diff options
| author | peter <peter@FreeBSD.org> | 2008-07-12 05:00:28 +0000 |
|---|---|---|
| committer | peter <peter@FreeBSD.org> | 2008-07-12 05:00:28 +0000 |
| commit | ba8f85b49c38af7bc2a9acdef5dcde2de008d25e (patch) | |
| tree | ceac31a567976fd5866cb5791b059781f6e045de /contrib/bind9/doc/arm/Bv9ARM.ch06.html | |
| parent | 0f328cea2580ffb8f9e363be671a517787111472 (diff) | |
| download | FreeBSD-src-ba8f85b49c38af7bc2a9acdef5dcde2de008d25e.zip FreeBSD-src-ba8f85b49c38af7bc2a9acdef5dcde2de008d25e.tar.gz | |
Flatten bind9 vendor work area
Diffstat (limited to 'contrib/bind9/doc/arm/Bv9ARM.ch06.html')
| -rw-r--r-- | contrib/bind9/doc/arm/Bv9ARM.ch06.html | 7114 |
1 files changed, 0 insertions, 7114 deletions
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html deleted file mode 100644 index d829a17..0000000 --- a/contrib/bind9/doc/arm/Bv9ARM.ch06.html +++ /dev/null @@ -1,7114 +0,0 @@ -<!-- - - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> -<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.73 2007/10/31 01:35:58 marka Exp $ --> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> -<title>Chapter 6. BIND 9 Configuration Reference</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> -<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> -<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver"> -<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations"> -</head> -<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> -<div class="navheader"> -<table width="100%" summary="Navigation header"> -<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr> -<tr> -<td width="20%" align="left"> -<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td> -<th width="60%" align="center"> </th> -<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a> -</td> -</tr> -</table> -<hr> -</div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div> -<div class="toc"> -<p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> -<dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573480">Comment Syntax</a></span></dt> -</dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> -<dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574092"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574282"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574711"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574726"><span><strong class="command">include</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574749"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574771"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574930"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575056"><span><strong class="command">logging</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576406"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576480"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576544"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576587"><span><strong class="command">masters</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576602"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and - Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585361"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585410"><span><strong class="command">trusted-keys</strong></span> Statement Definition - and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585490"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> - Statement Grammar</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586798"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> -</dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589080">Zone File</a></span></dt> -<dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591101">Discussion of MX Records</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591653">Inverse Mapping in IPv4</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591848">Other Zone File Directives</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592173"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> -</dl></dd> -</dl> -</div> -<p> - <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar - to <acronym class="acronym">BIND</acronym> 8; however, there are a few new - areas - of configuration, such as views. <acronym class="acronym">BIND</acronym> - 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym> - 9, although more complex configurations should be reviewed to check - if they can be more efficiently implemented using the new features - found in <acronym class="acronym">BIND</acronym> 9. - </p> -<p> - <acronym class="acronym">BIND</acronym> 4 configuration files can be - converted to the new format - using the shell script - <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>. - </p> -<div class="sect1" lang="en"> -<div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div> -<p> - Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration - file documentation: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - <code class="varname">acl_name</code> - </p> - </td> -<td> - <p> - The name of an <code class="varname">address_match_list</code> as - defined by the <span><strong class="command">acl</strong></span> statement. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">address_match_list</code> - </p> - </td> -<td> - <p> - A list of one or more - <code class="varname">ip_addr</code>, - <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>, - or <code class="varname">acl_name</code> elements, see - <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">masters_list</code> - </p> - </td> -<td> - <p> - A named list of one or more <code class="varname">ip_addr</code> - with optional <code class="varname">key_id</code> and/or - <code class="varname">ip_port</code>. - A <code class="varname">masters_list</code> may include other - <code class="varname">masters_lists</code>. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">domain_name</code> - </p> - </td> -<td> - <p> - A quoted string which will be used as - a DNS name, for example "<code class="literal">my.test.domain</code>". - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">dotted_decimal</code> - </p> - </td> -<td> - <p> - One to four integers valued 0 through - 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>, - <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">ip4_addr</code> - </p> - </td> -<td> - <p> - An IPv4 address with exactly four elements - in <code class="varname">dotted_decimal</code> notation. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">ip6_addr</code> - </p> - </td> -<td> - <p> - An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>. - IPv6 scoped addresses that have ambiguity on their scope - zones must be - disambiguated by an appropriate zone ID with the percent - character - (`%') as delimiter. - It is strongly recommended to use string zone names rather - than - numeric identifiers, in order to be robust against system - configuration changes. - However, since there is no standard mapping for such names - and - identifier values, currently only interface names as link - identifiers - are supported, assuming one-to-one mapping between - interfaces and links. - For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the - link attached to the interface <span><strong class="command">ne0</strong></span> - can be specified as <span><strong class="command">fe80::1%ne0</strong></span>. - Note that on most systems link-local addresses always have - the - ambiguity, and need to be disambiguated. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">ip_addr</code> - </p> - </td> -<td> - <p> - An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">ip_port</code> - </p> - </td> -<td> - <p> - An IP port <code class="varname">number</code>. - The <code class="varname">number</code> is limited to 0 - through 65535, with values - below 1024 typically restricted to use by processes running - as root. - In some cases, an asterisk (`*') character can be used as a - placeholder to - select a random high-numbered port. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">ip_prefix</code> - </p> - </td> -<td> - <p> - An IP network specified as an <code class="varname">ip_addr</code>, - followed by a slash (`/') and then the number of bits in the - netmask. - Trailing zeros in a <code class="varname">ip_addr</code> - may omitted. - For example, <span><strong class="command">127/8</strong></span> is the - network <span><strong class="command">127.0.0.0</strong></span> with - netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is - network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">key_id</code> - </p> - </td> -<td> - <p> - A <code class="varname">domain_name</code> representing - the name of a shared key, to be used for transaction - security. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">key_list</code> - </p> - </td> -<td> - <p> - A list of one or more - <code class="varname">key_id</code>s, - separated by semicolons and ending with a semicolon. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">number</code> - </p> - </td> -<td> - <p> - A non-negative 32-bit integer - (i.e., a number between 0 and 4294967295, inclusive). - Its acceptable value might further - be limited by the context in which it is used. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">path_name</code> - </p> - </td> -<td> - <p> - A quoted string which will be used as - a pathname, such as <code class="filename">zones/master/my.test.domain</code>. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">size_spec</code> - </p> - </td> -<td> - <p> - A number, the word <strong class="userinput"><code>unlimited</code></strong>, - or the word <strong class="userinput"><code>default</code></strong>. - </p> - <p> - An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited - use, or the maximum available amount. A <code class="varname">default size_spec</code> uses - the limit that was in force when the server was started. - </p> - <p> - A <code class="varname">number</code> can optionally be - followed by a scaling factor: - <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong> - for kilobytes, - <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong> - for megabytes, and - <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes, - which scale by 1024, 1024*1024, and 1024*1024*1024 - respectively. - </p> - <p> - The value must be representable as a 64-bit unsigned integer - (0 to 18446744073709551615, inclusive). - Using <code class="varname">unlimited</code> is the best - way - to safely set a really large number. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">yes_or_no</code> - </p> - </td> -<td> - <p> - Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>. - The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are - also accepted, as are the numbers <strong class="userinput"><code>1</code></strong> - and <strong class="userinput"><code>0</code></strong>. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">dialup_option</code> - </p> - </td> -<td> - <p> - One of <strong class="userinput"><code>yes</code></strong>, - <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>, - <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or - <strong class="userinput"><code>passive</code></strong>. - When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>, - <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong> - are restricted to slave and stub zones. - </p> - </td> -</tr> -</tbody> -</table></div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2573277"></a>Syntax</h4></div></div></div> -<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ; - [<span class="optional"> address_match_list_element; ... </span>] -<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] | - key key_id | acl_name | { address_match_list } ) -</pre> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2573305"></a>Definition and Usage</h4></div></div></div> -<p> - Address match lists are primarily used to determine access - control for various server operations. They are also used in - the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span> - statements. The elements - which constitute an address match list can be any of the - following: - </p> -<div class="itemizedlist"><ul type="disc"> -<li>an IP address (IPv4 or IPv6)</li> -<li>an IP prefix (in `/' notation)</li> -<li> - a key ID, as defined by the <span><strong class="command">key</strong></span> - statement - </li> -<li>the name of an address match list defined with - the <span><strong class="command">acl</strong></span> statement - </li> -<li>a nested address match list enclosed in braces</li> -</ul></div> -<p> - Elements can be negated with a leading exclamation mark (`!'), - and the match list names "any", "none", "localhost", and - "localnets" - are predefined. More information on those names can be found in - the description of the acl statement. - </p> -<p> - The addition of the key clause made the name of this syntactic - element something of a misnomer, since security keys can be used - to validate access without regard to a host or network address. - Nonetheless, - the term "address match list" is still used throughout the - documentation. - </p> -<p> - When a given IP address or prefix is compared to an address - match list, the list is traversed in order until an element - matches. - The interpretation of a match depends on whether the list is being - used - for access control, defining listen-on ports, or in a sortlist, - and whether the element was negated. - </p> -<p> - When used as an access control list, a non-negated match - allows access and a negated match denies access. If - there is no match, access is denied. The clauses - <span><strong class="command">allow-notify</strong></span>, - <span><strong class="command">allow-query</strong></span>, - <span><strong class="command">allow-query-cache</strong></span>, - <span><strong class="command">allow-transfer</strong></span>, - <span><strong class="command">allow-update</strong></span>, - <span><strong class="command">allow-update-forwarding</strong></span>, and - <span><strong class="command">blackhole</strong></span> all use address match - lists. Similarly, the listen-on option will cause the - server to not accept queries on any of the machine's - addresses which do not match the list. - </p> -<p> - Because of the first-match aspect of the algorithm, an element - that defines a subset of another element in the list should come - before the broader element, regardless of whether either is - negated. For - example, in - <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 - element is - completely useless because the algorithm will match any lookup for - 1.2.3.13 to the 1.2.3/24 element. - Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes - that problem by having 1.2.3.13 blocked by the negation but all - other 1.2.3.