version 2, including all changes.
.
Rev |
Author |
# |
Line |
1 |
perry |
1 |
---- |
|
|
2 |
__NAME__ |
|
|
3 |
|
|
|
4 |
|
|
|
5 |
named.conf - configuration file for |
|
|
6 |
named(8) |
|
|
7 |
__OVERVIEW__ |
|
|
8 |
|
|
|
9 |
|
|
|
10 |
BIND 8 is much more configurable than previous release of |
|
|
11 |
BIND. There are entirely new areas of configuration, such as |
|
|
12 |
access control lists and categorized logging. Many options |
|
|
13 |
that previously applied to all zones can now be used |
|
|
14 |
selectively. These features, plus a consideration of future |
|
|
15 |
configuration needs led to the creation of a new configura- |
|
|
16 |
tion file format. |
|
|
17 |
|
|
|
18 |
|
|
|
19 |
__General Syntax__ |
|
|
20 |
|
|
|
21 |
|
|
|
22 |
A BIND 8 configuration consists of two general features, |
|
|
23 |
statements and comments. All statements end with a semi- |
|
|
24 |
colon. Many statements can contain substatements, which are |
|
|
25 |
each also terminated with a semicolon. |
|
|
26 |
|
|
|
27 |
|
|
|
28 |
The following statements are supported: |
|
|
29 |
logging |
|
|
30 |
|
|
|
31 |
|
|
|
32 |
specifies what the server logs, and where the log messagesare sent optionscontrols global server configuration options and setsdefaults for other statements zonedefines a zone acldefines a named IP address matching list, for access con-trol and other uses keyspecifies key information for use in authentication andauthorization trusted-keysdefines DNSSEC keys that are preconfigured into the serverand implicitly trusted serversets certain configuration options for individual remoteservers controlsdeclares control channels to be used by the ndc utility includeincludes another fileThe logging and options statements may only occur once perconfiguration, while the rest may appear numerous times.Further detail on each statement is provided in individualsections below.Comments may appear anywhere that whitespace may appear in aBIND configuration file. To appeal to programmers of allkinds, they can be written in C, C++, or shell/perl con-structs.C-style comments start with the two characters / (slash, star) and end with / (star, slash). Because they are com- pletely delimited with these characters, they can be used to comment only a portion of a line or to span multiple lines. |
|
|
33 |
|
|
|
34 |
|
|
|
35 |
C-style comments cannot be nested. For example, the follow- |
|
|
36 |
ing is not valid because the entire comment ends with the |
|
|
37 |
first /: |
|
|
38 |
|
|
|
39 |
|
|
|
40 |
/ This is the start of a comment. |
|
|
41 |
This is still part of the comment. |
|
|
42 |
/ This is an incorrect attempt at nesting a comment. / |
|
|
43 |
This is no longer in any comment. / |
|
|
44 |
C++-style comments start with the two characters // (slash, slash) and continue to the end of the physical line. They cannot be continued across multiple physical lines; to have one logical comment span multiple lines, each line must use the // pair. For example: |
|
|
45 |
|
|
|
46 |
|
|
|
47 |
// This is the start of a comment. The next line |
|
|
48 |
// is a new comment, even though it is logically |
|
|
49 |
// part of the previous comment. |
|
|
50 |
Shell-style (or perl-style, if you prefer) comments start with the character # (hash or pound or number or octothorpe or whatever) and continue to the end of the physical line, like C++ comments. For example: |
|
|
51 |
|
|
|
52 |
|
|
|
53 |
# This is the start of a comment. The next line |
|
|
54 |
# is a new comment, even though it is logically |
|
|
55 |
# part of the previous comment. |
|
|
56 |
''WARNING'': you cannot use the ; (semicolon) character to start a comment such as you would in a zone file. The semicolon indicates the end of a configuration statement, so whatever follows it will be interpreted as the start of the next statement. |
|
|
57 |
|
|
|
58 |
|
|
|
59 |
__Converting from BIND 4.9.x__ |
|
|
60 |
|
|
|
61 |
|
|
|
62 |
BIND 4.9.x configuration files can be converted to the new |
|
|
63 |
format by using src/bin/named/named-bootconf, a |
|
|
64 |
shell script that is part of the BIND 8.2.x source |
|
|
65 |
kit. |
|
|
66 |
__DOCUMENTATION DEFINITIONS__ |
|
|
67 |
|
|
|
68 |
|
|
|
69 |
Described below are elements used throughout the BIND con- |
|
|
70 |
figuration file documentation. Elements which are only |
|
|
71 |
associated with one statement are described only in the sec- |
|
|
72 |
tion describing that statement. |
|
|
73 |
'' acl_name'' |
|
|
74 |
|
|
|
75 |
|
|
|
76 |
The name of an ''address_match_list'' as defined by the aclstatement.'' address_match_list''A list of one or more '' ip_addr'', '' ip_prefix'', ''key_id'', or''acl_name'' elements, as described in the __ADDRESS MATCH LISTS__section.'' dotted-decimal''One or more integers valued 0 through 255 separated only bydots (``.''), such as 123, 45.67 or 89.123.45.67. |
|
|
77 |
|
|
|
78 |
|
|
|
79 |
''domain_name'' |
|
|
80 |
A quoted string which will be used as a DNS name, for exam- |
|
|
81 |
ple my.test.domain. |
|
|
82 |
|
|
|
83 |
|
|
|
84 |
''path_name'' |
|
|
85 |
A quoted string which will be used as a pathname, such as |
|
|
86 |
zones/master/my.test.domain. |
|
|
87 |
|
|
|
88 |
|
|
|
89 |
''ip_addr'' |
|
|
90 |
An IP address in with exactly four elements in |
|
|
91 |
''dotted-decimal'' notation. |
|
|
92 |
|
|
|
93 |
|
|
|
94 |
''ip_port'' |
|
|
95 |
An IP port ''number''. ''number is limited to'' |
|
|
96 |
0 through 65535, with values below 1024 |
|
|
97 |
typically restricted to root-owned processes. In some cases |
|
|
98 |
an asterisk (``'') character can be used as a placeholder to |
|
|
99 |
select a random high-numbered port. |
|
|
100 |
|
|
|
101 |
|
|
|
102 |
''ip_prefix'' |
|
|
103 |
An IP network specified in ''dotted-decimal'' form, |
|
|
104 |
followed by ``/'' and then the number of bits in the |
|
|
105 |
netmask. E.g. 127/8 is the network |
|
|
106 |
127.0.0.0 with netmask 255.0.0.0. |
|
|
107 |
1.2.3.0/28 is network 1.2.3.0 with netmask |
|
|
108 |
255.255.255.240. |
|
|
109 |
|
|
|
110 |
|
|
|
111 |
''key_name'' |
|
|
112 |
A string representing the name of a shared key, to be used |
|
|
113 |
for transaction security. |
|
|
114 |
|
|
|
115 |
|
|
|
116 |
''number'' |
|
|
117 |
A non-negative integer with an entire range limited by the |
|
|
118 |
range of a C language signed integer (2,147,483,647 on a |
|
|
119 |
machine with 32 bit integers). Its acceptable value might |
|
|
120 |
further be limited by the context in which it is |
|
|
121 |
used. |
|
|
122 |
|
|
|
123 |
|
|
|
124 |
''size_spec'' |
|
|
125 |
A ''number'', the word unlimited, or the word |
|
|
126 |
default. |
|
|
127 |
|
|
|
128 |
|
|
|
129 |
The maximum value of ''size_spec'' is that of unsigned |
|
|
130 |
long integers on the machine. unlimited requests |
|
|
131 |
unlimited use, or the maximum available amount. |
|
|
132 |
default uses the limit that was in force when the |
|
|
133 |
server was started. |
|
|
134 |
|
|
|
135 |
|
|
|
136 |
A ''number'' can optionally be followed by a scaling |
|
|
137 |
factor: K or k for kilobytes, M |
|
|
138 |
or m for megabytes, and G or g |
|
|
139 |
for gigabytes, which scale by 1024, 10241024, and |
|
|
140 |
102410241024 respectively. |
|
|
141 |
|
|
|
142 |
|
|
|
143 |
Integer storage overflow is currently silently ignored dur- |
|
|
144 |
ing conversion of scaled values, resulting in values less |
|
|
145 |
than intended, possibly even negative. Using |
|
|
146 |
unlimited is the best way to safely set a really |
|
|
147 |
large number. |
|
|
148 |
|
|
|
149 |
|
|
|
150 |
''yes_or_no'' |
|
|
151 |
Either yes or no. The words true |
|
|
152 |
and false are also accepted, as are the numbers |
|
|
153 |
1 and 0. |
|
|
154 |
|
|
|
155 |
|
|
|
156 |
__ADDRESS MATCH LISTS__ |
|
|
157 |
|
|
|
158 |
|
|
|
159 |
__Syntax__ |
|
|
160 |
|
|
|
161 |
|
|
|
162 |
''address_match_list'' = 1''address_match_element |
|
|
163 |
address_match_element'' = [[ ''address_match_list'' / |
|
|
164 |
'' ip_address'' / ''ip_prefix'' / |
|
|
165 |
'' acl_name'' / ''key_id'' ) |
|
|
166 |
'' |
|
|
167 |
|
|
|
168 |
|
|
|
169 |
__Definition and Usage__ |
|
|
170 |
|
|
|
171 |
|
|
|
172 |
Address match lists are primarily used to determine access |
|
|
173 |
control for various server operations. They are also used to |
|
|
174 |
define priorities for querying other nameservers and to set |
|
|
175 |
the addresses on which named will listen for queries. The |
|
|
176 |
elements which constitute an address match list can be any |
|
|
177 |
of the following: |
|
|
178 |
an ''ip-address'' (in ''dotted-decimal'' notation, |
|
|
179 |
|
|
|
180 |
|
|
|
181 |
an ''ip-prefix'' (in the '/'-notation),A ''key_id'', as defined by the key statement,the name of an address match list previously defined withthe acl statement, oranother ''address_match_list''.Elements can be negated with a leading exclamation mark(``!''), and the match list names any, none, localhost and localnets are predefined. More information on those names can be found in the description of the acl statement. |
|
|
182 |
|
|
|
183 |
|
|
|
184 |
The addition of the key clause made the name of this syntac- |
|
|
185 |
tic element something of a misnomer, since security keys can |
|
|
186 |
be used to validate access without regard to a host or net- |
|
|
187 |
work address. Nonetheless, the term ``address match list'' |
|
|
188 |
is still used throughout the documentation. |
|
|
189 |
|
|
|
190 |
|
|
|
191 |
When a given IP address or prefix is compared to an address |
|
|
192 |
match list, the list is traversed in order until an element |
|
|
193 |
