept in succeeding responses, regardless of the
- setting of <span><strong class="command">rrset-order</strong></span>.
- The effect of this should be minor, however, since an
- RRset in the additional section
- typically only contains a small number of RRs (and in many cases
- it only contains a single RR), in which case the
- ordering does not matter much.
- </p>
- <p>
- The following is a summary of options related to
- <span><strong class="command">acache</strong></span>.
- </p>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt>
- <dd><p>
- If <span><strong class="command">yes</strong></span>, additional section caching is
- enabled. The default value is <span><strong class="command">no</strong></span>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt>
- <dd><p>
- The server will remove stale cache entries, based on an LRU
- based
- algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes.
- The default is 60 minutes.
- If set to 0, no periodic cleaning will occur.
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt>
- <dd><p>
- The maximum amount of memory in bytes to use for the server's acache.
- When the amount of data in the acache reaches this limit,
- the server
- will clean more aggressively so that the limit is not
- exceeded.
- In a server with multiple views, the limit applies
- separately to the
- acache of each view.
- The default is <code class="literal">16M</code>.
- </p></dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2588188"></a>Content Filtering</h4></div></div></div>
- <p>
- <acronym class="acronym">BIND</acronym> 9 provides the ability to filter
- out DNS responses from external DNS servers containing
- certain types of data in the answer section.
- Specifically, it can reject address (A or AAAA) records if
- the corresponding IPv4 or IPv6 addresses match the given
- <code class="varname">address_match_list</code> of the
- <span><strong class="command">deny-answer-addresses</strong></span> option.
- It can also reject CNAME or DNAME records if the "alias"
- name (i.e., the CNAME alias or the substituted query name
- due to DNAME) matches the
- given <code class="varname">namelist</code> of the
- <span><strong class="command">deny-answer-aliases</strong></span> option, where
- "match" means the alias name is a subdomain of one of
- the <code class="varname">name_list</code> elements.
- If the optional <code class="varname">namelist</code> is specified
- with <span><strong class="command">except-from</strong></span>, records whose query name
- matches the list will be accepted regardless of the filter
- setting.
- Likewise, if the alias name is a subdomain of the
- corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span>
- filter will not apply;
- for example, even if "example.com" is specified for
- <span><strong class="command">deny-answer-aliases</strong></span>,
- </p>
- <pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre>
- <p>
- returned by an "example.com" server will be accepted.
- </p>
- <p>
- In the <code class="varname">address_match_list</code> of the
- <span><strong class="command">deny-answer-addresses</strong></span> option, only
- <code class="varname">ip_addr</code>
- and <code class="varname">ip_prefix</code>
- are meaningful;
- any <code class="varname">key_id</code> will be silently ignored.
- </p>
- <p>
- If a response message is rejected due to the filtering,
- the entire message is discarded without being cached, and
- a SERVFAIL error will be returned to the client.
- </p>
- <p>
- This filtering is intended to prevent "DNS rebinding attacks," in
- which an attacker, in response to a query for a domain name the
- attacker controls, returns an IP address within your own network or
- an alias name within your own domain.
- A naive web browser or script could then serve as an
- unintended proxy, allowing the attacker
- to get access to an internal node of your local network
- that couldn't be externally accessed otherwise.
- See the paper available at
- <a href="" target="_top">
- http://portal.acm.org/citation.cfm?id=1315245.1315298
- </a>
- for more details about the attacks.
- </p>
- <p>
- For example, if you own a domain named "example.net" and
- your internal network uses an IPv4 prefix 192.0.2.0/24,
- you might specify the following rules:
- </p>
- <pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; };
- deny-answer-aliases { "example.net"; };
- </pre>
- <p>
- If an external attacker lets a web browser in your local
- network look up an IPv4 address of "attacker.example.com",
- the attacker's DNS server would return a response like this:
- </p>
- <pre class="programlisting">attacker.example.com. A 192.0.2.1</pre>
- <p>
- in the answer section.
- Since the rdata of this record (the IPv4 address) matches
- the specified prefix 192.0.2.0/24, this response will be
- ignored.
- </p>
- <p>
- On the other hand, if the browser looks up a legitimate
- internal web server "www.example.net" and the
- following response is returned to
- the <acronym class="acronym">BIND</acronym> 9 server
- </p>
- <pre class="programlisting">www.example.net. A 192.0.2.2</pre>
- <p>
- it will be accepted since the owner name "www.example.net"
- matches the <span><strong class="command">except-from</strong></span> element,
- "example.net".
- </p>
- <p>
- Note that this is not really an attack on the DNS per se.
- In fact, there is nothing wrong for an "external" name to
- be mapped to your "internal" IP address or domain name
- from the DNS point of view.
- It might actually be provided for a legitimate purpose,
- such as for debugging.
- As long as the mapping is provided by the correct owner,
- it is not possible or does not make sense to detect
- whether the intent of the mapping is legitimate or not
- within the DNS.
- The "rebinding" attack must primarily be protected at the
- application that uses the DNS.
- For a large site, however, it may be difficult to protect
- all possible applications at once.
- This filtering feature is provided only to help such an
- operational environment;
- it is generally discouraged to turn it on unless you are
- very sure you have no other choice and the attack is a
- real threat for your applications.
- </p>
- <p>
- Care should be particularly taken if you want to use this
- option for addresses within 127.0.0.0/8.
- These addresses are obviously "internal", but many
- applications conventionally rely on a DNS mapping from
- some name to such an address.
- Filtering out DNS records containing this address
- spuriously can break such applications.
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2588379"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div>
- <p>
- <acronym class="acronym">BIND</acronym> 9 includes an intentionally limited
- mechanism to modify DNS responses for recursive requests
- somewhat similar to email anti-spam DNS blacklists.
- Responses can be changed to deny the existence of domains(NXDOMAIN),
- deny the existence of IP addresses for domains (NODATA),
- or contain other IP addresses or data.
- </p>
- <p>
- The actions encoded in a response policy zone (RPZ) are applied
- only to queries that ask for recursion (RD=1).
- Response policy zones are named in the
- <span><strong class="command">response-policy</strong></span> option for the view or among the
- global options if there is no response-policy option for the view.
- RPZs are ordinary DNS zones containing RRsets
- that can be queried normally if allowed.
- It is usually best to restrict those queries with something like
- <span><strong class="command">allow-query { localhost; };</strong></span>.
- </p>
- <p>
- There are four kinds of RPZ records, QNAME, IP, NSIP,
- and NSDNAME.
- QNAME records are applied to query names of requests and targets
- of CNAME records resolved to generate the response.
- The owner name of a QNAME RPZ record is the query name relativized
- to the RPZ.
- </p>
- <p>
- The second kind of RPZ record, an IP policy record,
- is triggered by addresses in A and AAAA records
- for the ANSWER sections of responses.
- IP policy records have owner names that are
- subdomains of <strong class="userinput"><code>rpz-ip</code></strong> relativized to the
- RPZ origin name and encode an IP address or address block.
- IPv4 addresses are encoded as
- <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip</code></strong>.
- The prefix length must be between 1 and 32.
- All four bytes, B4, B3, B2, and B1, must be present.
- B4 is the decimal value of the least significant byte of the
- IPv4 address as in IN-ADDR.ARPA.
- IPv6 addresses are encoded in a format similar to the standard
- IPv6 text representation,
- <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</code></strong>.
- Each of W8,...,W1 is a one to four digit hexadecimal number
- representing 16 bits of the IPv6 address as in the standard text
- representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA.
- All 8 words must be present except when consecutive
- zero words are replaced with <strong class="userinput"><code>.zz.</code></strong>
- analogous to double colons (::) in standard IPv6 text encodings.
- The prefix length must be between 1 and 128.
- </p>
- <p>
- NSDNAME policy records match names of authoritative servers
- for the query name, a parent of the query name, a CNAME,
- or a parent of a CNAME.
- They are encoded as subdomains of
- <strong class="userinput"><code>rpz-nsdomain</code></strong> relativized
- to the RPZ origin name.
- </p>
- <p>
- NSIP policy records match IP addresses in A and AAAA RRsets
- for domains that can be checked against NSDNAME policy records.
- The are encoded like IP policies except as subdomains of
- <strong class="userinput"><code>rpz-nsip</code></strong>.
- </p>
- <p>
- The query response is checked against all RPZs, so
- two or more policy records can apply to a single response.
- Because DNS responses can be rewritten according by at most a
- single policy record, a single policy (other than
- <span><strong class="command">DISABLED</strong></span> policies) must be chosen.
- Policies are chosen in the following order:
- </p>
- <div class="itemizedlist"><ul type="disc">
- <li>Among applicable zones, use the RPZ that appears first
- in the response-policy option.
- </li>
- <li>Prefer QNAME to IP to NSDNAME to NSIP policy records
- in a single RPZ
- </li>
- <li>Among applicable NSDNAME policy records, prefer the
- policy record that matches the lexically smallest name
- </li>
- <li>Among IP or NSIP policy records, prefer the record
- with the longest prefix.
- </li>
- <li>Among records with the same prefex length,
- prefer the IP or NSIP policy record that matches
- the smallest IP address.
- </li>
- </ul></div>
- <p>
- </p>
- <p>
- When the processing of a response is restarted to resolve
- DNAME or CNAME records and an applicable policy record set has
- not been found,
- all RPZs are again consulted for the DNAME or CNAME names
- and addresses.
- </p>
- <p>
- Authority verification issues and variations in authority data
- can cause inconsistent results for NSIP and NSDNAME policy records.
- Glue NS records often differ from authoritative NS records.
- So they are available
- only when <acronym class="acronym">BIND</acronym> is built with the
- <strong class="userinput"><code>--enable-rpz-nsip</code></strong> or
- <strong class="userinput"><code>--enable-rpz-nsdname</code></strong> options
- on the "configure" command line.
- </p>
- <p>
- RPZ record sets are special CNAME records or one or more
- of any types of DNS record except DNAME or DNSSEC.
- Except when a policy record is a CNAME, there can be more
- more than one record and more than one type
- in a set of policy records.
- Except for three kinds of CNAME records that are illegal except
- in policy zones, the records in a set are used in the response as if
- their owner name were the query name. They are copied to the
- response as dictated by their types.
- </p>
- <div class="itemizedlist"><ul type="disc">
- <li>A CNAME whose target is the root domain (.)
- specifies the <span><strong class="command">NXDOMAIN</strong></span> policy,
- which generates an NXDOMAIN response.
- </li>
- <li>A CNAME whose target is the wildcard top-level
- domain (*.) specifies the <span><strong class="command">NODATA</strong></span> policy,
- which rewrites the response to NODATA or ANCOUNT=1.
- </li>
- <li>A CNAME whose target is a wildcard hostname such
- as *.example.com is used normally after the astrisk (*)
- has been replaced with the query name.
- These records are usually resolved with ordinary CNAMEs
- outside the policy zones. They can be useful for logging.
- </li>
- <li>The <span><strong class="command">PASSTHRU</strong></span> policy is specified
- by a CNAME whose target is the variable part of its own
- owner name. It causes the response to not be rewritten
- and is most often used to "poke holes" in policies for
- CIDR blocks.
- </li>
- </ul></div>
- <p>
- </p>
- <p>
- The policies specified in individual records
- in an RPZ can be overridden with a <span><strong class="command">policy</strong></span> clause
- in the <span><strong class="command">response-policy</strong></span> option.
- An organization using an RPZ provided by another organization might
- use this mechanism to redirect domains to its own walled garden.
