diff options
author | peter <peter@FreeBSD.org> | 1999-11-30 02:43:11 +0000 |
---|---|---|
committer | peter <peter@FreeBSD.org> | 1999-11-30 02:43:11 +0000 |
commit | 4ef23ce6957fc75fc005885496d605fed48213e1 (patch) | |
tree | 7828b08c74ef918938b1b853c98f0cb41edac52c /contrib/bind/doc/man/named.conf.5 | |
parent | 67e0f3ce71726dc4058c2f80a813341a59244dbd (diff) | |
download | FreeBSD-src-4ef23ce6957fc75fc005885496d605fed48213e1.zip FreeBSD-src-4ef23ce6957fc75fc005885496d605fed48213e1.tar.gz |
Import bind v8.2.2.p5, minus the crypto for the time being. The bind
package does have BXA export approval, but the licensing strings on the
dnssafe code are a bit unpleasant. The crypto is easy to restore and bind
will run without it - just without full dnssec support.
Obtained from: The Internet Software Consortium (www.isc.org)
Diffstat (limited to 'contrib/bind/doc/man/named.conf.5')
-rw-r--r-- | contrib/bind/doc/man/named.conf.5 | 2355 |
1 files changed, 2355 insertions, 0 deletions
diff --git a/contrib/bind/doc/man/named.conf.5 b/contrib/bind/doc/man/named.conf.5 new file mode 100644 index 0000000..44f1ec9 --- /dev/null +++ b/contrib/bind/doc/man/named.conf.5 @@ -0,0 +1,2355 @@ +.\" Copyright (c) 1999 by Internet Software Consortium +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS +.\" ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE +.\" CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL +.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS +.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS +.\" SOFTWARE. + +.Dd January 7, 1999 +.Dt NAMED.CONF 5 +.Os BSD 4 + +.Sh NAME +.Nm named.conf +.Nd configuration file for +.Xr named 8 + +.Sh OVERVIEW + +BIND 8 is much more configurable than previous release of BIND. There +are entirely new areas of configuration, such as access control lists +and categorized logging. Many options that previously applied to all +zones can now be used selectively. These features, plus a +consideration of future configuration needs led to the creation of a +new configuration file format. + +.Ss General Syntax + +A BIND 8 configuration consists of two general features, statements +and comments. All statements end with a semicolon. Many statements +can contain substatements, which are each also terminated with a +semicolon. + +.Pp +The following statements are supported: +.Bl -tag -width 1 +.It Ic logging +specifies what the server logs, and where the log messages are sent + +.It Ic options +controls global server configuration options and sets defaults for other +statements + +.It Ic zone +defines a zone + +.It Ic acl +defines a named IP address matching list, for access control and other uses + +.It Ic key +specifies key information for use in authentication and authorization + +.It Ic trusted-keys +defines DNSSEC keys that are preconfigured into the server and implicitly +trusted + +.It Ic server +sets certain configuration options for individual remote servers + +.It Ic controls +declares control channels to be used by the +.Nm ndc +utility + +.It Ic include +includes another file + +.El + +The +.Ic logging +and +.Ic options +statements may only occur once per configuration, while the rest may +appear numerous times. Further detail on each statement is provided +in individual sections below. + +Comments may appear anywhere that whitespace may appear in a BIND +configuration file. To appeal to programmers of all kinds, they can +be written in C, C++, or shell/perl constructs. + +C-style comments start with the two characters +.Li /* +(slash, star) and end with +.Li */ +(star, slash). +Because they are completely delimited with these characters, +they can be used to comment only a portion of a line or to span +multiple lines. + +C-style comments cannot be nested. For example, the following is +not valid because the entire comment ends with the first +.Li */ : + +.Bd -literal -offset indent +/* This is the start of a comment. + This is still part of the comment. +/* This is an incorrect attempt at nesting a comment. */ + This is no longer in any comment. */ +.Ed + +C++-style comments start with the two characters +.Li // +(slash, slash) and continue to the end of the physical line. +They cannot be continued across multiple physical lines; to have +one logical comment span multiple lines, each line must use the +.Li // +pair. For example: + +.Bd -literal -offset indent +// This is the start of a comment. The next line +// is a new comment, even though it is logically +// part of the previous comment. +.Ed + +Shell-style (or perl-style, if you prefer) comments start with the +character +.Li # +(hash or pound or number or octothorpe or whatever) and continue to +the end of the physical line, like C++ comments. For example: + +.Bd -literal -offset indent +# This is the start of a comment. The next line +# is a new comment, even though it is logically +# part of the previous comment. +.Ed + +.Em WARNING: +you cannot use the +.Li ; +(semicolon) character to start a comment such as you would in a zone +file. The semicolon indicates the end of a configuration statement, +so whatever follows it will be interpreted as the start of the next +statement. + +.Ss Converting from BIND 4.9.x + +.Pp +BIND 4.9.x configuration files can be converted to the new format +by using +.Pa src/bin/named/named-bootconf , +a shell script that is part of the BIND 8.2.x source kit. + +.Sh DOCUMENTATION DEFINITIONS + +Described below are elements used throughout the BIND configuration +file documentation. Elements which are only associated with one +statement are described only in the section describing that statement. + +.Bl -tag -width 1 +.It Va acl_name +The name of an +.Va address_match_list +as defined by the +.Ic acl +statement. + +.It Va address_match_list +A list of one or more +.Va ip_addr , +.Va ip_prefix , +.Va key_id , +or +.Va acl_name +elements, as described in the +.Sx ADDRESS MATCH LISTS +section. + +.It Va dotted-decimal +One or more integers valued 0 through 255 separated only by dots +(``.''), such as +.Li 123 , +.Li 45.67 +or +.Li 89.123.45.67 . + +.It Va domain_name +A quoted string which will be used as a DNS name, for example +.Qq Li my.test.domain . + +.It Va path_name +A quoted string which will be used as a pathname, such as +.Qq Li zones/master/my.test.domain . + +.It Va ip_addr +An IP address in with exactly four elements in +.Va dotted-decimal +notation. + +.It Va ip_port +An IP port +.Va number . +.Va number is limited to +.Li 0 +through +.Li 65535 , +with values below 1024 typically restricted to +root-owned processes. In some cases an asterisk (``*'') character +can be used as a placeholder to select a random high-numbered port. + +.It Va ip_prefix +An IP network specified in +.Va dotted-decimal +form, followed by ``/'' +and then the number of bits in the netmask. E.g. +.Li 127/8 +is +the network +.Li 127.0.0.0 +with netmask +.Li 255.0.0.0 . +.Li 1.2.3.0/28 +is network +.Li 1.2.3.0 +with netmask +.Li 255.255.255.240. + +.It Va key_name +A string representing the name of a shared key, to be used for transaction +security. + +.It Va number +A non-negative integer with an entire range limited by the range of a +C language signed integer (2,147,483,647 on a machine with 32 bit +integers). Its acceptable value might further be limited by the +context in which it is used. + +.It Va size_spec +A +.Va number , +the word +.Li unlimited , +or the word +.Li default . + +.Pp +The maximum value of +.Va size_spec +is that of unsigned long integers on the machine. +.Li unlimited +requests unlimited use, or the maximum available amount. +.Li default +uses the limit that was in force when the server was started. + +.Pp +A +.Va number +can optionally be followed by a scaling factor: +.Li K +or +.Li k +for kilobytes, +.Li M +or +.Li m +for megabytes, and +.Li G +or +.Li g +for gigabytes, which scale by 1024, 1024*1024, and 1024*1024*1024 +respectively. + +.Pp +Integer storage overflow is currently silently ignored during +conversion of scaled values, resulting in values less than intended, +possibly even negative. Using +.Li unlimited +is the best way to safely set a really large number. + +.It Va yes_or_no +Either +.Li yes +or +.Li no . +The words +.Li true +and +.Li false +are also accepted, as are the numbers +.Li 1 and +.Li 0 . + +.El + +.Sh ADDRESS MATCH LISTS +.Ss Syntax + +.Bd -literal +\fIaddress_match_list\fR = 1\&*\fIaddress_match_element\fR + +\fIaddress_match_element\fR = [ \&"!