matches. The interpretation of a match depends on whether |
|
|
194 |
the list is being used for access control, defining |
|
|
195 |
listen-on ports, or as a topology, and whether the element |
|
|
196 |
was negated. |
|
|
197 |
|
|
|
198 |
|
|
|
199 |
When used as an access control list, a non-negated match |
|
|
200 |
allows access and a negated match denies access. If there is |
|
|
201 |
no match at all in the list, access is denied. The clauses |
|
|
202 |
allow-query, allow-transfer, allow-update, allow-recursion, |
|
|
203 |
and blackhole all use address match lists like this. |
|
|
204 |
Similarly, the listen-on option will cause the server to not |
|
|
205 |
accept queries on any of the machine's addresses which do |
|
|
206 |
not match the list. |
|
|
207 |
|
|
|
208 |
|
|
|
209 |
When used with the topology option, a non-negated match |
|
|
210 |
returns a distance based on its position on the list (the |
|
|
211 |
closer the match is to the start of the list, the shorter |
|
|
212 |
the distance is between it and the server). A negated match |
|
|
213 |
will be assigned the maximum distance from the server. If |
|
|
214 |
there is no match, the address will get a distance which is |
|
|
215 |
further than any non-negated list element, and closer than |
|
|
216 |
any negated element. |
|
|
217 |
|
|
|
218 |
|
|
|
219 |
Because of the first-match aspect of the algorithm, an ele- |
|
|
220 |
ment that defines a subset of another element in the list |
|
|
221 |
should come before the broader element, regardless of |
|
|
222 |
whether either is negated. For example, in 1.2.3/24; |
|
|
223 |
!1.2.3.13 the 1.2.3.13 element is completely useless, |
|
|
224 |
because the algorithm will match any lookup for 1.2.3.13 to |
|
|
225 |
the 1.2.3/24 element. Using !1.2.3.13; 1.2.3/24 |
|
|
226 |
fixes that problem by having 1.2.3.13 blocked by the nega- |
|
|
227 |
tion but all other 1.2.3. hosts fall through. |
|
|
228 |
|
|
|
229 |
|
|
|
230 |
__THE LOGGING STATEMENT__ |
|
|
231 |
|
|
|
232 |
|
|
|
233 |
__Syntax__ |
|
|
234 |
|
|
|
235 |
|
|
|
236 |
logging { |
|
|
237 |
[[ channel ''channel_name'' { |
|
|
238 |
( file ''path_name'' |
|
|
239 |
[[ versions ( ''number'' | unlimited ) ] |
|
|
240 |
[[ size ''size_spec'' ] |
|
|
241 |
| syslog ( kern | user | mail | daemon | auth | syslog | lpr | |
|
|
242 |
news | uucp | cron | authpriv | ftp | |
|
|
243 |
local0 | local1 | local2 | local3 | |
|
|
244 |
local4 | local5 | local6 | local7 ) |
|
|
245 |
| null ); |
|
|
246 |
|
|
|
247 |
|
|
|
248 |
[[ severity ( critical | error | warning | notice | |
|
|
249 |
info | debug [[ ''level'' ] | dynamic ); ] |
|
|
250 |
[[ print-category ''yes_or_no''; ] |
|
|
251 |
[[ print-severity ''yes_or_no''; ] |
|
|
252 |
[[ print-time ''yes_or_no''; ] |
|
|
253 |
}; ] |
|
|
254 |
|
|
|
255 |
|
|
|
256 |
[[ category ''category_name'' {'' |
|
|
257 |
channel_name''; [[ ''channel_name''; ... ] |
|
|
258 |
}; ] |
|
|
259 |
... |
|
|
260 |
}; |
|
|
261 |
|
|
|
262 |
|
|
|
263 |
__Definition and Usage__ |
|
|
264 |
|
|
|
265 |
|
|
|
266 |
The logging statement configures a wide variety of logging |
|
|
267 |
options for the nameserver. Its channel phrase associates |
|
|
268 |
output methods, format options and severity levels with a |
|
|
269 |
name that can then be used with the category phrase to |
|
|
270 |
select how various classes of messages are |
|
|
271 |
logged. |
|
|
272 |
|
|
|
273 |
|
|
|
274 |
Only one logging statement is used to define as many chan- |
|
|
275 |
nels and categories as are wanted. If there are multiple |
|
|
276 |
logging statements in a configuration, the first defined |
|
|
277 |
determines the logging, and warnings are issued for the oth- |
|
|
278 |
ers. If there is no logging statement, the logging configu- |
|
|
279 |
ration will be: |
|
|
280 |
|
|
|
281 |
|
|
|
282 |
logging { |
|
|
283 |
category default { default_syslog; default_debug; }; |
|
|
284 |
category panic { default_syslog; default_stderr; }; |
|
|
285 |
category packet { default_debug; }; |
|
|
286 |
category eventlib { default_debug; }; |
|
|
287 |
}; |
|
|
288 |
The logging configuration is established as soon as the logging statement is parsed. If you want to redirect mes- sages about processing of the entire configuration file, the logging statement must appear first. Even if you do not redirect configuration file parsing messages, we recommend always putting the logging statement first so that this rule need not be consciously recalled if you ever do need want the parser's messages relocated. |
|
|
289 |
|
|
|
290 |
|
|
|
291 |
__The channel phrase__ |
|
|
292 |
|
|
|
293 |
|
|
|
294 |
All log output goes to one or more ``channels''; you can |
|
|
295 |
make as many of them as you want. |
|
|
296 |
|
|
|
297 |
|
|
|
298 |
Every channel definition must include a clause that says |
|
|
299 |
whether messages selected for the channel go to a file, to a |
|
|
300 |
particular syslog facility, or are discarded. It can |
|
|
301 |
optionally also limit the message severity level that will |
|
|
302 |
be accepted by the channel (default is info), and |
|
|
303 |
whether to include a time stamp generated by named, the |
|
|
304 |
category name, or severity level. The default is not to |
|
|
305 |
include any of those three. |
|
|
306 |
|
|
|
307 |
|
|
|
308 |
The word null as the destination option for the |
|
|
309 |
channel will cause all messages sent to it to be discarded; |
|
|
310 |
other options for the channel are meaningless. |
|
|
311 |
|
|
|
312 |
|
|
|
313 |
The file clause can include limitations both on how large |
|
|
314 |
the file is allowed to become, and how many versions of the |
|
|
315 |
file will be saved each time the file is |
|
|
316 |
opened. |
|
|
317 |
|
|
|
318 |
|
|
|
319 |
The size option for files is simply a hard ceiling on log |
|
|
320 |
growth. If the file ever exceeds the size, then named will |
|
|
321 |
just not write anything more to it until the file is |
|
|
322 |
reopened; exceeding the size does not automatically trigger |
|
|
323 |
a reopen. The default behavior is to not limit the size of |
|
|
324 |
the file. |
|
|
325 |
|
|
|
326 |
|
|
|
327 |
If you use the version logfile option, then named will |
|
|
328 |
retain that many backup versions of the file by renaming |
|
|
329 |
them when opening. For example, if you choose to keep 3 old |
|
|
330 |
versions of the file lamers.log then just before it is |
|
|
331 |
opened lamers.log.1 is renamed to lames.log.2, lamers.log.0 |
|
|
332 |
is renamed to lamers.log.1, and lamers.log is renamed to |
|
|
333 |
lamers.log.0. No rolled versions are kept by default; any |
|
|
334 |
existing log file is simply appended. The unlimited |
|
|
335 |
keyword is synonymous with 99 in current BIND |
|
|
336 |
releases. Example usage of size and versions |
|
|
337 |
options: |
|
|
338 |
|
|
|
339 |
|
|
|
340 |
channel an_example_level { |
|
|
341 |
file |
|
|
342 |
The argument for the syslog clause is a syslog facility as described in the syslog(3) manual page. How syslogd will handle messages sent to this facility is described in the syslog.conf(5) manual page. If you have a system which uses a very old version of syslog that only uses two arguments to the openlog() function, then this clause is silently ignored. |
|
|
343 |
|
|
|
344 |
|
|
|
345 |
The severity clause works like syslog's ``priorities'', |
|
|
346 |
except that they can also be used if you are writing |
|
|
347 |
straight to a file rather than using syslog. Messages which |
|
|
348 |
are not at least of the severity level given will not be |
|
|
349 |
selected for the channel; messages of higher severity levels |
|
|
350 |
will be accepted. |
|
|
351 |
|
|
|
352 |
|
|
|
353 |
If you are using syslog, then the syslog.conf |
|
|
354 |
priorities will also determine what eventually passes |
|
|
355 |
through. For example, defining a channel facility and |
|
|
356 |
severity as daemon and debug but only |
|
|
357 |
logging daemon.warning via syslog.conf |
|
|
358 |
will cause messages of severity info and |
|
|
359 |
notice to be dropped. If the situation were |
|
|
360 |
reversed, with named writing messages of only |
|
|
361 |
warning or higher, then syslogd would print all |
|
|
362 |
messages it received from the channel. |
|
|
363 |
|
|
|
364 |
|
|
|
365 |
The server can supply extensive debugging information when |
|
|
366 |
it is in debugging mode. If the server's global debug level |
|
|
367 |
is greater than zero, then debugging mode will be active. |
|
|
368 |
The global debug level is set either by starting the named |
|
|
369 |
server with the -d flag followed by a positive integer, or |
|
|
370 |
by sending the running server the SIGUSR1 signal |
|
|
371 |
(for exam- ple, by using ndc trace). The global debug level |
|
|
372 |
can be set to zero, and debugging mode turned off, by |
|
|
373 |
sending the server the SIGUSR2 signal (as with ndc |
|
|
374 |
notrace). All debug- ging messages in the server have a |
|
|
375 |
debug level, and higher debug levels give more more detailed |
|
|
376 |
output. Channels that specify a specific debug severity, |
|
|
377 |
e.g. |
|
|
378 |
|
|
|
379 |
|
|
|
380 |
channel specific_debug_level { |
|
|
381 |
file |
|
|
382 |
will get debugging output of level 3 or less any time the server is in debugging mode, regardless of the global debug- ging level. Channels with dynamic severity use the server's global level to determine what messages to print. |
|
|
383 |
|
|
|
384 |
|
|
|
385 |
If print-time has been turned on, then the date and time |
|
|
386 |