- </p>
- <div class="itemizedlist"><ul type="disc">
- <li>
- <span><strong class="command">GIVEN</strong></span> says "do not override."
- </li>
- <li>
- <span><strong class="command">DISABLED</strong></span> causes policy records to do
- nothing but log what they might have done.
- The response to the DNS query will be written according to
- any matching policy records that are not disabled.
- Policy zones overridden with <span><strong class="command">DISABLED</strong></span> should
- appear first, because they will often not be logged
- if a higher precedence policy is found first.
- </li>
- <li>
- <span><strong class="command">PASSTHRU</strong></span> causes all policy records
- to act as if they were CNAME records with targets the variable
- part of their owner name. They protect the response from
- being changed.
- </li>
- <li>
- <span><strong class="command">NXDOMAIN</strong></span> causes all RPZ records
- to specify NXDOMAIN policies.
- </li>
- <li>
- <span><strong class="command">NODATA</strong></span> overrides with the
- NODATA policy
- </li>
- <li>
- <span><strong class="command">CNAME domain</strong></span> causes all RPZ
- policy records to act as if they were "cname domain" records.
- </li>
- </ul></div>
- <p>
- </p>
- <p>
- For example, you might use this option statement
- </p>
- <pre class="programlisting"> response-policy { zone "badlist"; };</pre>
- <p>
- and this zone statement
- </p>
- <pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre>
- <p>
- with this zone file
- </p>
- <pre class="programlisting">$TTL 1H
- @ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
- NS LOCALHOST.
- ; QNAME policy records. There are no periods (.) after the owner names.
- nxdomain.domain.com CNAME . ; NXDOMAIN policy
- nodata.domain.com CNAME *. ; NODATA policy
- bad.domain.com A 10.0.0.1 ; redirect to a walled garden
- AAAA 2001:2::1
- ; do not rewrite (PASSTHRU) OK.DOMAIN.COM
- ok.domain.com CNAME ok.domain.com.
- bzone.domain.com CNAME garden.example.com.
- ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com
- *.bzone.domain.com CNAME *.garden.example.com.
- ; IP policy records that rewrite all answers for 127/8 except 127.0.0.1
- 8.0.0.0.127.rpz-ip CNAME .
- 32.1.0.0.127.rpz-ip CNAME 32.1.0.0.127. ; PASSTHRU for 127.0.0.1
- ; NSDNAME and NSIP policy records
- ns.domain.com.rpz-nsdname CNAME .
- 48.zz.2.2001.rpz-nsip CNAME .
- </pre>
- </div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> {
- [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
- [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
- [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]
- [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
- [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>]
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">server</strong></span> statement defines
- characteristics
- to be associated with a remote name server. If a prefix length is
- specified, then a range of servers is covered. Only the most
- specific
- server clause applies regardless of the order in
- <code class="filename">named.conf</code>.
- </p>
- <p>
- The <span><strong class="command">server</strong></span> statement can occur at
- the top level of the
- configuration file or inside a <span><strong class="command">view</strong></span>
- statement.
- If a <span><strong class="command">view</strong></span> statement contains
- one or more <span><strong class="command">server</strong></span> statements, only
- those
- apply to the view and any top-level ones are ignored.
- If a view contains no <span><strong class="command">server</strong></span>
- statements,
- any top-level <span><strong class="command">server</strong></span> statements are
- used as
- defaults.
- </p>
- <p>
- If you discover that a remote server is giving out bad data,
- marking it as bogus will prevent further queries to it. The
- default
- value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.
- </p>
- <p>
- The <span><strong class="command">provide-ixfr</strong></span> clause determines
- whether
- the local server, acting as master, will respond with an
- incremental
- zone transfer when the given remote server, a slave, requests it.
- If set to <span><strong class="command">yes</strong></span>, incremental transfer
- will be provided
- whenever possible. If set to <span><strong class="command">no</strong></span>,
- all transfers
- to the remote server will be non-incremental. If not set, the
- value
- of the <span><strong class="command">provide-ixfr</strong></span> option in the
- view or
- global options block is used as a default.
- </p>
- <p>
- The <span><strong class="command">request-ixfr</strong></span> clause determines
- whether
- the local server, acting as a slave, will request incremental zone
- transfers from the given remote server, a master. If not set, the
- value of the <span><strong class="command">request-ixfr</strong></span> option in
- the view or
- global options block is used as a default.
- </p>
- <p>
- IXFR requests to servers that do not support IXFR will
- automatically
- fall back to AXFR. Therefore, there is no need to manually list
- which servers support IXFR and which ones do not; the global
- default
- of <span><strong class="command">yes</strong></span> should always work.
- The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
- <span><strong class="command">request-ixfr</strong></span> clauses is
- to make it possible to disable the use of IXFR even when both
- master
- and slave claim to support it, for example if one of the servers
- is buggy and crashes or corrupts data when IXFR is used.
- </p>
- <p>
- The <span><strong class="command">edns</strong></span> clause determines whether
- the local server will attempt to use EDNS when communicating
- with the remote server. The default is <span><strong class="command">yes</strong></span>.
- </p>
- <p>
- The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
- that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
- Valid values are 512 to 4096 bytes (values outside this range will be
- silently adjusted). This option is useful when you wish to
- advertises a different value to this server than the value you
- advertise globally, for example, when there is a firewall at the
- remote site that is blocking large replies.
- </p>
- <p>
- The <span><strong class="command">max-udp-size</strong></span> option sets the
- maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send. Valid
- values are 512 to 4096 bytes (values outside this range will
- be silently adjusted). This option is useful when you
- know that there is a firewall that is blocking large
- replies from <span><strong class="command">named</strong></span>.
- </p>
- <p>
- The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
- uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
- as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
- more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym>
- 8.x, and patched versions of <acronym class="acronym">BIND</acronym>
- 4.9.5. You can specify which method
- to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
- If <span><strong class="command">transfer-format</strong></span> is not
- specified, the <span><strong class="command">transfer-format</strong></span>
- specified
- by the <span><strong class="command">options</strong></span> statement will be
- used.
- </p>
- <p><span><strong class="command">transfers</strong></span>
- is used to limit the number of concurrent inbound zone
- transfers from the specified server. If no
- <span><strong class="command">transfers</strong></span> clause is specified, the
- limit is set according to the
- <span><strong class="command">transfers-per-ns</strong></span> option.
- </p>
- <p>
- The <span><strong class="command">keys</strong></span> clause identifies a
- <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
- to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>)
- when talking to the remote server.
- When a request is sent to the remote server, a request signature
- will be generated using the key specified here and appended to the
- message. A request originating from the remote server is not
- required
- to be signed by this key.
- </p>
- <p>
- Although the grammar of the <span><strong class="command">keys</strong></span>
- clause
- allows for multiple keys, only a single key per server is
- currently
- supported.
- </p>
- <p>
- The <span><strong class="command">transfer-source</strong></span> and
- <span><strong class="command">transfer-source-v6</strong></span> clauses specify
- the IPv4 and IPv6 source
- address to be used for zone transfer with the remote server,
- respectively.
- For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
- be specified.
- Similarly, for an IPv6 remote server, only
- <span><strong class="command">transfer-source-v6</strong></span> can be
- specified.
- For more details, see the description of
- <span><strong class="command">transfer-source</strong></span> and
- <span><strong class="command">transfer-source-v6</strong></span> in
- <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p>
- <p>
- The <span><strong class="command">notify-source</strong></span> and
- <span><strong class="command">notify-source-v6</strong></span> clauses specify the
- IPv4 and IPv6 source address to be used for notify
- messages sent to remote servers, respectively. For an
- IPv4 remote server, only <span><strong class="command">notify-source</strong></span>
- can be specified. Similarly, for an IPv6 remote server,
- only <span><strong class="command">notify-source-v6</strong></span> can be specified.
- </p>
- <p>
- The <span><strong class="command">query-source</strong></span> and
- <span><strong class="command">query-source-v6</strong></span> clauses specify the
- IPv4 and IPv6 source address to be used for queries
- sent to remote servers, respectively. For an IPv4
- remote server, only <span><strong class="command">query-source</strong></span> can
- be specified. Similarly, for an IPv6 remote server,
- only <span><strong class="command">query-source-v6</strong></span> can be specified.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
- [ inet ( ip_addr | * ) [ port ip_port ]
- [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
- [ inet ...; ]
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2589481"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
- Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">statistics-channels</strong></span> statement
- declares communication channels to be used by system
- administrators to get access to statistics information of
- the name server.
- </p>
- <p>
- This statement intends to be flexible to support multiple
- communication protocols in the future, but currently only
- HTTP access is supported.
- It requires that BIND 9 be compiled with libxml2;
- the <span><strong class="command">statistics-channels</strong></span> statement is
- still accepted even if it is built without the library,
- but any HTTP access will fail with an error.
- </p>
- <p>
- An <span><strong class="command">inet</strong></span> control channel is a TCP socket
- listening at the specified <span><strong class="command">ip_port</strong></span> on the
- specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
- interpreted as the IPv4 wildcard address; connections will be
- accepted on any of the system's IPv4 addresses.
- To listen on the IPv6 wildcard address,
- use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
- </p>
- <p>
- If no port is specified, port 80 is used for HTTP channels.
- The asterisk "<code class="literal">*</code>" cannot be used for
- <span><strong class="command">ip_port</strong></span>.
- </p>
- <p>
- The attempt of opening a statistics channel is
- restricted by the optional <span><strong class="command">allow</strong></span> clause.
- Connections to the statistics channel are permitted based on the
- <span><strong class="command">address_match_list</strong></span>.
- If no <span><strong class="command">allow</strong></span> clause is present,
- <span><strong class="command">named</strong></span> accepts connection
- attempts from any address; since the statistics may
- contain sensitive internal information, it is highly
- recommended to restrict the source of connection requests
- appropriately.
- </p>
- <p>
- If no <span><strong class="command">statistics-channels</strong></span> statement is present,
- <span><strong class="command">named</strong></span> will not open any communication channels.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
- <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
- [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2589689"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
- and Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">trusted-keys</strong></span> statement defines
- DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the
- public key for a non-authoritative zone is known, but
- cannot be securely obtained through DNS, either because
- it is the DNS root zone or because its parent zone is
- unsigned. Once a key has been configured as a trusted
- key, it is treated as if it had been validated and
- proven secure. The resolver attempts DNSSEC validation
- on all DNS data in subdomains of a security root.
- </p>
- <p>
- All keys (and corresponding zones) listed in
- <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless
- of what parent zones say. Similarly for all keys listed in
- <span><strong class="command">trusted-keys</strong></span> only those keys are
- used to validate the DNSKEY RRset. The parent's DS RRset
- will not be used.
- </p>
- <p>
- The <span><strong class="command">trusted-keys</strong></span> statement can contain
- multiple key entries, each consisting of the key's
- domain name, flags, protocol, algorithm, and the Base-64
- representation of the key data.
- Spaces, tabs, newlines and carriage returns are ignored
- in the key data, so the configuration may be split up into
- multiple lines.
- </p>
- <p>
- <span><strong class="command">trusted-keys</strong></span> may be set at the top level
- of <code class="filename">named.conf</code> or within a view. If it is
- set in both places, they are additive: keys defined at the top
- level are inherited by all views, but keys defined in a view
- are only used within that view.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2589736"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">managed-keys</strong></span> {
- <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
- [<span class="optional"> <em class="replaceable"><code>string</code></em> initial-key <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition
- and Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">managed-keys</strong></span> statement, like
- <span><strong class="command">trusted-keys</strong></span>, defines DNSSEC
- security roots. The difference is that
- <span><strong class="command">managed-keys</strong></span> can be kept up to date
- automatically, without intervention from the resolver
- operator.