\&" ] ( \fIaddress_match_list\fR / + \fIip_address\fR / \fIip_prefix\fR / + \fIacl_name\fR / \&"key \&" \fIkey_id\fR ) \&";\&" +.Ed + +.Ss Definition and Usage + +Address match lists are primarily used to determine access control for +various server operations. They are also used to define priorities +for querying other nameservers and to set the addresses on which +.Nm named +will listen for queries. +The elements which constitute an address match list can be any +of the following: + +.Bl -bullet +.It +an +.Va ip-address +(in +.Va dotted-decimal +notation, +.It +an +.Va ip-prefix +(in the '/'-notation), +.It +A +.Va key_id , +as defined by the +.Ic key +statement, +.It +the name of an address match list previously defined with +the +.Ic acl +statement, or +.It +another +.Va address_match_list . +.El + +.Pp +Elements can be negated with a leading exclamation mark (``!''), and +the match list names +.Li any , +.Li none , +.Li localhost +and +.Li localnets +are predefined. More information on those names can be found in the +description of the +.Ic acl +statement. + +.Pp +The addition of the +.Ic key +clause made the name of this syntactic element something of a +misnomer, since security keys can be used to validate access without +regard to a host or network address. Nonetheless, the term ``address +match list'' is still used throughout the documentation. + +.Pp +When a given IP address or prefix is compared to an address match +list, the list is traversed in order until an element matches. The +interpretation of a match depends on whether the list is being used +for access control, defining +.Ic listen-on +ports, or as a topology, and whether the element was +negated. + +.Pp +When used as an access control list, a non-negated match allows access +and a negated match denies access. If there is no match at all in the +list, access is denied. The clauses +.Ic allow-query , +.Ic allow-transfer , +.Ic allow-update , +.Ic allow-recursion , +and +.Ic blackhole +all use address match lists like this. Similarly, the +.Ic listen-on +option will cause the server to not accept queries on any of the +machine's addresses which do not match the list. + +.Pp +When used with the +.Ic topology +option, a non-negated match returns a distance based on its position on +the list (the closer the match is to the start of the list, the +shorter the distance is between it and the server). A negated match +will be assigned the maximum distance from the server. If there is no +match, the address will get a distance which is further than any +non-negated list element, and closer than any negated element. + +.Pp +Because of the first-match aspect of the algorithm, an element that +defines a subset of another element in the list should come before the +broader element, regardless of whether either is negated. For +example, in +.Dl 1.2.3/24; !1.2.3.13 +the 1.2.3.13 element is completely useless, because the algorithm will +match any lookup for 1.2.3.13 to the 1.2.3/24 element. Using +.Dl !1.2.3.13; 1.2.3/24 +fixes that problem by having 1.2.3.13 blocked by the negation but all +other 1.2.3.* hosts fall through. + +.Sh THE LOGGING STATEMENT +.Ss Syntax + +.Bd -literal +logging { + [ channel \fIchannel_name\fR { + ( file \fIpath_name\fR + [ versions ( \fInumber\fR | unlimited ) ] + [ size \fIsize_spec\fR ] + | syslog ( kern | user | mail | daemon | auth | syslog | lpr | + news | uucp | cron | authpriv | ftp | + local0 | local1 | local2 | local3 | + local4 | local5 | local6 | local7 ) + | null ); + + [ severity ( critical | error | warning | notice | + info | debug [ \fIlevel\fR ] | dynamic ); ] + [ print-category \fIyes_or_no\fR; ] + [ print-severity \fIyes_or_no\fR; ] + [ print-time \fIyes_or_no\fR; ] + }; ] + + [ category \fIcategory_name\fR { + \fIchannel_name\fR; [ \fIchannel_name\fR; ... ] + }; ] + ... +}; +.Ed + +.Ss Definition and Usage + +The +.Ic logging +statement configures a wide variety of logging options for the nameserver. +Its +.Ic channel +phrase associates output methods, format options and +severity levels with a name that can then be used with the +.Ic category +phrase to select how various classes of messages are logged. + +.Pp +Only one +.Ic logging +statement is used to define as many channels and categories as are wanted. +If there are multiple logging statements in a configuration, the first +defined determines the logging, and warnings are issued for the +others. If there is no logging statement, the logging configuration +will be: + +.Bd -literal + logging { + category default { default_syslog; default_debug; }; + category panic { default_syslog; default_stderr; }; + category packet { default_debug; }; + category eventlib { default_debug; }; + }; +.Ed + +The logging configuration is established as soon as the +.Ic logging +statement is parsed. If you want to redirect +messages about processing of the entire configuration file, the +.Ic logging +statement must appear first. Even if you do not +redirect configuration file parsing messages, we recommend +always putting the +.Ic logging +statement first so that this rule need not be consciously recalled if +you ever do need want the parser's messages relocated. + +.Ss The channel phrase + +All log output goes to one or more ``channels''; you can make as many +of them as you want. + +.Pp +Every channel definition must include a clause that says whether +messages selected for the channel go to a file, to a particular syslog +facility, or are discarded. It can optionally also limit the message +severity level that will be accepted by the channel (default is +.Li info ) , +and whether to include a time stamp generated by +.Nm named , +the category name, or severity level. The default is not to include +any of those three. + +.Pp +The word +.Li null +as the destination option for the +channel will cause all messages sent to it to be discarded; other +options for the channel are meaningless. + +.Pp +The +.Ic file +clause can include limitations both on how +large the file is allowed to become, and how many versions of the file +will be saved each time the file is opened. + +.Pp +The +.Ic size +option for files is simply a hard ceiling on +log growth. If the file ever exceeds the size, then +.Nm named +will just not write anything more to it until the file is reopened; +exceeding the size does not automatically trigger a reopen. The +default behavior is to not limit the size of the file. + +.Pp +If you use the +.Ic version +logfile option, then +.Nm named +will retain that many backup versions of the file +by renaming them when opening. For example, if you choose to keep 3 +old versions of the file lamers.log then just before it is opened +lamers.log.1 is renamed to lames.log.2, lamers.log.0 is renamed to +lamers.log.1, and lamers.log is renamed to lamers.log.0. No rolled +versions are kept by default; any existing log file is simply appended. +The +.Li unlimited +keyword is synonymous with +.Li 99 +in current BIND releases. Example usage of size and versions options: + +.Bd -literal + channel an_example_level { + file "lamers.log" versions 3 size 20m; + print-time yes; + print-category yes; + }; +.Ed + +.Pp +The argument for the +.Ic syslog +clause is a syslog facility as described in the +.Xr syslog 3 +manual page. How +.Nm syslogd +will handle messages sent to this facility is described in the +.Xr syslog.conf 5 +manual page. If you have a system which uses a very old version of +syslog that only uses two arguments to the +.Fn openlog() +function, then this clause is silently ignored. + +.Pp +The +.Ic severity +clause works like syslog's ``priorities'', except that they can also be +used if you are writing straight to a file rather than using +syslog. Messages which are not at least of the severity level given +will not be selected for the channel; messages of higher severity +levels will be accepted. + +.Pp +If you are using syslog, then the +.Pa syslog.conf +priorities will also determine what eventually passes through. +For