will be logged. print-time may be specified for a syslog |
|
|
387 |
channel, but is usually pointless since syslog also prints |
|
|
388 |
the date and time. If print-category is requested, then the |
|
|
389 |
category of the message will be logged as well. Finally, if |
|
|
390 |
print-severity is on, then the severity level of the message |
|
|
391 |
will be logged. The print- options may be used in any com- |
|
|
392 |
bination, and will always be printed in the following order: |
|
|
393 |
time, category, severity. Here is an example where all three |
|
|
394 |
print- options are on: |
|
|
395 |
|
|
|
396 |
|
|
|
397 |
28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries. |
|
|
398 |
There are four predefined channels that are used for named 's default logging as follows. How they are used used is described in the next section, __The category phrase__. |
|
|
399 |
|
|
|
400 |
|
|
|
401 |
channel default_syslog { |
|
|
402 |
syslog daemon; # send to syslog's daemon facility |
|
|
403 |
severity info; # only send priority info and higher |
|
|
404 |
}; |
|
|
405 |
channel default_debug { |
|
|
406 |
file |
|
|
407 |
Once a channel is defined, it cannot be redefined. Thus you cannot alter the built-in channels directly, but you can modify the default logging by pointing categories at chan- nels you have defined. |
|
|
408 |
|
|
|
409 |
|
|
|
410 |
__The category phrase__ |
|
|
411 |
|
|
|
412 |
|
|
|
413 |
There are many categories, so you can send the logs you want |
|
|
414 |
to see wherever you want, without seeing logs you don't |
|
|
415 |
want. If you don't specify a list of channels for a cate- |
|
|
416 |
gory, then log messages in that category will be sent to the |
|
|
417 |
default category instead. If you don't specify a |
|
|
418 |
default category, the following ``default default'' is |
|
|
419 |
used: |
|
|
420 |
|
|
|
421 |
|
|
|
422 |
category default { default_syslog; default_debug; }; |
|
|
423 |
As an example, let's say you want to log security events to a file, but you also want keep the default logging behavior. You'd specify the following: |
|
|
424 |
|
|
|
425 |
|
|
|
426 |
channel my_security_channel { |
|
|
427 |
file |
|
|
428 |
To discard all messages in a category, specify the null channel: |
|
|
429 |
|
|
|
430 |
|
|
|
431 |
category lame-servers { null; }; |
|
|
432 |
category cname { null; }; |
|
|
433 |
The following categories are available: |
|
|
434 |
default |
|
|
435 |
|
|
|
436 |
|
|
|
437 |
The catch-all. Many things still aren't classified intocategories, and they all end up here. Also, if you don'tspecify any channels for a category, the default categoryis used instead. If you do not define the default cate-gory, the following definition is used:category default { default_syslog; default_debug; };config |
|
|
438 |
High-level configuration file processing. |
|
|
439 |
|
|
|
440 |
|
|
|
441 |
parser |
|
|
442 |
Low-level configuration file processing. |
|
|
443 |
|
|
|
444 |
|
|
|
445 |
queries |
|
|
446 |
A short log message is generated for every query the server |
|
|
447 |
receives. |
|
|
448 |
|
|
|
449 |
|
|
|
450 |
lame-servers |
|
|
451 |
Messages like ``Lame server on ...'' |
|
|
452 |
|
|
|
453 |
|
|
|
454 |
statistics |
|
|
455 |
Statistics. |
|
|
456 |
|
|
|
457 |
|
|
|
458 |
panic |
|
|
459 |
If the server has to shut itself down due to an internal |
|
|
460 |
problem, it will log the problem in this category as well as |
|
|
461 |
in the problem's native category. If you do not define the |
|
|
462 |
panic category, the following definition is used: |
|
|
463 |
category panic { default_syslog; default_stderr; |
|
|
464 |
}; |
|
|
465 |
|
|
|
466 |
|
|
|
467 |
update |
|
|
468 |
Dynamic updates. |
|
|
469 |
|
|
|
470 |
|
|
|
471 |
ncache |
|
|
472 |
Negative caching. |
|
|
473 |
|
|
|
474 |
|
|
|
475 |
xfer-in |
|
|
476 |
Zone transfers the server is receiving. |
|
|
477 |
|
|
|
478 |
|
|
|
479 |
xfer-out |
|
|
480 |
Zone transfers the server is sending. |
|
|
481 |
|
|
|
482 |
|
|
|
483 |
db |
|
|
484 |
All database operations. |
|
|
485 |
|
|
|
486 |
|
|
|
487 |
eventlib |
|
|
488 |
Debugging info from the event system. Only one channel may |
|
|
489 |
be specified for this category, and it must be a file chan- |
|
|
490 |
nel. If you do not define the eventlib category, the fol- |
|
|
491 |
lowing definition is used: category eventlib { |
|
|
492 |
default_debug; }; |
|
|
493 |
|
|
|
494 |
|
|
|
495 |
packet |
|
|
496 |
Dumps of packets received and sent. Only one channel may be |
|
|
497 |
specified for this category, and it must be a file chan- |
|
|
498 |
nel. If you do not define the packet category, the follow- |
|
|
499 |
ing definition is used: category packet { default_debug; |
|
|
500 |
}; |
|
|
501 |
|
|
|
502 |
|
|
|
503 |
notify |
|
|
504 |
The NOTIFY protocol. |
|
|
505 |
|
|
|
506 |
|
|
|
507 |
cname |
|
|
508 |
Messages like ``... points to a CNAME''. |
|
|
509 |
|
|
|
510 |
|
|
|
511 |
security |
|
|
512 |
Approved/unapproved requests. |
|
|
513 |
|
|
|
514 |
|
|
|
515 |
os |
|
|
516 |
Operating system problems. |
|
|
517 |
|
|
|
518 |
|
|
|
519 |
insist |
|
|
520 |
Internal consistency check failures. |
|
|
521 |
|
|
|
522 |
|
|
|
523 |
maintenance |
|
|
524 |
Periodic maintenance events. |
|
|
525 |
|
|
|
526 |
|
|
|
527 |
load |
|
|
528 |
Zone loading messages. |
|
|
529 |
|
|
|
530 |
|
|
|
531 |
response-checks |
|
|
532 |
Messages arising from response checking, such as ``Mal- |
|
|
533 |
formed response ...'', ``wrong ans. name ...'', ``unrelated |
|
|
534 |
additional info ...'', ``invalid RR type ...'', and ``bad |
|
|
535 |
referral ...''. |
|
|
536 |
|
|
|
537 |
|
|
|
538 |
__THE OPTIONS STATEMENT__ |
|
|
539 |
|
|
|
540 |
|
|
|
541 |
__Syntax__ |
|
|
542 |
|
|
|
543 |
|
|
|
544 |
options { |
|
|
545 |
[[ hostname ''hostname_string''; ] |
|
|
546 |
[[ version ''version_string''; ] |
|
|
547 |
[[ directory ''path_name''; ] |
|
|
548 |
[[ named-xfer ''path_name''; ] |
|
|
549 |
[[ dump-file ''path_name''; ] |
|
|
550 |
[[ memstatistics-file ''path_name''; ] |
|
|
551 |
[[ pid-file ''path_name''; ] |
|
|
552 |
[[ statistics-file ''path_name''; ] |
|
|
553 |
[[ auth-nxdomain ''yes_or_no''; ] |
|
|
554 |
[[ deallocate-on-exit ''yes_or_no''; ] |
|
|
555 |
[[ dialup ''yes_or_no''; ] |
|
|
556 |
[[ fake-iquery ''yes_or_no''; ] |
|
|
557 |
[[ fetch-glue ''yes_or_no''; ] |
|
|
558 |
[[ has-old-clients ''yes_or_no''; ] |
|
|
559 |
[[ host-statistics ''yes_or_no''; ] |
|
|
560 |
[[ host-statistics-max ''number''; ] |
|
|
561 |
[[ multiple-cnames ''yes_or_no''; ] |
|
|
562 |
[[ notify ''yes_or_no''; ] |
|
|
563 |
[[ suppress-initial-notify ''yes_or_no''; ] |
|
|
564 |
[[ recursion ''yes_or_no''; ] |
|
|
565 |
[[ rfc2308-type1 ''yes_or_no''; ] |
|
|
566 |
[[ use-id-pool ''yes_or_no''; ] |
|
|
567 |
[[ treat-cr-as-space ''yes_or_no''; ] |
|
|
568 |
[[ also-notify ''yes_or_no''; ] |
|
|
569 |
[[ forward ( only | first ); ] |
|
|
570 |
[[ forwarders { [[ ''in_addr'' ; [[ ''in_addr'' ; ... ] ] }; ] |
|
|
571 |
[[ check-names ( master | slave | response ) ( warn | fail | ignore); ] |
|
|
572 |
[[ allow-query { ''address_match_list'' }; ] |
|
|
573 |
[[ allow-recursion { ''address_match_list'' }; ] |
|
|
574 |
[[ allow-transfer { ''address_match_list'' }; ] |
|
|
575 |
[[ blackhole { ''address_match_list'' }; ] |
|
|
576 |
[[ listen-on [[ port ''ip_port'' ] { ''address_match_list'' }; ] |
|
|
577 |
[[ query-source [[ address ( ''ip_addr'' | ) ] |
|
|
578 |
[[ port ( ''ip_port'' | ) ] ; ] |
|
|
579 |
[[ lame-ttl ''number''; ] |
|
|
580 |
[[ max-transfer-time-in ''number''; ] |
|
|
581 |
[[ max-ncache-ttl ''number''; ] |
|
|
582 |
[[ min-roots ''number''; ] |
|
|
583 |
[[ serial-queries ''number''; ] |
|
|
584 |
[[ transfer-format ( one-answer | many-answers ); ] |
|
|
585 |
[[ transfers-in ''number''; ] |
|
|
586 |
[[ transfers-out ''number''; ] |
|
|
587 |
[[ transfers-per-ns ''number''; ] |
|
|
588 |
[[ transfer-source ''ip_addr''; ] |
|
|
589 |
[[ maintain-ixfr-base ''yes_or_no''; ] |
|
|
590 |
[[ max-ixfr-log-size ''number''; ] |
|
|
591 |
[[ coresize ''size_spec'' ; ] |
|
|
592 |
[[ datasize ''size_spec'' ; ] |
|
|
593 |
[[ files ''size_spec'' ; ] |
|
|
594 |
[[ stacksize ''size_spec'' ; ] |
|
|
595 |
[[ cleaning-interval ''number''; ] |
|
|
596 |
[[ heartbeat-interval ''number''; ] |
|
|
597 |
[[ interface-interval ''number''; ] |
|
|
598 |
[[ statistics-interval ''number''; ] |
|
|
599 |
[[ topology { ''address_match_list'' }; ] |
|
|
600 |
[[ sortlist { ''address_match_list'' }; ] |
|
|
601 |
[[ rrset-order { ''order_spec'' ; [[ ''order_spec'' ; ... ] }; ] |
|
|
602 |
[[ preferred-glue ( A | AAAA ); ] |
|
|
603 |
}; |
|
|
604 |
|
|
|
605 |
|
|
|
606 |
__Definition and Usage__ |
|
|
607 |
|
|
|
608 |
|
|
|
609 |
The options statement sets up global options to be used by |
|
|
610 |
BIND. This statement may appear at only once in a configura- |
|
|
611 |
tion file; if more than one occurrence is found, the first |
|
|
612 |
occurrence determines the actual options used, and a warning |
|
|
613 |
will be generated. If there is no options statement, an |
|
|
614 |
options block with each option set to its default will be |
|
|
615 |
used. |
|
|
616 |
|
|
|
617 |
|
|
|
618 |
__Server Information__ |
|
|
619 |
hostname |
|
|
620 |
|
|
|
621 |
|
|
|
622 |
This defaults to the hostname of the machine hosting thenameserver as found by gethostname(). Its prime purpose isto be able to identify which of a number of anycast serversis actually answering your queries by sending a txt queryfor hostname.bind in class chaos to the anycast server and geting back a unique name. Setting the hostname to a empty string ( |
