Penguin
Recent Changes
Blame: named.conf(5)
EditPageHistoryDiffInfoLikePages
Annotated edit history of named.conf(5) version 2, including all changes. View license author blame.
Rev Author # Line
1 perry 1 ----
2 __NAME__
3
4
5 named.conf - configuration file for
6 named(8)
7 __OVERVIEW__
8
9
10 BIND 8 is much more configurable than previous release of
11 BIND. There are entirely new areas of configuration, such as
12 access control lists and categorized logging. Many options
13 that previously applied to all zones can now be used
14 selectively. These features, plus a consideration of future
15 configuration needs led to the creation of a new configura-
16 tion file format.
17
18
19 __General Syntax__
20
21
22 A BIND 8 configuration consists of two general features,
23 statements and comments. All statements end with a semi-
24 colon. Many statements can contain substatements, which are
25 each also terminated with a semicolon.
26
27
28 The following statements are supported:
29 logging
30
31
32 specifies what the server logs, and where the log messagesare sent optionscontrols global server configuration options and setsdefaults for other statements zonedefines a zone acldefines a named IP address matching list, for access con-trol and other uses keyspecifies key information for use in authentication andauthorization trusted-keysdefines DNSSEC keys that are preconfigured into the serverand implicitly trusted serversets certain configuration options for individual remoteservers controlsdeclares control channels to be used by the ndc utility includeincludes another fileThe logging and options statements may only occur once perconfiguration, while the rest may appear numerous times.Further detail on each statement is provided in individualsections below.Comments may appear anywhere that whitespace may appear in aBIND configuration file. To appeal to programmers of allkinds, they can be written in C, C++, or shell/perl con-structs.C-style comments start with the two characters / (slash, star) and end with / (star, slash). Because they are com- pletely delimited with these characters, they can be used to comment only a portion of a line or to span multiple lines.
33
34
35 C-style comments cannot be nested. For example, the follow-
36 ing is not valid because the entire comment ends with the
37 first /:
38
39
40 / This is the start of a comment.
41 This is still part of the comment.
42 / This is an incorrect attempt at nesting a comment. /
43 This is no longer in any comment. /
44 C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair. For example:
45
46
47 // This is the start of a comment. The next line
48 // is a new comment, even though it is logically
49 // part of the previous comment.
50 Shell-style (or perl-style, if you prefer) comments start with the character # (hash or pound or number or octothorpe or whatever) and continue to the end of the physical line, like C++ comments. For example:
51
52
53 # This is the start of a comment. The next line
54 # is a new comment, even though it is logically
55 # part of the previous comment.
56 ''WARNING'': you cannot use the ; (semicolon) character to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement, so whatever follows it will be interpreted as the start of the next statement.
57
58
59 __Converting from BIND 4.9.x__
60
61
62 BIND 4.9.x configuration files can be converted to the new
63 format by using src/bin/named/named-bootconf, a
64 shell script that is part of the BIND 8.2.x source
65 kit.
66 __DOCUMENTATION DEFINITIONS__
67
68
69 Described below are elements used throughout the BIND con-
70 figuration file documentation. Elements which are only
71 associated with one statement are described only in the sec-
72 tion describing that statement.
73 '' acl_name''
74
75
76 The name of an ''address_match_list'' as defined by the aclstatement.'' address_match_list''A list of one or more '' ip_addr'', '' ip_prefix'', ''key_id'', or''acl_name'' elements, as described in the __ADDRESS MATCH LISTS__section.'' dotted-decimal''One or more integers valued 0 through 255 separated only bydots (``.''), such as 123, 45.67 or 89.123.45.67.
77
78
79 ''domain_name''
80 A quoted string which will be used as a DNS name, for exam-
81 ple my.test.domain.
82
83
84 ''path_name''
85 A quoted string which will be used as a pathname, such as
86 zones/master/my.test.domain.
87
88
89 ''ip_addr''
90 An IP address in with exactly four elements in
91 ''dotted-decimal'' notation.
92
93
94 ''ip_port''
95 An IP port ''number''. ''number is limited to''
96 0 through 65535, with values below 1024
97 typically restricted to root-owned processes. In some cases
98 an asterisk (``'') character can be used as a placeholder to
99 select a random high-numbered port.
100
101
102 ''ip_prefix''
103 An IP network specified in ''dotted-decimal'' form,
104 followed by ``/'' and then the number of bits in the
105 netmask. E.g. 127/8 is the network
106 127.0.0.0 with netmask 255.0.0.0.
107 1.2.3.0/28 is network 1.2.3.0 with netmask
108 255.255.255.240.
109
110
111 ''key_name''
112 A string representing the name of a shared key, to be used
113 for transaction security.
114
115
116 ''number''
117 A non-negative integer with an entire range limited by the
118 range of a C language signed integer (2,147,483,647 on a
119 machine with 32 bit integers). Its acceptable value might
120 further be limited by the context in which it is
121 used.
122
123
124 ''size_spec''
125 A ''number'', the word unlimited, or the word
126 default.
127
128
129 The maximum value of ''size_spec'' is that of unsigned
130 long integers on the machine. unlimited requests
131 unlimited use, or the maximum available amount.
132 default uses the limit that was in force when the
133 server was started.
134
135
136 A ''number'' can optionally be followed by a scaling
137 factor: K or k for kilobytes, M
138 or m for megabytes, and G or g
139 for gigabytes, which scale by 1024, 10241024, and
140 102410241024 respectively.
141
142
143 Integer storage overflow is currently silently ignored dur-
144 ing conversion of scaled values, resulting in values less
145 than intended, possibly even negative. Using
146 unlimited is the best way to safely set a really
147 large number.
148
149
150 ''yes_or_no''
151 Either yes or no. The words true
152 and false are also accepted, as are the numbers
153 1 and 0.
154
155
156 __ADDRESS MATCH LISTS__
157
158
159 __Syntax__
160
161
162 ''address_match_list'' = 1''address_match_element
163 address_match_element'' = [[ ''address_match_list'' /
164 '' ip_address'' / ''ip_prefix'' /
165 '' acl_name'' / ''key_id'' )
166 ''
167
168
169 __Definition and Usage__
170
171
172 Address match lists are primarily used to determine access
173 control for various server operations. They are also used to
174 define priorities for querying other nameservers and to set
175 the addresses on which named will listen for queries. The
176 elements which constitute an address match list can be any
177 of the following:
178 an ''ip-address'' (in ''dotted-decimal'' notation,
179
180
181 an ''ip-prefix'' (in the '/'-notation),A ''key_id'', as defined by the key statement,the name of an address match list previously defined withthe acl statement, oranother ''address_match_list''.Elements can be negated with a leading exclamation mark(``!''), and the match list names any, none, localhost and localnets are predefined. More information on those names can be found in the description of the acl statement.
182
183
184 The addition of the key clause made the name of this syntac-
185 tic element something of a misnomer, since security keys can
186 be used to validate access without regard to a host or net-
187 work address. Nonetheless, the term ``address match list''
188 is still used throughout the documentation.
189
190
191 When a given IP address or prefix is compared to an address
192 match list, the list is traversed in order until an element
193 matches. The interpretation of a match depends on whether
194 the list is being used for access control, defining
195 listen-on ports, or as a topology, and whether the element
196 was negated.