example, defining a channel facility and severity as +.Li daemon +and +.Li debug +but only logging +.Li daemon.warning +via +.Pa syslog.conf +will cause messages of severity +.Li info +and +.Li notice +to be dropped. If the situation were reversed, with +.Nm named +writing messages of only +.Li warning +or higher, then +.Nm syslogd +would print all messages it received from the channel. + +.Pp +The server can supply extensive debugging information when it is in +debugging mode. If the server's global debug level is greater than +zero, then debugging mode will be active. The global debug level is +set either by starting the +.Nm named +server with the +.Fl d +flag followed by a positive integer, or by sending the running server the +.Dv SIGUSR1 +signal (for example, by using +.Ic ndc trace ) . +The global debug level can be set to +zero, and debugging mode turned off, by sending the server the +.Dv SIGUSR2 +signal (as with +.Ic ndc notrace ) . +All debugging messages in the server have a +debug level, and higher debug levels give more more detailed output. +Channels that specify a specific debug severity, e.g. + +.Bd -literal + channel specific_debug_level { + file \&"foo\&"; + severity debug 3; + }; +.Ed + +will get debugging output of level 3 or less any time the +server is in debugging mode, regardless of the global debugging level. +Channels with +.Li dynamic +severity use the server's global level to determine what messages to +print. + +.Pp +If +.Ic print-time +has been turned on, then the date and time will be logged. +.Ic print-time +may be specified for a syslog channel, but is usually pointless since +syslog also prints the date and time. +If +.Ic print-category +is requested, then the category of the message will be logged as well. +Finally, if +.Ic print-severity +is on, then the severity level of the message will be logged. The +.Ic print- +options may be used +in any combination, and will always be printed in the following order: +time, category, severity. Here is an example where all three +.Ic print- +options are on: + +.Bd -literal + 28-Apr-1997 15:05:32.863 default: notice: Ready to answer queries. +.Ed + +.Pp +There are four predefined channels that are used for +.Nm named 's +default logging as follows. How they are used +used is described in the next section, +.Sx The category phrase. + +.Bd -literal + channel default_syslog { + syslog daemon; # send to syslog's daemon facility + severity info; # only send priority info and higher + }; + + channel default_debug { + file \&"named.run\&"; # write to named.run in the working directory + # Note: stderr is used instead of \&"named.run\&" + # if the server is started with the -f option. + severity dynamic; # log at the server's current debug level + }; + + channel default_stderr { # writes to stderr + file \&"<stderr>\&"; # this is illustrative only; there's currently + # no way of specifying an internal file + # descriptor in the configuration language. + severity info; # only send priority info and higher + }; + + channel null { + null; # toss anything sent to this channel + }; +.Ed + +Once a channel is defined, it cannot be redefined. Thus you cannot +alter the built-in channels directly, but you can modify the default +logging by pointing categories at channels you have defined. + +.Ss The category phrase + +There are many categories, so you can send the logs you want to see +wherever you want, without seeing logs you don't want. If you don't +specify a list of channels for a category, then log messages in that +category will be sent to the +.Li default +category instead. +If you don't specify a default category, the following ``default +default'' is used: + +.Bd -literal + category default { default_syslog; default_debug; }; +.Ed + +As an example, let's say you want to log security events to a file, +but you also want keep the default logging behavior. You'd specify +the following: + +.Bd -literal + channel my_security_channel { + file \&"my_security_file\&"; + severity info; + }; + category security { my_security_channel; + default_syslog; default_debug; }; +.Ed + +To discard all messages in a category, specify the +.Li null +channel: + +.Bd -literal + category lame-servers { null; }; + category cname { null; }; +.Ed + +The following categories are available: + +.Bl -tag -width 1 +.It Ic default +The catch-all. Many things still aren't classified into categories, +and they all end up here. Also, if you don't specify any channels for +a category, the default category is used instead. If you do not +define the default category, the following definition is used: +.Dl category default { default_syslog; default_debug; }; + +.It Ic config +High-level configuration file processing. + +.It Ic parser +Low-level configuration file processing. + +.It Ic queries +A short log message is generated for every query the server receives. + +.It Ic lame-servers +Messages like ``Lame server on ...'' + +.It Ic statistics +Statistics. + +.It Ic panic +If the server has to shut itself down due to an internal problem, it +will log the problem in this category as well as in the problem's native +category. If you do not define the panic category, the following definition +is used: +.Dl category panic { default_syslog; default_stderr; }; + +.It Ic update +Dynamic updates. + +.It Ic ncache +Negative caching. + +.It Ic xfer-in +Zone transfers the server is receiving. + +.It Ic xfer-out +Zone transfers the server is sending. + +.It Ic db +All database operations. + +.It Ic eventlib +Debugging info from the event system. Only one channel may be specified for +this category, and it must be a file channel. If you do not define the +eventlib category, the following definition is used: +.Dl category eventlib { default_debug; }; + +.It Ic packet +Dumps of packets received and sent. Only one channel may be specified for +this category, and it must be a file channel. If you do not define the +packet category, the following definition is used: +.Dl category packet { default_debug; }; + +.It Ic notify +The NOTIFY protocol. + +.It Ic cname +Messages like ``... points to a CNAME''. + +.It Ic security +Approved/unapproved requests. + +.It Ic os +Operating system problems. + +.It Ic insist +Internal consistency check failures. + +.It Ic maintenance +Periodic maintenance events. + +.It Ic load +Zone loading messages. + +.It Ic response-checks +Messages arising from response checking, such as +``Malformed response ...'', ``wrong ans. name ...'', +``unrelated additional info ...'', ``invalid RR type ...'', +and ``bad referral ...''. + +.El + +.Sh THE OPTIONS STATEMENT +.Ss Syntax + +.Bd -literal +options { + [ version \fIversion_string\fR; ] + [ directory \fIpath_name\fR; ] + [ named-xfer \fIpath_name\fR; ] + [ dump-file \fIpath_name\fR; ] + [ memstatistics-file \fIpath_name\fR; ] + [ pid-file \fIpath_name\fR; ] + [ statistics-file \fIpath_name\fR; ] + [ auth-nxdomain \fIyes_or_no\fR; ] + [ deallocate-on-exit \fIyes_or_no\fR; ] + [ dialup \fIyes_or_no\fR; ] + [ fake-iquery \fIyes_or_no\fR; ] + [ fetch-glue \fIyes_or_no\fR; ] + [ has-old-clients \fIyes_or_no\fR; ] + [ host-statistics \fIyes_or_no\fR; ] + [ multiple-cnames \fIyes_or_no\fR; ] + [ notify \fIyes_or_no\fR; ] + [ recursion \fIyes_or_no\fR; ] + [ rfc2308-type1 \fIyes_or_no\fR; ] + [ use-id-pool \fIyes_or_no\fR; ] + [ treat-cr-as-space \fIyes_or_no\fR; ] + [ also-notify \fIyes_or_no\fR; ] + [ forward ( only | first ); ] + [ forwarders { [ \fIin_addr\fR ; [ \fIin_addr\fR ; ... ] ] }; ] + [ check-names ( master | slave | response ) ( warn | fail | ignore); ] + [ allow-query { \fIaddress_match_list\fR }; ] + [ allow-recursion { \fIaddress_match_list\fR }; ] + [ allow-transfer { \fIaddress_match_list\fR }; ] + [ blackhole { \fIaddress_match_list\fR }; ] + [ listen-on [ port \fIip_port\fR ] { \fIaddress_match_list\fR }; ] + [ query-source [ address ( \fIip_addr\fR | * ) ] + [ port ( \fIip_port\fR | * ) ] ; ] + [ lame-ttl \fInumber\fR; ] + [ max-transfer-time-in \fInumber\fR; ] + [ max-ncache-ttl \fInumber\fR; ] + [ min-roots \fInumber\fR; ] + [ serial-queries \fInumber\fR; ] + [ transfer-format ( one-answer | many-answers ); ] + [ transfers-in \fInumber\fR; ] + [ transfers-out \fInumber\fR; ] + [ transfers-per-ns \fInumber\fR; ] + [ transfer-source \fIip_addr\fR; ] + [ maintain-ixfr-base \fIyes_or_no\fR; ] + [ max-ixfr-log-size \fInumber\fR; ] + [ coresize \fIsize_spec\fR ; ] + [ datasize \fIsize_spec\fR ; ] + [ files \fIsize_spec\fR ; ] + [ stacksize \fIsize_spec\fR ; ] + [ cleaning-interval \fInumber\fR; ] + [ heartbeat-interval \fInumber\fR; ] + [ interface-interval \fInumber\fR; ] + [ statistics-interval \fInumber\fR; ] + [ topology { \fIaddress_match_list\fR }; ] + [ sortlist { \fIaddress_match_list|fR }; ] + [ rrset-order { \fIorder_spec\fR ; [ \fIorder_spec\fR ; ... [ [ }; +}; +.Ed + +.Ss Definition and Usage + +The options statement sets up global options to be used by +BIND. This statement may appear at only once in a +configuration file; if more than one occurrence is found, the +first occurrence determines the actual options used, +and a warning will be generated. If there is no options statement, +an options block with each option set to its default will be used. + +.Ss Pathnames + +.Bl -tag -width 1 + +.It Ic version +The version the server should report via the ndc command or via a query of +name +.Pa version.bind +in class chaos. The default is the real version number of ths server, +but some server operators prefer the string ( +.Ic surely you must be joking +). + +.It Ic directory +The working directory of the server. Any non-absolute +pathnames in the configuration file will be taken as relative to this +directory. The default location for most server output files +(e.g. +.Pa named.run ) +is this directory. If a directory is not +specified, the working directory defaults to +.Pa . , +the directory from which the +server was started. The directory specified should be an absolute path. + +.It Ic named-xfer +The pathname to the named-xfer program that the server uses for +inbound zone transfers. If not specified, the default is +system dependent (e.g. +.Pa /usr/sbin/named-xfer +). + +.It Ic dump-file +The pathname of the file the server dumps the database to when it +receives +.Dv SIGINT +signal (as sent by +.Ic ndc dumpdb +). If not specified, the default is +.Pa named_dump.db . + +.It Ic memstatistics-file +The pathname of the file the server writes memory usage statistics to +on exit, if +.Ic deallocate-on-exit +is +.Li yes . +If not specified, the default is +.Pa named.memstats . + +.It Ic pid-file +The pathname of the file the server writes its process ID in. If not +specified, the default is operating system dependent, but is usually +.Pa /var/run/named.pid +or +.Pa /etc/named.pid . +The pid-file is used by programs like +.Nm ndc +that want to send signals to the running nameserver. + +.It Ic statistics-file +The pathname of the file the server appends statistics to when it +receives +.Dv SIGILL +signal (from +.Ic ndc stats ) . +If not specified, the default is +.Pa named.stats . +.El + +.Ss Boolean Options + +.Bl -tag -width 1 +.It Ic auth-nxdomain +If +.Li yes , +then the +.Li AA +bit is always set on +.Dv NXDOMAIN +responses, even if the server is not actually authoritative. +The default is +.Li yes . +Do not turn off +.Ic auth-nxdomain +unless you are sure you know what you are +doing, as some older software won't like it. + +.It Ic deallocate-on-exit +If +.Li yes , +then when the server exits it will painstakingly deallocate every +object it allocated, and then write a memory usage report to the +.Ic memstatistics-file . +The default is +.Li no , +because it is faster to let the operating system clean up. +.Ic deallocate-on-exit +is handy for detecting memory leaks. + +.It Ic dialup +If +.Li yes , +then the server treats all zones as if they are doing zone transfers +across a dial on demand dialup link, which can be brought up by +traffic originating from this server. This has different effects +according to zone type and concentrates the zone maintenance so that +it all happens in a short interval, once every +.Ic heartbeat-interval +and hopefully during the one call. +It also suppresses some of the normal zone maintenance traffic. +The default is +.Li no . +The +.Ic dialup +option may also be specified in the +.Ic zone +statement, in which +case it overrides the +.Ic options dialup +statement. + +.Pp +If the zone is a +.Ic master +then the server will send out +.Dv NOTIFY +request to all the slaves. +This will trigger the zone up to date checking in the slave (providing +it supports +.Dv NOTIFY ) +allowing the slave +to verify the zone while the call us up. + +.Pp +If the zone is a +.Ic slave +or +.Ic stub +then the server will suppress the zone regular zone up to date queries +and only perform the when the +.Ic heartbeat-interval +expires. + +.It Ic fake-iquery +If +.Li yes , +the server will simulate the obsolete DNS query type +.Dv IQUERY . +The default is +.Li no . + +.It Ic fetch-glue +If +.Li yes +(the default), the server will fetch ``glue'' resource +records it doesn't have when constructing the additional data section of +a response. +.Ic fetch-glue no +can be used in conjunction with +.Ic recursion no +to prevent the server's cache from growing or +becoming corrupted (at the cost of requiring more work from the client). + +.It Ic has-old-clients +Setting the option to +.Li yes , +is equivalent to setting the following three options: +.Ic auth-nxdomain yes ;, +.Ic maintain-ixfr-base yes ;, +and +.Ic rfc2308-type1 no ; +. The use of +.Ic has-old-clients +with +.Ic auth-nxdomain , +.Ic maintain-ixfr-base , +and +.Ic rfc2308-type1 +is order dependant. + +.It Ic host-statistics +If +.Li yes , +then statistics are kept for every host that the the nameserver +interacts with. The default is +.Li no . +.Em Note: +turning on +.Ic host-statistics +can consume huge amounts of memory. + +.It Ic maintain-ixfr-base +If +.Li yes , +statistics are kept for every host that the nameserver interacts with. The default is +.Li no . +.Em Note: +turning on +.Li host-statistics +can consume huge amounts of memory. + +.It Ic multiple-cnames +If +.Li yes , +then multiple CNAME resource records will be +allowed for a domain name. The default is +.Li no . +Allowing multiple CNAME records is against standards and is not recommended. +Multiple CNAME support is available because previous versions of BIND +allowed multiple CNAME records, and these records have been used for load +balancing by a number of sites. + +.It Ic notify +If +.Li yes +(the default), DNS NOTIFY messages are sent when a +zone the server is authoritative for changes. The use of NOTIFY +speeds convergence between the master and its slaves. Slave servers +that receive a NOTIFY message and understand it will contact the +master server for the zone and see if they need to do a zone transfer, and +if they do, they will initiate it immediately. The +.Ic notify +option may also be specified in the +.Ic zone +statement, in which case it overrides the +.Ic options notify +statement. + +.It Ic recursion +If +.Li yes , +and a DNS query requests recursion, then the +server will attempt to do all the work required to answer the query. +If recursion is not on, the server will return a referral to the +client if it doesn't know the answer. The default is +.Li yes . +See also +.Ic fetch-glue +above. + +.It Ic rfc2308-type1 +If +.Li yes, +the server will send NS records along with the SOA record for negative +answers. You need to set this to no if you have an old BIND server using +you as a forwarder that does not understand negative answers which contain +both SOA and NS records or you have an old version of sendmail. The correct +fix is to upgrade the broken server or sendmail. The default is +.Li no . + +.It Ic use-id-pool +If +.Li yes, +the server will keep track of its own outstanding query ID's to avoid duplication +and increase randomness. This will result in 128KB more memory being consumed +by the server. The default is +.Li no . + +.It Ic treat-cr-as-space +If +.Li yes, +the server will treat CR characters the same way it treats a space +or tab. This may be necessary when loading zone files on a UNIX system +that were generated on an NT or DOS machine. The default is +.Li no . + + +.El + +.Ss Also-Notify + +.Ic also-notify + +Defines a global list of IP addresses that also get sent NOTIFY messages +whenever a fresh copy of the zone