|
|
623 |
|
|
|
624 |
|
|
|
625 |
version |
|
|
626 |
The version the server should report via the ndc command or |
|
|
627 |
via a query of name version.bind in class chaos. |
|
|
628 |
The default is the real version number of ths server, but |
|
|
629 |
some server operators prefer the string ( surely you must be |
|
|
630 |
joking ). |
|
|
631 |
|
|
|
632 |
|
|
|
633 |
__Pathnames__ |
|
|
634 |
|
|
|
635 |
|
|
|
636 |
directory |
|
|
637 |
The working directory of the server. Any non-absolute |
|
|
638 |
pathnames in the configuration file will be taken as rela- |
|
|
639 |
tive to this directory. The default location for most server |
|
|
640 |
output files (e.g. named.run) is this directory. If |
|
|
641 |
a directory is not specified, the working directory defaults |
|
|
642 |
to ., the directory from which the server was |
|
|
643 |
started. The directory specified should be an absolute |
|
|
644 |
path. |
|
|
645 |
|
|
|
646 |
|
|
|
647 |
named-xfer |
|
|
648 |
The pathname to the named-xfer program that the server uses |
|
|
649 |
for inbound zone transfers. If not specified, the default is |
|
|
650 |
system dependent (e.g. /usr/sbin/named-xfer |
|
|
651 |
). |
|
|
652 |
|
|
|
653 |
|
|
|
654 |
dump-file |
|
|
655 |
The pathname of the file the server dumps the database to |
|
|
656 |
when it receives SIGINT signal (as sent by ndc |
|
|
657 |
dumpdb ). If not specified, the default is |
|
|
658 |
named_dump.db. |
|
|
659 |
|
|
|
660 |
|
|
|
661 |
memstatistics-file |
|
|
662 |
The pathname of the file the server writes memory usage |
|
|
663 |
statistics to on exit, if deallocate-on-exit is |
|
|
664 |
yes. If not specified, the default is |
|
|
665 |
named.memstats. |
|
|
666 |
|
|
|
667 |
|
|
|
668 |
pid-file |
|
|
669 |
The pathname of the file the server writes its process ID |
|
|
670 |
in. If not specified, the default is operating system |
|
|
671 |
dependent, but is usually /var/run/named.pid or |
|
|
672 |
/etc/named.pid. The pid-file is used by programs |
|
|
673 |
like ndc that want to send signals to the running |
|
|
674 |
nameserver. |
|
|
675 |
|
|
|
676 |
|
|
|
677 |
statistics-file |
|
|
678 |
The pathname of the file the server appends statistics to |
|
|
679 |
when it receives SIGILL signal (from ndc stats). If |
|
|
680 |
not specified, the default is |
|
|
681 |
named.stats. |
|
|
682 |
|
|
|
683 |
|
|
|
684 |
__Boolean Options__ |
|
|
685 |
|
|
|
686 |
|
|
|
687 |
auth-nxdomain |
|
|
688 |
If yes, then the AA bit is always set on |
|
|
689 |
NXDOMAIN responses, even if the server is not |
|
|
690 |
actually authorita- tive. The default is yes. Do |
|
|
691 |
not turn off auth-nxdomain unless you are sure you know what |
|
|
692 |
you are doing, as some older software won't like |
|
|
693 |
it. |
|
|
694 |
|
|
|
695 |
|
|
|
696 |
deallocate-on-exit |
|
|
697 |
If yes, then when the server exits it will |
|
|
698 |
painstakingly deallocate every object it allocated, and then |
|
|
699 |
write a mem- ory usage report to the memstatistics-file. The |
|
|
700 |
default is no, because it is faster to let the |
|
|
701 |
operating system clean up. deallocate-on-exit is handy for |
|
|
702 |
detecting memory leaks. |
|
|
703 |
|
|
|
704 |
|
|
|
705 |
dialup |
|
|
706 |
If yes, then the server treats all zones as if they |
|
|
707 |
are doing zone transfers across a dial on demand dialup |
|
|
708 |
link, which can be brought up by traffic originating from |
|
|
709 |
this server. This has different effects according to zone |
|
|
710 |
type and concentrates the zone maintenance so that it all |
|
|
711 |
hap- pens in a short interval, once every heartbeat-interval |
|
|
712 |
and hopefully during the one call. It also suppresses some |
|
|
713 |
of the normal zone maintenance traffic. The default is |
|
|
714 |
no. The dialup option may also be specified in the |
|
|
715 |
zone state- ment, in which case it overrides the options |
|
|
716 |
dialup state- ment. |
|
|
717 |
|
|
|
718 |
|
|
|
719 |
If the zone is a master then the server will send out |
|
|
720 |
NOTIFY request to all the slaves. This will trigger |
|
|
721 |
the zone up to date checking in the slave (providing it sup- |
|
|
722 |
ports NOTIFY) allowing the slave to verify the zone |
|
|
723 |
while the call us up. |
|
|
724 |
|
|
|
725 |
|
|
|
726 |
If the zone is a slave or stub then the server will sup- |
|
|
727 |
press the zone regular zone up to date queries and only |
|
|
728 |
perform the when the heartbeat-interval |
|
|
729 |
expires. |
|
|
730 |
|
|
|
731 |
|
|
|
732 |
fake-iquery |
|
|
733 |
If yes, the server will simulate the obsolete DNS |
|
|
734 |
query type IQUERY. The default is |
|
|
735 |
no. |
|
|
736 |
|
|
|
737 |
|
|
|
738 |
fetch-glue |
|
|
739 |
If yes (the default), the server will fetch |
|
|
740 |
``glue'' resource records it doesn't have when constructing |
|
|
741 |
the additional data section of a response. fetch-glue no can |
|
|
742 |
be used in conjunction with recursion no to prevent the |
|
|
743 |
server's cache from growing or becoming corrupted (at the |
|
|
744 |
cost of requiring more work from the client). |
|
|
745 |
|
|
|
746 |
|
|
|
747 |
has-old-clients |
|
|
748 |
Setting the option to yes, is equivalent to setting |
|
|
749 |
the following three options: auth-nxdomain yes;, |
|
|
750 |
maintain-ixfr-base yes;, and rfc2308-type1 no; |
|
|
751 |
|
|
|
752 |
|
|
|
753 |
The use of has-old-clients with auth-nxdomain, |
|
|
754 |
maintain-ixfr-base, and rfc2308-type1 is order |
|
|
755 |
dependant. |
|
|
756 |
|
|
|
757 |
|
|
|
758 |
host-statistics |
|
|
759 |
If yes, then statistics are kept for every host |
|
|
760 |
that the the nameserver interacts with. The default is |
|
|
761 |
no. ''Note'': turning on host-statistics can |
|
|
762 |
consume huge amounts of mem- ory. |
|
|
763 |
|
|
|
764 |
|
|
|
765 |
maintain-ixfr-base |
|
|
766 |
If yes, a IXFR database file is kept for all |
|
|
767 |
dynamicaly updated zones. This enables the server to answer |
|
|
768 |
IXFR queries which can speed up zone transfers enormously. |
|
|
769 |
The default is no. |
|
|
770 |
|
|
|
771 |
|
|
|
772 |
multiple-cnames |
|
|
773 |
If yes, then multiple CNAME resource records will |
|
|
774 |
be allowed for a domain name. The default is no. |
|
|
775 |
Allowing multiple CNAME records is against standards and is |
|
|
776 |
not rec- ommended. Multiple CNAME support is available |
|
|
777 |
because pre- vious versions of BIND allowed multiple CNAME |
|
|
778 |
records, and these records have been used for load balancing |
|
|
779 |
by a number of sites. |
|
|
780 |
|
|
|
781 |
|
|
|
782 |
notify |
|
|
783 |
If yes (the default), DNS NOTIFY messages are sent |
|
|
784 |
when a zone the server is authoritative for changes. The use |
|
|
785 |
of NOTIFY speeds convergence between the master and its |
|
|
786 |
slaves. Slave servers that receive a NOTIFY message and |
|
|
787 |
understand it will contact the master server for the zone |
|
|
788 |
and see if they need to do a zone transfer, and if they do, |
|
|
789 |
they will initiate it immediately. The notify option may |
|
|
790 |
also be specified in the zone statement, in which case it |
|
|
791 |
overrides the options notify statement. |
|
|
792 |
|
|
|
793 |
|
|
|
794 |
suppress-initial-notify |
|
|
795 |
If yes, suppress the initial notify messages when |
|
|
796 |
the server first loads. The default is |
|
|
797 |
no. |
|
|
798 |
|
|
|
799 |
|
|
|
800 |
recursion |
|
|
801 |
If yes, and a DNS query requests recursion, then |
|
|
802 |
the server will attempt to do all the work required to |
|
|
803 |
answer the query. If recursion is not on, the server will |
|
|
804 |
return a referral to the client if it doesn't know the |
|
|
805 |
answer. The default is yes. See also fetch-glue |
|
|
806 |
above. |
|
|
807 |
|
|
|
808 |
|
|
|
809 |
rfc2308-type1 |
|
|
810 |
If yes, the server will send NS records along with |
|
|
811 |
the SOA record for negative answers. You need to set this to |
|
|
812 |
no if you have an old BIND server using you as a forwarder |
|
|
813 |
that does not understand negative answers which contain both |
|
|
814 |
SOA and NS records or you have an old version of sendmail. |
|
|
815 |
The correct fix is to upgrade the broken server or sendmail. |
|
|
816 |
The default is no. |
|
|
817 |
|
|
|
818 |
|
|
|
819 |
use-id-pool |
|
|
820 |
If yes, the server will keep track of its own |
|
|
821 |
outstanding query ID's to avoid duplication and increase |
|
|
822 |
randomness. This will result in 128KB more memory being |
|
|
823 |
consumed by the server. The default is |
|
|
824 |
no. |
|
|
825 |
|
|
|
826 |
|
|
|
827 |
treat-cr-as-space |
|
|
828 |
If yes, the server will treat CR characters the |
|
|
829 |
same way it treats a space or tab. This may be necessary |
|
|
830 |
when loading zone files on a UNIX system that were generated |
|
|
831 |
on an NT or DOS machine. The default is |
|
|
832 |
no. |
|
|
833 |
|
|
|
834 |
|
|
|
835 |
__Also-Notify__ |
|
|
836 |
also-notify |
|
|
837 |
|
|
|
838 |
|
|
|
839 |
Defines a global list of IP addresses that also get sent |
|
|
840 |
NOTIFY messages whenever a fresh copy of the zone is loaded. |
|
|
841 |
This helps to ensure that copies of the zones will quickly |
|
|
842 |
converge on ``stealth'' servers. If an also-notify list is |
|
|
843 |
given in a zone statement, it will override the options |
|
|
844 |
also-notify statement. When a zone notify statement is set |
|
|
845 |
to no, the IP addresses in the global also-notify list will |
|
|
846 |
not get sent NOTIFY messages for that zone. The default is |