* hosts fall through. - </p> -</div> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2573480"></a>Comment Syntax</h3></div></div></div> -<p> - The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for - comments to appear - anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration - file. To appeal to programmers of all kinds, they can be written - in the C, C++, or shell/perl style. - </p> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2573495"></a>Syntax</h4></div></div></div> -<p> - </p> -<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre> -<p> - </p> -<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre> -<p> - </p> -<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells and perl</pre> -<p> - </p> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2573525"></a>Definition and Usage</h4></div></div></div> -<p> - Comments may appear anywhere that whitespace may appear in - a <acronym class="acronym">BIND</acronym> configuration file. - </p> -<p> - C-style comments start with the two characters /* (slash, - star) and end with */ (star, slash). Because they are completely - delimited with these characters, they can be used to comment only - a portion of a line or to span multiple lines. - </p> -<p> - C-style comments cannot be nested. For example, the following - is not valid because the entire comment ends with the first */: - </p> -<p> - -</p> -<pre class="programlisting">/* This is the start of a comment. - This is still part of the comment. -/* This is an incorrect attempt at nesting a comment. */ - This is no longer in any comment. */ -</pre> -<p> - - </p> -<p> - C++-style comments start with the two characters // (slash, - slash) and continue to the end of the physical line. They cannot - be continued across multiple physical lines; to have one logical - comment span multiple lines, each line must use the // pair. - </p> -<p> - For example: - </p> -<p> - -</p> -<pre class="programlisting">// This is the start of a comment. The next line -// is a new comment, even though it is logically -// part of the previous comment. -</pre> -<p> - - </p> -<p> - Shell-style (or perl-style, if you prefer) comments start - with the character <code class="literal">#</code> (number sign) - and continue to the end of the - physical line, as in C++ comments. - </p> -<p> - For example: - </p> -<p> - -</p> -<pre class="programlisting"># This is the start of a comment. The next line -# is a new comment, even though it is logically -# part of the previous comment. -</pre> -<p> - - </p> -<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Warning</h3> -<p> - You cannot use the semicolon (`;') character - to start a comment such as you would in a zone file. The - semicolon indicates the end of a configuration - statement. - </p> -</div> -</div> -</div> -</div> -<div class="sect1" lang="en"> -<div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div> -<p> - A <acronym class="acronym">BIND</acronym> 9 configuration consists of - statements and comments. - Statements end with a semicolon. Statements and comments are the - only elements that can appear without enclosing braces. Many - statements contain a block of sub-statements, which are also - terminated with a semicolon. - </p> -<p> - The following statements are supported: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p><span><strong class="command">acl</strong></span></p> - </td> -<td> - <p> - defines a named IP address - matching list, for access control and other uses. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">controls</strong></span></p> - </td> -<td> - <p> - declares control channels to be used - by the <span><strong class="command">rndc</strong></span> utility. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">include</strong></span></p> - </td> -<td> - <p> - includes a file. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">key</strong></span></p> - </td> -<td> - <p> - specifies key information for use in - authentication and authorization using TSIG. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">logging</strong></span></p> - </td> -<td> - <p> - specifies what the server logs, and where - the log messages are sent. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">lwres</strong></span></p> - </td> -<td> - <p> - configures <span><strong class="command">named</strong></span> to - also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>). - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">masters</strong></span></p> - </td> -<td> - <p> - defines a named masters list for - inclusion in stub and slave zone masters clauses. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">options</strong></span></p> - </td> -<td> - <p> - controls global server configuration - options and sets defaults for other statements. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">server</strong></span></p> - </td> -<td> - <p> - sets certain configuration options on - a per-server basis. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">trusted-keys</strong></span></p> - </td> -<td> - <p> - defines trusted DNSSEC keys. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">view</strong></span></p> - </td> -<td> - <p> - defines a view. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">zone</strong></span></p> - </td> -<td> - <p> - defines a zone. - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - The <span><strong class="command">logging</strong></span> and - <span><strong class="command">options</strong></span> statements may only occur once - per - configuration. - </p> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2574092"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { - address_match_list -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and - Usage</h3></div></div></div> -<p> - The <span><strong class="command">acl</strong></span> statement assigns a symbolic - name to an address match list. It gets its name from a primary - use of address match lists: Access Control Lists (ACLs). - </p> -<p> - Note that an address match list's name must be defined - with <span><strong class="command">acl</strong></span> before it can be used - elsewhere; no - forward references are allowed. - </p> -<p> - The following ACLs are built-in: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p><span><strong class="command">any</strong></span></p> - </td> -<td> - <p> - Matches all hosts. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">none</strong></span></p> - </td> -<td> - <p> - Matches no hosts. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">localhost</strong></span></p> - </td> -<td> - <p> - Matches the IPv4 and IPv6 addresses of all network - interfaces on the system. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">localnets</strong></span></p> - </td> -<td> - <p> - Matches any host on an IPv4 or IPv6 network - for which the system has an interface. - Some systems do not provide a way to determine the prefix - lengths of - local IPv6 addresses. - In such a case, <span><strong class="command">localnets</strong></span> - only matches the local - IPv6 addresses, just like <span><strong class="command">localhost</strong></span>. - </p> - </td> -</tr> -</tbody> -</table></div> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2574282"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">controls</strong></span> { - [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> } - keys { <em class="replaceable"><code>key_list</code></em> }; ] - [ inet ...; ] - [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> keys { <em class="replaceable"><code>key_list</code></em> }; ] - [ unix ...; ] -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and - Usage</h3></div></div></div> -<p> - The <span><strong class="command">controls</strong></span> statement declares control - channels to be used by system administrators to control the - operation of the name server. These control channels are - used by the <span><strong class="command">rndc</strong></span> utility to send - commands to and retrieve non-DNS results from a name server. - </p> -<p> - An <span><strong class="command">inet</strong></span> control channel is a TCP socket - listening at the specified <span><strong class="command">ip_port</strong></span> on the - specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 - address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is - interpreted as the IPv4 wildcard address; connections will be - accepted on any of the system's IPv4 addresses. - To listen on the IPv6 wildcard address, - use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. - If you will only use <span><strong class="command">rndc</strong></span> on the local host, - using the loopback address (<code class="literal">127.0.0.1</code> - or <code class="literal">::1</code>) is recommended for maximum security. - </p> -<p> - If no port is specified, port 953 is used. The asterisk - "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>. - </p> -<p> - The ability to issue commands over the control channel is - restricted by the <span><strong class="command">allow</strong></span> and - <span><strong class="command">keys</strong></span> clauses. - Connections to the control channel are permitted based on the - <span><strong class="command">address_match_list</strong></span>. This is for simple - IP address based filtering only; any <span><strong class="command">key_id</strong></span> - elements of the <span><strong class="command">address_match_list</strong></span> - are ignored. - </p> -<p> - A <span><strong class="command">unix</strong></span> control channel is a UNIX domain - socket listening at the specified path in the file system. - Access to the socket is specified by the <span><strong class="command">perm</strong></span>, - <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses. - Note on some platforms (SunOS and Solaris) the permissions - (<span><strong class="command">perm</strong></span>) are applied to the parent directory - as the permissions on the socket itself are ignored. - </p> -<p> - The primary authorization mechanism of the command - channel is the <span><strong class="command">key_list</strong></span>, which - contains a list of <span><strong class="command">key_id</strong></span>s. - Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span> - is authorized to execute commands over the control channel. - See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>) - for information about configuring keys in <span><strong class="command">rndc</strong></span>. - </p> -<p> - If no <span><strong class="command">controls</strong></span> statement is present, - <span><strong class="command">named</strong></span> will set up a default - control channel listening on the loopback address 127.0.0.1 - and its IPv6 counterpart ::1. - In this case, and also when the <span><strong class="command">controls</strong></span> statement - is present but does not have a <span><strong class="command">keys</strong></span> clause, - <span><strong class="command">named</strong></span> will attempt to load the command channel key - from the file <code class="filename">rndc.key</code> in - <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code> - was specified as when <acronym class="acronym">BIND</acronym> was built). - To create a <code class="filename">rndc.key</code> file, run - <strong class="userinput"><code>rndc-confgen -a</code></strong>. - </p> -<p> - The <code class="filename">rndc.key</code> feature was created to - ease the transition of systems from <acronym class="acronym">BIND</acronym> 8, - which did not have digital signatures on its command channel - messages and thus did not have a <span><strong class="command">keys</strong></span> clause. - - It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8 - configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged, - and still have <span><strong class="command">rndc</strong></span> work the same way - <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the - command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is - installed. - </p> -<p> - Since the <code class="filename">rndc.key</code> feature - is only intended to allow the backward-compatible usage of - <acronym class="acronym">BIND</acronym> 8 configuration files, this - feature does not - have a high degree of configurability. You cannot easily change - the key name or the size of the secret, so you should make a - <code class="filename">rndc.conf</code> with your own key if you - wish to change - those things. The <code class="filename">rndc.key</code> file - also has its - permissions set such that only the owner of the file (the user that - <span><strong class="command">named</strong></span> is running as) can access it. - If you - desire greater flexibility in allowing other users to access - <span><strong class="command">rndc</strong></span> commands, then you need to create - a - <code class="filename">rndc.conf</code> file and make it group - readable by a group - that contains the users who should have access. - </p> -<p> - To disable the command channel, use an empty - <span><strong class="command">controls</strong></span> statement: - <span><strong class="command">controls { };</strong></span>. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2574711"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2574726"></a><span><strong class="command">include</strong></span> Statement Definition and - Usage</h3></div></div></div> -<p> - The <span><strong class="command">include</strong></span> statement inserts the - specified file at the point where the <span><strong class="command">include</strong></span> - statement is encountered. The <span><strong class="command">include</strong></span> - statement facilitates the administration of configuration - files - by permitting the reading or writing of some things but not - others. For example, the statement could include private keys - that are readable only by the name server. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2574749"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> { - algorithm <em class="replaceable"><code>string</code></em>; - secret <em class="replaceable"><code>string</code></em>; -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2574771"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> -<p> - The <span><strong class="command">key</strong></span> statement defines a shared - secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) - or the command channel - (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and - Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and - Usage”</a>). - </p> -<p> - The <span><strong class="command">key</strong></span> statement can occur at the - top level - of the configuration file or inside a <span><strong class="command">view</strong></span> - statement. Keys defined in top-level <span><strong class="command">key</strong></span> - statements can be used in all views. Keys intended for use in - a <span><strong class="command">controls</strong></span> statement - (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and - Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and - Usage”</a>) - must be defined at the top level. - </p> -<p> - The <em class="replaceable"><code>key_id</code></em>, also known as the - key name, is a domain name uniquely identifying the key. It can - be used in a <span><strong class="command">server</strong></span> - statement to cause requests sent to that - server to be signed with this key, or in address match lists to - verify that incoming requests have been signed with a key - matching this name, algorithm, and secret. - </p> -<p> - The <em class="replaceable"><code>algorithm_id</code></em> is a string - that specifies a security/authentication algorithm. Named - supports <code class="literal">hmac-md5</code>, - <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>, - <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code> - and <code class="literal">hmac-sha512</code> TSIG authentication. - Truncated hashes are supported by appending the minimum - number of required bits preceded by a dash, e.g. - <code class="literal">hmac-sha1-80</code>. The - <em class="replaceable"><code>secret_string</code></em> is the secret - to be used by the algorithm, and is treated as a base-64 - encoded string. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2574930"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"><span><strong class="command">logging</strong></span> { - [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { - ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em> - [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ] - [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ] - | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em> - | <span><strong class="command">stderr</strong></span> - | <span><strong class="command">null</strong></span> ); - [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> | - <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ] - [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] - [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] - [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] - }; ] - [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> { - <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ] - }; ] - ... -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2575056"></a><span><strong class="command">logging</strong></span> Statement Definition and - Usage</h3></div></div></div> -<p> - The <span><strong class="command">logging</strong></span> statement configures a - wide - variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase - associates output methods, format options and severity levels with - a name that can then be used with the <span><strong class="command">category</strong></span> phrase - to select how various classes of messages are logged. - </p> -<p> - Only one <span><strong class="command">logging</strong></span> statement is used to - define - as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement, - the logging configuration will be: - </p> -<pre class="programlisting">logging { - category default { default_syslog; default_debug; }; - category unmatched { null; }; -}; -</pre> -<p> - In <acronym class="acronym">BIND</acronym> 9, the logging configuration - is only established when - the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was - established as soon as the <span><strong class="command">logging</strong></span> - statement - was parsed. When the server is starting up, all logging messages - regarding syntax errors in the configuration file go to the default - channels, or to standard error if the "<code class="option">-g</code>" option - was specified. - </p> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2575108"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> -<p> - All log output goes to one or more <span class="emphasis"><em>channels</em></span>; - you can make as many of them as you want. - </p> -<p> - Every channel definition must include a destination clause that - says whether messages selected for the channel go to a file, to a - particular syslog facility, to the standard error stream, or are - discarded. It can optionally also limit the message severity level - that will be accepted by the channel (the default is - <span><strong class="command">info</strong></span>), and whether to include a - <span><strong class="command">named</strong></span>-generated time stamp, the - category name - and/or severity level (the default is not to include any). - </p> -<p> - The <span><strong class="command">null</strong></span> destination clause - causes all messages sent to the channel to be discarded; - in that case, other options for the channel are meaningless. - </p> -<p> - The <span><strong class="command">file</strong></span> destination clause directs - the channel - to a disk file. It can include limitations - both on how large the file is allowed to become, and how many - versions - of the file will be saved each time the file is opened. - </p> -<p> - If you use the <span><strong class="command">versions</strong></span> log file - option, then - <span><strong class="command">named</strong></span> will retain that many backup - versions of the file by - renaming them when opening. For example, if you choose to keep - three old versions - of the file <code class="filename">lamers.log</code>, then just - before it is opened - <code class="filename">lamers.log.1</code> is renamed to - <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed - to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is - renamed to <code class="filename">lamers.log.0</code>. - You can say <span><strong class="command">versions unlimited</strong></span> to - not limit - the number of versions. - If a <span><strong class="command">size</strong></span> option is associated with - the log file, - then renaming is only done when the file being opened exceeds the - indicated size. No backup versions are kept by default; any - existing - log file is simply appended. - </p> -<p> - The <span><strong class="command">size</strong></span> option for files is used - to limit log - growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will - stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option - associated with it. If backup versions are kept, the files are - rolled as - described above and a new one begun. If there is no - <span><strong class="command">versions</strong></span> option, no more data will - be written to the log - until some out-of-band mechanism removes or truncates the log to - less than the - maximum size. The default behavior is not to limit the size of - the - file. - </p> -<p> - Example usage of the <span><strong class="command">size</strong></span> and - <span><strong class="command">versions</strong></span> options: - </p> -<pre class="programlisting">channel an_example_channel { - file "example.log" versions 3 size 20m; - print-time yes; - print-category yes; -}; -</pre> -<p> - The <span><strong class="command">syslog</strong></span> destination clause - directs the - channel to the system log. Its argument is a - syslog facility as described in the <span><strong class="command">syslog</strong></span> man - page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>, - <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>, - <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>, - <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>, - <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>, - <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>, - <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and - <span><strong class="command">local7</strong></span>, however not all facilities - are supported on - all operating systems. - How <span><strong class="command">syslog</strong></span> will handle messages - sent to - this facility is described in the <span><strong class="command">syslog.conf</strong></span> man - page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that - only uses two arguments to the <span><strong class="command">openlog()</strong></span> function, - then this clause is silently ignored. - </p> -<p> - The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s - "priorities", except that they can also be used if you are writing - straight to a file rather than using <span><strong class="command">syslog</strong></span>. - Messages which are not at least of the severity level given will - not be selected for the channel; messages of higher severity - levels - will be accepted. - </p> -<p> - If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities - will also determine what eventually passes through. For example, - defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but - only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will - cause messages of severity <span><strong class="command">info</strong></span> and - <span><strong class="command">notice</strong></span> to - be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing - messages of only <span><strong class="command">warning</strong></span> or higher, - then <span><strong class="command">syslogd</strong></span> would - print all messages it received from the channel. - </p> -<p> - The <span><strong class="command">stderr</strong></span> destination clause - directs the - channel to the server's standard error stream. This is intended - for - use when the server is running as a foreground process, for - example - when debugging a configuration. - </p> -<p> - The server can supply extensive debugging information when - it is in debugging mode. If the server's global debug level is - greater - than zero, then debugging mode will be active. The global debug - level is set either by starting the <span><strong class="command">named</strong></span> server - with the <code class="option">-d</code> flag followed by a positive integer, - or by running <span><strong class="command">rndc trace</strong></span>. - The global debug level - can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc -notrace</strong></span>. All debugging messages in the server have a debug - level, and higher debug levels give more detailed output. Channels - that specify a specific debug severity, for example: - </p> -<pre class="programlisting">channel specific_debug_level { - file "foo"; - severity debug 3; -}; -</pre> -<p> - will get debugging output of level 3 or less any time the - server is in debugging mode, regardless of the global debugging - level. Channels with <span><strong class="command">dynamic</strong></span> - severity use the - server's global debug level to determine what messages to print. - </p> -<p> - If <span><strong class="command">print-time</strong></span> has been turned on, - then - the date and time will be logged. <span><strong class="command">print-time</strong></span> may - be specified for a <span><strong class="command">syslog</strong></span> channel, - but is usually - pointless since <span><strong class="command">syslog</strong></span> also prints - the date and - time. If <span><strong class="command">print-category</strong></span> is - requested, then the - category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is - on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may - be used in any combination, and will always be printed in the - following - order: time, category, severity. Here is an example where all - three <span><strong class="command">print-</strong></span> options - are on: - </p> -<p> - <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code> - </p> -<p> - There are four predefined channels that are used for - <span><strong class="command">named</strong></span>'s default logging as follows. - How they are - used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>. - </p> -<pre class="programlisting">channel default_syslog { - syslog daemon; // send to syslog's daemon - // facility - severity info; // only send priority info - // and higher -}; - -channel default_debug { - file "named.run"; // write to named.run in - // the working directory - // Note: stderr is used instead - // of "named.run" - // if the server is started - // with the '-f' option. - severity dynamic; // log at the server's - // current debug level -}; - -channel default_stderr { - stderr; // writes to stderr - severity info; // only send priority info - // and higher -}; - -channel null { - null; // toss anything sent to - // this channel -}; -</pre> -<p> - The <span><strong class="command">default_debug</strong></span> channel has the - special - property that it only produces output when the server's debug - level is - nonzero. It normally writes to a file called <code class="filename">named.run</code> - in the server's working directory. - </p> -<p> - For security reasons, when the "<code class="option">-u</code>" - command line option is used, the <code class="filename">named.run</code> file - is created only after <span><strong class="command">named</strong></span> has - changed to the - new UID, and any debug output generated while <span><strong class="command">named</strong></span> is - starting up and still running as root is discarded. If you need - to capture this output, you must run the server with the "<code class="option">-g</code>" - option and redirect standard error to a file. - </p> -<p> - Once a channel is defined, it cannot be redefined. Thus you - cannot alter the built-in channels directly, but you can modify - the default logging by pointing categories at channels you have - defined. - </p> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div> -<p> - There are many categories, so you can send the logs you want - to see wherever you want, without seeing logs you don't want. If - you don't specify a list of channels for a category, then log - messages - in that category will be sent to the <span><strong class="command">default</strong></span> category - instead. If you don't specify a default category, the following - "default default" is used: - </p> -<pre class="programlisting">category default { default_syslog; default_debug; }; -</pre> -<p> - As an example, let's say you want to log security events to - a file, but you also want keep the default logging behavior. You'd - specify the following: - </p> -<pre class="programlisting">channel my_security_channel { - file "my_security_file"; - severity info; -}; -category security { - my_security_channel; - default_syslog; - default_debug; -};</pre> -<p> - To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel: - </p> -<pre class="programlisting">category xfer-out { null; }; -category notify { null; }; -</pre> -<p> - Following are the available categories and brief descriptions - of the types of log information they contain. More - categories may be added in future <acronym class="acronym">BIND</acronym> releases. - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p><span><strong class="command">default</strong></span></p> - </td> -<td> - <p> - The default category defines the logging - options for those categories where no specific - configuration has been - defined. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">general</strong></span></p> - </td> -<td> - <p> - The catch-all. Many things still aren't - classified into categories, and they all end up here. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">database</strong></span></p> - </td> -<td> - <p> - Messages relating to the databases used - internally by the name server to store zone and cache - data. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">security</strong></span></p> - </td> -<td> - <p> - Approval and denial of requests. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">config</strong></span></p> - </td> -<td> - <p> - Configuration file parsing and processing. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">resolver</strong></span></p> - </td> -<td> - <p> - DNS resolution, such as the recursive - lookups performed on behalf of clients by a caching name - server. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">xfer-in</strong></span></p> - </td> -<td> - <p> - Zone transfers the server is receiving. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">xfer-out</strong></span></p> - </td> -<td> - <p> - Zone transfers the server is sending. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">notify</strong></span></p> - </td> -<td> - <p> - The NOTIFY protocol. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">client</strong></span></p> - </td> -<td> - <p> - Processing of client requests. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">unmatched</strong></span></p> - </td> -<td> - <p> - Messages that named was unable to determine the - class of or for which there was no matching <span><strong class="command">view</strong></span>. - A one line summary is also logged to the <span><strong class="command">client</strong></span> category. - This category is best sent to a file or stderr, by - default it is sent to - the <span><strong class="command">null</strong></span> channel. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">network</strong></span></p> - </td> -<td> - <p> - Network operations. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">update</strong></span></p> - </td> -<td> - <p> - Dynamic updates. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">update-security</strong></span></p> - </td> -<td> - <p> - Approval and denial of update requests. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">queries</strong></span></p> - </td> -<td> - <p> - Specify where queries should be logged to. - </p> - <p> - At startup, specifying the category <span><strong class="command">queries</strong></span> will also - enable query logging unless <span><strong class="command">querylog</strong></span> option has been - specified. - </p> - <p> - The query log entry reports the client's IP address and - port number, and the - query name, class and type. It also reports whether the - Recursion Desired - flag was set (+ if set, - if not set), EDNS was in use - (E) or if the - query was signed (S). - </p> - <p> - <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code> - </p> - <p> - <code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code> - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">dispatch</strong></span></p> - </td> -<td> - <p> - Dispatching of incoming packets to the - server modules where they are to be processed. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">dnssec</strong></span></p> - </td> -<td> - <p> - DNSSEC and TSIG protocol processing. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">lame-servers</strong></span></p> - </td> -<td> - <p> - Lame servers. These are misconfigurations - in remote servers, discovered by BIND 9 when trying to - query - those servers during resolution. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">delegation-only</strong></span></p> - </td> -<td> - <p> - Delegation only. Logs queries that have have - been forced to NXDOMAIN as the result of a - delegation-only zone or - a <span><strong class="command">delegation-only</strong></span> in a - hint or stub zone declaration. - </p> - </td> -</tr> -</tbody> -</table></div> -</div> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2576406"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> -<p> - This is the grammar of the <span><strong class="command">lwres</strong></span> - statement in the <code class="filename">named.conf</code> file: - </p> -<pre class="programlisting"><span><strong class="command">lwres</strong></span> { - [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] - [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>] - [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>] - [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>] -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2576480"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> -<p> - The <span><strong class="command">lwres</strong></span> statement configures the - name - server to also act as a lightweight resolver server. (See - <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple - <span><strong class="command">lwres</strong></span> statements configuring - lightweight resolver servers with different properties. - </p> -<p> - The <span><strong class="command">listen-on</strong></span> statement specifies a - list of - addresses (and ports) that this instance of a lightweight resolver - daemon - should accept requests on. If no port is specified, port 921 is - used. - If this statement is omitted, requests will be accepted on - 127.0.0.1, - port 921. - </p> -<p> - The <span><strong class="command">view</strong></span> statement binds this - instance of a - lightweight resolver daemon to a view in the DNS namespace, so that - the - response will be constructed in the same manner as a normal DNS - query - matching this view. If this statement is omitted, the default view - is - used, and if there is no default view, an error is triggered. - </p> -<p> - The <span><strong class="command">search</strong></span> statement is equivalent to - the - <span><strong class="command">search</strong></span> statement in - <code class="filename">/etc/resolv.conf</code>. It provides a - list of domains - which are appended to relative names in queries. - </p> -<p> - The <span><strong class="command">ndots</strong></span> statement is equivalent to - the - <span><strong class="command">ndots</strong></span> statement in - <code class="filename">/etc/resolv.conf</code>. It indicates the - minimum - number of dots in a relative domain name that should result in an - exact match lookup before search path elements are appended. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2576544"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting"> -<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2576587"></a><span><strong class="command">masters</strong></span> Statement Definition and - Usage</h3></div></div></div> -<p><span><strong class="command">masters</strong></span> - lists allow for a common set of masters to be easily used by - multiple stub and slave zones. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2576602"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> -<p> - This is the grammar of the <span><strong class="command">options</strong></span> - statement in the <code class="filename">named.conf</code> file: - </p> -<pre class="programlisting">options { - [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>] - [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>] - [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>] - [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>] - [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>] - [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>] - [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>] - [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>] - [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>] - [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>] - [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] - [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { - ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] | - <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; - ... }; </span>] - [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> ) - ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] - [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] - [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] - [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] - [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] - [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] - [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) - [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] | - [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] - [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>] - [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) - [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] | - [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] - [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>] - [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>] - [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>] - [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] - [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] - [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>] - [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>] - [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>] - [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>] - [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>]; - [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>]; - [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] }; - [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>] - [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>] - [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>] - [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>] - [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>] - [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>] - [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>] - [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>] - [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] - [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>] - [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>] - [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>] - [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>] -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and - Usage</h3></div></div></div> -<p> - The <span><strong class="command">options</strong></span> statement sets up global - options - to be used by <acronym class="acronym">BIND</acronym>. This statement - may appear only - once in a configuration file. If there is no <span><strong class="command">options</strong></span> - statement, an options block with each option set to its default will - be used. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt> -<dd><p> - The working directory of the server. - Any non-absolute pathnames in the configuration file will be - taken - as relative to this directory. The default location for most - server - output files (e.g. <code class="filename">named.run</code>) - is this directory. - If a directory is not specified, the working directory - defaults to `<code class="filename">.</code>', the directory from - which the server - was started. The directory specified should be an absolute - path. - </p></dd> -<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> -<dd><p> - When performing dynamic update of secure zones, the - directory where the public and private key files should be - found, - if different than the current working directory. The - directory specified - must be an absolute path. - </p></dd> -<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt> -<dd><p> - <span class="emphasis"><em>This option is obsolete.</em></span> - It was used in <acronym class="acronym">BIND</acronym> 8 to - specify the pathname to the <span><strong class="command">named-xfer</strong></span> program. - In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is - needed; its functionality is built into the name server. - </p></dd> -<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt> -<dd><p> - The domain appended to the names of all - shared keys generated with - <span><strong class="command">TKEY</strong></span>. When a client - requests a <span><strong class="command">TKEY</strong></span> exchange, it - may or may not specify - the desired name for the key. If present, the name of the - shared - key will be "<code class="varname">client specified part</code>" + - "<code class="varname">tkey-domain</code>". - Otherwise, the name of the shared key will be "<code class="varname">random hex -digits</code>" + "<code class="varname">tkey-domain</code>". In most cases, - the <span><strong class="command">domainname</strong></span> should be the - server's domain - name. - </p></dd> -<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt> -<dd><p> - The Diffie-Hellman key used by the server - to generate shared keys with clients using the Diffie-Hellman - mode - of <span><strong class="command">TKEY</strong></span>. The server must be - able to load the - public and private keys from files in the working directory. - In - most cases, the keyname should be the server's host name. - </p></dd> -<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt> -<dd><p> - This is for testing only. Do not use. - </p></dd> -<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt> -<dd><p> - The pathname of the file the server dumps - the database to when instructed to do so with - <span><strong class="command">rndc dumpdb</strong></span>. - If not specified, the default is <code class="filename">named_dump.db</code>. - </p></dd> -<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt> -<dd> -<p> - The pathname of the file the server writes memory - usage statistics to on exit. If specified the - statistics will be written to the file on exit. - </p> -<p> - In <acronym class="acronym">BIND</acronym> 9.5 and later this will - default to <code class="filename">named.memstats</code>. - <acronym class="acronym">BIND</acronym> 9.5 will also introduce - <span><strong class="command">memstatistics</strong></span> to control the - writing. - </p> -</dd> -<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt> -<dd><p> - The pathname of the file the server writes its process ID - in. If not specified, the default is <code class="filename">/var/run/named.pid</code>. - The pid-file is used by programs that want to send signals to - the running - name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the - use of a PID file — no file will be written and any - existing one will be removed. Note that <span><strong class="command">none</strong></span> - is a keyword, not a filename, and therefore is not enclosed - in - double quotes. - </p></dd> -<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt> -<dd><p> - The pathname of the file the server dumps - the queries that are currently recursing when instructed - to do so with <span><strong class="command">rndc recursing</strong></span>. - If not specified, the default is <code class="filename">named.recursing</code>. - </p></dd> -<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt> -<dd><p> - The pathname of the file the server appends statistics - to when instructed to do so using <span><strong class="command">rndc stats</strong></span>. - If not specified, the default is <code class="filename">named.stats</code> in the - server's current directory. The format of the file is - described - in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">port</strong></span></span></dt> -<dd><p> - The UDP/TCP port number the server uses for - receiving and sending DNS protocol traffic. - The default is 53. This option is mainly intended for server - testing; - a server using a port other than 53 will not be able to - communicate with - the global DNS. - </p></dd> -<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt> -<dd><p> - The source of entropy to be used by the server. Entropy is - primarily needed - for DNSSEC operations, such as TKEY transactions and dynamic - update of signed - zones. This options specifies the device (or file) from which - to read - entropy. If this is a file, operations requiring entropy will - fail when the - file has been exhausted. If not specified, the default value - is - <code class="filename">/dev/random</code> - (or equivalent) when present, and none otherwise. The - <span><strong class="command">random-device</strong></span> option takes - effect during - the initial configuration load at server startup time and - is ignored on subsequent reloads. - </p></dd> -<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt> -<dd><p> - If specified, the listed type (A or AAAA) will be emitted - before other glue - in the additional section of a query response. - The default is not to prefer any type (NONE). - </p></dd> -<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt> -<dd> -<p> - Turn on enforcement of delegation-only in TLDs (top level domains) and root zones - with an optional - exclude list. - </p> -<p> - Note some TLDs are not delegation only (e.g. "DE", "LV", "US" - and "MUSEUM"). - </p> -<pre class="programlisting"> -options { - root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; -}; -</pre> -</dd> -<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt> -<dd><p> - Disable