is loaded. This helps to ensure that copies of +the zones will quickly converge on ``stealth'' servers. If an +.Ic also-notify +list is given in a +.Ic zone +statement, it will override the +.Ic options also-notify +statement. When a +.Ic zone notify +statement is set to +.Ic no , +the IP addresses in +the global +.Ic also-notify +list will not get sent NOTIFY messages for that zone. +The default is the empty list (no global notification list). + +.Ss Forwarding + +.Pp +The forwarding facility can be used to create a large site-wide +cache on a few servers, reducing traffic over links to external +nameservers. It can also be used to allow queries by servers that do +not have direct access to the Internet, but wish to look up exterior +names anyway. Forwarding occurs only on those queries for which the +server is not authoritative and does not have the answer in its cache. + +.Bl -tag -width 1 +.It Ic forward +This option is only meaningful if the +.Ic forwarders +list is +not empty. A value of +.Li first , +the default, causes the +server to query the forwarders first, and if that doesn't answer the +question the server will then look for the answer itself. If +.Li only +is specified, the server will only query the forwarders. + +.It Ic forwarders +Specifies the IP addresses to be used for forwarding. The default is the +empty list (no forwarding). +.El + +.Pp +Forwarding can also be configured on a per-zone basis, allowing for +the global forwarding options to be overridden in a variety of ways. +You can set particular zones to use different forwarders, or have +different +.Ic forward only/first +behavior, or to not forward +at all. See +.Sx THE ZONE STATEMENT +section for more information. + +.Pp +Future versions of BIND 8 will provide a more powerful forwarding +system. The syntax described above will continue to be supported. + +.Ss Name Checking + +The server can check domain names based upon their expected client contexts. +For example, a domain name used as a hostname can be checked for compliance +with the RFCs defining valid hostnames. + +.Pp +Three checking methods are available: + +.Bl -tag -width 1 +.It Ic ignore +No checking is done. + +.It Ic warn +Names are checked against their expected client contexts. Invalid names are +logged, but processing continues normally. + +.It Ic fail +Names are checked against their expected client contexts. Invalid names are +logged, and the offending data is rejected. +.El + +.Pp +The server can check names three areas: master zone files, slave +zone files, and in responses to queries the server has initiated. If +.Ic check-names response fail +has been specified, and +answering the client's question would require sending an invalid name +to the client, the server will send a +.Dv REFUSED +response code to the client. + +.Pp +The defaults are: + +.Bd -literal + check-names master fail; + check-names slave warn; + check-names response ignore; +.Ed + +.Pp +.Ic check-names +may also be specified in the +.Ic zone +statement, in which case it overrides the +.Ic options check-names +statement. When used in a +.Ic zone +statement, the area is not specified (because it can be deduced from +the zone type). + +.Ss Access Control + +.Pp +Access to the server can be restricted based on the IP address of the +requesting system or via shared secret keys. See +.Sx ADDRESS MATCH LISTS +for details on how to specify access criteria. + +.Bl -tag -width 1 +.It Ic allow-query +Specifies which hosts are allowed to ask ordinary questions. +.Ic allow-query +may also be specified in the +.Ic zone +statement, in which case it overrides the +.Ic options allow-query +statement. If not specified, the default is + +.Bl -tag -width 1 +.It Ic allow-recursion +Specifies which hosts are allowed to ask recursive questions. +.Ic allow-recursion +may also be specified in the +.Ic zone +statement, in which case it overrides the +.Ic options allow-recursion +statement. If not specified, the default is to allow recursive queries +from all hosts. + +.It Ic allow-transfer +Specifies which hosts are allowed to receive zone transfers from the +server. +.Ic allow-transfer +may also be specified in the +.Ic zone +statement, in which case it overrides the +.Ic options allow-transfer +statement. If not specified, the default +is to allow transfers from all hosts. + +.It Ic blackhole +Specifies a list of addresses that the server will not accept queries from +or use to resolve a query. Queries from these addresses will not be +responded to. +.El + +.Ss Interfaces + +.Pp +The interfaces and ports that the server will answer queries from may +be specified using the +.Ic listen-on +option. +.Ic listen-on +takes an optional port, and an address match list. +The server will listen on all interfaces allowed by the address match +list. If a port is not specified, port 53 will be used. + +.Pp +Multiple +.Ic listen-on +statements are allowed. For example, + +.Bd -literal + listen-on { 5.6.7.8; }; + listen-on port 1234 { !1.2.3.4; 1.2/16; }; +.Ed + +will enable the nameserver on port 53 for the IP address 5.6.7.8, and +on port 1234 of an address on the machine in net 1.2 that is not +1.2.3.4. + +.Pp +If no +.Ic listen-on +is specified, the server will listen on port +53 on all interfaces. + +.Ss Query Address + +.Pp +If the server doesn't know the answer to a question, it will query +other nameservers. +.Ic query-source +specifies the address and port used for such queries. If +.Ic address +is +.Li * +or is omitted, a wildcard IP address +( +.Dv INADDR_ANY ) +will be used. If +.Va port +is +.Li * +or is omitted, a random unprivileged port will be used. +The default is +.Dl query-source address * port *; + +.Pp +Note: +.Ic query-source +currently applies only to UDP queries; +TCP queries always use a wildcard IP address and a random unprivileged +port. + +.Ss Zone Transfers + +.Bl -tag -width 1 +.It Ic max-transfer-time-in +Inbound zone transfers ( +.Nm named-xfer +processes) running +longer than this many minutes will be terminated. +The default is 120 minutes (2 hours). + +.It Ic transfer-format +The server supports two zone transfer methods. +.Li one-answer +uses one DNS message per resource record +transferred. +.Li many-answers +packs as many resource records +as possible into a message. +.Li many-answers +is more efficient, but is only known to be understood by BIND 8.1 and +patched versions of BIND 4.9.5. The default is +.Li one-answer . +.Ic transfer-format +may be overridden on a per-server basis by using the +.Ic server +statement. + +.It Ic transfers-in +The maximum number of inbound zone transfers that can be running +concurrently. The default value is 10. Increasing +.Ic transfers-in +may speed up the convergence of slave zones, +but it also may increase the load on the local system. + +.It Ic transfers-out +This option will be used in the future to limit the number of +concurrent outbound zone transfers. It is checked for syntax, but is +otherwise ignored. + +.It Ic transfers-per-ns +The maximum number of inbound zone transfers ( +.Nm named-xfer +processes) that can be concurrently transferring from a given remote +nameserver. The default value is 2. Increasing +.Ic transfers-per-ns +may speed up the convergence of slave zones, but it also may increase +the load on the remote nameserver. +.Ic transfers-per-ns +may be overridden on a per-server basis by using the +.Ic transfers +phrase of the +.Ic server +statement. + +.It Ic transfer-source +.Nm transfer-source +determines which local address will be bound to the TCP connection used to fetch all zones +transferred inbound by the server. If not set, it defaults to a system controlled value which will usually be the address of the interface ``closest to`` the remote end. This +address must appear in the remote end's +.Nm allow-transfer +option for the zones being transferred, if one is specified. This statement sets the +.Nm transfer-source +for all zones, but can be overriden on a per-zone basis by includinga +.Nm transfer-source +statement within the zone block in the configuration file. +.El + +.Ss Resource Limits + +.Pp +The server's usage of many system resources can be limited. Some +operating systems don't support some of the limits. On