|
|
847 |
the empty list (no global notification list). |
|
|
848 |
|
|
|
849 |
|
|
|
850 |
__Forwarding__ |
|
|
851 |
The forwarding facility can be used to create a large |
|
|
852 |
site-wide cache on a few servers, reducing traffic over |
|
|
853 |
links to external nameservers. It can also be used to allow |
|
|
854 |
queries by servers that do not have direct access to the |
|
|
855 |
Internet, but wish to look up exterior names anyway. For- |
|
|
856 |
warding occurs only on those queries for which the server is |
|
|
857 |
not authoritative and does not have the answer in its |
|
|
858 |
cache. |
|
|
859 |
|
|
|
860 |
|
|
|
861 |
forward |
|
|
862 |
This option is only meaningful if the forwarders list is not |
|
|
863 |
empty. A value of first, the default, causes the |
|
|
864 |
server to query the forwarders first, and if that doesn't |
|
|
865 |
answer the question the server will then look for the answer |
|
|
866 |
itself. If only is specified, the server will only |
|
|
867 |
query the forwarders. |
|
|
868 |
|
|
|
869 |
|
|
|
870 |
forwarders |
|
|
871 |
Specifies the IP addresses to be used for forwarding. The |
|
|
872 |
default is the empty list (no forwarding). |
|
|
873 |
|
|
|
874 |
|
|
|
875 |
Forwarding can also be configured on a per-zone basis, |
|
|
876 |
allowing for the global forwarding options to be overridden |
|
|
877 |
in a variety of ways. You can set particular zones to use |
|
|
878 |
different forwarders, or have different forward only/first |
|
|
879 |
behavior, or to not forward at all. See __THE ZONE |
|
|
880 |
STATEMENT__ section for more information. |
|
|
881 |
|
|
|
882 |
|
|
|
883 |
Future versions of BIND 8 will provide a more powerful for- |
|
|
884 |
warding system. The syntax described above will continue to |
|
|
885 |
be supported. |
|
|
886 |
|
|
|
887 |
|
|
|
888 |
__Name Checking__ |
|
|
889 |
The server can check domain names based upon their expected |
|
|
890 |
client contexts. For example, a domain name used as a host- |
|
|
891 |
name can be checked for compliance with the RFCs defining |
|
|
892 |
valid hostnames. |
|
|
893 |
|
|
|
894 |
|
|
|
895 |
Three checking methods are available: |
|
|
896 |
|
|
|
897 |
|
|
|
898 |
ignore |
|
|
899 |
No checking is done. |
|
|
900 |
|
|
|
901 |
|
|
|
902 |
warn |
|
|
903 |
Names are checked against their expected client contexts. |
|
|
904 |
Invalid names are logged, but processing continues nor- |
|
|
905 |
mally. |
|
|
906 |
|
|
|
907 |
|
|
|
908 |
fail |
|
|
909 |
Names are checked against their expected client contexts. |
|
|
910 |
Invalid names are logged, and the offending data is |
|
|
911 |
rejected. |
|
|
912 |
|
|
|
913 |
|
|
|
914 |
The server can check names three areas: master zone files, |
|
|
915 |
slave zone files, and in responses to queries the server has |
|
|
916 |
initiated. If check-names response fail has been specified, |
|
|
917 |
and answering the client's question would require sending an |
|
|
918 |
invalid name to the client, the server will send a |
|
|
919 |
REFUSED response code to the client. |
|
|
920 |
|
|
|
921 |
|
|
|
922 |
The defaults are: |
|
|
923 |
|
|
|
924 |
|
|
|
925 |
check-names master fail; |
|
|
926 |
check-names slave warn; |
|
|
927 |
check-names response ignore; |
|
|
928 |
check-names may also be specified in the zone statement, in which case it overrides the options check-names statement. When used in a zone statement, the area is not specified (because it can be deduced from the zone type). |
|
|
929 |
|
|
|
930 |
|
|
|
931 |
__Access Control__ |
|
|
932 |
|
|
|
933 |
|
|
|
934 |
Access to the server can be restricted based on the IP |
|
|
935 |
address of the requesting system or via shared secret keys. |
|
|
936 |
See __ADDRESS MATCH LISTS__ for details on how to specify |
|
|
937 |
access criteria. |
|
|
938 |
allow-query |
|
|
939 |
|
|
|
940 |
|
|
|
941 |
Specifies which hosts are allowed to ask ordinary ques-tions. allow-query may also be specified in the zonestatement, in which case it overrides the optionsallow-query statement. If not specified, the default is toallow queries from all hosts. allow-recursion Specifies which hosts are allowed to ask recursive ques-tions. If not specified, the default is to allow recur-sive queries from all hosts. allow-transfer Specifies which hosts are allowed to receive zone trans-fers from the server. allow-transfer may also be speci-fied in the zone statement, in which case it overrides theoptions allow-transfer statement. If not specified, thedefault is to allow transfers from all hosts. blackhole Specifies a list of addresses that the server will notaccept queries from or use to resolve a query. Queriesfrom these addresses will not be responded to.__Interfaces__The interfaces and ports that the server will answer queriesfrom may be specified using the listen-on option. listen-ontakes an optional port, and an address match list. Theserver will listen on all interfaces allowed by the addressmatch list. If a port is not specified, port 53 will beused.Multiple listen-on statements are allowed. For example, listen-on { 5.6.7.8; }; |
|
|
942 |
listen-on port 1234 { !1.2.3.4; 1.2/16; }; |
|
|
943 |
will enable the nameserver on port 53 for the IP address 5.6.7.8, and on port 1234 of an address on the machine in net 1.2 that is not 1.2.3.4. |
|
|
944 |
|
|
|
945 |
|
|
|
946 |
If no listen-on is specified, the server will listen on port |
|
|
947 |
53 on all interfaces. |
|
|
948 |
|
|
|
949 |
|
|
|
950 |
__Query Address__ |
|
|
951 |
|
|
|
952 |
|
|
|
953 |
If the server doesn't know the answer to a question, it will |
|
|
954 |
query other nameservers. query-source specifies the address |
|
|
955 |
and port used for such queries. If address is or is omit- |
|
|
956 |
ted, a wildcard IP address ( INADDR_ANY) will be |
|
|
957 |
used. If ''port'' is or is omitted, a random unprivileged |
|
|
958 |
port will be used. The default is |
|
|
959 |
|
|
|
960 |
|
|
|
961 |
query-source address port ; |
|
|
962 |
|
|
|
963 |
|
|
|
964 |
Note: query-source currently applies only to UDP queries; |
|
|
965 |
TCP queries always use a wildcard IP address and a random |
|
|
966 |
unprivileged port. |
|
|
967 |
|
|
|
968 |
|
|
|
969 |
__Zone Transfers__ |
|
|
970 |
max-transfer-time-in |
|
|
971 |
|
|
|
972 |
|
|
|
973 |
Inbound zone transfers ( named-xfer processes) runninglonger than this many minutes will be terminated. Thedefault is 120 minutes (2 hours). transfer-formatThe server supports two zone transfer methods. one-answer uses one DNS message per resource record transferred. many-answers packs as many resource records as possible into a message. many-answers is more efficient, but is only known to be understood by BIND 8.1 and patched ver- sions of BIND 4.9.5. The default is one-answer. transfer-format may be overridden on a per-server basis by using the server statement. |
|
|
974 |
|
|
|
975 |
|
|
|
976 |
transfers-in |
|
|
977 |
The maximum number of inbound zone transfers that can be |
|
|
978 |
running concurrently. The default value is 10. Increasing |
|
|
979 |
transfers-in may speed up the convergence of slave zones, |
|
|
980 |
but it also may increase the load on the local |
|
|
981 |
system. |
|
|
982 |
|
|
|
983 |
|
|
|
984 |
transfers-out |
|
|
985 |
This option will be used in the future to limit the number |
|
|
986 |
of concurrent outbound zone transfers. It is checked for |
|
|
987 |
syntax, but is otherwise ignored. |
|
|
988 |
|
|
|
989 |
|
|
|
990 |
transfers-per-ns |
|
|
991 |
The maximum number of inbound zone transfers ( named-xfer |
|
|
992 |
processes) that can be concurrently transferring from a |
|
|
993 |
given remote nameserver. The default value is 2. Increas- |
|
|
994 |
ing transfers-per-ns may speed up the convergence of slave |
|
|
995 |
zones, but it also may increase the load on the remote |
|
|
996 |
nameserver. transfers-per-ns may be overridden on a |
|
|
997 |
per-server basis by using the transfers phrase of the server |
|
|
998 |
statement. |
|
|
999 |
|
|
|
1000 |
|
|
|
1001 |
transfer-source |
|
|
1002 |
transfer-source determines which local address will be bound |
|
|
1003 |
to the TCP connection used to fetch all zones trans- ferred |
|
|
1004 |
inbound by the server. If not set, it defaults to a system |
|
|
1005 |
controlled value which will usually be the address of the |
|
|
1006 |
interface ``closest to`` the remote end. This address must |
|
|
1007 |
appear in the remote end's allow-transfer option for the |
|
|
1008 |
zones being transferred, if one is speci- fied. This |
|
|
1009 |
statement sets the transfer-source for all zones, but can be |
|
|
1010 |
overriden on a per-zone basis by includinga transfer-source |
|
|
1011 |
statement within the zone block in the configuration |
|
|
1012 |
file. |
|
|
1013 |
|
|
|
1014 |
|
|
|
1015 |
__Resource Limits__ |
|
|
1016 |
The server's usage of many system resources can be limited. |
|
|
1017 |
Some operating systems don't support some of the limits. On |
|
|
1018 |
such systems, a warning will be issued if the unsupported |
|
|
1019 |
limit is used. Some operating systems don't support limit- |
|
|
1020 |
ing resources, and on these systems a cannot set resource |
|
|
1021 |
limits on this system message will be logged. |
|
|
1022 |
|
|
|
1023 |
|
|
|
1024 |
Scaled values are allowed when specifying resource limits. |
|
|
1025 |
For example, 1G can be used instead of |
|
|
1026 |
1073741824 to specify a limit of one gigabyte. |
|
|
1027 |
unlimited requests unlimited use, or the maximum |
|
|
1028 |
available amount. default uses the limit that was |