the specified DNSSEC algorithms at and below the - specified name. - Multiple <span><strong class="command">disable-algorithms</strong></span> - statements are allowed. - Only the most specific will be applied. - </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt> -<dd><p> - When set, <span><strong class="command">dnssec-lookaside</strong></span> - provides the - validator with an alternate method to validate DNSKEY records - at the - top of a zone. When a DNSKEY is at or below a domain - specified by the - deepest <span><strong class="command">dnssec-lookaside</strong></span>, and - the normal dnssec validation - has left the key untrusted, the trust-anchor will be append to - the key - name and a DLV record will be looked up to see if it can - validate the - key. If the DLV record validates a DNSKEY (similarly to the - way a DS - record does) the DNSKEY RRset is deemed to be trusted. - </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt> -<dd><p> - Specify hierarchies which must be or may not be secure (signed and - validated). - If <strong class="userinput"><code>yes</code></strong>, then named will only accept - answers if they - are secure. - If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation - applies - allowing for insecure answers to be accepted. - The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or - <span><strong class="command">dnssec-lookaside</strong></span> must be - active. - </p></dd> -</dl></div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="boolean_options"></a>Boolean Options</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt> -<dd><p> - If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit - is always set on NXDOMAIN responses, even if the server is - not actually - authoritative. The default is <strong class="userinput"><code>no</code></strong>; - this is - a change from <acronym class="acronym">BIND</acronym> 8. If you - are using very old DNS software, you - may need to set it to <strong class="userinput"><code>yes</code></strong>. - </p></dd> -<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt> -<dd><p> - This option was used in <acronym class="acronym">BIND</acronym> - 8 to enable checking - for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs - the checks. - </p></dd> -<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> -<dd> -<p> - If <strong class="userinput"><code>yes</code></strong>, then the - server treats all zones as if they are doing zone transfers - across - a dial-on-demand dialup link, which can be brought up by - traffic - originating from this server. This has different effects - according - to zone type and concentrates the zone maintenance so that - it all - happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and - hopefully during the one call. It also suppresses some of - the normal - zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>. - </p> -<p> - The <span><strong class="command">dialup</strong></span> option - may also be specified in the <span><strong class="command">view</strong></span> and - <span><strong class="command">zone</strong></span> statements, - in which case it overrides the global <span><strong class="command">dialup</strong></span> - option. - </p> -<p> - If the zone is a master zone, then the server will send out a - NOTIFY - request to all the slaves (default). This should trigger the - zone serial - number check in the slave (providing it supports NOTIFY) - allowing the slave - to verify the zone while the connection is active. - The set of servers to which NOTIFY is sent can be controlled - by - <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>. - </p> -<p> - If the - zone is a slave or stub zone, then the server will suppress - the regular - "zone up to date" (refresh) queries and only perform them - when the - <span><strong class="command">heartbeat-interval</strong></span> expires in - addition to sending - NOTIFY requests. - </p> -<p> - Finer control can be achieved by using - <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY - messages, - <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY - messages and - suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong> - which suppresses normal refresh processing and sends refresh - queries - when the <span><strong class="command">heartbeat-interval</strong></span> - expires, and - <strong class="userinput"><code>passive</code></strong> which just disables normal - refresh - processing. - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - dialup mode - </p> - </td> -<td> - <p> - normal refresh - </p> - </td> -<td> - <p> - heart-beat refresh - </p> - </td> -<td> - <p> - heart-beat notify - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">no</strong></span> (default)</p> - </td> -<td> - <p> - yes - </p> - </td> -<td> - <p> - no - </p> - </td> -<td> - <p> - no - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">yes</strong></span></p> - </td> -<td> - <p> - no - </p> - </td> -<td> - <p> - yes - </p> - </td> -<td> - <p> - yes - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">notify</strong></span></p> - </td> -<td> - <p> - yes - </p> - </td> -<td> - <p> - no - </p> - </td> -<td> - <p> - yes - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">refresh</strong></span></p> - </td> -<td> - <p> - no - </p> - </td> -<td> - <p> - yes - </p> - </td> -<td> - <p> - no - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">passive</strong></span></p> - </td> -<td> - <p> - no - </p> - </td> -<td> - <p> - no - </p> - </td> -<td> - <p> - no - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">notify-passive</strong></span></p> - </td> -<td> - <p> - no - </p> - </td> -<td> - <p> - no - </p> - </td> -<td> - <p> - yes - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - Note that normal NOTIFY processing is not affected by - <span><strong class="command">dialup</strong></span>. - </p> -</dd> -<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt> -<dd><p> - In <acronym class="acronym">BIND</acronym> 8, this option - enabled simulating the obsolete DNS query type - IQUERY. <acronym class="acronym">BIND</acronym> 9 never does - IQUERY simulation. - </p></dd> -<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt> -<dd><p> - This option is obsolete. - In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong> - caused the server to attempt to fetch glue resource records - it - didn't have when constructing the additional - data section of a response. This is now considered a bad - idea - and BIND 9 never does it. - </p></dd> -<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt> -<dd><p> - When the nameserver exits due receiving SIGTERM, - flush or do not flush any pending zone writes. The default - is - <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>. - </p></dd> -<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt> -<dd><p> - This option was incorrectly implemented - in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9. - To achieve the intended effect - of - <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify - the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong> - and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead. - </p></dd> -<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt> -<dd><p> - In BIND 8, this enables keeping of - statistics for every host that the name server interacts - with. - Not implemented in BIND 9. - </p></dd> -<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt> -<dd><p> - <span class="emphasis"><em>This option is obsolete</em></span>. - It was used in <acronym class="acronym">BIND</acronym> 8 to - determine whether a transaction log was - kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction - log whenever possible. If you need to disable outgoing - incremental zone - transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>. - </p></dd> -<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt> -<dd><p> - If <strong class="userinput"><code>yes</code></strong>, then when generating - responses the server will only add records to the authority - and additional data sections when they are required (e.g. - delegations, negative responses). This may improve the - performance of the server. - The default is <strong class="userinput"><code>no</code></strong>. - </p></dd> -<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt> -<dd><p> - This option was used in <acronym class="acronym">BIND</acronym> 8 to allow - a domain name to have multiple CNAME records in violation of - the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards - always strictly enforces the CNAME rules both in master - files and dynamic updates. - </p></dd> -<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> -<dd> -<p> - If <strong class="userinput"><code>yes</code></strong> (the default), - DNS NOTIFY messages are sent when a zone the server is - authoritative for - changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are - sent to the - servers listed in the zone's NS records (except the master - server identified - in the SOA MNAME field), and to any servers listed in the - <span><strong class="command">also-notify</strong></span> option. - </p> -<p> - If <strong class="userinput"><code>master-only</code></strong>, notifies are only - sent - for master zones. - If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only - to - servers explicitly listed using <span><strong class="command">also-notify</strong></span>. - If <strong class="userinput"><code>no</code></strong>, no notifies are sent. - </p> -<p> - The <span><strong class="command">notify</strong></span> option may also be - specified in the <span><strong class="command">zone</strong></span> - statement, - in which case it overrides the <span><strong class="command">options notify</strong></span> statement. - It would only be necessary to turn off this option if it - caused slaves - to crash. - </p> -</dd> -<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt> -<dd><p> - If <strong class="userinput"><code>yes</code></strong>, and a - DNS query requests recursion, then the server will attempt - to do - all the work required to answer the query. If recursion is - off - and the server does not already know the answer, it will - return a - referral response. The default is - <strong class="userinput"><code>yes</code></strong>. - Note that setting <span><strong class="command">recursion no</strong></span> does not prevent - clients from getting data from the server's cache; it only - prevents new data from being cached as an effect of client - queries. - Caching may still occur as an effect the server's internal - operation, such as NOTIFY address lookups. - See also <span><strong class="command">fetch-glue</strong></span> above. - </p></dd> -<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt> -<dd> -<p> - Setting this to <strong class="userinput"><code>yes</code></strong> will - cause the server to send NS records along with the SOA - record for negative - answers. The default is <strong class="userinput"><code>no</code></strong>. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - Not yet implemented in <acronym class="acronym">BIND</acronym> - 9. - </p> -</div> -</dd> -<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt> -<dd><p> - <span class="emphasis"><em>This option is obsolete</em></span>. - <acronym class="acronym">BIND</acronym> 9 always allocates query - IDs from a pool. - </p></dd> -<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> -<dd><p> - If <strong class="userinput"><code>yes</code></strong>, the server will collect - statistical data on all zones (unless specifically turned - off - on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span> - in the <span><strong class="command">zone</strong></span> statement). - These statistics may be accessed - using <span><strong class="command">rndc stats</strong></span>, which will - dump them to the file listed - in the <span><strong class="command">statistics-file</strong></span>. See - also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt> -<dd><p> - <span class="emphasis"><em>This option is obsolete</em></span>. - If you need to disable IXFR to a particular server or - servers, see - the information on the <span><strong class="command">provide-ixfr</strong></span> option - in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and - Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and - Usage”</a>. - See also - <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">provide-ixfr</strong></span> in - <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and - Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and - Usage”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">request-ixfr</strong></span> in - <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and - Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and - Usage”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt> -<dd><p> - This option was used in <acronym class="acronym">BIND</acronym> - 8 to make - the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way - as a space or tab character, - to facilitate loading of zone files on a UNIX system that - were generated - on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>" - and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines - are always accepted, - and the option is ignored. - </p></dd> -<dt> -<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span> -</dt> -<dd> -<p> - These options control the behavior of an authoritative - server when - answering queries which have additional data, or when - following CNAME - and DNAME chains. - </p> -<p> - When both of these options are set to <strong class="userinput"><code>yes</code></strong> - (the default) and a - query is being answered from authoritative data (a zone - configured into the server), the additional data section of - the - reply will be filled in using data from other authoritative - zones - and from the cache. In some situations this is undesirable, - such - as when there is concern over the correctness of the cache, - or - in servers where slave zones may be added and modified by - untrusted third parties. Also, avoiding - the search for this additional data will speed up server - operations - at the possible expense of additional queries to resolve - what would - otherwise be provided in the additional section. - </p> -<p> - For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>, - and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address - records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well, - if known, even though they are not in the example.com zone. - Setting these options to <span><strong class="command">no</strong></span> - disables this behavior and makes - the server only search for additional data in the zone it - answers from. - </p> -<p> - These options are intended for use in authoritative-only - servers, or in authoritative-only views. Attempts to set - them to <span><strong class="command">no</strong></span> without also - specifying - <span><strong class="command">recursion no</strong></span> will cause the - server to - ignore the options and log a warning message. - </p> -<p> - Specifying <span><strong class="command">additional-from-cache no</strong></span> actually - disables the use of the cache not only for additional data - lookups - but also when looking up the answer. This is usually the - desired - behavior in an authoritative-only server where the - correctness of - the cached data is an issue. - </p> -<p> - When a name server is non-recursively queried