197
198
199 When used as an access control list, a non-negated match
200 allows access and a negated match denies access. If there is
201 no match at all in the list, access is denied. The clauses
202 allow-query, allow-transfer, allow-update, allow-recursion,
203 and blackhole all use address match lists like this.
204 Similarly, the listen-on option will cause the server to not
205 accept queries on any of the machine's addresses which do
206 not match the list.
207
208
209 When used with the topology option, a non-negated match
210 returns a distance based on its position on the list (the
211 closer the match is to the start of the list, the shorter
212 the distance is between it and the server). A negated match
213 will be assigned the maximum distance from the server. If
214 there is no match, the address will get a distance which is
215 further than any non-negated list element, and closer than
216 any negated element.
217
218
219 Because of the first-match aspect of the algorithm, an ele-
220 ment that defines a subset of another element in the list
221 should come before the broader element, regardless of
222 whether either is negated. For example, in 1.2.3/24;
223 !1.2.3.13 the 1.2.3.13 element is completely useless,
224 because the algorithm will match any lookup for 1.2.3.13 to
225 the 1.2.3/24 element. Using !1.2.3.13; 1.2.3/24
226 fixes that problem by having 1.2.3.13 blocked by the nega-
227 tion but all other 1.2.3. hosts fall through.
228
229
230 __THE LOGGING STATEMENT__
231
232
233 __Syntax__
234
235
236 logging {
237 [[ channel ''channel_name'' {
238 ( file ''path_name''
239 [[ versions ( ''number'' | unlimited ) ]
240 [[ size ''size_spec'' ]
241 | syslog ( kern | user | mail | daemon | auth | syslog | lpr |
242 news | uucp | cron | authpriv | ftp |
243 local0 | local1 | local2 | local3 |
244 local4 | local5 | local6 | local7 )
245 | null );
246
247
248 [[ severity ( critical | error | warning | notice |
249 info | debug [[ ''level'' ] | dynamic ); ]
250 [[ print-category ''yes_or_no''; ]
251 [[ print-severity ''yes_or_no''; ]
252 [[ print-time ''yes_or_no''; ]
253 }; ]
254
255
256 [[ category ''category_name'' {''
257 channel_name''; [[ ''channel_name''; ... ]
258 }; ]
259 ...
260 };
261
262
263 __Definition and Usage__
264
265
266 The logging statement configures a wide variety of logging
267 options for the nameserver. Its channel phrase associates
268 output methods, format options and severity levels with a
269 name that can then be used with the category phrase to
270 select how various classes of messages are
271 logged.
272
273
274 Only one logging statement is used to define as many chan-
275 nels and categories as are wanted. If there are multiple
276 logging statements in a configuration, the first defined
277 determines the logging, and warnings are issued for the oth-
278 ers. If there is no logging statement, the logging configu-
279 ration will be:
280
281
282 logging {
283 category default { default_syslog; default_debug; };
284 category panic { default_syslog; default_stderr; };
285 category packet { default_debug; };
286 category eventlib { default_debug; };
287 };
288 The logging configuration is established as soon as the logging statement is parsed. If you want to redirect mes- sages about processing of the entire configuration file, the logging statement must appear first. Even if you do not redirect configuration file parsing messages, we recommend always putting the logging statement first so that this rule need not be consciously recalled if you ever do need want the parser's messages relocated.
289
290
291 __The channel phrase__
292
293
294 All log output goes to one or more ``channels''; you can
295 make as many of them as you want.
296
297
298 Every channel definition must include a clause that says
299 whether messages selected for the channel go to a file, to a
300 particular syslog facility, or are discarded. It can
301 optionally also limit the message severity level that will
302 be accepted by the channel (default is info), and
303 whether to include a time stamp generated by named, the
304 category name, or severity level. The default is not to
305 include any of those three.
306
307
308 The word null as the destination option for the
309 channel will cause all messages sent to it to be discarded;
310 other options for the channel are meaningless.
311
312
313 The file clause can include limitations both on how large
314 the file is allowed to become, and how many versions of the
315 file will be saved each time the file is
316 opened.
317
318
319 The size option for files is simply a hard ceiling on log
320 growth. If the file ever exceeds the size, then named will
321 just not write anything more to it until the file is
322 reopened; exceeding the size does not automatically trigger
323 a reopen. The default behavior is to not limit the size of
324 the file.
325
326
327 If you use the version logfile option, then named will
328 retain that many backup versions of the file by renaming
329 them when opening. For example, if you choose to keep 3 old
330 versions of the file lamers.log then just before it is
331 opened lamers.log.1 is renamed to lames.log.2, lamers.log.0
332 is renamed to lamers.log.1, and lamers.log is renamed to
333 lamers.log.0. No rolled versions are kept by default; any
334 existing log file is simply appended. The unlimited
335 keyword is synonymous with 99 in current BIND
336 releases. Example usage of size and versions
337 options:
338
339
340 channel an_example_level {
341 file
342 The argument for the syslog clause is a syslog facility as described in the syslog(3) manual page. How syslogd will handle messages sent to this facility is described in the syslog.conf(5) manual page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, then this clause is silently ignored.
343
344
345 The severity clause works like syslog's ``priorities'',
346 except that they can also be used if you are writing
347 straight to a file rather than using syslog. Messages which
348 are not at least of the severity level given will not be
349 selected for the channel; messages of higher severity levels
350 will be accepted.
351
352
353 If you are using syslog, then the syslog.conf
354 priorities will also determine what eventually passes
355 through. For example, defining a channel facility and
356 severity as daemon and debug but only
357 logging daemon.warning via syslog.conf
358 will cause messages of severity info and
359 notice to be dropped. If the situation were
360 reversed, with named writing messages of only
361 warning or higher, then syslogd would print all
362 messages it received from the channel.
363
364
365 The server can supply extensive debugging information when
366 it is in debugging mode. If the server's global debug level
367 is greater than zero, then debugging mode will be active.
368 The global debug level is set either by starting the named
369 server with the -d flag followed by a positive integer, or
370 by sending the running server the SIGUSR1 signal
371 (for exam- ple, by using ndc trace). The global debug level
372 can be set to zero, and debugging mode turned off, by
373 sending the server the SIGUSR2 signal (as with ndc
374 notrace). All debug- ging messages in the server have a
375 debug level, and higher debug levels give more more detailed
376 output. Channels that specify a specific debug severity,
377 e.g.
378
379
380 channel specific_debug_level {
381 file
382 will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debug- ging level. Channels with dynamic severity use the server's global level to determine what messages to print.
383
384
385 If print-time has been turned on, then the date and time
386 will be logged. print-time may be specified for a syslog
387 channel, but is usually pointless since syslog also prints
388 the date and time. If print-category is requested, then the
389 category of the message will be logged as well. Finally, if
390 print-severity is on, then the severity level of the message
391 will be logged. The print- options may be used in any com-
392 bination, and will always be printed in the following order:
393 time, category, severity. Here is an example where all three
394 print- options are on:
395
396
397 28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries.
398 There are four predefined channels that are used for named 's default logging as follows. How they are used used is described in the next section, __The category phrase__.
399
400
401 channel default_syslog {
402 syslog daemon; # send to syslog's daemon facility
403 severity info; # only send priority info and higher
404 };
405 channel default_debug {
406 file
407 Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at chan- nels you have defined.