- </p>
- <p>
- Suppose, for example, that a zone's key-signing
- key was compromised, and the zone owner had to revoke and
- replace the key. A resolver which had the old key in a
- <span><strong class="command">trusted-keys</strong></span> statement would be
- unable to validate this zone any longer; it would
- reply with a SERVFAIL response code. This would
- continue until the resolver operator had updated the
- <span><strong class="command">trusted-keys</strong></span> statement with the new key.
- </p>
- <p>
- If, however, the zone were listed in a
- <span><strong class="command">managed-keys</strong></span> statement instead, then the
- zone owner could add a "stand-by" key to the zone in advance.
- <span><strong class="command">named</strong></span> would store the stand-by key, and
- when the original key was revoked, <span><strong class="command">named</strong></span>
- would be able to transition smoothly to the new key. It would
- also recognize that the old key had been revoked, and cease
- using that key to validate answers, minimizing the damage that
- the compromised key could do.
- </p>
- <p>
- A <span><strong class="command">managed-keys</strong></span> statement contains a list of
- the keys to be managed, along with information about how the
- keys are to be initialized for the first time. The only
- initialization method currently supported (as of
- <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>.
- This means the <span><strong class="command">managed-keys</strong></span> statement must
- contain a copy of the initializing key. (Future releases may
- allow keys to be initialized by other methods, eliminating this
- requirement.)
- </p>
- <p>
- Consequently, a <span><strong class="command">managed-keys</strong></span> statement
- appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing
- in the presence of the second field, containing the keyword
- <code class="literal">initial-key</code>. The difference is, whereas the
- keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be
- trusted until they are removed from
- <code class="filename">named.conf</code>, an initializing key listed
- in a <span><strong class="command">managed-keys</strong></span> statement is only trusted
- <span class="emphasis"><em>once</em></span>: for as long as it takes to load the
- managed key database and start the RFC 5011 key maintenance
- process.
- </p>
- <p>
- The first time <span><strong class="command">named</strong></span> runs with a managed key
- configured in <code class="filename">named.conf</code>, it fetches the
- DNSKEY RRset directly from the zone apex, and validates it
- using the key specified in the <span><strong class="command">managed-keys</strong></span>
- statement. If the DNSKEY RRset is validly signed, then it is
- used as the basis for a new managed keys database.
- </p>
- <p>
- From that point on, whenever <span><strong class="command">named</strong></span> runs, it
- sees the <span><strong class="command">managed-keys</strong></span> statement, checks to
- make sure RFC 5011 key maintenance has already been initialized
- for the specified domain, and if so, it simply moves on. The
- key specified in the <span><strong class="command">managed-keys</strong></span> is not
- used to validate answers; it has been superseded by the key or
- keys stored in the managed keys database.
- </p>
- <p>
- The next time <span><strong class="command">named</strong></span> runs after a name
- has been <span class="emphasis"><em>removed</em></span> from the
- <span><strong class="command">managed-keys</strong></span> statement, the corresponding
- zone will be removed from the managed keys database,
- and RFC 5011 key maintenance will no longer be used for that
- domain.
- </p>
- <p>
- <span><strong class="command">named</strong></span> only maintains a single managed keys
- database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>,
- <span><strong class="command">managed-keys</strong></span> may only be set at the top
- level of <code class="filename">named.conf</code>, not within a view.
- </p>
- <p>
- In the current implementation, the managed keys database is
- stored as a master-format zone file called
- <code class="filename">managed-keys.bind</code>. When the key database
- is changed, the zone is updated. As with any other dynamic
- zone, changes will be written into a journal file,
- <code class="filename">managed-keys.bind.jnl</code>. They are committed
- to the master file as soon as possible afterward; in the case
- of the managed key database, this will usually occur within 30
- seconds. So, whenever <span><strong class="command">named</strong></span> is using
- automatic key maintenance, those two files can be expected to
- exist in the working directory. (For this reason among others,
- the working directory should be always be writable by
- <span><strong class="command">named</strong></span>.)
- </p>
- <p>
- If the <span><strong class="command">dnssec-lookaside</strong></span> option is
- set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span>
- will automatically initialize a managed key for the
- zone <code class="literal">dlv.isc.org</code>. The key that is
- used to initialize the key maintenance process is built
- into <span><strong class="command">named</strong></span>, and can be overridden
- from <span><strong class="command">bindkeys-file</strong></span>.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- match-clients { <em class="replaceable"><code>address_match_list</code></em> };
- match-destinations { <em class="replaceable"><code>address_match_list</code></em> };
- match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
- [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
- [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2590162"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
- <p>
- The <span><strong class="command">view</strong></span> statement is a powerful
- feature
- of <acronym class="acronym">BIND</acronym> 9 that lets a name server
- answer a DNS query differently
- depending on who is asking. It is particularly useful for
- implementing
- split DNS setups without having to run multiple servers.
- </p>
- <p>
- Each <span><strong class="command">view</strong></span> statement defines a view
- of the
- DNS namespace that will be seen by a subset of clients. A client
- matches
- a view if its source IP address matches the
- <code class="varname">address_match_list</code> of the view's
- <span><strong class="command">match-clients</strong></span> clause and its
- destination IP address matches
- the <code class="varname">address_match_list</code> of the
- view's
- <span><strong class="command">match-destinations</strong></span> clause. If not
- specified, both
- <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
- default to matching all addresses. In addition to checking IP
- addresses
- <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
- can also take <span><strong class="command">keys</strong></span> which provide an
- mechanism for the
- client to select the view. A view can also be specified
- as <span><strong class="command">match-recursive-only</strong></span>, which
- means that only recursive
- requests from matching clients will match that view.
- The order of the <span><strong class="command">view</strong></span> statements is
- significant —
- a client request will be resolved in the context of the first
- <span><strong class="command">view</strong></span> that it matches.
- </p>
- <p>
- Zones defined within a <span><strong class="command">view</strong></span>
- statement will
- only be accessible to clients that match the <span><strong class="command">view</strong></span>.
- By defining a zone of the same name in multiple views, different
- zone data can be given to different clients, for example,
- "internal"
- and "external" clients in a split DNS setup.
- </p>
- <p>
- Many of the options given in the <span><strong class="command">options</strong></span> statement
- can also be used within a <span><strong class="command">view</strong></span>
- statement, and then
- apply only when resolving queries with that view. When no
- view-specific
- value is given, the value in the <span><strong class="command">options</strong></span> statement
- is used as a default. Also, zone options can have default values
- specified
- in the <span><strong class="command">view</strong></span> statement; these
- view-specific defaults
- take precedence over those in the <span><strong class="command">options</strong></span> statement.
- </p>
- <p>
- Views are class specific. If no class is given, class IN
- is assumed. Note that all non-IN views must contain a hint zone,
- since only the IN class has compiled-in default hints.
- </p>
- <p>
- If there are no <span><strong class="command">view</strong></span> statements in
- the config
- file, a default view that matches any client is automatically
- created
- in class IN. Any <span><strong class="command">zone</strong></span> statements
- specified on
- the top level of the configuration file are considered to be part
- of
- this default view, and the <span><strong class="command">options</strong></span>
- statement will
- apply to the default view. If any explicit <span><strong class="command">view</strong></span>
- statements are present, all <span><strong class="command">zone</strong></span>
- statements must
- occur inside <span><strong class="command">view</strong></span> statements.
- </p>
- <p>
- Here is an example of a typical split DNS setup implemented
- using <span><strong class="command">view</strong></span> statements:
- </p>
- <pre class="programlisting">view "internal" {
- // This should match our internal networks.
- match-clients { 10.0.0.0/8; };
- // Provide recursive service to internal
- // clients only.
- recursion yes;
- // Provide a complete view of the example.com
- // zone including addresses of internal hosts.
- zone "example.com" {
- type master;
- file "example-internal.db";
- };
- };
- view "external" {
- // Match all clients not matched by the
- // previous view.
- match-clients { any; };
- // Refuse recursive service to external clients.
- recursion no;
- // Provide a restricted view of the example.com
- // zone containing only publicly accessible hosts.
- zone "example.com" {
- type master;
- file "example-external.db";
- };
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
- Statement Grammar</h3></div></div></div>
- <pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type master;
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
- [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
- [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
- [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
- [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
- [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
- [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
- [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
- [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>]
- [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>]
- [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- };
- zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type slave;
- [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>]
- [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ;
- [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
- [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
- [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
- [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
- [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
- [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
- [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
- [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
- [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
- [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- };
- zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type hint;
- file <em class="replaceable"><code>string</code></em> ;
- [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented.
- };
- zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type stub;
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
- [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
- [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em>
- [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>]
- [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
- [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
- [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>)
- [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- };
- zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type static-stub;
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>]
- [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- };
- zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type forward;
- [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- };
- zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- type delegation-only;
- };
- </pre>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2591713"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2591720"></a>Zone Types</h4></div></div></div>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <code class="varname">master</code>
- </p>
- </td>
- <td>
- <p>
- The server has a master copy of the data
- for the zone and will be able to provide authoritative
- answers for
- it.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">slave</code>
- </p>
- </td>
- <td>
- <p>
- A slave zone is a replica of a master
- zone. The <span><strong class="command">masters</strong></span> list
- specifies one or more IP addresses
- of master servers that the slave contacts to update
- its copy of the zone.
- Masters list elements can also be names of other
- masters lists.
- By default, transfers are made from port 53 on the
- servers; this can
- be changed for all servers by specifying a port number
- before the
- list of IP addresses, or on a per-server basis after
- the IP address.
- Authentication to the master can also be done with
- per-server TSIG keys.
- If a file is specified, then the
- replica will be written to this file whenever the zone
- is changed,
- and reloaded from this file on a server restart. Use
- of a file is
- recommended, since it often speeds server startup and
- eliminates
- a needless waste of bandwidth. Note that for large
- numbers (in the
- tens or hundreds of thousands) of zones per server, it
- is best to
- use a two-level naming scheme for zone filenames. For
- example,
- a slave server for the zone <code class="literal">example.com</code> might place
- the zone contents into a file called
- <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
- just the first two letters of the zone name. (Most
- operating systems
- behave very slowly if you put 100000 files into
- a single directory.)
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">stub</code>
- </p>
- </td>
- <td>
- <p>
- A stub zone is similar to a slave zone,
- except that it replicates only the NS records of a
- master zone instead
- of the entire zone. Stub zones are not a standard part
- of the DNS;
- they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation.
- </p>
- <p>
- Stub zones can be used to eliminate the need for glue
- NS record
- in a parent zone at the expense of maintaining a stub
- zone entry and
- a set of name server addresses in <code class="filename">named.conf</code>.
- This usage is not recommended for new configurations,
- and BIND 9
- supports it only in a limited way.
- In <acronym class="acronym">BIND</acronym> 4/8, zone
- transfers of a parent zone
- included the NS records from stub children of that
- zone. This meant
- that, in some cases, users could get away with
- configuring child stubs
- only in the master server for the parent zone. <acronym class="acronym">BIND</acronym>
- 9 never mixes together zone data from different zones
- in this
- way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent
- zone has child stub zones configured, all the slave
- servers for the
- parent zone also need to have the same child stub
- zones
- configured.
- </p>
- <p>
- Stub zones can also be used as a way of forcing the
- resolution
- of a given domain to use a particular set of
- authoritative servers.