such systems, +a warning will be issued if the unsupported limit is used. Some +operating systems don't support limiting resources, and on these systems +a +.D1 cannot set resource limits on this system +message will +be logged. + +.Pp +Scaled values are allowed when specifying resource limits. For +example, +.Li 1G +can be used instead of +.Li 1073741824 +to specify a limit of one gigabyte. +.Li unlimited +requests unlimited use, or the maximum +available amount. +.Li default +uses the limit that was in +force when the server was started. +See the definition of +.Va size_spec +in the +.Sx DOCUMENTATION DEFINITIONS +section for more details. + +.Bl -tag -width 1 +.It Ic coresize +The maximum size of a core dump. The default value is +.Li default . + +.It Ic datasize +The maximum amount of data memory the server may use. The default +value is +.Li default . + +.It Ic files +The maximum number of files the server may have open concurrently. +The default value is +.Li unlimited . +Note that on some operating systems the server cannot set an unlimited +value and cannot determine the maximum number of open files the kernel +can support. On such systems, choosing +.Li unlimited +will cause the server to use +the larger of the +.Va rlim_max +from +.Fn getrlimit RLIMIT_NOFILE +and the value returned by +.Fn sysconf _SC_OPEN_MAX . +If the +actual kernel limit is larger than this value, use +.Ic limit files +to specify the limit explicitly. + +.It Ic max-ixfr-log-size +The +.Li max-ixfr-log-size +will be used in a future release of the server to limit the size of the transaction +log kept for Incremental Zone Transfer. + +.It Ic stacksize +The maximum amount of stack memory the server may use. The default value is +.Li default . +.El + +.Ss Periodic Task Intervals + +.Bl -tag -width 1 +.It Ic cleaning-interval +The server will remove expired resource records from the cache every + +.Ic cleaning-interval +minutes. The default is 60 minutes. If set +to 0, no periodic cleaning will occur. + +.It Ic heartbeat-interval +The server will perform zone maintenance tasks for all zones marked +.Ic dialup yes +whenever this interval expires. +The default is 60 minutes. Reasonable values are up to 1 day (1440 minutes). +If set to 0, no zone maintenance for these zones will occur. + +.It Ic interface-interval +The server will scan the network interface list every +.Ic interface-interval +minutes. The default is 60 minutes. +If set to 0, interface scanning will only occur when the configuration +file is loaded. After the scan, listeners will be started on any new +interfaces (provided they are allowed by the +.Ic listen-on +configuration). Listeners on interfaces that have gone away will be +cleaned up. + +.It Ic statistics-interval +Nameserver statistics will be logged every +.Ic statistics-interval +minutes. The default is 60. If set to 0, no statistics will be logged. +.El + +.Ss Topology + +.Pp +All other things being equal, when the server chooses a nameserver +to query from a list of nameservers, it prefers the one that is +topologically closest to itself. The +.Ic topology +statement takes an address match list and interprets it in a special way. +Each top-level list element is assigned a distance. +Non-negated elements get a distance based on +their position in the list, where the closer the match is to the start +of the list, the shorter the distance is between it and the server. A +negated match will be assigned the maximum distance from the server. +If there is no match, the address will get a distance which is further +than any non-negated list element, and closer than any negated +element. For example, + +.Bd -literal + topology { + 10/8; + !1.2.3/24; + { 1.2/16; 3/8; }; + }; +.Ed + +will prefer servers on network 10 the most, followed by hosts on +network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the exception +of hosts on network 1.2.3 (netmask 255.255.255.0), which is preferred least +of all. + +.Pp +The default topology is +.Dl topology { localhost; localnets; }; + +.Ss Resource Record sorting + +.Pp +When returning multiple RRs, the nameserver will normally return them in +.Ic Round Robin , +i.e. after each request, the first RR is put to the end of the list. +As the order of RRs is not defined, this should not cause any problems. + +The client resolver code should re-arrange the RRs as appropriate, i.e. using +any addresses on the local net in preference to other addresses. However, not all +resolvers can do this, or are not correctly configured. + +When a client is using a local server, the sorting can be performed in the server, +based on the client's address. This only requires configuring the nameservers, +not all the clients. + +The +.Ic sortlist +statement takes an address match list and interprets it even more +specially than the +.Ictopology +statement does. + +Each top level statement in the sortlist must itself be an explicit address match +list with one or two elements. The first element (which may be an IP address, +an IP prefix, an ACL name or nested address match list) of each top level list is +checked against the source address of the query until a match is found. + +Once the source address of the query has been matched, if the top level +statement contains only one element, the actual primitive element that +matched the source address is used to select the address in the response to +move to the beginning of the response. If the statement is a list of two elements, +the second element is treated like the address match list in a topology +statement. Each top level element is assigned a distance and the address in the +response with the minimum distance is moved to the beginning of the response. + +In the following example, any queries received from any of the addresses of the +host itself will get responses preferring addresses on any of the locally +connected networks. Next most preferred are addresses on the 192.168.1/24 +network, and after that either the 192.168.2/24 or 192.168.3/24 network with no +preference shown between these two networks. Queries received from a host on +the 192.168.1/24 network will prefer other addresses on that network to the +192.168.2/24 and 192.168.3/24 networks. Queries received from a host on the +192.168.4/24 or the 192.168.5/24 network will only prefer other addresses on +their directly connected networks. + +.Bd -literal +sortlist { + { localhost; // IF the local host + { localnets; // THEN first fit on the + 192.168.1/24; // following nets + { 192,168.2/24; 192.168.3/24; }; }; }; + { 192.168.1/24; // IF on class C 192.168.1 + { 192.168.1/24; // THEN use .1, or .2 or .3 + { 192.168.2/24; 192.168.3/24; }; }; }; + { 192.168.2/24; // IF on class C 192.168.2 + { 192.168.2/24; // THEN use .2, or .1 or .3 + { 192.168.1/24; 192.168.3/24; }; }; }; + { 192.168.3/24; // IF on class C 192.168.3 + { 192.168.3/24; // THEN use .3, or .1 or .2 + { 192.168.1/24; 192.168.2/24; }; }; }; + { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net + }; +}; +.Ed + +The following example will give reasonable behaviour for the local host and +hosts on directly connected networks. It is similar to the behavior of the +address sort in BIND 4.9.x. Responses sent to queries from the local host will +favor any of the directly connected networks. Responses sent to queries from +any other hosts on a directly connected network will prefer addresses on that +same network. Responses to other queries will not be sorted. + +.Bd -literal +sortlist { + { localhost; localnets; }; + { localnets; }; +}; +.Ed + +.Ss RRset Ordering + +.Pp +When multiple records are returned in an answer it may be useful to configure +the order the records are placed into the response. For example the records for +a zone might be configured to always be returned in the order they are defined +in the zone file. Or perhaps a random shuffle of the records as they are +returned is wanted. The rrset-order statement permits configuration of the +ordering made of the records in a multiple record response. The default, if no +ordering is defined, is a cyclic ordering (round robin). + +An +.Ic order_spec +is defined as follows: + +.Bd -literal + [ \fIclass class_name\fR ][ \fItype type_name\fR ][ \fIname\fR "FQDN" ] \fIorder\fR ordering +.Ed + +If no class is specified, the default is +.Ic ANY . +If no +.Li Ictype +is specified, the default is +.Ic ANY . +If no name is specified, the default is "*". + +The legal values for +.Ic ordering +are: + +.Bd -literal +.Ic fixed + Records are returned in the order they are defined in the zone file. +.Ic random + Records are returned in some random order. +.Ic cyclic + Records are returned in a round-robin order. + +For example: + + rrset-order { + class IN type A name "rc.vix.com" order random; + order cyclic; + }; +.Ed + +will cause any responses for type A records in class IN that have "rc.vix.com" as +a suffix, to always be returned in random order. All other records are returned +in cyclic order. + +If multiple +.Ic rrset-order +statements appear, they are not combined--the last one applies. + +If no +.Ic rrset-order +statement is specified, a default one of: + +.Bd -literal + rrset-order { class ANY type ANY name "*" order cyclic ; }; +.Ed + +is used. + +.Ss Tuning + +.Bl -tag -width 1 +.It Ic lame-ttl +Sets the number of seconds to cache a lame server indication. 