|
|
1029 |
in force when the server was started. See the def- inition |
|
|
1030 |
of ''size_spec'' in the __DOCUMENTATION DEFINITIONS__ |
|
|
1031 |
sec- tion for more details. |
|
|
1032 |
|
|
|
1033 |
|
|
|
1034 |
coresize |
|
|
1035 |
The maximum size of a core dump. The default value is |
|
|
1036 |
default. |
|
|
1037 |
|
|
|
1038 |
|
|
|
1039 |
datasize |
|
|
1040 |
The maximum amount of data memory the server may use. The |
|
|
1041 |
default value is default. |
|
|
1042 |
|
|
|
1043 |
|
|
|
1044 |
files |
|
|
1045 |
The maximum number of files the server may have open con- |
|
|
1046 |
currently. The default value is unlimited. Note |
|
|
1047 |
that on some operating systems the server cannot set an |
|
|
1048 |
unlimited value and cannot determine the maximum number of |
|
|
1049 |
open files the kernel can support. On such systems, choosing |
|
|
1050 |
unlimited will cause the server to use the larger |
|
|
1051 |
of the ''rlim_max'' from getrlimit(RLIMIT_NOFILE) and the |
|
|
1052 |
value returned by sysconf(_SC_OPEN_MAX). If the actual |
|
|
1053 |
kernel limit is larger than this value, use limit files to |
|
|
1054 |
specify the limit explicitly. |
|
|
1055 |
|
|
|
1056 |
|
|
|
1057 |
max-ixfr-log-size |
|
|
1058 |
The max-ixfr-log-size will be used in a future |
|
|
1059 |
release of the server to limit the size of the transaction |
|
|
1060 |
log kept for Incremental Zone Transfer. |
|
|
1061 |
|
|
|
1062 |
|
|
|
1063 |
stacksize |
|
|
1064 |
The maximum amount of stack memory the server may use. The |
|
|
1065 |
default value is default. |
|
|
1066 |
|
|
|
1067 |
|
|
|
1068 |
__Periodic Task Intervals__ |
|
|
1069 |
|
|
|
1070 |
|
|
|
1071 |
cleaning-interval |
|
|
1072 |
The server will remove expired resource records from the |
|
|
1073 |
cache every cleaning-interval minutes. The default is 60 |
|
|
1074 |
minutes. If set to 0, no periodic cleaning will |
|
|
1075 |
occur. |
|
|
1076 |
|
|
|
1077 |
|
|
|
1078 |
heartbeat-interval |
|
|
1079 |
The server will perform zone maintenance tasks for all zones |
|
|
1080 |
marked dialup yes whenever this interval expires. The |
|
|
1081 |
default is 60 minutes. Reasonable values are up to 1 day |
|
|
1082 |
(1440 minutes). If set to 0, no zone maintenance for these |
|
|
1083 |
zones will occur. |
|
|
1084 |
|
|
|
1085 |
|
|
|
1086 |
interface-interval |
|
|
1087 |
The server will scan the network interface list every |
|
|
1088 |
interface-interval minutes. The default is 60 minutes. If |
|
|
1089 |
set to 0, interface scanning will only occur when the con- |
|
|
1090 |
figuration file is loaded. After the scan, listeners will be |
|
|
1091 |
started on any new interfaces (provided they are allowed by |
|
|
1092 |
the listen-on configuration). Listeners on interfaces that |
|
|
1093 |
have gone away will be cleaned up. |
|
|
1094 |
|
|
|
1095 |
|
|
|
1096 |
statistics-interval |
|
|
1097 |
Nameserver statistics will be logged every |
|
|
1098 |
statistics-interval minutes. The default is 60. If set to 0, |
|
|
1099 |
no statistics will be logged. |
|
|
1100 |
|
|
|
1101 |
|
|
|
1102 |
__Topology__ |
|
|
1103 |
All other things being equal, when the server chooses a |
|
|
1104 |
nameserver to query from a list of nameservers, it prefers |
|
|
1105 |
the one that is topologically closest to itself. The |
|
|
1106 |
topology statement takes an address match list and inter- |
|
|
1107 |
prets it in a special way. Each top-level list element is |
|
|
1108 |
assigned a distance. Non-negated elements get a distance |
|
|
1109 |
based on their position in the list, where the closer the |
|
|
1110 |
match is to the start of the list, the shorter the distance |
|
|
1111 |
is between it and the server. A negated match will be |
|
|
1112 |
assigned the maximum distance from the server. If there is |
|
|
1113 |
no match, the address will get a distance which is further |
|
|
1114 |
than any non-negated list element, and closer than any |
|
|
1115 |
negated element. For example, |
|
|
1116 |
|
|
|
1117 |
|
|
|
1118 |
topology { |
|
|
1119 |
10/8; |
|
|
1120 |
!1.2.3/24; |
|
|
1121 |
{ 1.2/16; 3/8; }; |
|
|
1122 |
}; |
|
|
1123 |
will prefer servers on network 10 the most, followed by hosts on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least of all. |
|
|
1124 |
|
|
|
1125 |
|
|
|
1126 |
The default topology is |
|
|
1127 |
|
|
|
1128 |
|
|
|
1129 |
topology { localhost; localnets; }; |
|
|
1130 |
|
|
|
1131 |
|
|
|
1132 |
__Resource Record sorting__ |
|
|
1133 |
|
|
|
1134 |
|
|
|
1135 |
When returning multiple RRs, the nameserver will normally |
|
|
1136 |
return them in Round Robin, i.e. after each request, the |
|
|
1137 |
first RR is put to the end of the list. As the order of RRs |
|
|
1138 |
is not defined, this should not cause any |
|
|
1139 |
problems. |
|
|
1140 |
|
|
|
1141 |
|
|
|
1142 |
The client resolver code should re-arrange the RRs as appro- |
|
|
1143 |
priate, i.e. using any addresses on the local net in prefer- |
|
|
1144 |
ence to other addresses. However, not all resolvers can do |
|
|
1145 |
this, or are not correctly configured. |
|
|
1146 |
|
|
|
1147 |
|
|
|
1148 |
When a client is using a local server, the sorting can be |
|
|
1149 |
performed in the server, based on the client's address. This |
|
|
1150 |
only requires configuring the nameservers, not all the |
|
|
1151 |
clients. |
|
|
1152 |
|
|
|
1153 |
|
|
|
1154 |
The sortlist statement takes an address match list and |
|
|
1155 |
interprets it even more specially than the topology state- |
|
|
1156 |
ment does. |
|
|
1157 |
|
|
|
1158 |
|
|
|
1159 |
Each top level statement in the sortlist must itself be an |
|
|
1160 |
explicit address match list with one or two elements. The |
|
|
1161 |
first element (which may be an IP address, an IP prefix, an |
|
|
1162 |
ACL name or nested address match list) of each top level |
|
|
1163 |
list is checked against the source address of the query |
|
|
1164 |
until a match is found. |
|
|
1165 |
|
|
|
1166 |
|
|
|
1167 |
Once the source address of the query has been matched, if |
|
|
1168 |
the top level statement contains only one element, the |
|
|
1169 |
actual primitive element that matched the source address is |
|
|
1170 |
used to select the address in the response to move to the |
|
|
1171 |
beginning of the response. If the statement is a list of two |
|
|
1172 |
elements, the second element is treated like the address |
|
|
1173 |
match list in a topology statement. Each top level element |
|
|
1174 |
is assigned a distance and the address in the response with |
|
|
1175 |
the minimum distance is moved to the beginning of the |
|
|
1176 |
response. |
|
|
1177 |
|
|
|
1178 |
|
|
|
1179 |
In the following example, any queries received from any of |
|
|
1180 |
the addresses of the host itself will get responses prefer- |
|
|
1181 |
ring addresses on any of the locally connected networks. |
|
|
1182 |
Next most preferred are addresses on the 192.168.1/24 net- |
|
|
1183 |
work, and after that either the 192.168.2/24 or 192.168.3/24 |
|
|
1184 |
network with no preference shown between these two networks. |
|
|
1185 |
Queries received from a host on the 192.168.1/24 network |
|
|
1186 |
will prefer other addresses on that network to the |
|
|
1187 |
192.168.2/24 and 192.168.3/24 networks. Queries received |
|
|
1188 |
from a host on the 192.168.4/24 or the 192.168.5/24 network |
|
|
1189 |
will only prefer other addresses on their directly connected |
|
|
1190 |
networks. |
|
|
1191 |
|
|
|
1192 |
|
|
|
1193 |
sortlist { |
|
|
1194 |
{ localhost; // IF the local host |
|
|
1195 |
{ localnets; // THEN first fit on the |
|
|
1196 |
192.168.1/24; // following nets |
|
|
1197 |
{ 192,168.2/24; 192.168.3/24; }; }; }; |
|
|
1198 |
{ 192.168.1/24; // IF on class C 192.168.1 |
|
|
1199 |
{ 192.168.1/24; // THEN use .1, or .2 or .3 |
|
|
1200 |
{ 192.168.2/24; 192.168.3/24; }; }; }; |
|
|
1201 |
{ 192.168.2/24; // IF on class C 192.168.2 |
|
|
1202 |
{ 192.168.2/24; // THEN use .2, or .1 or .3 |
|
|
1203 |
{ 192.168.1/24; 192.168.3/24; }; }; }; |
|
|
1204 |
{ 192.168.3/24; // IF on class C 192.168.3 |
|
|
1205 |
{ 192.168.3/24; // THEN use .3, or .1 or .2 |
|
|
1206 |
{ 192.168.1/24; 192.168.2/24; }; }; }; |
|
|
1207 |
{ { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net |
|
|
1208 |
}; |
|
|
1209 |
}; |
|
|
1210 |
The following example will give reasonable behaviour for the local host and hosts on directly connected networks. It is similar to the behavior of the address sort in BIND 4.9.x. Responses sent to queries from the local host will favor any of the directly connected networks. Responses sent to queries from any other hosts on a directly connected network will prefer addresses on that same network. Responses to other queries will not be sorted. |
|
|
1211 |
|
|
|
1212 |
|
|
|
1213 |
sortlist { |
|
|
1214 |
{ localhost; localnets; }; |
|
|
1215 |
{ localnets; }; |
|
|
1216 |
}; |
|
|
1217 |
|
|
|
1218 |
|
|
|
1219 |
__RRset Ordering__ |
|
|
1220 |
|
|
|
1221 |
|
|
|
1222 |
When multiple records are returned in an answer it may be |
|
|
1223 |
useful to configure the order the records are placed into |
|
|
1224 |
the response. For example the records for a zone might be |
|
|
1225 |
configured to always be returned in the order they are |
|
|
1226 |
defined in the zone file. Or perhaps a random shuffle of the |
|
|
1227 |
records as they are returned is wanted. The rrset-order |
|
|
1228 |
statement permits configuration of the ordering made of the |
|
|
1229 |
records in a multiple record response. The default, if no |
|
|
1230 |