- For example, the caching name servers on a private
- network using
- RFC1918 addressing may be configured with stub zones
- for
- <code class="literal">10.in-addr.arpa</code>
- to use a set of internal name servers as the
- authoritative
- servers for that domain.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">static-stub</code>
- </p>
- </td>
- <td>
- <p>
- A static-stub zone is similar to a stub zone
- with the following exceptions:
- the zone data is statically configured, rather
- than transferred from a master server;
- when recursion is necessary for a query that
- matches a static-stub zone, the locally
- configured data (nameserver names and glue addresses)
- is always used even if different authoritative
- information is cached.
- </p>
- <p>
- Zone data is configured via the
- <span><strong class="command">server-addresses</strong></span> and
- <span><strong class="command">server-names</strong></span> zone options.
- </p>
- <p>
- The zone data is maintained in the form of NS
- and (if necessary) glue A or AAAA RRs
- internally, which can be seen by dumping zone
- databases by <span><strong class="command">rndc dumpdb -all</strong></span>.
- The configured RRs are considered local configuration
- parameters rather than public data.
- Non recursive queries (i.e., those with the RD
- bit off) to a static-stub zone are therefore
- prohibited and will be responded with REFUSED.
- </p>
- <p>
- Since the data is statically configured, no
- zone maintenance action takes place for a static-stub
- zone.
- For example, there is no periodic refresh
- attempt, and an incoming notify message
- will be rejected with an rcode of NOTAUTH.
- </p>
- <p>
- Each static-stub zone is configured with
- internally generated NS and (if necessary)
- glue A or AAAA RRs
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">forward</code>
- </p>
- </td>
- <td>
- <p>
- A "forward zone" is a way to configure
- forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
- of type <span><strong class="command">forward</strong></span> can
- contain a <span><strong class="command">forward</strong></span>
- and/or <span><strong class="command">forwarders</strong></span>
- statement,
- which will apply to queries within the domain given by
- the zone
- name. If no <span><strong class="command">forwarders</strong></span>
- statement is present or
- an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
- forwarding will be done for the domain, canceling the
- effects of
- any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
- if you want to use this type of zone to change the
- behavior of the
- global <span><strong class="command">forward</strong></span> option
- (that is, "forward first"
- to, then "forward only", or vice versa, but want to
- use the same
- servers as set globally) you need to re-specify the
- global forwarders.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">hint</code>
- </p>
- </td>
- <td>
- <p>
- The initial set of root name servers is
- specified using a "hint zone". When the server starts
- up, it uses
- the root hints to find a root name server and get the
- most recent
- list of root name servers. If no hint zone is
- specified for class
- IN, the server uses a compiled-in default set of root
- servers hints.
- Classes other than IN have no built-in defaults hints.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">delegation-only</code>
- </p>
- </td>
- <td>
- <p>
- This is used to enforce the delegation-only
- status of infrastructure zones (e.g. COM,
- NET, ORG). Any answer that is received
- without an explicit or implicit delegation
- in the authority section will be treated
- as NXDOMAIN. This does not apply to the
- zone apex. This should not be applied to
- leaf zones.
- </p>
- <p>
- <code class="varname">delegation-only</code> has no
- effect on answers received from forwarders.
- </p>
- <p>
- See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2592402"></a>Class</h4></div></div></div>
- <p>
- The zone's name may optionally be followed by a class. If
- a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
- is assumed. This is correct for the vast majority of cases.
- </p>
- <p>
- The <code class="literal">hesiod</code> class is
- named for an information service from MIT's Project Athena. It
- is
- used to share information about various systems databases, such
- as users, groups, printers and so on. The keyword
- <code class="literal">HS</code> is
- a synonym for hesiod.
- </p>
- <p>
- Another MIT development is Chaosnet, a LAN protocol created
- in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2592503"></a>Zone Options</h4></div></div></div>
- <div class="variablelist"><dl>
- <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
- <dd><p>
- See the description of <span><strong class="command">allow-transfer</strong></span>
- in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
- <dd><p>
- See the description of <span><strong class="command">allow-update</strong></span>
- in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
- <dd><p>
- Specifies a "Simple Secure Update" policy. See
- <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
- <dd><p>
- See the description of <span><strong class="command">allow-update-forwarding</strong></span>
- in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
- <dd><p>
- Only meaningful if <span><strong class="command">notify</strong></span>
- is
- active for this zone. The set of machines that will
- receive a
- <code class="literal">DNS NOTIFY</code> message
- for this zone is made up of all the listed name servers
- (other than
- the primary master) for the zone plus any IP addresses
- specified
- with <span><strong class="command">also-notify</strong></span>. A port
- may be specified
- with each <span><strong class="command">also-notify</strong></span>
- address to send the notify
- messages to a port other than the default of 53.
- <span><strong class="command">also-notify</strong></span> is not
- meaningful for stub zones.
- The default is the empty list.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
- <dd><p>
- This option is used to restrict the character set and
- syntax of
- certain domain names in master files and/or DNS responses
- received from the
- network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
- zones the default is <span><strong class="command">warn</strong></span>.
- It is not implemented for <span><strong class="command">hint</strong></span> zones.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
- <dd>
- <p>
- Specify the type of database to be used for storing the
- zone data. The string following the <span><strong class="command">database</strong></span> keyword
- is interpreted as a list of whitespace-delimited words.
- The first word
- identifies the database type, and any subsequent words are
- passed
- as arguments to the database to be interpreted in a way
- specific
- to the database type.
- </p>
- <p>
- The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's
- native in-memory
- red-black-tree database. This database does not take
- arguments.
- </p>
- <p>
- Other values are possible if additional database drivers
- have been linked into the server. Some sample drivers are
- included
- with the distribution but none are linked in by default.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
- <dd>
- <p>
- The flag only applies to hint and stub zones. If set
- to <strong class="userinput"><code>yes</code></strong>, then the zone will also be
- treated as if it is also a delegation-only type zone.
- </p>
- <p>
- See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
- <dd><p>
- Only meaningful if the zone has a forwarders
- list. The <span><strong class="command">only</strong></span> value causes
- the lookup to fail
- after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
- allow a normal lookup to be tried.
- </p></dd>
- <dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
- <dd><p>
- Used to override the list of global forwarders.
- If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
- no forwarding is done for the zone and the global options are
- not used.
- </p></dd>
- <dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
- <dd><p>
- Was used in <acronym class="acronym">BIND</acronym> 8 to
- specify the name
- of the transaction log (journal) file for dynamic update
- and IXFR.
- <acronym class="acronym">BIND</acronym> 9 ignores the option
- and constructs the name of the journal
- file by appending "<code class="filename">.jnl</code>"
- to the name of the
- zone file.
- </p></dd>
- <dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
- <dd><p>
- Was an undocumented option in <acronym class="acronym">BIND</acronym> 8.
- Ignored in <acronym class="acronym">BIND</acronym> 9.
- </p></dd>
- <dt><span class="term"><span><strong class="command">journal</strong></span></span></dt>
- <dd><p>
- Allow the default journal's filename to be overridden.
- The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
- This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">notify-to-soa</strong></span> in
- <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
- <dd><p>
- In <acronym class="acronym">BIND</acronym> 8, this option was
- intended for specifying
- a public zone key for verification of signatures in DNSSEC
- signed
- zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures
- on load and ignores the option.
- </p></dd>
- <dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
- <dd><p>
- If <strong class="userinput"><code>yes</code></strong>, the server will keep
- statistical
- information for this zone, which can be dumped to the
- <span><strong class="command">statistics-file</strong></span> defined in
- the server options.
- </p></dd>
- <dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt>
- <dd>
- <p>
- Only meaningful for static-stub zones.
- This is a list of IP addresses to which queries
- should be sent in recursive resolution for the
- zone.
- A non empty list for this option will internally
- configure the apex NS RR with associated glue A or
- AAAA RRs.
- </p>
- <p>
- For example, if "example.com" is configured as a
- static-stub zone with 192.0.2.1 and 2001:db8::1234
- in a <span><strong class="command">server-addresses</strong></span> option,
- the following RRs will be internally configured.
- </p>
- <pre class="programlisting">example.com. NS example.com.
- example.com. A 192.0.2.1
- example.com. AAAA 2001:db8::1234</pre>
- <p>
- These records are internally used to resolve
- names under the static-stub zone.
- For instance, if the server receives a query for
- "www.example.com" with the RD bit on, the server
- will initiate recursive resolution and send
- queries to 192.0.2.1 and/or 2001:db8::1234.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt>
- <dd>
- <p>
- Only meaningful for static-stub zones.
- This is a list of domain names of nameservers that
- act as authoritative servers of the static-stub
- zone.
- These names will be resolved to IP addresses when
- <span><strong class="command">named</strong></span> needs to send queries to
- these servers.
- To make this supplemental resolution successful,
- these names must not be a subdomain of the origin
- name of static-stub zone.
- That is, when "example.net" is the origin of a
- static-stub zone, "ns.example" and
- "master.example.com" can be specified in the
- <span><strong class="command">server-names</strong></span> option, but
- "ns.example.net" cannot, and will be rejected by
- the configuration parser.
- </p>
- <p>
- A non empty list for this option will internally
- configure the apex NS RR with the specified names.
- For example, if "example.com" is configured as a
- static-stub zone with "ns1.example.net" and
- "ns2.example.net"
- in a <span><strong class="command">server-names</strong></span> option,
- the following RRs will be internally configured.
- </p>
- <pre class="programlisting">example.com. NS ns1.example.net.
- example.com. NS ns2.example.net.
- </pre>
- <p>
- These records are internally used to resolve
- names under the static-stub zone.
- For instance, if the server receives a query for
- "www.example.com" with the RD bit on, the server
- initiate recursive resolution,
- resolve "ns1.example.net" and/or
- "ns2.example.net" to IP addresses, and then send
- queries to (one or more of) these addresses.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>.
- </p></dd>
- <dt>
- <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
- </dt>
- <dd><p>
- See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- (Note that the <span><strong class="command">ixfr-from-differences</strong></span>
- <strong class="userinput"><code>master</code></strong> and
- <strong class="userinput"><code>slave</code></strong> choices are not
- available at the zone level.)
- </p></dd>
- <dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and
- Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and
- Usage”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt>
- <dd>
- <p>
- Zones configured for dynamic DNS may also use this
- option to allow varying levels of automatic DNSSEC key
- management. There are three possible settings:
- </p>
- <p>
- <span><strong class="command">auto-dnssec allow;</strong></span> permits
- keys to be updated and the zone fully re-signed
- whenever the user issues the command <span><strong class="command">rndc sign
- <em class="replaceable"><code>zonename</code></em></strong></span>.
- </p>
- <p>
- <span><strong class="command">auto-dnssec maintain;</strong></span> includes the
- above, but also automatically adjusts the zone's DNSSEC
- keys on schedule, according to the keys' timing metadata
- (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and
- <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command
- <span><strong class="command">rndc sign
- <em class="replaceable"><code>zonename</code></em></strong></span> causes
- <span><strong class="command">named</strong></span> to load keys from the key
- repository and sign the zone with all keys that are
- active.
- <span><strong class="command">rndc loadkeys
- <em class="replaceable"><code>zonename</code></em></strong></span> causes
- <span><strong class="command">named</strong></span> to load keys from the key
- repository and schedule key maintenance events to occur
- in the future, but it does not sign the full zone
- immediately. Note: once keys have been loaded for a
- zone the first time, the repository will be searched
- for changes periodically, regardless of whether
- <span><strong class="command">rndc loadkeys</strong></span> is used. The recheck
- interval is hard-coded to
- one hour.