408
409
410 __The category phrase__
411
412
413 There are many categories, so you can send the logs you want
414 to see wherever you want, without seeing logs you don't
415 want. If you don't specify a list of channels for a cate-
416 gory, then log messages in that category will be sent to the
417 default category instead. If you don't specify a
418 default category, the following ``default default'' is
419 used:
420
421
422 category default { default_syslog; default_debug; };
423 As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd specify the following:
424
425
426 channel my_security_channel {
427 file
428 To discard all messages in a category, specify the null channel:
429
430
431 category lame-servers { null; };
432 category cname { null; };
433 The following categories are available:
434 default
435
436
437 The catch-all. Many things still aren't classified intocategories, and they all end up here. Also, if you don'tspecify any channels for a category, the default categoryis used instead. If you do not define the default cate-gory, the following definition is used:category default { default_syslog; default_debug; };config
438 High-level configuration file processing.
439
440
441 parser
442 Low-level configuration file processing.
443
444
445 queries
446 A short log message is generated for every query the server
447 receives.
448
449
450 lame-servers
451 Messages like ``Lame server on ...''
452
453
454 statistics
455 Statistics.
456
457
458 panic
459 If the server has to shut itself down due to an internal
460 problem, it will log the problem in this category as well as
461 in the problem's native category. If you do not define the
462 panic category, the following definition is used:
463 category panic { default_syslog; default_stderr;
464 };
465
466
467 update
468 Dynamic updates.
469
470
471 ncache
472 Negative caching.
473
474
475 xfer-in
476 Zone transfers the server is receiving.
477
478
479 xfer-out
480 Zone transfers the server is sending.
481
482
483 db
484 All database operations.
485
486
487 eventlib
488 Debugging info from the event system. Only one channel may
489 be specified for this category, and it must be a file chan-
490 nel. If you do not define the eventlib category, the fol-
491 lowing definition is used: category eventlib {
492 default_debug; };
493
494
495 packet
496 Dumps of packets received and sent. Only one channel may be
497 specified for this category, and it must be a file chan-
498 nel. If you do not define the packet category, the follow-
499 ing definition is used: category packet { default_debug;
500 };
501
502
503 notify
504 The NOTIFY protocol.
505
506
507 cname
508 Messages like ``... points to a CNAME''.
509
510
511 security
512 Approved/unapproved requests.
513
514
515 os
516 Operating system problems.
517
518
519 insist
520 Internal consistency check failures.
521
522
523 maintenance
524 Periodic maintenance events.
525
526
527 load
528 Zone loading messages.
529
530
531 response-checks
532 Messages arising from response checking, such as ``Mal-
533 formed response ...'', ``wrong ans. name ...'', ``unrelated
534 additional info ...'', ``invalid RR type ...'', and ``bad
535 referral ...''.
536
537
538 __THE OPTIONS STATEMENT__
539
540
541 __Syntax__
542
543
544 options {
545 [[ hostname ''hostname_string''; ]
546 [[ version ''version_string''; ]
547 [[ directory ''path_name''; ]
548 [[ named-xfer ''path_name''; ]
549 [[ dump-file ''path_name''; ]
550 [[ memstatistics-file ''path_name''; ]
551 [[ pid-file ''path_name''; ]
552 [[ statistics-file ''path_name''; ]
553 [[ auth-nxdomain ''yes_or_no''; ]
554 [[ deallocate-on-exit ''yes_or_no''; ]
555 [[ dialup ''yes_or_no''; ]
556 [[ fake-iquery ''yes_or_no''; ]
557 [[ fetch-glue ''yes_or_no''; ]
558 [[ has-old-clients ''yes_or_no''; ]
559 [[ host-statistics ''yes_or_no''; ]
560 [[ host-statistics-max ''number''; ]
561 [[ multiple-cnames ''yes_or_no''; ]
562 [[ notify ''yes_or_no''; ]
563 [[ suppress-initial-notify ''yes_or_no''; ]
564 [[ recursion ''yes_or_no''; ]
565 [[ rfc2308-type1 ''yes_or_no''; ]
566 [[ use-id-pool ''yes_or_no''; ]
567 [[ treat-cr-as-space ''yes_or_no''; ]
568 [[ also-notify ''yes_or_no''; ]
569 [[ forward ( only | first ); ]
570 [[ forwarders { [[ ''in_addr'' ; [[ ''in_addr'' ; ... ] ] }; ]
571 [[ check-names ( master | slave | response ) ( warn | fail | ignore); ]
572 [[ allow-query { ''address_match_list'' }; ]
573 [[ allow-recursion { ''address_match_list'' }; ]
574 [[ allow-transfer { ''address_match_list'' }; ]
575 [[ blackhole { ''address_match_list'' }; ]
576 [[ listen-on [[ port ''ip_port'' ] { ''address_match_list'' }; ]
577 [[ query-source [[ address ( ''ip_addr'' | ) ]
578 [[ port ( ''ip_port'' | ) ] ; ]
579 [[ lame-ttl ''number''; ]
580 [[ max-transfer-time-in ''number''; ]
581 [[ max-ncache-ttl ''number''; ]
582 [[ min-roots ''number''; ]
583 [[ serial-queries ''number''; ]
584 [[ transfer-format ( one-answer | many-answers ); ]
585 [[ transfers-in ''number''; ]
586 [[ transfers-out ''number''; ]
587 [[ transfers-per-ns ''number''; ]
588 [[ transfer-source ''ip_addr''; ]
589 [[ maintain-ixfr-base ''yes_or_no''; ]
590 [[ max-ixfr-log-size ''number''; ]
591 [[ coresize ''size_spec'' ; ]
592 [[ datasize ''size_spec'' ; ]
593 [[ files ''size_spec'' ; ]
594 [[ stacksize ''size_spec'' ; ]
595 [[ cleaning-interval ''number''; ]
596 [[ heartbeat-interval ''number''; ]
597 [[ interface-interval ''number''; ]
598 [[ statistics-interval ''number''; ]
599 [[ topology { ''address_match_list'' }; ]
600 [[ sortlist { ''address_match_list'' }; ]
601 [[ rrset-order { ''order_spec'' ; [[ ''order_spec'' ; ... ] }; ]
602 [[ preferred-glue ( A | AAAA ); ]
603 };
604
605
606 __Definition and Usage__
607
608
609 The options statement sets up global options to be used by
610 BIND. This statement may appear at only once in a configura-
611 tion file; if more than one occurrence is found, the first
612 occurrence determines the actual options used, and a warning
613 will be generated. If there is no options statement, an
614 options block with each option set to its default will be
615 used.
616
617
618 __Server Information__
619 hostname
620
621
622 This defaults to the hostname of the machine hosting thenameserver as found by gethostname(). Its prime purpose isto be able to identify which of a number of anycast serversis actually answering your queries by sending a txt queryfor hostname.bind in class chaos to the anycast server and geting back a unique name. Setting the hostname to a empty string (
623
624
625 version
626 The version the server should report via the ndc command or
627 via a query of name version.bind in class chaos.
628 The default is the real version number of ths server, but
629 some server operators prefer the string ( surely you must be
630 joking ).
631
632
633 __Pathnames__
634
635
636 directory
637 The working directory of the server. Any non-absolute
638 pathnames in the configuration file will be taken as rela-
639 tive to this directory. The default location for most server
640 output files (e.g. named.run) is this directory. If
641 a directory is not specified, the working directory defaults
642 to ., the directory from which the server was
643 started. The directory specified should be an absolute
644 path.