ordering is defined, is a cyclic ordering (round |
|
|
1231 |
robin). |
|
|
1232 |
|
|
|
1233 |
|
|
|
1234 |
An order_spec is defined as follows: |
|
|
1235 |
|
|
|
1236 |
|
|
|
1237 |
[[ ''class class_name'' ][[ ''type type_name'' ][[ ''name'' ''order'' ordering |
|
|
1238 |
|
|
|
1239 |
|
|
|
1240 |
If no class is specified, the default is ANY. If no |
|
|
1241 |
Ictype is specified, the default is ANY. If no name |
|
|
1242 |
is specified, the default is |
|
|
1243 |
|
|
|
1244 |
|
|
|
1245 |
The legal values for ordering are: |
|
|
1246 |
fixed |
|
|
1247 |
|
|
|
1248 |
|
|
|
1249 |
Records are returned in the order they are defined inthe zone file.randomRecords are returned in some random order.cyclicRecords are returned in a round-robin order.For example:rrset-order { |
|
|
1250 |
class IN type A name |
|
|
1251 |
will cause any responses for type A records in class IN that have |
|
|
1252 |
|
|
|
1253 |
|
|
|
1254 |
If multiple rrset-order statements appear, they are not com- |
|
|
1255 |
bined--the last one applies. |
|
|
1256 |
|
|
|
1257 |
|
|
|
1258 |
If no rrset-order statement is specified, a default one |
|
|
1259 |
of: |
|
|
1260 |
|
|
|
1261 |
|
|
|
1262 |
rrset-order { class ANY type ANY name |
|
|
1263 |
is used. |
|
|
1264 |
|
|
|
1265 |
|
|
|
1266 |
__Glue Ordering__ |
|
|
1267 |
|
|
|
1268 |
|
|
|
1269 |
When running a root nameserver it is sometimes necessary to |
|
|
1270 |
ensure that other nameservers that are priming are success- |
|
|
1271 |
ful. This requires that glue A records for at least of the |
|
|
1272 |
nameservers are returned in the answer to a priming query. |
|
|
1273 |
This can be achieved by setting preferred-glue A; which will |
|
|
1274 |
add A records before other types in the additional |
|
|
1275 |
section. |
|
|
1276 |
|
|
|
1277 |
|
|
|
1278 |
__Tuning__ |
|
|
1279 |
lame-ttl |
|
|
1280 |
|
|
|
1281 |
|
|
|
1282 |
Sets the number of seconds to cache a lame server indica-tion. 0 disables caching. Default is 600 (10 minutes).Maximum value is 1800 (30 minutes) max-ncache-ttlTo reduce network traffic and increase performance theserver store negative answers. max-ncache-ttl is used toset a maximum retention time for these answers in theserver is seconds. The default max-ncache-ttl is 10800seconds (3 hours). max-ncache-ttl cannot exceed the maxi-mum retention time for ordinary (positive) answers (7 days)and will be silently truncated to 7 days if set to a valuewhich is greater that 7 days. min-rootsThe minimum number of root servers that is required for arequest for the root servers to be accepted. Default is 2.__THE ZONE STATEMENT__ |
|
|
1283 |
|
|
|
1284 |
|
|
|
1285 |
__Syntax__ |
|
|
1286 |
|
|
|
1287 |
|
|
|
1288 |
zone ''domain_name'' [[ ( in | hs | hesiod | chaos ) ] { |
|
|
1289 |
type master; |
|
|
1290 |
file ''path_name''; |
|
|
1291 |
[[ check-names ( warn | fail | ignore ); ] |
|
|
1292 |
[[ allow-update { ''address_match_list'' }; ] |
|
|
1293 |
[[ allow-query { ''address_match_list'' }; ] |
|
|
1294 |
[[ allow-transfer { ''address_match_list'' }; ] |
|
|
1295 |
[[ forward ( only | first ); ] |
|
|
1296 |
[[ forwarders { [[ ''ip_addr'' ; [[ ''ip_addr'' ; ... ] ] }; ] |
|
|
1297 |
[[ dialup ''yes_or_no''; ] |
|
|
1298 |
[[ notify ''yes_or_no''; ] |
|
|
1299 |
[[ also-notify { ''ip_addr''; [[ ''ip_addr''; ... ] }; |
|
|
1300 |
[[ pubkey ''number number number string''; ] |
|
|
1301 |
}; |
|
|
1302 |
|
|
|
1303 |
|
|
|
1304 |
zone ''domain_name'' [[ ( in | hs | hesiod | chaos ) ] |
|
|
1305 |
{ |
|
|
1306 |
type ( slave | stub ); |
|
|
1307 |
[[ file ''path_name''; ] |
|
|
1308 |
masters [[ port ''ip_port'' ] { ''ip_addr'' [[ key |
|
|
1309 |
''key_id'' ]; [[ ... ] }; |
|
|
1310 |
[[ check-names ( warn | fail | ignore ); ] |
|
|
1311 |
[[ allow-update { ''address_match_list'' }; ] |
|
|
1312 |
[[ allow-query { ''address_match_list'' }; ] |
|
|
1313 |
[[ allow-transfer { ''address_match_list'' }; ] |
|
|
1314 |
[[ forward ( only | first ); ] |
|
|
1315 |
[[ forwarders { [[ ''ip_addr'' ; [[ ''ip_addr'' ; ... ] ] |
|
|
1316 |
}; ] |
|
|
1317 |
[[ transfer-source ''ip_addr''; ] |
|
|
1318 |
[[ max-transfer-time-in ''number''; ] |
|
|
1319 |
[[ notify ''yes_or_no''; ] |
|
|
1320 |
[[ also-notify { ''ip_addr''; [[ ''ip_addr''; ... ] |
|
|
1321 |
}; |
|
|
1322 |
[[ pubkey ''number number number string''; ] |
|
|
1323 |
}; |
|
|
1324 |
|
|
|
1325 |
|
|
|
1326 |
zone ''domain_name'' [[ ( in | hs | hesiod | chaos ) ] |
|
|
1327 |
{ |
|
|
1328 |
type forward; |
|
|
1329 |
[[ forward ( only | first ); ] |
|
|
1330 |
[[ forwarders { [[ ''ip_addr'' ; [[ ''ip_addr'' ; ... ] ] |
|
|
1331 |
}; ] |
|
|
1332 |
[[ check-names ( warn | fail | ignore ); ] |
|
|
1333 |
}; |
|
|
1334 |
|
|
|
1335 |
|
|
|
1336 |
zone |
|
|
1337 |
type hint; |
|
|
1338 |
file ''path_name''; |
|
|
1339 |
[[ check-names ( warn | fail | ignore ); ] |
|
|
1340 |
}; |
|
|
1341 |
|
|
|
1342 |
|
|
|
1343 |
__Definition and Usage__ |
|
|
1344 |
|
|
|
1345 |
|
|
|
1346 |
The zone statement is used to define how information about |
|
|
1347 |
particular DNS zones is managed by the server. There are |
|
|
1348 |
five different zone types. |
|
|
1349 |
master |
|
|
1350 |
|
|
|
1351 |
|
2 |
perry |
1352 |
The server has a master copy of the data for the zone andwill be able to provide authoritative answers for it. slaveA slave zone is a replica of a master zone. The masterslist specifies one or more IP addresses that the slave con-tacts to update its copy of the zone. If a port is speci-fied then checks to see if the zone is current and zonetransfers will be done to the port given. If file is speci-fied, then the replica will be written to the named file.Use of the file clause is highly recommended, since itoften speeds server startup and eliminates a needless wasteof bandwidth. stubA stub zone is like a slave zone, except that it replicatesonly the NS records of a master zone instead of the entirezone. forwardA forward zone is used to direct all queries in it to otherservers, as described in __ THE OPTIONS STATEMENT__ section.The specification of options in such a zone will overrideany global options declared in the options statement.If either no forwarders clause is present in the zone or anempty list for forwarders is given, then no forwarding willbe done for the zone, cancelling the effects of anyforwarders in the options statement. Thus if you want touse this type of zone to change only the behavior of theglobal forward option, and not the servers used, then youalso need to respecify the global forwarders. hintThe initial set of root nameservers is specified using ahint zone. When the server starts up, it uses the roothints to find a root nameserver and get the most recentlist of root nameservers.Note: previous releases of BIND used the term primary for amaster zone, secondary for a slave zone, and cache for ahint zone.__Classes__The zone's name may optionally be followed by a class. If aclass is not specified, class in (for __Options__ check-namesSee the subsection on __ Name Checking__ in __ THE OPTIONSSTATEMENT__. allow-querySee the description of allow-query in the __Access Control__subsection of __THE OPTIONS STATEMENT__. allow-updateSpecifies which hosts are allowed to submit Dynamic DNSupdates to the server. The default is to deny updates fromall hosts. allow-transferSee the description of allow-transfer in the __Access Control__subsection of __THE OPTIONS STATEMENT__. transfer-sourcetransfer-source determines which local address will bebound to the TCP connection used to fetch this zone. Ifnot set, it defaults to a system controlled value whichwill usually be the address of the interface ``closest to''the remote end. This address must appear in the remoteend's allow-transfer option for this zone if one is speci-fied. max-transfer-time-inSee the description of max-transfer-time-in in the __!ZoneTransfers__ subsection of __THE OPTIONS STATEMENT__. dialupSee the description of dialup in the __Boolean Options__ sub-section of __THE OPTIONS STATEMENT__. notifySee the description of __notify__ in the __Boolean Options__ sub-section of the __THE OPTIONS STATEMENT__. also-notifyalso-notify is only meaningful if notify is active for thiszone. The set of machines that will receive a DNS NOTIFYmessage for this zone is made up of all the listed name-servers for the zone (other than the primary master) plusany IP addresses specified with also-notify. also-notifyis not meaningful for stub zones. The default is the emptylist. forwardforward is only meaningful if the zone has a forwarderslist. The only value causes the lookup to fail after tryingthe forwarders and getting no answer, while first wouldallow a normal lookup to be tried. forwardersThe forwarders option in a zone is used to override thelist of global forwarders. If it is not specified in azone of type forward, ''no'' forwarding is done for the zone;the global options are not used. pubkeyThe DNSSEC flags, protocol, and algorithm are specified, aswell as a base-64 encoded string representing the key.__THE ACL STATEMENT__ |
1 |
perry |
1353 |
|
|
|
1354 |
|
|
|
1355 |
__Syntax__ |
|
|
1356 |
|
|
|
1357 |
|
|
|
1358 |
acl ''name'' {'' |
|
|
1359 |
address_match_list'' |
|
|
1360 |
}; |
|
|
1361 |
|
|
|
1362 |
|
|
|
1363 |
__Definition and Usage__ |
|
|
1364 |
|
|
|
1365 |
|
|
|
1366 |
The acl statement creates a named address match list. It |
|
|
1367 |
gets its name from a primary use of address match lists: |
|
|
1368 |
Access Control Lists (ACLs). |
|
|
1369 |
|
|
|
1370 |
|
|
|
1371 |
Note that an address match list's name must be defined with |
|
|
1372 |