- </p>
- <p>
- <span><strong class="command">auto-dnssec create;</strong></span> includes the
- above, but also allows <span><strong class="command">named</strong></span>
- to create new keys in the key repository when needed.
- (NOTE: This option is not yet implemented; the syntax is
- being reserved for future use.)
- </p>
- <p>
- The default setting is <span><strong class="command">auto-dnssec off</strong></span>.
- </p>
- </dd>
- <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
- <dd><p>
- See the description of <span><strong class="command">multi-master</strong></span> in
- <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt>
- <dd><p>
- See the description of <span><strong class="command">masterfile-format</strong></span>
- in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>.
- </p></dd>
- <dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt>
- <dd><p>
- See the description of
- <span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>.
- </p></dd>
- </dl></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
- <p><acronym class="acronym">BIND</acronym> 9 supports two alternative
- methods of granting clients the right to perform
- dynamic updates to a zone, configured by the
- <span><strong class="command">allow-update</strong></span> and
- <span><strong class="command">update-policy</strong></span> option, respectively.
- </p>
- <p>
- The <span><strong class="command">allow-update</strong></span> clause works the
- same way as in previous versions of <acronym class="acronym">BIND</acronym>.
- It grants given clients the permission to update any
- record of any name in the zone.
- </p>
- <p>
- The <span><strong class="command">update-policy</strong></span> clause
- allows more fine-grained control over what updates are
- allowed. A set of rules is specified, where each rule
- either grants or denies permissions for one or more
- names to be updated by one or more identities. If
- the dynamic update request message is signed (that is,
- it includes either a TSIG or SIG(0) record), the
- identity of the signer can be determined.
- </p>
- <p>
- Rules are specified in the <span><strong class="command">update-policy</strong></span>
- zone option, and are only meaningful for master zones.
- When the <span><strong class="command">update-policy</strong></span> statement
- is present, it is a configuration error for the
- <span><strong class="command">allow-update</strong></span> statement to be
- present. The <span><strong class="command">update-policy</strong></span> statement
- only examines the signer of a message; the source
- address is not relevant.
- </p>
- <p>
- There is a pre-defined <span><strong class="command">update-policy</strong></span>
- rule which can be switched on with the command
- <span><strong class="command">update-policy local;</strong></span>.
- Switching on this rule in a zone causes
- <span><strong class="command">named</strong></span> to generate a TSIG session
- key and place it in a file, and to allow that key
- to update the zone. (By default, the file is
- <code class="filename">/var/run/named/session.key</code>, the key
- name is "local-ddns" and the key algorithm is HMAC-SHA256,
- but these values are configurable with the
- <span><strong class="command">session-keyfile</strong></span>,
- <span><strong class="command">session-keyname</strong></span> and
- <span><strong class="command">session-keyalg</strong></span> options, respectively).
- </p>
- <p>
- A client running on the local system, and with appropriate
- permissions, may read that file and use the key to sign update
- requests. The zone's update policy will be set to allow that
- key to change any record within the zone. Assuming the
- key name is "local-ddns", this policy is equivalent to:
- </p>
- <pre class="programlisting">update-policy { grant local-ddns zonesub any; };
- </pre>
- <p>
- The command <span><strong class="command">nsupdate -l</strong></span> sends update
- requests to localhost, and signs them using the session key.
- </p>
- <p>
- Other rule definitions look like this:
- </p>
- <pre class="programlisting">
- ( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
- </pre>
- <p>
- Each rule grants or denies privileges. Once a message has
- successfully matched a rule, the operation is immediately
- granted or denied and no further rules are examined. A rule
- is matched when the signer matches the identity field, the
- name matches the name field in accordance with the nametype
- field, and the type matches the types specified in the type
- field.
- </p>
- <p>
- No signer is required for <em class="replaceable"><code>tcp-self</code></em>
- or <em class="replaceable"><code>6to4-self</code></em> however the standard
- reverse mapping / prefix conversion must match the identity
- field.
- </p>
- <p>
- The identity field specifies a name or a wildcard
- name. Normally, this is the name of the TSIG or
- SIG(0) key used to sign the update request. When a
- TKEY exchange has been used to create a shared secret,
- the identity of the shared secret is the same as the
- identity of the key used to authenticate the TKEY
- exchange. TKEY is also the negotiation method used
- by GSS-TSIG, which establishes an identity that is
- the Kerberos principal of the client, such as
- <strong class="userinput"><code>"user@host.domain"</code></strong>. When the
- <em class="replaceable"><code>identity</code></em> field specifies
- a wildcard name, it is subject to DNS wildcard
- expansion, so the rule will apply to multiple identities.
- The <em class="replaceable"><code>identity</code></em> field must
- contain a fully-qualified domain name.
- </p>
- <p>
- For nametypes <code class="varname">krb5-self</code>,
- <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>,
- and <code class="varname">ms-subdomain</code> the
- <em class="replaceable"><code>identity</code></em> field specifies
- the Windows or Kerberos realm of the machine belongs to.
- </p>
- <p>
- The <em class="replaceable"><code>nametype</code></em> field has 13
- values:
- <code class="varname">name</code>, <code class="varname">subdomain</code>,
- <code class="varname">wildcard</code>, <code class="varname">self</code>,
- <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
- <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
- <code class="varname">krb5-subdomain</code>,
- <code class="varname">ms-subdomain</code>,
- <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>,
- <code class="varname">zonesub</code>, and <code class="varname">external</code>.
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <code class="varname">name</code>
- </p>
- </td>
- <td>
- <p>
- Exact-match semantics. This rule matches
- when the name being updated is identical
- to the contents of the
- <em class="replaceable"><code>name</code></em> field.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">subdomain</code>
- </p>
- </td>
- <td>
- <p>
- This rule matches when the name being updated
- is a subdomain of, or identical to, the
- contents of the <em class="replaceable"><code>name</code></em>
- field.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">zonesub</code>
- </p>
- </td>
- <td>
- <p>
- This rule is similar to subdomain, except that
- it matches when the name being updated is a
- subdomain of the zone in which the
- <span><strong class="command">update-policy</strong></span> statement
- appears. This obviates the need to type the zone
- name twice, and enables the use of a standard
- <span><strong class="command">update-policy</strong></span> statement in
- multiple zones without modification.
- </p>
- <p>
- When this rule is used, the
- <em class="replaceable"><code>name</code></em> field is omitted.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">wildcard</code>
- </p>
- </td>
- <td>
- <p>
- The <em class="replaceable"><code>name</code></em> field
- is subject to DNS wildcard expansion, and
- this rule matches when the name being updated
- name is a valid expansion of the wildcard.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">self</code>
- </p>
- </td>
- <td>
- <p>
- This rule matches when the name being updated
- matches the contents of the
- <em class="replaceable"><code>identity</code></em> field.
- The <em class="replaceable"><code>name</code></em> field
- is ignored, but should be the same as the
- <em class="replaceable"><code>identity</code></em> field.
- The <code class="varname">self</code> nametype is
- most useful when allowing using one key per
- name to update, where the key has the same
- name as the name to be updated. The
- <em class="replaceable"><code>identity</code></em> would
- be specified as <code class="constant">*</code> (an asterisk) in
- this case.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">selfsub</code>
- </p>
- </td>
- <td>
- <p>
- This rule is similar to <code class="varname">self</code>
- except that subdomains of <code class="varname">self</code>
- can also be updated.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">selfwild</code>
- </p>
- </td>
- <td>
- <p>
- This rule is similar to <code class="varname">self</code>
- except that only subdomains of
- <code class="varname">self</code> can be updated.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ms-self</code>
- </p>
- </td>
- <td>
- <p>
- This rule takes a Windows machine principal
- (machine$@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
- to update machine.realm. The REALM to be matched
- is specified in the <font color="red"><replacable>identity</replacable></font>
- field.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">ms-subdomain</code>
- </p>
- </td>
- <td>
- <p>
- This rule takes a Windows machine principal
- (machine$@REALM) for machine in REALM and
- converts it to machine.realm allowing the machine
- to update subdomains of machine.realm. The REALM
- to be matched is specified in the
- <font color="red"><replacable>identity</replacable></font> field.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">krb5-self</code>
- </p>
- </td>
- <td>
- <p>
- This rule takes a Kerberos machine principal
- (host/machine@REALM) for machine in REALM and
- and converts it machine.realm allowing the machine
- to update machine.realm. The REALM to be matched
- is specified in the <font color="red"><replacable>identity</replacable></font>
- field.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">krb5-subdomain</code>
- </p>
- </td>
- <td>
- <p>
- This rule takes a Kerberos machine principal
- (host/machine@REALM) for machine in REALM and
- converts it to machine.realm allowing the machine
- to update subdomains of machine.realm. The REALM
- to be matched is specified in the
- <font color="red"><replacable>identity</replacable></font> field.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">tcp-self</code>
- </p>
- </td>
- <td>
- <p>
- Allow updates that have been sent via TCP and
- for which the standard mapping from the initiating
- IP address into the IN-ADDR.ARPA and IP6.ARPA
- namespaces match the name to be updated.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- It is theoretically possible to spoof these TCP
- sessions.
- </div>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">6to4-self</code>
- </p>
- </td>
- <td>
- <p>
- Allow the 6to4 prefix to be update by any TCP
- connection from the 6to4 network or from the
- corresponding IPv4 address. This is intended
- to allow NS or DNAME RRsets to be added to the
- reverse tree.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- It is theoretically possible to spoof these TCP
- sessions.
- </div>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="varname">external</code>
- </p>
- </td>
- <td>
- <p>
- This rule allows <span><strong class="command">named</strong></span>
- to defer the decision of whether to allow a
- given update to an external daemon.
- </p>
- <p>
- The method of communicating with the daemon is
- specified in the <em class="replaceable"><code>identity</code></em>
- field, the format of which is
- "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>",
- where <em class="replaceable"><code>path</code></em> is the location
- of a UNIX-domain socket. (Currently, "local" is the
- only supported mechanism.)
- </p>
- <p>
- Requests to the external daemon are sent over the
- UNIX-domain socket as datagrams with the following
- format:
- </p>
- <pre class="programlisting">
- Protocol version number (4 bytes, network byte order, currently 1)
- Request length (4 bytes, network byte order)
- Signer (null-terminated string)
- Name (null-terminated string)
- TCP source address (null-terminated string)
- Rdata type (null-terminated string)
- Key (null-terminated string)
- TKEY token length (4 bytes, network byte order)
- TKEY token (remainder of packet)</pre>
- <p>
- The daemon replies with a four-byte value in
- network byte order, containing either 0 or 1; 0
- indicates that the specified update is not
- permitted, and 1 indicates that it is.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- In all cases, the <em class="replaceable"><code>name</code></em>
- field must specify a fully-qualified domain name.
- </p>
- <p>
- If no types are explicitly specified, this rule matches
- all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
- may be specified by name, including "ANY" (ANY matches
- all types except NSEC and NSEC3, which can never be
- updated). Note that when an attempt is made to delete
- all records associated with a name, the rules are
- checked for each existing record type.
- </p>
- </div>
- </div>
- </div>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="id2595116"></a>Zone File</h2></div></div></div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
- <p>
- This section, largely borrowed from RFC 1034, describes the
- concept of a Resource Record (RR) and explains when each is used.
- Since the publication of RFC 1034, several new RRs have been
- identified
- and implemented in the DNS. These are also included.