645
646
647 named-xfer
648 The pathname to the named-xfer program that the server uses
649 for inbound zone transfers. If not specified, the default is
650 system dependent (e.g. /usr/sbin/named-xfer
651 ).
652
653
654 dump-file
655 The pathname of the file the server dumps the database to
656 when it receives SIGINT signal (as sent by ndc
657 dumpdb ). If not specified, the default is
658 named_dump.db.
659
660
661 memstatistics-file
662 The pathname of the file the server writes memory usage
663 statistics to on exit, if deallocate-on-exit is
664 yes. If not specified, the default is
665 named.memstats.
666
667
668 pid-file
669 The pathname of the file the server writes its process ID
670 in. If not specified, the default is operating system
671 dependent, but is usually /var/run/named.pid or
672 /etc/named.pid. The pid-file is used by programs
673 like ndc that want to send signals to the running
674 nameserver.
675
676
677 statistics-file
678 The pathname of the file the server appends statistics to
679 when it receives SIGILL signal (from ndc stats). If
680 not specified, the default is
681 named.stats.
682
683
684 __Boolean Options__
685
686
687 auth-nxdomain
688 If yes, then the AA bit is always set on
689 NXDOMAIN responses, even if the server is not
690 actually authorita- tive. The default is yes. Do
691 not turn off auth-nxdomain unless you are sure you know what
692 you are doing, as some older software won't like
693 it.
694
695
696 deallocate-on-exit
697 If yes, then when the server exits it will
698 painstakingly deallocate every object it allocated, and then
699 write a mem- ory usage report to the memstatistics-file. The
700 default is no, because it is faster to let the
701 operating system clean up. deallocate-on-exit is handy for
702 detecting memory leaks.
703
704
705 dialup
706 If yes, then the server treats all zones as if they
707 are doing zone transfers across a dial on demand dialup
708 link, which can be brought up by traffic originating from
709 this server. This has different effects according to zone
710 type and concentrates the zone maintenance so that it all
711 hap- pens in a short interval, once every heartbeat-interval
712 and hopefully during the one call. It also suppresses some
713 of the normal zone maintenance traffic. The default is
714 no. The dialup option may also be specified in the
715 zone state- ment, in which case it overrides the options
716 dialup state- ment.
717
718
719 If the zone is a master then the server will send out
720 NOTIFY request to all the slaves. This will trigger
721 the zone up to date checking in the slave (providing it sup-
722 ports NOTIFY) allowing the slave to verify the zone
723 while the call us up.
724
725
726 If the zone is a slave or stub then the server will sup-
727 press the zone regular zone up to date queries and only
728 perform the when the heartbeat-interval
729 expires.
730
731
732 fake-iquery
733 If yes, the server will simulate the obsolete DNS
734 query type IQUERY. The default is
735 no.
736
737
738 fetch-glue
739 If yes (the default), the server will fetch
740 ``glue'' resource records it doesn't have when constructing
741 the additional data section of a response. fetch-glue no can
742 be used in conjunction with recursion no to prevent the
743 server's cache from growing or becoming corrupted (at the
744 cost of requiring more work from the client).
745
746
747 has-old-clients
748 Setting the option to yes, is equivalent to setting
749 the following three options: auth-nxdomain yes;,
750 maintain-ixfr-base yes;, and rfc2308-type1 no;
751
752
753 The use of has-old-clients with auth-nxdomain,
754 maintain-ixfr-base, and rfc2308-type1 is order
755 dependant.
756
757
758 host-statistics
759 If yes, then statistics are kept for every host
760 that the the nameserver interacts with. The default is
761 no. ''Note'': turning on host-statistics can
762 consume huge amounts of mem- ory.
763
764
765 maintain-ixfr-base
766 If yes, a IXFR database file is kept for all
767 dynamicaly updated zones. This enables the server to answer
768 IXFR queries which can speed up zone transfers enormously.
769 The default is no.
770
771
772 multiple-cnames
773 If yes, then multiple CNAME resource records will
774 be allowed for a domain name. The default is no.
775 Allowing multiple CNAME records is against standards and is
776 not rec- ommended. Multiple CNAME support is available
777 because pre- vious versions of BIND allowed multiple CNAME
778 records, and these records have been used for load balancing
779 by a number of sites.
780
781
782 notify
783 If yes (the default), DNS NOTIFY messages are sent
784 when a zone the server is authoritative for changes. The use
785 of NOTIFY speeds convergence between the master and its
786 slaves. Slave servers that receive a NOTIFY message and
787 understand it will contact the master server for the zone
788 and see if they need to do a zone transfer, and if they do,
789 they will initiate it immediately. The notify option may
790 also be specified in the zone statement, in which case it
791 overrides the options notify statement.
792
793
794 suppress-initial-notify
795 If yes, suppress the initial notify messages when
796 the server first loads. The default is
797 no.
798
799
800 recursion
801 If yes, and a DNS query requests recursion, then
802 the server will attempt to do all the work required to
803 answer the query. If recursion is not on, the server will
804 return a referral to the client if it doesn't know the
805 answer. The default is yes. See also fetch-glue
806 above.
807
808
809 rfc2308-type1
810 If yes, the server will send NS records along with
811 the SOA record for negative answers. You need to set this to
812 no if you have an old BIND server using you as a forwarder
813 that does not understand negative answers which contain both
814 SOA and NS records or you have an old version of sendmail.
815 The correct fix is to upgrade the broken server or sendmail.
816 The default is no.
817
818
819 use-id-pool
820 If yes, the server will keep track of its own
821 outstanding query ID's to avoid duplication and increase
822 randomness. This will result in 128KB more memory being
823 consumed by the server. The default is
824 no.
825
826
827 treat-cr-as-space
828 If yes, the server will treat CR characters the
829 same way it treats a space or tab. This may be necessary
830 when loading zone files on a UNIX system that were generated
831 on an NT or DOS machine. The default is
832 no.
833
834
835 __Also-Notify__
836 also-notify
837
838
839 Defines a global list of IP addresses that also get sent
840 NOTIFY messages whenever a fresh copy of the zone is loaded.
841 This helps to ensure that copies of the zones will quickly
842 converge on ``stealth'' servers. If an also-notify list is
843 given in a zone statement, it will override the options
844 also-notify statement. When a zone notify statement is set
845 to no, the IP addresses in the global also-notify list will
846 not get sent NOTIFY messages for that zone. The default is
847 the empty list (no global notification list).
848
849
850 __Forwarding__
851 The forwarding facility can be used to create a large
852 site-wide cache on a few servers, reducing traffic over
853 links to external nameservers. It can also be used to allow
854 queries by servers that do not have direct access to the
855 Internet, but wish to look up exterior names anyway. For-
856 warding occurs only on those queries for which the server is
857 not authoritative and does not have the answer in its
858 cache.
859
860
861 forward
862 This option is only meaningful if the forwarders list is not
863 empty. A value of first, the default, causes the
864 server to query the forwarders first, and if that doesn't
865 answer the question the server will then look for the answer
866 itself. If only is specified, the server will only
867 query the forwarders.
868
869
870 forwarders
871 Specifies the IP addresses to be used for forwarding. The
872 default is the empty list (no forwarding).