acl before it can be used elsewhere; no forward references |
|
|
1373 |
are allowed. |
|
|
1374 |
|
|
|
1375 |
|
|
|
1376 |
The following ACLs are built-in: |
|
|
1377 |
any |
|
|
1378 |
|
|
|
1379 |
|
|
|
1380 |
Allows all hosts. noneDenies all hosts. localhostAllows the IP addresses of all interfaces on the system. localnetsAllows any host on a network for which the system has aninterface.__THE KEY STATEMENT__ |
|
|
1381 |
|
|
|
1382 |
|
|
|
1383 |
__Syntax__ |
|
|
1384 |
|
|
|
1385 |
|
|
|
1386 |
key ''key_id'' { |
|
|
1387 |
algorithm ''algorithm_id''; |
|
|
1388 |
secret ''secret_string''; |
|
|
1389 |
}; |
|
|
1390 |
|
|
|
1391 |
|
|
|
1392 |
__Definition and Usage__ |
|
|
1393 |
|
|
|
1394 |
|
|
|
1395 |
The key statement defines a key ID which can be used in a |
|
|
1396 |
server statement to associate a method of authentication |
|
|
1397 |
with a particular name server that is more rigorous than |
|
|
1398 |
simple IP address matching. A key ID must be created with |
|
|
1399 |
the key statement before it can be used in a server defini- |
|
|
1400 |
tion or an address match list. |
|
|
1401 |
|
|
|
1402 |
|
|
|
1403 |
The ''algorithm_id'' is a string that specifies a secu- |
|
|
1404 |
rity/authentication algorithm. ''secret_string'' is the |
|
|
1405 |
secret to be used by the algorithm, and is treated as a |
|
|
1406 |
base-64 encoded string. It should go without saying, but |
|
|
1407 |
probably can't, that if you have ''secret_string 's'' in |
|
|
1408 |
your named.conf, then it should not be readable by |
|
|
1409 |
anyone but the superuser. |
|
|
1410 |
__THE TRUSTED-KEYS STATEMENT__ |
|
|
1411 |
|
|
|
1412 |
|
|
|
1413 |
__Syntax__ |
|
|
1414 |
|
|
|
1415 |
|
|
|
1416 |
trusted-keys { |
|
|
1417 |
[[ ''domain_name flags protocol algorithm key''; ] |
|
|
1418 |
}; |
|
|
1419 |
|
|
|
1420 |
|
|
|
1421 |
__Definition and Usage__ |
|
|
1422 |
|
|
|
1423 |
|
|
|
1424 |
The trusted-keys statement is for use with DNSSEC-style |
|
|
1425 |
security, originally specified in RFC 2065. DNSSEC is meant |
|
|
1426 |
to provide three distinct services: key distribution, data |
|
|
1427 |
origin authentication, and transaction and request authenti- |
|
|
1428 |
cation. A complete description of DNSSEC and its use is |
|
|
1429 |
beyond the scope of this document, and readers interested in |
|
|
1430 |
more information should start with RFC 2065 and then con- |
|
|
1431 |
tinue with the Internet Drafts available at |
|
|
1432 |
http://www.ietf.org/ids.by.wg/dnssec.html. |
|
|
1433 |
|
|
|
1434 |
|
|
|
1435 |
Each trusted key is associated with a domain name. Its |
|
|
1436 |
attributes are the non-negative integral ''flags'', |
|
|
1437 |
''protocol'', and ''algorithm'', as well as a base-64 |
|
|
1438 |
encoded string repre- senting the ''key''. |
|
|
1439 |
|
|
|
1440 |
|
|
|
1441 |
Any number of trusted keys can be specified. |
|
|
1442 |
__THE SERVER STATEMENT__ |
|
|
1443 |
|
|
|
1444 |
|
|
|
1445 |
__Syntax__ |
|
|
1446 |
|
|
|
1447 |
|
|
|
1448 |
server ''ip_addr'' { |
|
|
1449 |
[[ bogus ''yes_or_no''; ] |
|
|
1450 |
[[ support-ixfr ''yes_or_no''; ] |
|
|
1451 |
[[ transfers ''number''; ] |
|
|
1452 |
[[ transfer-format ( one-answer | many-answers ); ] |
|
|
1453 |
[[ keys { ''key_id'' [[ ''key_id'' ... ] }; ] |
|
|
1454 |
}; |
|
|
1455 |
|
|
|
1456 |
|
|
|
1457 |
__Definition and Usage__ |
|
|
1458 |
|
|
|
1459 |
|
|
|
1460 |
The server statement defines the characteristics to be asso- |
|
|
1461 |
ciated with a remote name server. |
|
|
1462 |
|
|
|
1463 |
|
|
|
1464 |
If you discover that a server is giving out bad data, mark- |
|
|
1465 |
ing it as bogus will prevent further queries to it. The |
|
|
1466 |
default value of bogus is no. |
|
|
1467 |
|
|
|
1468 |
|
|
|
1469 |
If the server supports IXFR you can tell named to attempt to |
|
|
1470 |
perform a IXFR style zone transfer by specifing support-ixfr |
|
|
1471 |
yes. The default value of support-ixfr is |
|
|
1472 |
no. |
|
|
1473 |
|
|
|
1474 |
|
|
|
1475 |
The server supports two zone transfer methods. The first, |
|
|
1476 |
one-answer, uses one DNS message per resource record trans- |
|
|
1477 |
ferred. many-answers packs as many resource records as pos- |
|
|
1478 |
sible into a message. many-answers is more efficient, but is |
|
|
1479 |
only known to be understood by BIND 8.1 and patched ver- |
|
|
1480 |
sions of BIND 4.9.5. You can specify which method to use for |
|
|
1481 |
a server with the transfer-format option. If transfer-format |
|
|
1482 |
is not specified, the transfer-format speci- fied by the |
|
|
1483 |
options statement will be used. |
|
|
1484 |
|
|
|
1485 |
|
|
|
1486 |
The transfers will be used in a future release of the server |
|
|
1487 |
to limit the number of concurrent in-bound zone transfers |
|
|
1488 |
from the specified server. It is checked for syntax but is |
|
|
1489 |
otherwise ignored. |
|
|
1490 |
|
|
|
1491 |
|
|
|
1492 |
The keys clause is used to identify a ''key_id'' defined |
|
|
1493 |
by the key statement, to be used for transaction security |
|
|
1494 |
when talking to the remote server. The key statememnt must |
|
|
1495 |
come before the server statement that references |
|
|
1496 |
it. |
|
|
1497 |
|
|
|
1498 |
|
|
|
1499 |
The keys statement is intended for future use by the server. |
|
|
1500 |
It is checked for syntax but is otherwise |
|
|
1501 |
ignored. |
|
|
1502 |
__THE CONTROLS STATEMENT__ |
|
|
1503 |
|
|
|
1504 |
|
|
|
1505 |
__Syntax__ |
|
|
1506 |
|
|
|
1507 |
|
|
|
1508 |
controls { |
|
|
1509 |
[[ inet ''ip_addr'' |
|
|
1510 |
port ''ip_port'' |
|
|
1511 |
allow { ''address_match_list''; }; ] |
|
|
1512 |
[[ unix ''path_name'' |
|
|
1513 |
perm ''number'' |
|
|
1514 |
owner ''number'' |
|
|
1515 |
group ''number''; ] |
|
|
1516 |
}; |
|
|
1517 |
|
|
|
1518 |
|
|
|
1519 |
__Definition and Usage__ |
|
|
1520 |
|
|
|
1521 |
|
|
|
1522 |
The controls statement declares control channels to be used |
|
|
1523 |
by system administrators to affect the operation of the |
|
|
1524 |
local name server. These control channels are used by the |
|
|
1525 |
ndc utility to send commands to and retrieve non-DNS results |
|
|
1526 |
from a name server. |
|
|
1527 |
|
|
|
1528 |
|
|
|
1529 |
A unix control channel is a FIFO in the file system, and |
|
|
1530 |
access to it is controlled by normal file system permis- |
|
|
1531 |
sions. It is created by named with the specified file mode |
|
|
1532 |
bits (see chmod(1)), user and group owner. Note |
|
|
1533 |
that, unlike chmod, the mode bits specified for perm will |
|
|
1534 |
normally have a leading 0 so the number is |
|
|
1535 |
interpreted as octal. Also note that the user and group |
|
|
1536 |
ownership specified as owner and group must be given as |
|
|
1537 |
numbers, not names. It is recommended that the permissions |
|
|
1538 |
be restricted to adminis- trative personnel only, or else |
|
|
1539 |
any user on the system might be able to manage the local |
|
|
1540 |
name server. |
|
|
1541 |
|
|
|
1542 |
|
|
|
1543 |
An inet control channel is a TCP/IP socket accessible to the |
|
|
1544 |
Internet, created at the specified ''ip_port'' on the |
|
|
1545 |
specified ''ip_addr''. Modern telnet clients are capable |
|
|
1546 |
of speaking directly to these sockets, and the control |
|
|
1547 |
protocol is ARPAnet-style text. It is recommended that |
|
|
1548 |
127.0.0.1 be the only ''ip_addr'' used, and this only if |
|
|
1549 |
you trust all non-privi- leged users on the local host to |
|
|
1550 |
manage your name server. |
|
|
1551 |
__THE INCLUDE STATEMENT__ |
|
|
1552 |
|
|
|
1553 |
|
|
|
1554 |
__Syntax__ |
|
|
1555 |
|
|
|
1556 |
|
|
|
1557 |
include ''path_name''; |
|
|
1558 |
|
|
|
1559 |
|
|
|
1560 |
__Definition and Usage__ |
|
|
1561 |
|
|
|
1562 |
|
|
|
1563 |
The include statement inserts the specified file at the |
|
|
1564 |
point that the include statement is encountered. It cannot |
|
|
1565 |
be used within another statement, though, so a line such |
|
|
1566 |
as |
|
|
1567 |
|
|
|
1568 |
|
|
|
1569 |
acl internal_hosts { include internal_hosts.acl; |
|
|
1570 |
}; |
|
|
1571 |
|
|
|
1572 |
|
|
|
1573 |
is not allowed. |
|
|
1574 |
|
|
|
1575 |
|
|
|
1576 |
Use include to break the configuration up into easily-man- |
|
|
1577 |
aged chunks. For example: |
|
|
1578 |
|
|
|
1579 |
|
|
|
1580 |
include |
|
|
1581 |
could be used at the top of a BIND configuration file in order to include any ACL or key information. |
|
|
1582 |
|
|
|
1583 |
|
|
|
1584 |
Be careful not to type ``#include'', like you would in a C |
|
|
1585 |
program, because ``#'' is used to start a |
|
|
1586 |
comment. |
|
|
1587 |
__EXAMPLES__ |
|
|
1588 |
|
|
|
1589 |
|
|
|
1590 |
The simplest configuration file that is still realistically |
|
|
1591 |
useful is one which simply defines a hint zone that has a |
|
|
1592 |
full path to the root servers file. |
|
|
1593 |
|
|
|
1594 |
|
|
|
1595 |
zone |
|
|
1596 |
Here's a more typical real-world example. |
|
|
1597 |
|
|
|
1598 |
|
|
|
1599 |
/ |
|
|
1600 |
A simple BIND 8 configuration |
|
|
1601 |
/ |
|
|
1602 |
logging { |
|
|
1603 |
category lame-servers { null; }; |
|
|
1604 |
category cname { null; }; |
|
|
1605 |
}; |
|
|
1606 |
options { |
|
|
1607 |
directory |
|
|
1608 |
__FILES__ |
|
|
1609 |
/etc/bind/named.conf |
|
|
1610 |
|
|
|
1611 |
|
|
|
1612 |
The BIND 8 named configuration file. |
|
|
1613 |
|
|
|
1614 |
|
|
|
1615 |
__SEE ALSO__ |
|
|
1616 |
|
|
|
1617 |
|
2 |
perry |
1618 |
named(8), ndc(8), !NamedNotes |
1 |
perry |
1619 |
|
|
|
1620 |
|
2 |
perry |
1621 |
4th Berkeley !DistributionJanuary 7, 1999 1 |
1 |
perry |
1622 |
---- |