- </p>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2595134"></a>Resource Records</h4></div></div></div>
- <p>
- A domain name identifies a node. Each node has a set of
- resource information, which may be empty. The set of resource
- information associated with a particular name is composed of
- separate RRs. The order of RRs in a set is not significant and
- need not be preserved by name servers, resolvers, or other
- parts of the DNS. However, sorting of multiple RRs is
- permitted for optimization purposes, for example, to specify
- that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>.
- </p>
- <p>
- The components of a Resource Record are:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- owner name
- </p>
- </td>
- <td>
- <p>
- The domain name where the RR is found.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- type
- </p>
- </td>
- <td>
- <p>
- An encoded 16-bit value that specifies
- the type of the resource record.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- TTL
- </p>
- </td>
- <td>
- <p>
- The time-to-live of the RR. This field
- is a 32-bit integer in units of seconds, and is
- primarily used by
- resolvers when they cache RRs. The TTL describes how
- long a RR can
- be cached before it should be discarded.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- class
- </p>
- </td>
- <td>
- <p>
- An encoded 16-bit value that identifies
- a protocol family or instance of a protocol.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- RDATA
- </p>
- </td>
- <td>
- <p>
- The resource data. The format of the
- data is type (and sometimes class) specific.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- The following are <span class="emphasis"><em>types</em></span> of valid RRs:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- A
- </p>
- </td>
- <td>
- <p>
- A host address. In the IN class, this is a
- 32-bit IP address. Described in RFC 1035.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- AAAA
- </p>
- </td>
- <td>
- <p>
- IPv6 address. Described in RFC 1886.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- A6
- </p>
- </td>
- <td>
- <p>
- IPv6 address. This can be a partial
- address (a suffix) and an indirection to the name
- where the rest of the
- address (the prefix) can be found. Experimental.
- Described in RFC 2874.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- AFSDB
- </p>
- </td>
- <td>
- <p>
- Location of AFS database servers.
- Experimental. Described in RFC 1183.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- APL
- </p>
- </td>
- <td>
- <p>
- Address prefix list. Experimental.
- Described in RFC 3123.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- CERT
- </p>
- </td>
- <td>
- <p>
- Holds a digital certificate.
- Described in RFC 2538.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- CNAME
- </p>
- </td>
- <td>
- <p>
- Identifies the canonical name of an alias.
- Described in RFC 1035.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- DHCID
- </p>
- </td>
- <td>
- <p>
- Is used for identifying which DHCP client is
- associated with this name. Described in RFC 4701.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- DNAME
- </p>
- </td>
- <td>
- <p>
- Replaces the domain name specified with
- another name to be looked up, effectively aliasing an
- entire
- subtree of the domain name space rather than a single
- record
- as in the case of the CNAME RR.
- Described in RFC 2672.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- DNSKEY
- </p>
- </td>
- <td>
- <p>
- Stores a public key associated with a signed
- DNS zone. Described in RFC 4034.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- DS
- </p>
- </td>
- <td>
- <p>
- Stores the hash of a public key associated with a
- signed DNS zone. Described in RFC 4034.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- GPOS
- </p>
- </td>
- <td>
- <p>
- Specifies the global position. Superseded by LOC.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- HINFO
- </p>
- </td>
- <td>
- <p>
- Identifies the CPU and OS used by a host.
- Described in RFC 1035.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- IPSECKEY
- </p>
- </td>
- <td>
- <p>
- Provides a method for storing IPsec keying material in
- DNS. Described in RFC 4025.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- ISDN
- </p>
- </td>
- <td>
- <p>
- Representation of ISDN addresses.
- Experimental. Described in RFC 1183.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- KEY
- </p>
- </td>
- <td>
- <p>
- Stores a public key associated with a
- DNS name. Used in original DNSSEC; replaced
- by DNSKEY in DNSSECbis, but still used with
- SIG(0). Described in RFCs 2535 and 2931.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- KX
- </p>
- </td>
- <td>
- <p>
- Identifies a key exchanger for this
- DNS name. Described in RFC 2230.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- LOC
- </p>
- </td>
- <td>
- <p>
- For storing GPS info. Described in RFC 1876.
- Experimental.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- MX
- </p>
- </td>
- <td>
- <p>
- Identifies a mail exchange for the domain with
- a 16-bit preference value (lower is better)
- followed by the host name of the mail exchange.
- Described in RFC 974, RFC 1035.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- NAPTR
- </p>
- </td>
- <td>
- <p>
- Name authority pointer. Described in RFC 2915.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- NSAP
- </p>
- </td>
- <td>
- <p>
- A network service access point.
- Described in RFC 1706.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- NS
- </p>
- </td>
- <td>
- <p>
- The authoritative name server for the
- domain. Described in RFC 1035.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- NSEC
- </p>
- </td>
- <td>
- <p>
- Used in DNSSECbis to securely indicate that
- RRs with an owner name in a certain name interval do
- not exist in
- a zone and indicate what RR types are present for an
- existing name.
- Described in RFC 4034.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- NSEC3
- </p>
- </td>
- <td>
- <p>
- Used in DNSSECbis to securely indicate that
- RRs with an owner name in a certain name
- interval do not exist in a zone and indicate
- what RR types are present for an existing
- name. NSEC3 differs from NSEC in that it
- prevents zone enumeration but is more
- computationally expensive on both the server
- and the client than NSEC. Described in RFC
- 5155.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- NSEC3PARAM
- </p>
- </td>
- <td>
- <p>
- Used in DNSSECbis to tell the authoritative
- server which NSEC3 chains are available to use.
- Described in RFC 5155.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- NXT
- </p>
- </td>
- <td>
- <p>
- Used in DNSSEC to securely indicate that
- RRs with an owner name in a certain name interval do
- not exist in
- a zone and indicate what RR types are present for an
- existing name.
- Used in original DNSSEC; replaced by NSEC in
- DNSSECbis.
- Described in RFC 2535.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- PTR
- </p>
- </td>
- <td>
- <p>
- A pointer to another part of the domain
- name space. Described in RFC 1035.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- PX
- </p>
- </td>
- <td>
- <p>
- Provides mappings between RFC 822 and X.400
- addresses. Described in RFC 2163.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- RP
- </p>
- </td>
- <td>
- <p>
- Information on persons responsible
- for the domain. Experimental. Described in RFC 1183.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- RRSIG
- </p>
- </td>
- <td>
- <p>
- Contains DNSSECbis signature data. Described
- in RFC 4034.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- RT
- </p>
- </td>
- <td>
- <p>
- Route-through binding for hosts that
- do not have their own direct wide area network
- addresses.
- Experimental. Described in RFC 1183.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- SIG
- </p>
- </td>
- <td>
- <p>
- Contains DNSSEC signature data. Used in
- original DNSSEC; replaced by RRSIG in
- DNSSECbis, but still used for SIG(0).
- Described in RFCs 2535 and 2931.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- SOA
- </p>
- </td>
- <td>
- <p>
- Identifies the start of a zone of authority.
- Described in RFC 1035.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- SPF
- </p>
- </td>
- <td>
- <p>
- Contains the Sender Policy Framework information
- for a given email domain. Described in RFC 4408.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- SRV
- </p>
- </td>
- <td>
- <p>
- Information about well known network
- services (replaces WKS). Described in RFC 2782.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- SSHFP
- </p>
- </td>
- <td>
- <p>
- Provides a way to securely publish a secure shell key's
- fingerprint. Described in RFC 4255.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- TXT
- </p>
- </td>
- <td>
- <p>
- Text records. Described in RFC 1035.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- WKS
- </p>
- </td>
- <td>
- <p>
- Information about which well known
- network services, such as SMTP, that a domain
- supports. Historical.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- X25
- </p>
- </td>
- <td>
- <p>
- Representation of X.25 network addresses.
- Experimental. Described in RFC 1183.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- The following <span class="emphasis"><em>classes</em></span> of resource records
- are currently valid in the DNS:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- IN
- </p>
- </td>
- <td>
- <p>
- The Internet.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- CH
- </p>
- </td>
- <td>
- <p>
- Chaosnet, a LAN protocol created at MIT in the
- mid-1970s.
- Rarely used for its historical purpose, but reused for
- BIND's
- built-in server information zones, e.g.,
- <code class="literal">version.bind</code>.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- HS
- </p>
- </td>
- <td>
- <p>
- Hesiod, an information service
- developed by MIT's Project Athena. It is used to share
- information
- about various systems databases, such as users,
- groups, printers
- and so on.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- The owner name is often implicit, rather than forming an
- integral
- part of the RR. For example, many name servers internally form
- tree
- or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
- which is consistent for all RRs, and a variable part (RDATA)
- that
- fits the needs of the resource being described.
- </p>
- <p>
- The meaning of the TTL field is a time limit on how long an
- RR can be kept in a cache. This limit does not apply to
- authoritative
- data in zones; it is also timed out, but by the refreshing
- policies
- for the zone. The TTL is assigned by the administrator for the
- zone where the data originates. While short TTLs can be used to
- minimize caching, and a zero TTL prohibits caching, the
- realities
- of Internet performance suggest that these times should be on
- the
- order of days for the typical host. If a change can be
- anticipated,
- the TTL can be reduced prior to the change to minimize
- inconsistency
- during the change, and then increased back to its former value
- following
- the change.
- </p>
- <p>
- The data in the RDATA section of RRs is carried as a combination
- of binary strings and domain names. The domain names are
- frequently
- used as "pointers" to other data in the DNS.
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2596826"></a>Textual expression of RRs</h4></div></div></div>
- <p>
- RRs are represented in binary form in the packets of the DNS
- protocol, and are usually represented in highly encoded form
- when
- stored in a name server or resolver. In the examples provided
- in
- RFC 1034, a style similar to that used in master files was
- employed
- in order to show the contents of RRs. In this format, most RRs
- are shown on a single line, although continuation lines are
- possible
- using parentheses.
- </p>
- <p>
- The start of the line gives the owner of the RR. If a line
- begins with a blank, then the owner is assumed to be the same as
- that of the previous RR. Blank lines are often included for
- readability.
- </p>
- <p>
- Following the owner, we list the TTL, type, and class of the
- RR. Class and type use the mnemonics defined above, and TTL is
- an integer before the type field. In order to avoid ambiguity
- in
- parsing, type and class mnemonics are disjoint, TTLs are
- integers,
- and the type mnemonic is always last. The IN class and TTL
- values
- are often omitted from examples in the interests of clarity.
- </p>
- <p>
- The resource data or RDATA section of the RR are given using
- knowledge of the typical representation for the data.
- </p>
- <p>
- For example, we might show the RRs carried in a message as:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <code class="literal">ISI.EDU.</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10 VENERA.ISI.EDU.</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p></p>
- </td>
- <td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10 VAXA.ISI.EDU</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="literal">VENERA.ISI.EDU</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">128.9.0.32</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p></p>
- </td>
- <td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10.1.0.52</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="literal">VAXA.ISI.EDU</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10.2.0.27</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p></p>
- </td>
- <td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">128.9.0.33</code>
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- The MX RRs have an RDATA section which consists of a 16-bit
- number followed by a domain name. The address RRs use a
- standard
- IP address format to contain a 32-bit internet address.
- </p>
- <p>
- The above example shows six RRs, with two RRs at each of three
- domain names.