873
874
875 Forwarding can also be configured on a per-zone basis,
876 allowing for the global forwarding options to be overridden
877 in a variety of ways. You can set particular zones to use
878 different forwarders, or have different forward only/first
879 behavior, or to not forward at all. See __THE ZONE
880 STATEMENT__ section for more information.
881
882
883 Future versions of BIND 8 will provide a more powerful for-
884 warding system. The syntax described above will continue to
885 be supported.
886
887
888 __Name Checking__
889 The server can check domain names based upon their expected
890 client contexts. For example, a domain name used as a host-
891 name can be checked for compliance with the RFCs defining
892 valid hostnames.
893
894
895 Three checking methods are available:
896
897
898 ignore
899 No checking is done.
900
901
902 warn
903 Names are checked against their expected client contexts.
904 Invalid names are logged, but processing continues nor-
905 mally.
906
907
908 fail
909 Names are checked against their expected client contexts.
910 Invalid names are logged, and the offending data is
911 rejected.
912
913
914 The server can check names three areas: master zone files,
915 slave zone files, and in responses to queries the server has
916 initiated. If check-names response fail has been specified,
917 and answering the client's question would require sending an
918 invalid name to the client, the server will send a
919 REFUSED response code to the client.
920
921
922 The defaults are:
923
924
925 check-names master fail;
926 check-names slave warn;
927 check-names response ignore;
928 check-names may also be specified in the zone statement, in which case it overrides the options check-names statement. When used in a zone statement, the area is not specified (because it can be deduced from the zone type).
929
930
931 __Access Control__
932
933
934 Access to the server can be restricted based on the IP
935 address of the requesting system or via shared secret keys.
936 See __ADDRESS MATCH LISTS__ for details on how to specify
937 access criteria.
938 allow-query
939
940
941 Specifies which hosts are allowed to ask ordinary ques-tions. allow-query may also be specified in the zonestatement, in which case it overrides the optionsallow-query statement. If not specified, the default is toallow queries from all hosts. allow-recursion Specifies which hosts are allowed to ask recursive ques-tions. If not specified, the default is to allow recur-sive queries from all hosts. allow-transfer Specifies which hosts are allowed to receive zone trans-fers from the server. allow-transfer may also be speci-fied in the zone statement, in which case it overrides theoptions allow-transfer statement. If not specified, thedefault is to allow transfers from all hosts. blackhole Specifies a list of addresses that the server will notaccept queries from or use to resolve a query. Queriesfrom these addresses will not be responded to.__Interfaces__The interfaces and ports that the server will answer queriesfrom may be specified using the listen-on option. listen-ontakes an optional port, and an address match list. Theserver will listen on all interfaces allowed by the addressmatch list. If a port is not specified, port 53 will beused.Multiple listen-on statements are allowed. For example, listen-on { 5.6.7.8; };
942 listen-on port 1234 { !1.2.3.4; 1.2/16; };
943 will enable the nameserver on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4.
944
945
946 If no listen-on is specified, the server will listen on port
947 53 on all interfaces.
948
949
950 __Query Address__
951
952
953 If the server doesn't know the answer to a question, it will
954 query other nameservers. query-source specifies the address
955 and port used for such queries. If address is or is omit-
956 ted, a wildcard IP address ( INADDR_ANY) will be
957 used. If ''port'' is or is omitted, a random unprivileged
958 port will be used. The default is
959
960
961 query-source address port ;
962
963
964 Note: query-source currently applies only to UDP queries;
965 TCP queries always use a wildcard IP address and a random
966 unprivileged port.
967
968
969 __Zone Transfers__
970 max-transfer-time-in
971
972
973 Inbound zone transfers ( named-xfer processes) runninglonger than this many minutes will be terminated. Thedefault is 120 minutes (2 hours). transfer-formatThe server supports two zone transfer methods. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 8.1 and patched ver- sions of BIND 4.9.5. The default is one-answer. transfer-format may be overridden on a per-server basis by using the server statement.
974
975
976 transfers-in
977 The maximum number of inbound zone transfers that can be
978 running concurrently. The default value is 10. Increasing
979 transfers-in may speed up the convergence of slave zones,
980 but it also may increase the load on the local
981 system.
982
983
984 transfers-out
985 This option will be used in the future to limit the number
986 of concurrent outbound zone transfers. It is checked for
987 syntax, but is otherwise ignored.
988
989
990 transfers-per-ns
991 The maximum number of inbound zone transfers ( named-xfer
992 processes) that can be concurrently transferring from a
993 given remote nameserver. The default value is 2. Increas-
994 ing transfers-per-ns may speed up the convergence of slave
995 zones, but it also may increase the load on the remote
996 nameserver. transfers-per-ns may be overridden on a
997 per-server basis by using the transfers phrase of the server
998 statement.
999
1000
1001 transfer-source
1002 transfer-source determines which local address will be bound
1003 to the TCP connection used to fetch all zones trans- ferred
1004 inbound by the server. If not set, it defaults to a system
1005 controlled value which will usually be the address of the
1006 interface ``closest to`` the remote end. This address must
1007 appear in the remote end's allow-transfer option for the
1008 zones being transferred, if one is speci- fied. This
1009 statement sets the transfer-source for all zones, but can be
1010 overriden on a per-zone basis by includinga transfer-source
1011 statement within the zone block in the configuration
1012 file.
1013
1014
1015 __Resource Limits__
1016 The server's usage of many system resources can be limited.
1017 Some operating systems don't support some of the limits. On
1018 such systems, a warning will be issued if the unsupported
1019 limit is used. Some operating systems don't support limit-
1020 ing resources, and on these systems a cannot set resource
1021 limits on this system message will be logged.
1022
1023
1024 Scaled values are allowed when specifying resource limits.
1025 For example, 1G can be used instead of
1026 1073741824 to specify a limit of one gigabyte.
1027 unlimited requests unlimited use, or the maximum
1028 available amount. default uses the limit that was
1029 in force when the server was started. See the def- inition
1030 of ''size_spec'' in the __DOCUMENTATION DEFINITIONS__
1031 sec- tion for more details.
1032
1033
1034 coresize
1035 The maximum size of a core dump. The default value is
1036 default.
1037
1038
1039 datasize
1040 The maximum amount of data memory the server may use. The
1041 default value is default.
1042
1043
1044 files
1045 The maximum number of files the server may have open con-
1046 currently. The default value is unlimited. Note
1047 that on some operating systems the server cannot set an
1048 unlimited value and cannot determine the maximum number of
1049 open files the kernel can support. On such systems, choosing
1050 unlimited will cause the server to use the larger
1051 of the ''rlim_max'' from getrlimit(RLIMIT_NOFILE) and the
1052 value returned by sysconf(_SC_OPEN_MAX). If the actual
1053 kernel limit is larger than this value, use limit files to
1054 specify the limit explicitly.
1055
1056
1057 max-ixfr-log-size
1058 The max-ixfr-log-size will be used in a future
1059 release of the server to limit the size of the transaction
1060 log kept for Incremental Zone Transfer.
1061
1062
1063 stacksize
1064 The maximum amount of stack memory the server may use. The
1065 default value is default.
1066
1067
1068 __Periodic Task Intervals__
1069
1070
1071 cleaning-interval
1072 The server will remove expired resource records from the
1073 cache every cleaning-interval minutes. The default is 60
1074 minutes. If set to 0, no periodic cleaning will
1075 occur.