0 disables +caching. Default is 600 (10 minutes). Maximum value is 1800 (30 minutes) +.It Ic max-ncache-ttl +To reduce network traffic and increase performance the server store negative +answers. +.Ic max-ncache-ttl +is used to set a maximum retention time +for these answers in the server is seconds. The default +.Ic max-ncache-ttl +is 10800 seconds (3 hours). +.Ic max-ncache-ttl +cannot exceed the maximum retention time for ordinary (positive) +answers (7 days) and will be silently truncated to 7 days if set to a +value which is greater that 7 days. +.It Ic min-roots +The minimum number of root servers that is required for a request for the root +servers to be accepted. Default is 2. +.El + +.Sh THE ZONE STATEMENT +.Ss Syntax + +.Bd -literal +zone \fIdomain_name\fR [ ( in | hs | hesiod | chaos ) ] { + type master; + file \fIpath_name\fR; + [ check-names ( warn | fail | ignore ); ] + [ allow-update { \fIaddress_match_list\fR }; ] + [ allow-query { \fIaddress_match_list\fR }; ] + [ allow-transfer { \fIaddress_match_list\fR }; ] + [ dialup \fIyes_or_no\fR; ] + [ notify \fIyes_or_no\fR; ] + [ also-notify { \fIip_addr\fR; [ \fIip_addr\fR; ... ] }; + [ pubkey \fInumber\fR \fInumber\fR \fInumber\fR \fIstring\fR; ] +}; + +zone \fIdomain_name\fR [ ( in | hs | hesiod | chaos ) ] { + type ( slave | stub ); + [ file \fIpath_name\fR; ] + masters [ port \fIip_port\fR ] { \fIip_addr\fR; [ \fIip_addr\fR; ... ] }; + [ check-names ( warn | fail | ignore ); ] + [ allow-update { \fIaddress_match_list\fR }; ] + [ allow-query { \fIaddress_match_list\fR }; ] + [ allow-transfer { \fIaddress_match_list\fR }; ] + [ transfer-source \fIip_addr\fR; ] + [ max-transfer-time-in \fInumber\fR; ] + [ notify \fIyes_or_no\fR; ] + [ also-notify { \fIip_addr\fR; [ \fIip_addr\fR; ... ] }; + [ pubkey \fInumber\fR \fInumber\fR \fInumber\fR \fIstring\fR; ] +}; + +zone \fIdomain_name\fR [ ( in | hs | hesiod | chaos ) ] { + type forward; + [ forward ( only | first ); ] + [ forwarders { [ \fIip_addr\fR ; [ \fIip_addr\fR ; ... ] ] }; ] + [ check-names ( warn | fail | ignore ); ] +}; + +zone \&".\&" [ ( in | hs | hesiod | chaos ) ] { + type hint; + file \fIpath_name\fR; + [ check-names ( warn | fail | ignore ); ] +}; +.Ed + +.Ss Definition and Usage + +The +.Ic zone +statement is used to define how information about particular DNS zones +is managed by the server. There are five different zone types. + +.Bl -tag -width 1 +.It Ic master +The server has a master copy of the data for the zone and will be able +to provide authoritative answers for it. + +.It Ic slave +A +.Ic slave +zone is a replica of a master zone. The +.Ic masters +list specifies one or more IP addresses that the slave contacts to +update its copy of the zone. If a +.Ic port +is specified then checks to see if the zone is current and zone transfers +will be done to the port given. If +.Ic file +is specified, then the replica will be written to the named file. +Use of the +.Ic file +clause is highly recommended, since it often speeds server startup +and eliminates a needless waste of bandwidth. + +.It Ic stub +A +.Ic stub +zone is like a slave zone, except that it replicates +only the NS records of a master zone instead of the entire zone. + +.It Ic forward +A +.Ic forward +zone is used to direct all queries in it to other servers, as described in +.Sx THE OPTIONS STATEMENT +section. The specification of options in such a zone will override +any global options declared in the +.Ic options +statement. + +.Pp +If either no +.Ic forwarders +clause is present in the zone or an empty list for +.Ic forwarders +is given, then no forwarding will be done for the zone, cancelling the +effects of any +.Ic forwarders +in the +.Ic options +statement. +Thus if you want to use this type of zone to change only the behavior of +the global +.Ic forward +option, and not the servers used, then you also need to respecify the +global forwarders. + +.It Ic hint +The initial set of root nameservers is specified using a +.Ic hint +zone. When the server starts up, it uses the root hints +to find a root nameserver and get the most recent list of root nameservers. +.El + +.Pp +Note: previous releases of BIND used the term +.Ic primary +for a master zone, +.Ic secondary +for a slave zone, and +.Ic cache +for a hint zone. + +.Ss Classes + +The zone's name may optionally be followed by a class. If a class is not +specified, class +.Ic in +(for "internet"), is assumed. This is correct for the vast majority +of cases. + +.Pp +The +.Ic hesiod +class is for an information service from MIT's Project Athena. It is +used to share information about various systems databases, such as +users, groups, printers and so on. More information can be found at +ftp://athena-dist.mit.edu/pub/ATHENA/usenix/athena_changes.PS. +The keyword +.Ic hs +is a synonym for +.Ic hesiod . + +.Pp +Another MIT development was CHAOSnet, a LAN protocol created in the +mid-1970s. It is still sometimes seen on LISP stations and other +hardware in the AI community, and zone data for it can be specified +with the +.Ic chaos +class. + +.Ss Options + +.Bl -tag -width 1 +.It Ic check-names +See the subsection on +.Sx Name Checking +in +.Sx THE OPTIONS STATEMENT . + +.It Ic allow-query +See the description of +.Ic allow-query +in the +.Sx Access Control +subsection of +.Sx THE OPTIONS STATEMENT . + +.It Ic allow-update +Specifies which hosts are allowed to submit Dynamic DNS updates to the +server. The default is to deny updates from all hosts. + +.It Ic allow-transfer +See the description of +.Ic allow-transfer +in the +.Sx Access Control +subsection of +.Sx THE OPTIONS STATEMENT . + +.It Ic transfer-source +.Ic transfer-source +determines which local address will be bound to the TCP connection +used to fetch this zone. If not set, it defaults to a system +controlled value which will usually be the address of the interface +``closest to'' the remote end. This address must appear in the remote end's +.Ic allow-transfer +option for this zone if one is specified. + +.It Ic max-transfer-time-in +See the description of +.Ic max-transfer-time-in +in the +.Sx Zone Transfers +subsection of +.Sx THE OPTIONS STATEMENT . + +.It Ic dialup +See the description of +.Ic dialup +in the +.Sx Boolean Options +subsection of +.Sx THE OPTIONS STATEMENT . + +.It Ic notify +See the description of +.Sx notify +in the +.Sx Boolean Options +subsection of the +.Sx THE OPTIONS STATEMENT . + +.It Ic also-notify +.Ic also-notify +is only meaningful if +.Ic notify +is active for this zone. +The set of machines that will receive a DNS NOTIFY message for this +zone is made up of all the listed nameservers for the zone (other than +the primary master) plus any IP addresses specified with +.Ic also-notify . +.Ic also-notify +is not meaningful for +.Ic stub +zones. The default is the empty list. + +.It Ic forward +.Ic forward +is only meaningful if the zone has a +.Ic forwarders +list. The +.Ic only +value causes the lookup to fail after trying the +.Ic forwarders +and getting no answer, while +.Ic first +would allow a normal lookup to be tried. + +.It Ic forwarders +The +.Ic forwarders +option in a zone is used to override the list of global forwarders. +If it is not specified in a zone of type +.Ic forward , +.Em no +forwarding is done for the zone; the global options are not used. + +.It Ic pubkey +The DNSSEC flags, protocol, and algorithm are specified, as well as a base-64 +encoded string representing the key. +.El + +.Sh THE ACL STATEMENT +.Ss Syntax + +.Bd -literal +acl \fIname\fR { + \fIaddress_match_list\fR +}; +.Ed + +.Ss Definition and Usage + +The +.Ic acl +statement creates a named address match list. +It gets its name from a primary use of address match lists: Access +Control Lists (ACLs). + +.Pp +Note that an address match list's name must be defined with +.Ic acl +before it can be used elsewhere; no forward +references are allowed. + +.Pp +The following ACLs are built-in: + +.Bl -tag -width 1 +.It Ic any +Allows all hosts. +.It Ic none +Denies all hosts. +.It Ic localhost +Allows the IP addresses of all interfaces on the system. +.It Ic localnets +Allows any host on a network for which the system has an interface. +.El + +.Sh THE KEY STATEMENT +.Ss Syntax + +.Bd -literal +key \fIkey_id\fR { + algorithm \fIalgorithm_id\fR; + secret \fIsecret_string\fR; +}; +.Ed + +.Ss Definition and Usage + +The +.Ic key +statement defines a key ID which can be used in a +.Ic server +statement to associate a method of authentication with a particular +name server that is more rigorous than simple IP address matching. +A key ID must be created with the +.Ic key +statement before it can be used in a +.Ic server +definition or an address match list. + +.Pp +The +.Va algorithm_id +is a string that specifies a +security/authentication algorithm. +.Va secret_string +is the secret to be used by the algorithm, +and is treated as a base-64 encoded string. +It should go without saying, but probably can't, +that if you have +.Va secret_string 's +in your +.Pa named.conf , +then it should not be readable by anyone but the superuser. + +.Sh THE TRUSTED-KEYS STATEMENT +.Ss Syntax + +.Bd -literal +trusted-keys { + [ \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ] +}; +.Ed + +.Ss Definition and Usage + +The +.Ic trusted-keys +statement is for use with DNSSEC-style security, originally specified +in RFC 2065. DNSSEC is meant to +provide three distinct services: key distribution, data origin +authentication, and transaction and request authentication. A +complete description of DNSSEC and its use is beyond the scope of this +document, and readers interested in more information should start with +RFC 2065 and then continue with the Internet Drafts available at +http://www.ietf.org/ids.by.wg/dnssec.html. + +.Pp +Each trusted key is associated with a domain name. Its attributes are +the non-negative integral +.Va flags , +.Va protocol , +and +.Va algorithm , +as well as a base-64 encoded string representing the +.Va key . + +.Pp +Any number of trusted keys can be specified. + +.Sh THE SERVER STATEMENT +.Ss Syntax + +.Bd -literal +server \fIip_addr\fR { + [ bogus \fIyes_or_no\fR; ] + [ transfers \fInumber\fR; ] + [ transfer-format ( one-answer | many-answers ); ] + [ keys { \fIkey_id\fR [ \fIkey_id\fR ... ] }; ] +}; +.Ed + +.Ss Definition and Usage + +The server statement defines the characteristics to be +associated with a remote name server. + +.Pp +If you discover that a server is giving out bad data, marking it as +.Ic bogus +will prevent further queries to it. The default value of +.Ic bogus +is +.Li no . + +.Pp +The server supports two zone transfer methods. The first, +.Ic one-answer , +uses one DNS message per resource record transferred. +.Ic many-answers +packs as many resource records as possible into a message. +.Ic many-answers +is more efficient, but is only known to be understood by BIND 8.1 and +patched versions of BIND 4.9.5. You can specify which method to use +for a server with the +.Ic transfer-format +option. If +.Ic transfer-format +is not specified, the +.Ic transfer-format +specified by the +.Ic options +statement will be used. + +.Pp +The +.Ic transfers +will be used in a future release of the server to limit the number of +concurrent in-bound zone transfers from the specified server. It is +checked for syntax but is otherwise ignored. + +.Pp +The +.Ic keys +clause is used to identify a +.Va key_id +defined by the +.Ic key +statement, to be used for transaction security when talking to the +remote server. +The +.Ic key +statememnt must come before the +.Ic server +statement that references it. + +.Pp +The +.Ic keys +statement is intended for future use by the +server. It is checked for syntax but is otherwise ignored. + +.Sh THE CONTROLS STATEMENT +.Ss Syntax + +.Bd -literal +controls { + [ inet \fIip_addr\fR + port \fIip_port\fR + allow { \fIaddress_match_list\fR; }; ] + [ unix \fIpath_name\fR + perm \fInumber\fR + owner \fInumber\fR + group \fInumber\fR; ] +}; +.Ed + +.Ss Definition and Usage + +The +.Ic controls +statement declares control channels to be used by system +administrators to affect the operation of the local name server. +These control channels are used by the +.Nm ndc +utility to send commands +to and retrieve non-DNS results from a name server. + +.Pp +A +.Ic unix +control channel is a FIFO in the file system, and access to it is +controlled by normal file system permissions. It is created by +.Nm named +with the specified file mode bits (see +.Xr chmod 1 ) , +user and group owner. Note that, unlike +.Nm chmod , +the mode bits specified for +.Ic perm +will normally have a leading +.Li 0 +so the number is interpreted as octal. Also note that the user and +group ownership specified as +.Ic owner +and +.Ic group +must be given as numbers, not names. +It is recommended that the +permissions be restricted to administrative personnel only, or else any +user on the system might be able to manage the local name server. + +.Pp +An +.Ic inet +control channel is a TCP/IP socket accessible to the Internet, created +at the specified +.Va ip_port +on the specified +.Va ip_addr . +Modern +.Nm telnet +clients are capable of speaking directly to these +sockets, and the control protocol is ARPAnet-style text. +It is recommended that 127.0.0.1 be the only +.Va ip_addr +used, and this only if you trust all non-privileged users on the local +host to manage your name server. + +.Sh THE INCLUDE STATEMENT +.Ss Syntax + +.Bd -literal +include \fIpath_name\fR; +.Ed + +.Ss Definition and Usage + +The +.Ic include +statement inserts the specified file at the point that the +.Ic include +statement is encountered. It cannot be used within another statement, +though, so a line such as +.Dl acl internal_hosts { include "internal_hosts.acl"; }; +is not allowed. + +.Pp +Use +.Ic include +to break the configuration up into easily-managed chunks. +For example: + +.Bd -literal +include "/etc/security/keys.bind"; +include "/etc/acls.bind"; +.Ed + +could be used at the top of a BIND configuration file in order to +include any ACL or key information. + +.Pp +Be careful not to type +``#include'', like you would in a C program, because +``#'' is used to start a comment. + +.Sh EXAMPLES + +The simplest configuration file that is still realistically useful is +one which simply defines a hint zone that has a full path to the root +servers file. +.Bd -literal +zone \&".\&" in { + type hint; + file \&"/var/named/root.cache\&"; +}; +.Ed + +Here's a more typical real-world example. + +.Bd -literal +/* + * A simple BIND 8 configuration + */ + +logging { + category lame-servers { null; }; + category cname { null; }; +}; + +options { + directory \&"/var/named\&"; +}; + +controls { + inet * port 52 allow { any; }; // a bad idea + unix \&"/var/run/ndc\&" perm 0600 owner 0 group 0; // the default +}; + +zone \&"isc.org\&" in { + type master; + file \&"master/isc.org\&"; +}; + +zone \&"vix.com\&" in { + type slave; + file \&"slave/vix.com\&"; + masters { 10.0.0.53; }; +}; + +zone \&"0.0.127.in-addr.arpa\&" in { + type master; + file \&"master/127.0.0\&"; +}; + +zone \&".\&" in { + type hint; + file \&"root.cache\&"; +}; +.Ed + +.Sh FILES +.Bl -tag -width 1 -compact +.It Pa /etc/named.conf +The BIND 8 +.Nm named +configuration file. +.El + +.Sh SEE ALSO +.Xr named 8 , +.Xr ndc 8 |