- </p>
- <p>
- Similarly we might see:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <code class="literal">XX.LCS.MIT.EDU.</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">IN A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10.0.0.44</code>
- </p>
- </td>
- </tr>
- <tr>
- <td> </td>
- <td>
- <p>
- <code class="literal">CH A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">MIT.EDU. 2420</code>
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- This example shows two addresses for
- <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class.
- </p>
- </div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2597415"></a>Discussion of MX Records</h3></div></div></div>
- <p>
- As described above, domain servers store information as a
- series of resource records, each of which contains a particular
- piece of information about a given domain name (which is usually,
- but not always, a host). The simplest way to think of a RR is as
- a typed pair of data, a domain name matched with a relevant datum,
- and stored with some additional type information to help systems
- determine when the RR is relevant.
- </p>
- <p>
- MX records are used to control delivery of email. The data
- specified in the record is a priority and a domain name. The
- priority
- controls the order in which email delivery is attempted, with the
- lowest number first. If two priorities are the same, a server is
- chosen randomly. If no servers at a given priority are responding,
- the mail transport agent will fall back to the next largest
- priority.
- Priority numbers do not have any absolute meaning — they are
- relevant
- only respective to other MX records for that domain name. The
- domain
- name given is the machine to which the mail will be delivered.
- It <span class="emphasis"><em>must</em></span> have an associated address record
- (A or AAAA) — CNAME is not sufficient.
- </p>
- <p>
- For a given domain, if there is both a CNAME record and an
- MX record, the MX record is in error, and will be ignored.
- Instead,
- the mail will be delivered to the server specified in the MX
- record
- pointed to by the CNAME.
- For example:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- <col>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <code class="literal">example.com.</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">mail.example.com.</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p></p>
- </td>
- <td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">mail2.example.com.</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p></p>
- </td>
- <td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">MX</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">20</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">mail.backup.org.</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="literal">mail.example.com.</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10.0.0.1</code>
- </p>
- </td>
- <td>
- <p></p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="literal">mail2.example.com.</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">IN</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">A</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">10.0.0.2</code>
- </p>
- </td>
- <td>
- <p></p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
- <code class="literal">mail2.example.com</code> (in
- any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
- be attempted.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
- <p>
- The time-to-live of the RR field is a 32-bit integer represented
- in units of seconds, and is primarily used by resolvers when they
- cache RRs. The TTL describes how long a RR can be cached before it
- should be discarded. The following three types of TTL are
- currently
- used in a zone file.
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- SOA
- </p>
- </td>
- <td>
- <p>
- The last field in the SOA is the negative
- caching TTL. This controls how long other servers will
- cache no-such-domain
- (NXDOMAIN) responses from you.
- </p>
- <p>
- The maximum time for
- negative caching is 3 hours (3h).
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- $TTL
- </p>
- </td>
- <td>
- <p>
- The $TTL directive at the top of the
- zone file (before the SOA) gives a default TTL for every
- RR without
- a specific TTL set.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- RR TTLs
- </p>
- </td>
- <td>
- <p>
- Each RR can have a TTL as the second
- field in the RR, which will control how long other
- servers can cache
- the it.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- All of these TTLs default to units of seconds, though units
- can be explicitly specified, for example, <code class="literal">1h30m</code>.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2597962"></a>Inverse Mapping in IPv4</h3></div></div></div>
- <p>
- Reverse name resolution (that is, translation from IP address
- to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
- and PTR records. Entries in the in-addr.arpa domain are made in
- least-to-most significant order, read left to right. This is the
- opposite order to the way IP addresses are usually written. Thus,
- a machine with an IP address of 10.1.2.3 would have a
- corresponding
- in-addr.arpa name of
- 3.2.1.10.in-addr.arpa. This name should have a PTR resource record
- whose data field is the name of the machine or, optionally,
- multiple
- PTR records if the machine has more than one name. For example,
- in the [<span class="optional">example.com</span>] domain:
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <code class="literal">$ORIGIN</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">2.1.10.in-addr.arpa</code>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>
- <code class="literal">3</code>
- </p>
- </td>
- <td>
- <p>
- <code class="literal">IN PTR foo.example.com.</code>
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
- are for providing context to the examples only — they do not
- necessarily
- appear in the actual usage. They are only used here to indicate
- that the example is relative to the listed origin.
- </p>
- </div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2598157"></a>Other Zone File Directives</h3></div></div></div>
- <p>
- The Master File Format was initially defined in RFC 1035 and
- has subsequently been extended. While the Master File Format
- itself
- is class independent all records in a Master File must be of the
- same
- class.
- </p>
- <p>
- Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
- and <span><strong class="command">$TTL.</strong></span>
- </p>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2598180"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div>
- <p>
- When used in the label (or name) field, the asperand or
- at-sign (@) symbol represents the current origin.
- At the start of the zone file, it is the
- <<code class="varname">zone_name</code>> (followed by
- trailing dot).
- </p>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2598196"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
- <p>
- Syntax: <span><strong class="command">$ORIGIN</strong></span>
- <em class="replaceable"><code>domain-name</code></em>
- [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
- </p>
- <p><span><strong class="command">$ORIGIN</strong></span>
- sets the domain name that will be appended to any
- unqualified records. When a zone is first read in there
- is an implicit <span><strong class="command">$ORIGIN</strong></span>
- <<code class="varname">zone_name</code>><span><strong class="command">.</strong></span>
- (followed by trailing dot).
- The current <span><strong class="command">$ORIGIN</strong></span> is appended to
- the domain specified in the <span><strong class="command">$ORIGIN</strong></span>
- argument if it is not absolute.
- </p>
- <pre class="programlisting">
- $ORIGIN example.com.
- WWW CNAME MAIN-SERVER
- </pre>
- <p>
- is equivalent to
- </p>
- <pre class="programlisting">
- WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
- </pre>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2598325"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
- <p>
- Syntax: <span><strong class="command">$INCLUDE</strong></span>
- <em class="replaceable"><code>filename</code></em>
- [<span class="optional">
- <em class="replaceable"><code>origin</code></em> </span>]
- [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]
- </p>
- <p>
- Read and process the file <code class="filename">filename</code> as
- if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
- specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
- to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
- used.
- </p>
- <p>
- The origin and the current domain name
- revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
- the file has been read.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- <p>
- RFC 1035 specifies that the current origin should be restored
- after
- an <span><strong class="command">$INCLUDE</strong></span>, but it is silent
- on whether the current
- domain name should also be restored. BIND 9 restores both of
- them.
- This could be construed as a deviation from RFC 1035, a
- feature, or both.
- </p>
- </div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2598394"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
- <p>
- Syntax: <span><strong class="command">$TTL</strong></span>
- <em class="replaceable"><code>default-ttl</code></em>
- [<span class="optional">
- <em class="replaceable"><code>comment</code></em> </span>]
- </p>
- <p>
- Set the default Time To Live (TTL) for subsequent records
- with undefined TTLs. Valid TTLs are of the range 0-2147483647
- seconds.
- </p>
- <p><span><strong class="command">$TTL</strong></span>
- is defined in RFC 2308.
- </p>
- </div>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2598430"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
- <p>
- Syntax: <span><strong class="command">$GENERATE</strong></span>
- <em class="replaceable"><code>range</code></em>
- <em class="replaceable"><code>lhs</code></em>
- [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>]
- [<span class="optional"><em class="replaceable"><code>class</code></em></span>]
- <em class="replaceable"><code>type</code></em>
- <em class="replaceable"><code>rhs</code></em>
- [<span class="optional"><em class="replaceable"><code>comment</code></em></span>]
- </p>
- <p><span><strong class="command">$GENERATE</strong></span>
- is used to create a series of resource records that only
- differ from each other by an
- iterator. <span><strong class="command">$GENERATE</strong></span> can be used to
- easily generate the sets of records required to support
- sub /24 reverse delegations described in RFC 2317:
- Classless IN-ADDR.ARPA delegation.
- </p>
- <pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
- $GENERATE 1-2 @ NS SERVER$.EXAMPLE.
- $GENERATE 1-127 $ CNAME $.0</pre>
- <p>
- is equivalent to
- </p>
- <pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
- 0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
- 1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
- 2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
- ...
- 127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
- </pre>
- <p>
- Generate a set of A and MX records. Note the MX's right hand
- side is a quoted string. The quotes will be stripped when the
- right hand side is processed.
- </p>
- <pre class="programlisting">
- $ORIGIN EXAMPLE.
- $GENERATE 1-127 HOST-$ A 1.2.3.$
- $GENERATE 1-127 HOST-$ MX "0 ."</pre>
- <p>
- is equivalent to
- </p>
- <pre class="programlisting">HOST-1.EXAMPLE. A 1.2.3.1
- HOST-1.EXAMPLE. MX 0 .
- HOST-2.EXAMPLE. A 1.2.3.2
- HOST-2.EXAMPLE. MX 0 .
- HOST-3.EXAMPLE. A 1.2.3.3
- HOST-3.EXAMPLE. MX 0 .
- ...
- HOST-127.EXAMPLE. A 1.2.3.127
- HOST-127.EXAMPLE. MX 0 .
- </pre>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p><span><strong class="command">range</strong></span></p>
- </td>
- <td>
- <p>
- This can be one of two forms: start-stop
- or start-stop/step. If the first form is used, then step
- is set to
- 1. All of start, stop and step must be positive.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">lhs</strong></span></p>
- </td>
- <td>
- <p>This
- describes the owner name of the resource records
- to be created. Any single <span><strong class="command">$</strong></span>
- (dollar sign)
- symbols within the <span><strong class="command">lhs</strong></span> string
- are replaced by the iterator value.
- To get a $ in the output, you need to escape the
- <span><strong class="command">$</strong></span> using a backslash
- <span><strong class="command">\</strong></span>,
- e.g. <span><strong class="command">\$</strong></span>. The
- <span><strong class="command">$</strong></span> may optionally be followed
- by modifiers which change the offset from the
- iterator, field width and base.
- Modifiers are introduced by a
- <span><strong class="command">{</strong></span> (left brace) immediately following the
- <span><strong class="command">$</strong></span> as
- <span><strong class="command">${offset[,width[,base]]}</strong></span>.
- For example, <span><strong class="command">${-20,3,d}</strong></span>
- subtracts 20 from the current value, prints the
- result as a decimal in a zero-padded field of
- width 3.
- Available output forms are decimal
- (<span><strong class="command">d</strong></span>), octal
- (<span><strong class="command">o</strong></span>), hexadecimal
- (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span>
- for uppercase) and nibble
- (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\
- for uppercase). The default modifier is
- <span><strong class="command">${0,0,d}</strong></span>. If the
- <span><strong class="command">lhs</strong></span> is not absolute, the
- current <span><strong class="command">$ORIGIN</strong></span> is appended
- to the name.
- </p>
- <p>
- In nibble mode the value will be treated as
- if it was a reversed hexadecimal string
- with each hexadecimal digit as a separate
- label. The width field includes the label
- separator.
- </p>
- <p>
- For compatibility with earlier versions,
- <span><strong class="command">$$</strong></span> is still recognized as
- indicating a literal $ in the output.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">ttl</strong></span></p>
- </td>
- <td>
- <p>
- Specifies the time-to-live of the generated records. If
- not specified this will be inherited using the
- normal TTL inheritance rules.
- </p>
- <p><span><strong class="command">class</strong></span>
- and <span><strong class="command">ttl</strong></span> can be
- entered in either order.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">class</strong></span></p>
- </td>
- <td>
- <p>
- Specifies the class of the generated records.
- This must match the zone class if it is
- specified.