1076
1077
1078 heartbeat-interval
1079 The server will perform zone maintenance tasks for all zones
1080 marked dialup yes whenever this interval expires. The
1081 default is 60 minutes. Reasonable values are up to 1 day
1082 (1440 minutes). If set to 0, no zone maintenance for these
1083 zones will occur.
1084
1085
1086 interface-interval
1087 The server will scan the network interface list every
1088 interface-interval minutes. The default is 60 minutes. If
1089 set to 0, interface scanning will only occur when the con-
1090 figuration file is loaded. After the scan, listeners will be
1091 started on any new interfaces (provided they are allowed by
1092 the listen-on configuration). Listeners on interfaces that
1093 have gone away will be cleaned up.
1094
1095
1096 statistics-interval
1097 Nameserver statistics will be logged every
1098 statistics-interval minutes. The default is 60. If set to 0,
1099 no statistics will be logged.
1100
1101
1102 __Topology__
1103 All other things being equal, when the server chooses a
1104 nameserver to query from a list of nameservers, it prefers
1105 the one that is topologically closest to itself. The
1106 topology statement takes an address match list and inter-
1107 prets it in a special way. Each top-level list element is
1108 assigned a distance. Non-negated elements get a distance
1109 based on their position in the list, where the closer the
1110 match is to the start of the list, the shorter the distance
1111 is between it and the server. A negated match will be
1112 assigned the maximum distance from the server. If there is
1113 no match, the address will get a distance which is further
1114 than any non-negated list element, and closer than any
1115 negated element. For example,
1116
1117
1118 topology {
1119 10/8;
1120 !1.2.3/24;
1121 { 1.2/16; 3/8; };
1122 };
1123 will prefer servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all.
1124
1125
1126 The default topology is
1127
1128
1129 topology { localhost; localnets; };
1130
1131
1132 __Resource Record sorting__
1133
1134
1135 When returning multiple RRs, the nameserver will normally
1136 return them in Round Robin, i.e. after each request, the
1137 first RR is put to the end of the list. As the order of RRs
1138 is not defined, this should not cause any
1139 problems.
1140
1141
1142 The client resolver code should re-arrange the RRs as appro-
1143 priate, i.e. using any addresses on the local net in prefer-
1144 ence to other addresses. However, not all resolvers can do
1145 this, or are not correctly configured.
1146
1147
1148 When a client is using a local server, the sorting can be
1149 performed in the server, based on the client's address. This
1150 only requires configuring the nameservers, not all the
1151 clients.
1152
1153
1154 The sortlist statement takes an address match list and
1155 interprets it even more specially than the topology state-
1156 ment does.
1157
1158
1159 Each top level statement in the sortlist must itself be an
1160 explicit address match list with one or two elements. The
1161 first element (which may be an IP address, an IP prefix, an
1162 ACL name or nested address match list) of each top level
1163 list is checked against the source address of the query
1164 until a match is found.
1165
1166
1167 Once the source address of the query has been matched, if
1168 the top level statement contains only one element, the
1169 actual primitive element that matched the source address is
1170 used to select the address in the response to move to the
1171 beginning of the response. If the statement is a list of two
1172 elements, the second element is treated like the address
1173 match list in a topology statement. Each top level element
1174 is assigned a distance and the address in the response with
1175 the minimum distance is moved to the beginning of the
1176 response.
1177
1178
1179 In the following example, any queries received from any of
1180 the addresses of the host itself will get responses prefer-
1181 ring addresses on any of the locally connected networks.
1182 Next most preferred are addresses on the 192.168.1/24 net-
1183 work, and after that either the 192.168.2/24 or 192.168.3/24
1184 network with no preference shown between these two networks.
1185 Queries received from a host on the 192.168.1/24 network
1186 will prefer other addresses on that network to the
1187 192.168.2/24 and 192.168.3/24 networks. Queries received
1188 from a host on the 192.168.4/24 or the 192.168.5/24 network
1189 will only prefer other addresses on their directly connected
1190 networks.
1191
1192
1193 sortlist {
1194 { localhost; // IF the local host
1195 { localnets; // THEN first fit on the
1196 192.168.1/24; // following nets
1197 { 192,168.2/24; 192.168.3/24; }; }; };
1198 { 192.168.1/24; // IF on class C 192.168.1
1199 { 192.168.1/24; // THEN use .1, or .2 or .3
1200 { 192.168.2/24; 192.168.3/24; }; }; };
1201 { 192.168.2/24; // IF on class C 192.168.2
1202 { 192.168.2/24; // THEN use .2, or .1 or .3
1203 { 192.168.1/24; 192.168.3/24; }; }; };
1204 { 192.168.3/24; // IF on class C 192.168.3
1205 { 192.168.3/24; // THEN use .3, or .1 or .2
1206 { 192.168.1/24; 192.168.2/24; }; }; };
1207 { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
1208 };
1209 };
1210 The following example will give reasonable behaviour for the local host and hosts on directly connected networks. It is similar to the behavior of the address sort in BIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses to other queries will not be sorted.
1211
1212
1213 sortlist {
1214 { localhost; localnets; };
1215 { localnets; };
1216 };
1217
1218
1219 __RRset Ordering__
1220
1221
1222 When multiple records are returned in an answer it may be
1223 useful to configure the order the records are placed into
1224 the response. For example the records for a zone might be
1225 configured to always be returned in the order they are
1226 defined in the zone file. Or perhaps a random shuffle of the
1227 records as they are returned is wanted. The rrset-order
1228 statement permits configuration of the ordering made of the
1229 records in a multiple record response. The default, if no
1230 ordering is defined, is a cyclic ordering (round
1231 robin).
1232
1233
1234 An order_spec is defined as follows:
1235
1236
1237 [[ ''class class_name'' ][[ ''type type_name'' ][[ ''name'' ''order'' ordering
1238
1239
1240 If no class is specified, the default is ANY. If no
1241 Ictype is specified, the default is ANY. If no name
1242 is specified, the default is
1243
1244
1245 The legal values for ordering are:
1246 fixed
1247
1248
1249 Records are returned in the order they are defined inthe zone file.randomRecords are returned in some random order.cyclicRecords are returned in a round-robin order.For example:rrset-order {
1250 class IN type A name
1251 will cause any responses for type A records in class IN that have
1252
1253
1254 If multiple rrset-order statements appear, they are not com-
1255 bined--the last one applies.
1256
1257
1258 If no rrset-order statement is specified, a default one
1259 of:
1260
1261
1262 rrset-order { class ANY type ANY name
1263 is used.
1264
1265
1266 __Glue Ordering__
1267
1268
1269 When running a root nameserver it is sometimes necessary to
1270 ensure that other nameservers that are priming are success-
1271 ful. This requires that glue A records for at least of the
1272 nameservers are returned in the answer to a priming query.
1273 This can be achieved by setting preferred-glue A; which will
1274 add A records before other types in the additional
1275 section.