for a name - that is not - below the apex of any served zone, it normally answers with - an - "upwards referral" to the root servers or the servers of - some other - known parent of the query name. Since the data in an - upwards referral - comes from the cache, the server will not be able to provide - upwards - referrals when <span><strong class="command">additional-from-cache no</strong></span> - has been specified. Instead, it will respond to such - queries - with REFUSED. This should not cause any problems since - upwards referrals are not required for the resolution - process. - </p> -</dd> -<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt> -<dd><p> - If <strong class="userinput"><code>yes</code></strong>, then an - IPv4-mapped IPv6 address will match any address match - list entries that match the corresponding IPv4 address. - Enabling this option is sometimes useful on IPv6-enabled - Linux - systems, to work around a kernel quirk that causes IPv4 - TCP connections such as zone transfers to be accepted - on an IPv6 socket using mapped addresses, causing - address match lists designed for IPv4 to fail to match. - The use of this option for any other purpose is discouraged. - </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> -<dd> -<p> - When <strong class="userinput"><code>yes</code></strong> and the server loads a new version of a master - zone from its zone file or receives a new version of a slave - file by a non-incremental zone transfer, it will compare - the new version to the previous one and calculate a set - of differences. The differences are then logged in the - zone's journal file such that the changes can be transmitted - to downstream slaves as an incremental zone transfer. - </p> -<p> - By allowing incremental zone transfers to be used for - non-dynamic zones, this option saves bandwidth at the - expense of increased CPU and memory consumption at the - master. - In particular, if the new version of a zone is completely - different from the previous one, the set of differences - will be of a size comparable to the combined size of the - old and new zone version, and the server will need to - temporarily allocate memory to hold this complete - difference set. - </p> -<p><span><strong class="command">ixfr-from-differences</strong></span> - also accepts <span><strong class="command">master</strong></span> and - <span><strong class="command">slave</strong></span> at the view and options - levels which causes - <span><strong class="command">ixfr-from-differences</strong></span> to apply to - all <span><strong class="command">master</strong></span> or - <span><strong class="command">slave</strong></span> zones respectively. - </p> -</dd> -<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> -<dd><p> - This should be set when you have multiple masters for a zone - and the - addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, named will - not log - when the serial number on the master is less than what named - currently - has. The default is <strong class="userinput"><code>no</code></strong>. - </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt> -<dd><p> - Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>, - named behaves as if it does not support DNSSEC. - The default is <strong class="userinput"><code>yes</code></strong>. - </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt> -<dd><p> - Enable DNSSEC validation in named. - Note <span><strong class="command">dnssec-enable</strong></span> also needs to be - set to <strong class="userinput"><code>yes</code></strong> to be effective. - The default is <strong class="userinput"><code>no</code></strong>. - </p></dd> -<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt> -<dd><p> - Accept expired signatures when verifying DNSSEC signatures. - The default is <strong class="userinput"><code>no</code></strong>. - Setting this option to "yes" leaves named vulnerable to replay attacks. - </p></dd> -<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt> -<dd><p> - Specify whether query logging should be started when named - starts. - If <span><strong class="command">querylog</strong></span> is not specified, - then the query logging - is determined by the presence of the logging category <span><strong class="command">queries</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> -<dd> -<p> - This option is used to restrict the character set and syntax - of - certain domain names in master files and/or DNS responses - received - from the network. The default varies according to usage - area. For - <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. - For <span><strong class="command">slave</strong></span> zones the default - is <span><strong class="command">warn</strong></span>. - For answers received from the network (<span><strong class="command">response</strong></span>) - the default is <span><strong class="command">ignore</strong></span>. - </p> -<p> - The rules for legal hostnames and mail domains are derived - from RFC 952 and RFC 821 as modified by RFC 1123. - </p> -<p><span><strong class="command">check-names</strong></span> - applies to the owner names of A, AAA and MX records. - It also applies to the domain names in the RDATA of NS, SOA - and MX records. - It also applies to the RDATA of PTR records where the owner - name indicated that it is a reverse lookup of a hostname - (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). - </p> -</dd> -<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> -<dd><p> - Check whether the MX record appears to refer to a IP address. - The default is to <span><strong class="command">warn</strong></span>. Other possible - values are <span><strong class="command">fail</strong></span> and - <span><strong class="command">ignore</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> -<dd><p> - This option is used to check for non-terminal wildcards. - The use of non-terminal wildcards is almost always as a - result of a failure - to understand the wildcard matching algorithm (RFC 1034). - This option - affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check - for non-terminal wildcards and issue a warning. - </p></dd> -<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> -<dd><p> - Perform post load zone integrity checks on master - zones. This checks that MX and SRV records refer - to address (A or AAAA) records and that glue - address records exist for delegated zones. For - MX and SRV records only in-zone hostnames are - checked (for out-of-zone hostnames use named-checkzone). - For NS records only names below top of zone are - checked (for out-of-zone names and glue consistency - checks use named-checkzone). The default is - <span><strong class="command">yes</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt> -<dd><p> - If <span><strong class="command">check-integrity</strong></span> is set then - fail, warn or ignore MX records that refer - to CNAMES. The default is to <span><strong class="command">warn</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt> -<dd><p> - If <span><strong class="command">check-integrity</strong></span> is set then - fail, warn or ignore SRV records that refer - to CNAMES. The default is to <span><strong class="command">warn</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> -<dd><p> - When performing integrity checks, also check that - sibling glue exists. The default is <span><strong class="command">yes</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> -<dd><p> - When returning authoritative negative responses to - SOA queries set the TTL of the SOA recored returned in - the authority section to zero. - The default is <span><strong class="command">yes</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt> -<dd><p> - When caching a negative response to a SOA query - set the TTL to zero. - The default is <span><strong class="command">no</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> -<dd><p> - When regenerating the RRSIGs following a UPDATE - request to a secure zone, check the KSK flag on - the DNSKEY RR to determine if this key should be - used to generate the RRSIG. This flag is ignored - if there are not DNSKEY RRs both with and without - a KSK. - The default is <span><strong class="command">yes</strong></span>. - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2580536"></a>Forwarding</h4></div></div></div> -<p> - The forwarding facility can be used to create a large site-wide - cache on a few servers, reducing traffic over links to external - name servers. It can also be used to allow queries by servers that - do not have direct access to the Internet, but wish to look up - exterior - names anyway. Forwarding occurs only on those queries for which - the server is not authoritative and does not have the answer in - its cache. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> -<dd><p> - This option is only meaningful if the - forwarders list is not empty. A value of <code class="varname">first</code>, - the default, causes the server to query the forwarders - first — and - if that doesn't answer the question, the server will then - look for - the answer itself. If <code class="varname">only</code> is - specified, the - server will only query the forwarders. - </p></dd> -<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> -<dd><p> - Specifies the IP addresses to be used - for forwarding. The default is the empty list (no - forwarding). - </p></dd> -</dl></div> -<p> - Forwarding can also be configured on a per-domain basis, allowing - for the global forwarding options to be overridden in a variety - of ways. You can set particular domains to use different - forwarders, - or have a different <span><strong class="command">forward only/first</strong></span> behavior, - or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone - Statement Grammar">the section called “<span><strong class="command">zone</strong></span> - Statement Grammar”</a>. - </p> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2580595"></a>Dual-stack Servers</h4></div></div></div> -<p> - Dual-stack servers are used as servers of last resort to work - around - problems in reachability due the lack of support for either IPv4 - or IPv6 - on the host machine. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt> -<dd><p> - Specifies host names or addresses of machines with access to - both IPv4 and IPv6 transports. If a hostname is used, the - server must be able - to resolve the name using only the transport it has. If the - machine is dual - stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless - access to a transport has been disabled on the command line - (e.g. <span><strong class="command">named -4</strong></span>). - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="access_control"></a>Access Control</h4></div></div></div> -<p> - Access to the server can be restricted based on the IP address - of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for - details on how to specify IP address lists. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> -<dd><p> - Specifies which hosts are allowed to - notify this server, a slave, of zone changes in addition - to the zone masters. - <span><strong class="command">allow-notify</strong></span> may also be - specified in the - <span><strong class="command">zone</strong></span> statement, in which case - it overrides the - <span><strong class="command">options allow-notify</strong></span> - statement. It is only meaningful - for a slave zone. If not specified, the default is to - process notify messages - only from a zone's master. - </p></dd> -<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> -<dd> -<p> - Specifies which hosts are allowed to ask ordinary - DNS questions. <span><strong class="command">allow-query</strong></span> may - also be specified in the <span><strong class="command">zone</strong></span> - statement, in which case it overrides the - <span><strong class="command">options allow-query</strong></span> statement. - If not specified, the default is to allow queries - from all hosts. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - <span><strong class="command">allow-query-cache</strong></span> is now - used to specify access to the cache. - </p> -</div> -</dd> -<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt> -<dd><p> - Specifies which hosts are allowed to get answers - from the cache. If <span><strong class="command">allow-query-cache</strong></span> - is not set then <span><strong class="command">allow-recursion</strong></span> - is used if set, otherwise <span><strong class="command">allow-query</strong></span> - is used if set, otherwise the default - (<span><strong class="command">localnets;</strong></span> - <span><strong class="command">localhost;</strong></span>) is used. - </p></dd> -<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt> -<dd><p> - Specifies which hosts are allowed to make recursive - queries through this server. If - <span><strong class="command">allow-recursion</strong></span> is not set - then <span><strong class="command">allow-query-cache</strong></span> is - used if set, otherwise <span><strong class="command">allow-query</strong></span> - is used if set, otherwise the default - (<span><strong class="command">localnets;</strong></span> - <span><strong class="command">localhost;</strong></span>) is used. - </p></dd> -<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> -<dd><p> - Specifies which hosts are allowed to - submit Dynamic DNS updates for master zones. The default is - to deny - updates from all hosts. Note that allowing updates based - on the requestor's IP address is insecure; see - <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details. - </p></dd> -<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> -<dd> -<p> - Specifies which hosts are allowed to - submit Dynamic DNS updates to slave zones to be forwarded to - the - master. The default is <strong class="userinput"><code>{ none; }</code></strong>, - which - means that no update forwarding will be performed. To - enable - update forwarding, specify - <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>. - Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or - <strong class="userinput"><code>{ any; }</code></strong> is usually - counterproductive, since - the responsibility for update access control should rest - with the - master server, not the slaves. - </p> -<p> - Note that enabling the update forwarding feature on a slave - server - may expose master servers relying on insecure IP address - based - access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> - for more details. - </p> -</dd> -<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt> -<dd><p> - This option was introduced for the smooth transition from - AAAA - to A6 and from "nibble labels" to binary labels. - However, since both A6 and binary labels were then - deprecated, - this option was also deprecated. - It is now ignored with some warning messages. - </p></dd> -<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> -<dd><p> - Specifies which hosts are allowed to - receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may - also be specified in the <span><strong class="command">zone</strong></span> - statement, in which - case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement. - If not specified, the default is to allow transfers to all - hosts. - </p></dd> -<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt> -<dd><p> - Specifies a list of addresses that the - server will not accept queries from or use to resolve a - query. Queries - from these addresses will not be responded