- </p>
- <p><span><strong class="command">class</strong></span>
- and <span><strong class="command">ttl</strong></span> can be
- entered in either order.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">type</strong></span></p>
- </td>
- <td>
- <p>
- Any valid type.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">rhs</strong></span></p>
- </td>
- <td>
- <p>
- <span><strong class="command">rhs</strong></span>, optionally, quoted string.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension
- and not part of the standard zone file format.
- </p>
- <p>
- BIND 8 does not support the optional TTL and CLASS fields.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="zonefile_format"></a>Additional File Formats</h3></div></div></div>
- <p>
- In addition to the standard textual format, BIND 9
- supports the ability to read or dump to zone files in
- other formats. The <code class="constant">raw</code> format is
- currently available as an additional format. It is a
- binary format representing BIND 9's internal data
- structure directly, thereby remarkably improving the
- loading time.
- </p>
- <p>
- For a primary server, a zone file in the
- <code class="constant">raw</code> format is expected to be
- generated from a textual zone file by the
- <span><strong class="command">named-compilezone</strong></span> command. For a
- secondary server or for a dynamic zone, it is automatically
- generated (if this format is specified by the
- <span><strong class="command">masterfile-format</strong></span> option) when
- <span><strong class="command">named</strong></span> dumps the zone contents after
- zone transfer or when applying prior updates.
- </p>
- <p>
- If a zone file in a binary format needs manual modification,
- it first must be converted to a textual form by the
- <span><strong class="command">named-compilezone</strong></span> command. All
- necessary modification should go to the text file, which
- should then be converted to the binary form by the
- <span><strong class="command">named-compilezone</strong></span> command again.
- </p>
- <p>
- Although the <code class="constant">raw</code> format uses the
- network byte order and avoids architecture-dependent
- data alignment so that it is as much portable as
- possible, it is primarily expected to be used inside
- the same single system. In order to export a zone
- file in the <code class="constant">raw</code> format or make a
- portable backup of the file, it is recommended to
- convert the file to the standard textual representation.
- </p>
- </div>
- </div>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
- <p>
- <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
- information and provides several interfaces for users to
- get access to the statistics.
- The available statistics include all statistics counters
- that were available in <acronym class="acronym">BIND</acronym> 8 and
- are meaningful in <acronym class="acronym">BIND</acronym> 9,
- and other information that is considered useful.
- </p>
- <p>
- The statistics information is categorized into the following
- sections.
- </p>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>Incoming Requests</p>
- </td>
- <td>
- <p>
- The number of incoming DNS requests for each OPCODE.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>Incoming Queries</p>
- </td>
- <td>
- <p>
- The number of incoming queries for each RR type.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>Outgoing Queries</p>
- </td>
- <td>
- <p>
- The number of outgoing queries for each RR
- type sent from the internal resolver.
- Maintained per view.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>Name Server Statistics</p>
- </td>
- <td>
- <p>
- Statistics counters about incoming request processing.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>Zone Maintenance Statistics</p>
- </td>
- <td>
- <p>
- Statistics counters regarding zone maintenance
- operations such as zone transfers.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>Resolver Statistics</p>
- </td>
- <td>
- <p>
- Statistics counters about name resolution
- performed in the internal resolver.
- Maintained per view.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>Cache DB RRsets</p>
- </td>
- <td>
- <p>
- The number of RRsets per RR type and nonexistent
- names stored in the cache database.
- If the exclamation mark (!) is printed for a RR
- type, it means that particular type of RRset is
- known to be nonexistent (this is also known as
- "NXRRSET").
- Maintained per view.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p>Socket I/O Statistics</p>
- </td>
- <td>
- <p>
- Statistics counters about network related events.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- <p>
- A subset of Name Server Statistics is collected and shown
- per zone for which the server has the authority when
- <span><strong class="command">zone-statistics</strong></span> is set to
- <strong class="userinput"><code>yes</code></strong>.
- These statistics counters are shown with their zone and view
- names.
- In some cases the view names are omitted for the default view.
- </p>
- <p>
- There are currently two user interfaces to get access to the
- statistics.
- One is in the plain text format dumped to the file specified
- by the <span><strong class="command">statistics-file</strong></span> configuration option.
- The other is remotely accessible via a statistics channel
- when the <span><strong class="command">statistics-channels</strong></span> statement
- is specified in the configuration file
- (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.)
- </p>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="statsfile"></a>The Statistics File</h4></div></div></div>
- <p>
- The text format statistics dump begins with a line, like:
- </p>
- <p>
- <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
- </p>
- <p>
- The number in parentheses is a standard
- Unix-style timestamp, measured as seconds since January 1, 1970.
- Following
- that line is a set of statistics information, which is categorized
- as described above.
- Each section begins with a line, like:
- </p>
- <p>
- <span><strong class="command">++ Name Server Statistics ++</strong></span>
- </p>
- <p>
- Each section consists of lines, each containing the statistics
- counter value followed by its textual description.
- See below for available counters.
- For brevity, counters that have a value of 0 are not shown
- in the statistics file.
- </p>
- <p>
- The statistics dump ends with the line where the
- number is identical to the number in the beginning line; for example:
- </p>
- <p>
- <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
- <p>
- The following tables summarize statistics counters that
- <acronym class="acronym">BIND</acronym> 9 provides.
- For each row of the tables, the leftmost column is the
- abbreviated symbol name of that counter.
- These symbols are shown in the statistics information
- accessed via an HTTP statistics channel.
- The rightmost column gives the description of the counter,
- which is also shown in the statistics file
- (but, in this document, possibly with slight modification
- for better readability).
- Additional notes may also be provided in this column.
- When a middle column exists between these two columns,
- it gives the corresponding counter name of the
- <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
- </p>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2599384"></a>Name Server Statistics Counters</h4></div></div></div>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <span class="emphasis"><em>Symbol</em></span>
- </p>
- </td>
- <td>
- <p>
- <span class="emphasis"><em>BIND8 Symbol</em></span>
- </p>
- </td>
- <td>
- <p>
- <span class="emphasis"><em>Description</em></span>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">Requestv4</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">RQ</strong></span></p>
- </td>
- <td>
- <p>
- IPv4 requests received.
- Note: this also counts non query requests.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">Requestv6</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">RQ</strong></span></p>
- </td>
- <td>
- <p>
- IPv6 requests received.
- Note: this also counts non query requests.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">ReqEdns0</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Requests with EDNS(0) received.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">ReqBadEDNSVer</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Requests with unsupported EDNS version received.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">ReqTSIG</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Requests with TSIG received.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">ReqSIG0</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Requests with SIG(0) received.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">ReqBadSIG</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Requests with invalid (TSIG or SIG(0)) signature.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">ReqTCP</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">RTCP</strong></span></p>
- </td>
- <td>
- <p>
- TCP requests received.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">AuthQryRej</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">RUQ</strong></span></p>
- </td>
- <td>
- <p>
- Authoritative (non recursive) queries rejected.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">RecQryRej</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">RURQ</strong></span></p>
- </td>
- <td>
- <p>
- Recursive queries rejected.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">XfrRej</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">RUXFR</strong></span></p>
- </td>
- <td>
- <p>
- Zone transfer requests rejected.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">UpdateRej</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">RUUpd</strong></span></p>
- </td>
- <td>
- <p>
- Dynamic update requests rejected.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">Response</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">SAns</strong></span></p>
- </td>
- <td>
- <p>
- Responses sent.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">RespTruncated</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Truncated responses sent.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">RespEDNS0</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Responses with EDNS(0) sent.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">RespTSIG</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Responses with TSIG sent.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">RespSIG0</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Responses with SIG(0) sent.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QrySuccess</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Queries resulted in a successful answer.
- This means the query which returns a NOERROR response
- with at least one answer RR.
- This corresponds to the
- <span><strong class="command">success</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryAuthAns</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Queries resulted in authoritative answer.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryNoauthAns</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">SNaAns</strong></span></p>
- </td>
- <td>
- <p>
- Queries resulted in non authoritative answer.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryReferral</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Queries resulted in referral answer.
- This corresponds to the
- <span><strong class="command">referral</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryNxrrset</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Queries resulted in NOERROR responses with no data.
- This corresponds to the
- <span><strong class="command">nxrrset</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QrySERVFAIL</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">SFail</strong></span></p>
- </td>
- <td>
- <p>
- Queries resulted in SERVFAIL.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryFORMERR</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">SFErr</strong></span></p>
- </td>
- <td>
- <p>
- Queries resulted in FORMERR.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryNXDOMAIN</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">SNXD</strong></span></p>
- </td>
- <td>
- <p>
- Queries resulted in NXDOMAIN.
- This corresponds to the
- <span><strong class="command">nxdomain</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryRecursion</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">RFwdQ</strong></span></p>
- </td>
- <td>
- <p>
- Queries which caused the server
- to perform recursion in order to find the final answer.
- This corresponds to the
- <span><strong class="command">recursion</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryDuplicate</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command">RDupQ</strong></span></p>
- </td>
- <td>
- <p>
- Queries which the server attempted to
- recurse but discovered an existing query with the same
- IP address, port, query ID, name, type and class
- already being processed.
- This corresponds to the
- <span><strong class="command">duplicate</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryDropped</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Recursive queries for which the server
- discovered an excessive number of existing
- recursive queries for the same name, type and
- class and were subsequently dropped.
- This is the number of dropped queries due to
- the reason explained with the
- <span><strong class="command">clients-per-query</strong></span>
- and
- <span><strong class="command">max-clients-per-query</strong></span>
- options
- (see the description about
- <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
- This corresponds to the
- <span><strong class="command">dropped</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">QryFailure</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Other query failures.
- This corresponds to the
- <span><strong class="command">failure</strong></span> counter
- of previous versions of
- <acronym class="acronym">BIND</acronym> 9.
- Note: this counter is provided mainly for
- backward compatibility with the previous versions.
- Normally a more fine-grained counters such as
- <span><strong class="command">AuthQryRej</strong></span> and
- <span><strong class="command">RecQryRej</strong></span>
- that would also fall into this counter are provided,
- and so this counter would not be of much
- interest in practice.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">XfrReqDone</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Requested zone transfers completed.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">UpdateReqFwd</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Update requests forwarded.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">UpdateRespFwd</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Update responses forwarded.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">UpdateFwdFail</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Dynamic update forward failed.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">UpdateDone</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Dynamic updates completed.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">UpdateFail</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Dynamic updates failed.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">UpdateBadPrereq</strong></span></p>
- </td>
- <td>
- <p><span><strong class="command"></strong></span></p>
- </td>
- <td>
- <p>
- Dynamic updates rejected due to prerequisite failure.
- </p>
- </td>
- </tr>
- </tbody>
- </table></div>
- </div>
- <div class="sect3" lang="en">
- <div class="titlepage"><div><div><h4 class="title">
- <a name="id2600857"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
- <div class="informaltable"><table border="1">
- <colgroup>
- <col>
- <col>
- </colgroup>
- <tbody>
- <tr>
- <td>
- <p>
- <span class="emphasis"><em>Symbol</em></span>
- </p>
- </td>
- <td>
- <p>
- <span class="emphasis"><em>Description</em></span>
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">NotifyOutv4</strong></span></p>
- </td>
- <td>
- <p>
- IPv4 notifies sent.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">NotifyOutv6</strong></span></p>
- </td>
- <td>
- <p>
- IPv6 notifies sent.
- </p>
- </td>
- </tr>
- <tr>
- <td>
- <p><span><strong class="command">NotifyInv4</strong></span></p>
- </td>
- <td>
- <p