1276
1277
1278 __Tuning__
1279 lame-ttl
1280
1281
1282 Sets the number of seconds to cache a lame server indica-tion. 0 disables caching. Default is 600 (10 minutes).Maximum value is 1800 (30 minutes) max-ncache-ttlTo reduce network traffic and increase performance theserver store negative answers. max-ncache-ttl is used toset a maximum retention time for these answers in theserver is seconds. The default max-ncache-ttl is 10800seconds (3 hours). max-ncache-ttl cannot exceed the maxi-mum retention time for ordinary (positive) answers (7 days)and will be silently truncated to 7 days if set to a valuewhich is greater that 7 days. min-rootsThe minimum number of root servers that is required for arequest for the root servers to be accepted. Default is 2.__THE ZONE STATEMENT__
1283
1284
1285 __Syntax__
1286
1287
1288 zone ''domain_name'' [[ ( in | hs | hesiod | chaos ) ] {
1289 type master;
1290 file ''path_name'';
1291 [[ check-names ( warn | fail | ignore ); ]
1292 [[ allow-update { ''address_match_list'' }; ]
1293 [[ allow-query { ''address_match_list'' }; ]
1294 [[ allow-transfer { ''address_match_list'' }; ]
1295 [[ forward ( only | first ); ]
1296 [[ forwarders { [[ ''ip_addr'' ; [[ ''ip_addr'' ; ... ] ] }; ]
1297 [[ dialup ''yes_or_no''; ]
1298 [[ notify ''yes_or_no''; ]
1299 [[ also-notify { ''ip_addr''; [[ ''ip_addr''; ... ] };
1300 [[ pubkey ''number number number string''; ]
1301 };
1302
1303
1304 zone ''domain_name'' [[ ( in | hs | hesiod | chaos ) ]
1305 {
1306 type ( slave | stub );
1307 [[ file ''path_name''; ]
1308 masters [[ port ''ip_port'' ] { ''ip_addr'' [[ key
1309 ''key_id'' ]; [[ ... ] };
1310 [[ check-names ( warn | fail | ignore ); ]
1311 [[ allow-update { ''address_match_list'' }; ]
1312 [[ allow-query { ''address_match_list'' }; ]
1313 [[ allow-transfer { ''address_match_list'' }; ]
1314 [[ forward ( only | first ); ]
1315 [[ forwarders { [[ ''ip_addr'' ; [[ ''ip_addr'' ; ... ] ]
1316 }; ]
1317 [[ transfer-source ''ip_addr''; ]
1318 [[ max-transfer-time-in ''number''; ]
1319 [[ notify ''yes_or_no''; ]
1320 [[ also-notify { ''ip_addr''; [[ ''ip_addr''; ... ]
1321 };
1322 [[ pubkey ''number number number string''; ]
1323 };
1324
1325
1326 zone ''domain_name'' [[ ( in | hs | hesiod | chaos ) ]
1327 {
1328 type forward;
1329 [[ forward ( only | first ); ]
1330 [[ forwarders { [[ ''ip_addr'' ; [[ ''ip_addr'' ; ... ] ]
1331 }; ]
1332 [[ check-names ( warn | fail | ignore ); ]
1333 };
1334
1335
1336 zone
1337 type hint;
1338 file ''path_name'';
1339 [[ check-names ( warn | fail | ignore ); ]
1340 };
1341
1342
1343 __Definition and Usage__
1344
1345
1346 The zone statement is used to define how information about
1347 particular DNS zones is managed by the server. There are
1348 five different zone types.
1349 master
1350
1351
2 perry 1352 The server has a master copy of the data for the zone andwill be able to provide authoritative answers for it. slaveA slave zone is a replica of a master zone. The masterslist specifies one or more IP addresses that the slave con-tacts to update its copy of the zone. If a port is speci-fied then checks to see if the zone is current and zonetransfers will be done to the port given. If file is speci-fied, then the replica will be written to the named file.Use of the file clause is highly recommended, since itoften speeds server startup and eliminates a needless wasteof bandwidth. stubA stub zone is like a slave zone, except that it replicatesonly the NS records of a master zone instead of the entirezone. forwardA forward zone is used to direct all queries in it to otherservers, as described in __ THE OPTIONS STATEMENT__ section.The specification of options in such a zone will overrideany global options declared in the options statement.If either no forwarders clause is present in the zone or anempty list for forwarders is given, then no forwarding willbe done for the zone, cancelling the effects of anyforwarders in the options statement. Thus if you want touse this type of zone to change only the behavior of theglobal forward option, and not the servers used, then youalso need to respecify the global forwarders. hintThe initial set of root nameservers is specified using ahint zone. When the server starts up, it uses the roothints to find a root nameserver and get the most recentlist of root nameservers.Note: previous releases of BIND used the term primary for amaster zone, secondary for a slave zone, and cache for ahint zone.__Classes__The zone's name may optionally be followed by a class. If aclass is not specified, class in (for __Options__ check-namesSee the subsection on __ Name Checking__ in __ THE OPTIONSSTATEMENT__. allow-querySee the description of allow-query in the __Access Control__subsection of __THE OPTIONS STATEMENT__. allow-updateSpecifies which hosts are allowed to submit Dynamic DNSupdates to the server. The default is to deny updates fromall hosts. allow-transferSee the description of allow-transfer in the __Access Control__subsection of __THE OPTIONS STATEMENT__. transfer-sourcetransfer-source determines which local address will bebound to the TCP connection used to fetch this zone. Ifnot set, it defaults to a system controlled value whichwill usually be the address of the interface ``closest to''the remote end. This address must appear in the remoteend's allow-transfer option for this zone if one is speci-fied. max-transfer-time-inSee the description of max-transfer-time-in in the __!ZoneTransfers__ subsection of __THE OPTIONS STATEMENT__. dialupSee the description of dialup in the __Boolean Options__ sub-section of __THE OPTIONS STATEMENT__. notifySee the description of __notify__ in the __Boolean Options__ sub-section of the __THE OPTIONS STATEMENT__. also-notifyalso-notify is only meaningful if notify is active for thiszone. The set of machines that will receive a DNS NOTIFYmessage for this zone is made up of all the listed name-servers for the zone (other than the primary master) plusany IP addresses specified with also-notify. also-notifyis not meaningful for stub zones. The default is the emptylist. forwardforward is only meaningful if the zone has a forwarderslist. The only value causes the lookup to fail after tryingthe forwarders and getting no answer, while first wouldallow a normal lookup to be tried. forwardersThe forwarders option in a zone is used to override thelist of global forwarders. If it is not specified in azone of type forward, ''no'' forwarding is done for the zone;the global options are not used. pubkeyThe DNSSEC flags, protocol, and algorithm are specified, aswell as a base-64 encoded string representing the key.__THE ACL STATEMENT__
1 perry 1353
1354
1355 __Syntax__
1356
1357
1358 acl ''name'' {''
1359 address_match_list''
1360 };
1361
1362
1363 __Definition and Usage__
1364
1365
1366 The acl statement creates a named address match list. It
1367 gets its name from a primary use of address match lists:
1368 Access Control Lists (ACLs).
1369
1370
1371 Note that an address match list's name must be defined with
1372 acl before it can be used elsewhere; no forward references
1373 are allowed.
1374
1375
1376 The following ACLs are built-in:
1377 any
1378
1379
1380 Allows all hosts. noneDenies all hosts. localhostAllows the IP addresses of all interfaces on the system. localnetsAllows any host on a network for which the system has aninterface.__THE KEY STATEMENT__
1381
1382
1383 __Syntax__
1384
1385
1386 key ''key_id'' {
1387 algorithm ''algorithm_id'';
1388 secret ''secret_string'';
1389 };
1390
1391
1392 __Definition and Usage__
1393
1394
1395 The key statement defines a key ID which can be used in a
1396 server statement to associate a method of authentication
1397 with a particular name server that is more rigorous than
1398 simple IP address matching. A key ID must be created with
1399 the key statement before it can be used in a server defini-
1400 tion or an address match list.
1401
1402
1403 The ''algorithm_id'' is a string that specifies a secu-
1404 rity/authentication algorithm. ''secret_string'' is the
1405 secret to be used by the algorithm, and is treated as a
1406 base-64 encoded string. It should go without saying, but
1407 probably can't, that if you have ''secret_string 's'' in
1408 your named.conf, then it should not be readable by
1409 anyone but the superuser.
1410 __THE TRUSTED-KEYS STATEMENT__
1411
1412
1413 __Syntax__
1414
1415
1416 trusted-keys {
1417 [[ ''domain_name flags protocol algorithm key''; ]
1418 };
1419
1420
1421 __Definition and Usage__
1422
1423
1424 The trusted-keys statement is for use with DNSSEC-style
1425 security, originally specified in RFC 2065. DNSSEC is meant
1426 to provide three distinct services: key distribution, data
1427 origin authentication, and transaction and request authenti-
1428 cation. A complete description of DNSSEC and its use is
1429 beyond the scope of this document, and readers interested in
1430 more information should start with RFC 2065 and then con-
1431 tinue with the Internet Drafts available at
1432 http://www.ietf.org/ids.by.wg/dnssec.html.
1433
1434
1435 Each trusted key is associated with a domain name. Its
1436 attributes are the non-negative integral ''flags'',
1437 ''protocol'', and ''algorithm'', as well as a base-64
1438 encoded string repre- senting the ''key''.
1439
1440
1441 Any number of trusted keys can be specified.
1442 __THE SERVER STATEMENT__
1443
1444
1445 __Syntax__
1446
1447
1448 server ''ip_addr'' {
1449 [[ bogus ''yes_or_no''; ]
1450 [[ support-ixfr ''yes_or_no''; ]
1451 [[ transfers ''number''; ]
1452 [[ transfer-format ( one-answer | many-answers ); ]
1453 [[ keys { ''key_id'' [[ ''key_id'' ... ] }; ]
1454 };
1455
1456
1457 __Definition and Usage__
1458
1459
1460 The server statement defines the characteristics to be asso-
1461 ciated with a remote name server.
1462
1463
1464 If you discover that a server is giving out bad data, mark-
1465 ing it as bogus will prevent further queries to it. The
1466 default value of bogus is no.
1467
1468
1469 If the server supports IXFR you can tell named to attempt to
1470 perform a IXFR style zone transfer by specifing support-ixfr
1471 yes. The default value of support-ixfr is
1472 no.
1473
1474
1475 The server supports two zone transfer methods. The first,
1476 one-answer, uses one DNS message per resource record trans-
1477 ferred. many-answers packs as many resource records as pos-
1478 sible into a message. many-answers is more efficient, but is
1479 only known to be understood by BIND 8.1 and patched ver-
1480 sions of BIND 4.9.5. You can specify which method to use for
1481 a server with the transfer-format option. If transfer-format
1482 is not specified, the transfer-format speci- fied by the
1483 options statement will be used.
1484
1485
1486 The transfers will be used in a future release of the server
1487 to limit the number of concurrent in-bound zone transfers
1488 from the specified server. It is checked for syntax but is
1489 otherwise ignored.
1490
1491
1492 The keys clause is used to identify a ''key_id'' defined
1493 by the key statement, to be used for transaction security
1494 when talking to the remote server. The key statememnt must
1495 come before the server statement that references
1496 it.
1497
1498
1499 The keys statement is intended for future use by the server.
1500 It is checked for syntax but is otherwise
1501 ignored.
1502 __THE CONTROLS STATEMENT__
1503
1504
1505 __Syntax__
1506
1507
1508 controls {
1509 [[ inet ''ip_addr''
1510 port ''ip_port''
1511 allow { ''address_match_list''; }; ]
1512 [[ unix ''path_name''
1513 perm ''number''
1514 owner ''number''
1515 group ''number''; ]
1516 };
1517
1518
1519 __Definition and Usage__
1520
1521
1522 The controls statement declares control channels to be used
1523 by system administrators to affect the operation of the
1524 local name server. These control channels are used by the
1525 ndc utility to send commands to and retrieve non-DNS results
1526 from a name server.
1527
1528
1529 A unix control channel is a FIFO in the file system, and
1530 access to it is controlled by normal file system permis-
1531 sions. It is created by named with the specified file mode
1532 bits (see chmod(1)), user and group owner. Note
1533 that, unlike chmod, the mode bits specified for perm will
1534 normally have a leading 0 so the number is
1535 interpreted as octal. Also note that the user and group
1536 ownership specified as owner and group must be given as
1537 numbers, not names. It is recommended that the permissions
1538 be restricted to adminis- trative personnel only, or else
1539 any user on the system might be able to manage the local
1540 name server.
1541
1542
1543 An inet control channel is a TCP/IP socket accessible to the
1544 Internet, created at the specified ''ip_port'' on the
1545 specified ''ip_addr''. Modern telnet clients are capable
1546 of speaking directly to these sockets, and the control
1547 protocol is ARPAnet-style text. It is recommended that
1548 127.0.0.1 be the only ''ip_addr'' used, and this only if
1549 you trust all non-privi- leged users on the local host to
1550 manage your name server.
1551 __THE INCLUDE STATEMENT__
1552
1553
1554 __Syntax__
1555
1556
1557 include ''path_name'';
1558
1559
1560 __Definition and Usage__
1561
1562
1563 The include statement inserts the specified file at the
1564 point that the include statement is encountered. It cannot
1565 be used within another statement, though, so a line such
1566 as
1567
1568
1569 acl internal_hosts { include internal_hosts.acl;
1570 };
1571
1572
1573 is not allowed.
1574
1575
1576 Use include to break the configuration up into easily-man-
1577 aged chunks. For example:
1578
1579
1580 include
1581 could be used at the top of a BIND configuration file in order to include any ACL or key information.
1582
1583
1584 Be careful not to type ``#include'', like you would in a C
1585 program, because ``#'' is used to start a
1586 comment.
1587 __EXAMPLES__
1588
1589
1590 The simplest configuration file that is still realistically
1591 useful is one which simply defines a hint zone that has a
1592 full path to the root servers file.
1593
1594
1595 zone
1596 Here's a more typical real-world example.
1597
1598
1599 /
1600 A simple BIND 8 configuration
1601 /
1602 logging {
1603 category lame-servers { null; };
1604 category cname { null; };
1605 };
1606 options {
1607 directory
1608 __FILES__
1609 /etc/bind/named.conf
1610
1611
1612 The BIND 8 named configuration file.
1613
1614
1615 __SEE ALSO__
1616
1617
2 perry 1618 named(8), ndc(8), !NamedNotes
1 perry 1619
1620
2 perry 1621 4th Berkeley !DistributionJanuary 7, 1999 1
1 perry 1622 ----
This page is a man page (or other imported legacy content). We are unable to automatically determine the license status of this page.