to. The default - is <strong class="userinput"><code>none</code></strong>. - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2581153"></a>Interfaces</h4></div></div></div> -<p> - The interfaces and ports that the server will answer queries - from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes - an optional port, and an <code class="varname">address_match_list</code>. - The server will listen on all interfaces allowed by the address - match list. If a port is not specified, port 53 will be used. - </p> -<p> - Multiple <span><strong class="command">listen-on</strong></span> statements are - allowed. - For example, - </p> -<pre class="programlisting">listen-on { 5.6.7.8; }; -listen-on port 1234 { !1.2.3.4; 1.2/16; }; -</pre> -<p> - will enable the name server on port 53 for the IP address - 5.6.7.8, and on port 1234 of an address on the machine in net - 1.2 that is not 1.2.3.4. - </p> -<p> - If no <span><strong class="command">listen-on</strong></span> is specified, the - server will listen on port 53 on all interfaces. - </p> -<p> - The <span><strong class="command">listen-on-v6</strong></span> option is used to - specify the interfaces and the ports on which the server will - listen - for incoming queries sent using IPv6. - </p> -<p> - When </p> -<pre class="programlisting">{ any; }</pre> -<p> is - specified - as the <code class="varname">address_match_list</code> for the - <span><strong class="command">listen-on-v6</strong></span> option, - the server does not bind a separate socket to each IPv6 interface - address as it does for IPv4 if the operating system has enough API - support for IPv6 (specifically if it conforms to RFC 3493 and RFC - 3542). - Instead, it listens on the IPv6 wildcard address. - If the system only has incomplete API support for IPv6, however, - the behavior is the same as that for IPv4. - </p> -<p> - A list of particular IPv6 addresses can also be specified, in - which case - the server listens on a separate socket for each specified - address, - regardless of whether the desired API is supported by the system. - </p> -<p> - Multiple <span><strong class="command">listen-on-v6</strong></span> options can - be used. - For example, - </p> -<pre class="programlisting">listen-on-v6 { any; }; -listen-on-v6 port 1234 { !2001:db8::/32; any; }; -</pre> -<p> - will enable the name server on port 53 for any IPv6 addresses - (with a single wildcard socket), - and on port 1234 of IPv6 addresses that is not in the prefix - 2001:db8::/32 (with separate sockets for each matched address.) - </p> -<p> - To make the server not listen on any IPv6 address, use - </p> -<pre class="programlisting">listen-on-v6 { none; }; -</pre> -<p> - If no <span><strong class="command">listen-on-v6</strong></span> option is - specified, - the server will not listen on any IPv6 address. - </p> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2581241"></a>Query Address</h4></div></div></div> -<p> - If the server doesn't know the answer to a question, it will - query other name servers. <span><strong class="command">query-source</strong></span> specifies - the address and port used for such queries. For queries sent over - IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option. - If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted, - a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) - will be used. - If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted, - a random unprivileged port will be used. The <span><strong class="command">avoid-v4-udp-ports</strong></span> - and <span><strong class="command">avoid-v6-udp-ports</strong></span> options can be used - to prevent named - from selecting certain ports. The defaults are: - </p> -<pre class="programlisting">query-source address * port *; -query-source-v6 address * port *; -</pre> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - The address specified in the <span><strong class="command">query-source</strong></span> option - is used for both UDP and TCP queries, but the port applies only - to - UDP queries. TCP queries always use a random - unprivileged port. - </p> -</div> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - Solaris 2.5.1 and earlier does not support setting the source - address for TCP sockets. - </p> -</div> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - See also <span><strong class="command">transfer-source</strong></span> and - <span><strong class="command">notify-source</strong></span>. - </p> -</div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div> -<p> - <acronym class="acronym">BIND</acronym> has mechanisms in place to - facilitate zone transfers - and set limits on the amount of load that transfers place on the - system. The following options apply to zone transfers. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> -<dd><p> - Defines a global list of IP addresses of name servers - that are also sent NOTIFY messages whenever a fresh copy of - the - zone is loaded, in addition to the servers listed in the - zone's NS records. - This helps to ensure that copies of the zones will - quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list - is given in a <span><strong class="command">zone</strong></span> statement, - it will override - the <span><strong class="command">options also-notify</strong></span> - statement. When a <span><strong class="command">zone notify</strong></span> - statement - is set to <span><strong class="command">no</strong></span>, the IP - addresses in the global <span><strong class="command">also-notify</strong></span> list will - not be sent NOTIFY messages for that zone. The default is - the empty - list (no global notification list). - </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> -<dd><p> - Inbound zone transfers running longer than - this many minutes will be terminated. The default is 120 - minutes - (2 hours). The maximum value is 28 days (40320 minutes). - </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> -<dd><p> - Inbound zone transfers making no progress - in this many minutes will be terminated. The default is 60 - minutes - (1 hour). The maximum value is 28 days (40320 minutes). - </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> -<dd><p> - Outbound zone transfers running longer than - this many minutes will be terminated. The default is 120 - minutes - (2 hours). The maximum value is 28 days (40320 minutes). - </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> -<dd><p> - Outbound zone transfers making no progress - in this many minutes will be terminated. The default is 60 - minutes (1 - hour). The maximum value is 28 days (40320 minutes). - </p></dd> -<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt> -<dd><p> - Slave servers will periodically query master servers - to find out if zone serial numbers have changed. Each such - query uses - a minute amount of the slave server's network bandwidth. To - limit the - amount of bandwidth used, BIND 9 limits the rate at which - queries are - sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option, - an integer, is the maximum number of queries sent per - second. - The default is 20. - </p></dd> -<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt> -<dd><p> - In BIND 8, the <span><strong class="command">serial-queries</strong></span> - option - set the maximum number of concurrent serial number queries - allowed to be outstanding at any given time. - BIND 9 does not limit the number of outstanding - serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option. - Instead, it limits the rate at which the queries are sent - as defined using the <span><strong class="command">serial-query-rate</strong></span> option. - </p></dd> -<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt> -<dd><p> - Zone transfers can be sent using two different formats, - <span><strong class="command">one-answer</strong></span> and - <span><strong class="command">many-answers</strong></span>. - The <span><strong class="command">transfer-format</strong></span> option is used - on the master server to determine which format it sends. - <span><strong class="command">one-answer</strong></span> uses one DNS message per - resource record transferred. - <span><strong class="command">many-answers</strong></span> packs as many resource - records as possible into a message. - <span><strong class="command">many-answers</strong></span> is more efficient, but is - only supported by relatively new slave servers, - such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> - 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards. - The <span><strong class="command">many-answers</strong></span> format is also supported by - recent Microsoft Windows nameservers. - The default is <span><strong class="command">many-answers</strong></span>. - <span><strong class="command">transfer-format</strong></span> may be overridden on a - per-server basis by using the <span><strong class="command">server</strong></span> - statement. - </p></dd> -<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt> -<dd><p> - The maximum number of inbound zone transfers - that can be running concurrently. The default value is <code class="literal">10</code>. - Increasing <span><strong class="command">transfers-in</strong></span> may - speed up the convergence - of slave zones, but it also may increase the load on the - local system. - </p></dd> -<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt> -<dd><p> - The maximum number of outbound zone transfers - that can be running concurrently. Zone transfer requests in - excess - of the limit will be refused. The default value is <code class="literal">10</code>. - </p></dd> -<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt> -<dd><p> - The maximum number of inbound zone transfers - that can be concurrently transferring from a given remote - name server. - The default value is <code class="literal">2</code>. - Increasing <span><strong class="command">transfers-per-ns</strong></span> - may - speed up the convergence of slave zones, but it also may - increase - the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may - be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase - of the <span><strong class="command">server</strong></span> statement. - </p></dd> -<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> -<dd> -<p><span><strong class="command">transfer-source</strong></span> - determines which local address will be bound to IPv4 - TCP connections used to fetch zones transferred - inbound by the server. It also determines the - source IPv4 address, and optionally the UDP port, - used for the refresh queries and forwarded dynamic - updates. If not set, it defaults to a system - controlled value which will usually be the address - of the interface "closest to" the remote end. This - address must appear in the remote end's - <span><strong class="command">allow-transfer</strong></span> option for the - zone being transferred, if one is specified. This - statement sets the - <span><strong class="command">transfer-source</strong></span> for all zones, - but can be overridden on a per-view or per-zone - basis by including a - <span><strong class="command">transfer-source</strong></span> statement within - the <span><strong class="command">view</strong></span> or - <span><strong class="command">zone</strong></span> block in the configuration - file. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - Solaris 2.5.1 and earlier does not support setting the - source address for TCP sockets. - </p> -</div> -</dd> -<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> -<dd><p> - The same as <span><strong class="command">transfer-source</strong></span>, - except zone transfers are performed using IPv6. - </p></dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> -<dd> -<p> - An alternate transfer source if the one listed in - <span><strong class="command">transfer-source</strong></span> fails and - <span><strong class="command">use-alt-transfer-source</strong></span> is - set. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> - If you do not wish the alternate transfer source - to be used, you should set - <span><strong class="command">use-alt-transfer-source</strong></span> - appropriately and you should not depend upon - getting a answer back to the first refresh - query. - </div> -</dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> -<dd><p> - An alternate transfer source if the one listed in - <span><strong class="command">transfer-source-v6</strong></span> fails and - <span><strong class="command">use-alt-transfer-source</strong></span> is - set. - </p></dd> -<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> -<dd><p> - Use the alternate transfer sources or not. If views are - specified this defaults to <span><strong class="command">no</strong></span> - otherwise it defaults to - <span><strong class="command">yes</strong></span> (for BIND 8 - compatibility). - </p></dd> -<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> -<dd> -<p><span><strong class="command">notify-source</strong></span> - determines which local source address, and - optionally UDP port, will be used to send NOTIFY - messages. This address must appear in the slave - server's <span><strong class="command">masters</strong></span> zone clause or - in an <span><strong class="command">allow-notify</strong></span> clause. This - statement sets the <span><strong class="command">notify-source</strong></span> - for all zones, but can be overridden on a per-zone or - per-view basis by including a - <span><strong class="command">notify-source</strong></span> statement within - the <span><strong class="command">zone</strong></span> or - <span><strong class="command">view</strong></span> block in the configuration - file. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - Solaris 2.5.1 and earlier does not support setting the - source address for TCP sockets. - </p> -</div> -</dd> -<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> -<dd><p> - Like <span><strong class="command">notify-source</strong></span>, - but applies to notify messages sent to IPv6 addresses. - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2581988"></a>Bad UDP Port Lists</h4></div></div></div> -<p><span><strong class="command">avoid-v4-udp-ports</strong></span> - and <span><strong class="command">avoid-v6-udp-ports</strong></span> specify a list - of IPv4 and IPv6 UDP ports that will not be used as system - assigned source ports for UDP sockets. These lists - prevent named from choosing as its random source port a - port that is blocked by your firewall. If a query went - out with such a source port, the answer would not get by - the firewall and the name server would have to query - again. - </p> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2582003"></a>Operating System Resource Limits</h4></div></div></div> -<p> - The server's usage of many system resources can be limited. - Scaled values are allowed when specifying resource limits. For - example, <span><strong class="command">1G</strong></span> can be used instead of - <span><strong class="command">1073741824</strong></span> to specify a limit of - one - gigabyte. <span><strong class="command">unlimited</strong></span> requests - unlimited use, or the - maximum available amount. <span><strong class="command">default</strong></span> - uses the limit - that was in force when the server was started. See the description - of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>. - </p> -<p> - The following options set operating system resource limits for - the name server process. Some operating systems don't support - some or - any of the limits. On such systems, a warning will be issued if - the - unsupported limit is used. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt> -<dd><p> - The maximum size of a core dump. The default - is <code class="literal">default</code>. - </p></dd> -<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt> -<dd><p> - The maximum amount of data memory the server - may use. The default is <code class="literal">default</code>. - This is a hard limit on server memory usage. - If the server attempts to allocate memory in excess of this - limit, the allocation will fail, which may in turn leave - the server unable to perform DNS service. Therefore, - this option is rarely useful as a way of limiting the - amount of memory used by the server, but it can be used - to raise an operating system data size limit that is - too small by default. If you wish to limit the amount - of memory used by the server, use the - <span><strong class="command">max-cache-size</strong></span> and - <span><strong class="command">recursive-clients</strong></span> - options instead. - </p></dd> -<dt><span class="term"><span><strong class="command">files</strong></span></span></dt> -<dd><p> - The maximum number of files the server - may have open concurrently. The default is <code class="literal">unlimited</code>. - </p></dd> -<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt> -<dd><p> - The maximum amount of stack memory the server - may use. The default is <code class="literal">default</code>. - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2582186"></a>Server Resource Limits</h4></div></div></div> -<p> - The following options set limits on the server's - resource consumption that are enforced internally by the - server rather than the operating system. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt> -<dd><p> - This option is obsolete; it is accepted - and ignored for BIND 8 compatibility. The option - <span><strong class="command">max-journal-size</strong></span> performs a - similar function in BIND 9. - </p></dd> -<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> -<dd><p> - Sets a maximum size for each journal file - (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file - approaches - the specified size, some of the oldest transactions in the - journal - will be automatically removed. The default is - <code class="literal">unlimited</code>. - </p></dd> -<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt> -<dd><p> - In BIND 8, specifies the maximum number of host statistics - entries to be kept. - Not implemented in BIND 9. - </p></dd> -<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt> -<dd><p> - The maximum number of simultaneous recursive lookups - the server will perform on behalf of clients. The default - is - <code class="literal">1000</code>. Because each recursing - client uses a fair - bit of memory, on the order of 20 kilobytes, the value of - the - <span><strong class="command">recursive-clients</strong></span> option may - have to be decreased - on hosts with limited memory. - </p></dd> -<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt> -<dd><p> - The maximum number of simultaneous client TCP - connections that the server will accept. - The default is <code class="literal">100</code>. - </p></dd> -<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt> -<dd><p> - The maximum amount of memory to use for the - server's cache, in bytes. When the amount of data in the - cache - reaches this limit, the server will cause records to expire - prematurely so that the limit is not exceeded. In a server - with - multiple views, the limit applies separately to the cache of - each - view. The default is <code class="literal">unlimited</code>, meaning that - records are purged from the cache only when their TTLs - expire. - </p></dd> -<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt> -<dd><p> - The listen queue depth. The default and minimum is 3. - If the kernel supports the accept filter "dataready" this - also controls how - many TCP connections that will be queued in kernel space - waiting for - some data before being passed to accept. Values less than 3 - will be - silently raised. - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2582320"></a>Periodic Task Intervals</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt> -<dd><p> - The server will remove expired resource records - from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes. - The default is 60 minutes. The maximum value is 28 days - (40320 minutes). - If set to 0, no periodic cleaning will occur. - </p></dd> -<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt> -<dd><p> - The server will perform zone maintenance tasks - for all zones marked as <span><strong class="command">dialup</strong></span> whenever this - interval expires. The default is 60 minutes. Reasonable - values are up - to 1 day (1440 minutes). The maximum value is 28 days - (40320 minutes). - If set to 0, no zone maintenance for these zones will occur. - </p></dd> -<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt> -<dd><p> - The server will scan the network interface list - every <span><strong class="command">interface-interval</strong></span> - minutes. The default - is 60 minutes. The maximum value is 28 days (40320 minutes). - If set to 0, interface scanning will only occur when - the configuration file is loaded. After the scan, the - server will - begin listening for queries on any newly discovered - interfaces (provided they are allowed by the - <span><strong class="command">listen-on</strong></span> configuration), and - will - stop listening on interfaces that have gone away. - </p></dd> -<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt> -<dd> -<p> - Name server statistics will be logged - every <span><strong class="command">statistics-interval</strong></span> - minutes. The default is - 60. The maximum value is 28 days (40320 minutes). - If set to 0, no statistics will be logged. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - Not yet implemented in - <acronym class="acronym">BIND</acronym> 9. - </p> -</div> -</dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="topology"></a>Topology</h4></div></div></div> -<p> - All other things being equal, when the server chooses a name - server - to query from a list of name servers, it prefers the one that is - topologically closest to itself. The <span><strong class="command">topology</strong></span> statement - takes an <span><strong class="command">address_match_list</strong></span> and - interprets it - in a special way. Each top-level list element is assigned a - distance. - Non-negated elements get a distance based on their position in the - list, where the closer the match is to the start of the list, the - shorter the distance is between it and the server. A negated match - will be assigned the maximum distance from the server. If there - is no match, the address will get a distance which is further than - any non-negated list element, and closer than any negated element. - For example, - </p> -<pre class="programlisting">topology { - 10/8; - !1.2.3/24; - { 1.2/16; 3/8; }; -};</pre> -<p> - will prefer servers on network 10 the most, followed by hosts - on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the - exception of hosts on network 1.2.3 (netmask 255.255.255.0), which - is preferred least of all. - </p> -<p> - The default topology is - </p> -<pre class="programlisting"> topology { localhost; localnets; }; -</pre> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - The <span><strong class="command">topology</strong></span> option - is not implemented in <acronym class="acronym">BIND</acronym> 9. - </p> -</div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div> -<p> - The response to a DNS query may consist of multiple resource - records (RRs) forming a resource records set (RRset). - The name server will normally return the - RRs within the RRset in an indeterminate order - (but see the <span><strong class="command">rrset-order</strong></span> - statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>). - The client resolver code should rearrange the RRs as appropriate, - that is, using any addresses on the local net in preference to - other addresses. - However, not all resolvers can do this or are correctly - configured. - When a client is using a local server, the sorting can be performed - in the server, based on the client's address. This only requires - configuring the name servers, not all the clients. - </p> -<p> - The <span><strong class="command">sortlist</strong></span> statement (see below) - takes - an <span><strong class="command">address_match_list</strong></span> and - interprets it even - more specifically than the <span><strong class="command">topology</strong></span> - statement - does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>). - Each top level statement in the <span><strong class="command">sortlist</strong></span> must - itself be an explicit <span><strong class="command">address_match_list</strong></span> with - one or two elements. The first element (which may be an IP - address, - an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>) - of each top level list is checked against the source address of - the query until a match is found. - </p> -<p> - Once the source address of the query has been matched, if - the top level statement contains only one element, the actual - primitive - element that matched the source address is used to select the - address - in the response to move to the beginning of the response. If the - statement is a list of two elements, then the second element is - treated the same as the <span><strong class="command">address_match_list</strong></span> in - a <span><strong class="command">topology</strong></span> statement. Each top - level element - is assigned a distance and the address in the response with the - minimum - distance is moved to the beginning of the response. - </p> -<p> - In the following example, any queries received from any of - the addresses of the host itself will get responses preferring - addresses - on any of the locally connected networks. Next most preferred are - addresses - on the 192.168.1/24 network, and after that either the - 192.168.2/24 - or - 192.168.3/24 network with no preference shown between these two - networks. Queries received from a host on the 192.168.1/24 network - will prefer other addresses on that network to the 192.168.2/24 - and - 192.168.3/24 networks. Queries received from a host on the - 192.168.4/24 - or the 192.168.5/24 network will only prefer other addresses on - their directly connected networks. - </p> -<pre class="programlisting">sortlist { - { localhost; // IF the local host - { localnets; // THEN first fit on the - 192.168.1/24; // following nets - { 192.168.2/24; 192.168.3/24; }; }; }; - { 192.168.1/24; // IF on class C 192.168.1 - { 192.168.1/24; // THEN use .1, or .2 or .3 - { 192.168.2/24; 192.168.3/24; }; }; }; - { 192.168.2/24; // IF on class C 192.168.2 - { 192.168.2/24; // THEN use .2, or .1 or .3 - { 192.168.1/24; 192.168.3/24; }; }; }; - { 192.168.3/24; // IF on class C 192.168.3 - { 192.168.3/24; // THEN use .3, or .1 or .2 - { 192.168.1/24; 192.168.2/24; }; }; }; - { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net - }; -};</pre> -<p> - The following example will give reasonable behavior for the - local host and hosts on directly connected networks. It is similar - to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent - to queries from the local host will favor any of the directly - connected - networks. Responses sent to queries from any other hosts on a - directly - connected network will prefer addresses on that same network. - Responses - to other queries will not be sorted. - </p> -<pre class="programlisting">sortlist { - { localhost; localnets; }; - { localnets; }; -}; -</pre> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div> -<p> - When multiple records are returned in an answer it may be - useful to configure the order of the records placed into the - response. - The <span><strong class="command">rrset-order</strong></span> statement permits - configuration - of the ordering of the records in a multiple record response. - See also the <span><strong class="command">sortlist</strong></span> statement, - <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>. - </p> -<p> - An <span><strong class="command">order_spec</strong></span> is defined as - follows: - </p> -<p> - [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>] - [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>] - [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>] - order <em class="replaceable"><code>ordering</code></em> - </p> -<p> - If no class is specified, the default is <span><strong class="command">ANY</strong></span>. - If no type is specified, the default is <span><strong class="command">ANY</strong></span>. - If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk). - </p> -<p> - The legal values for <span><strong class="command">ordering</strong></span> are: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p><span><strong class="command">fixed</strong></span></p> - </td> -<td> - <p> - Records are returned in the order they - are defined in the zone file. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">random</strong></span></p> - </td> -<td> - <p> - Records are returned in some random order. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">cyclic</strong></span></p> - </td> -<td> - <p> - Records are returned in a round-robin - order. - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - For example: - </p> -<pre class="programlisting">rrset-order { - class IN type A name "host.example.com" order random; - order cyclic; -}; -</pre> -<p> - will cause any responses for type A records in class IN that - have "<code class="literal">host.example.com</code>" as a - suffix, to always be returned - in random order. All other records are returned in cyclic order. - </p> -<p> - If multiple <span><strong class="command">rrset-order</strong></span> statements - appear, - they are not combined — the last one applies. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - The <span><strong class="command">rrset-order</strong></span> statement - is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9. - BIND 9 currently does not fully support "fixed" ordering. - </p> -</div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="tuning"></a>Tuning</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt> -<dd><p> - Sets the number of seconds to cache a - lame server indication. 0 disables caching. (This is - <span class="bold"><strong>NOT</strong></span> recommended.) - The default is <code class="literal">600</code> (10 minutes) and the - maximum value is - <code class="literal">1800</code> (30 minutes). - </p></dd> -<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt> -<dd><p> - To reduce network traffic and increase performance, - the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is - used to set a maximum retention time for these answers in - the server - in seconds. The default - <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours). - <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed - 7 days and will - be silently truncated to 7 days if set to a greater value. - </p></dd> -<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt> -<dd><p> - Sets the maximum time for which the server will - cache ordinary (positive) answers. The default is - one week (7 days). - </p></dd> -<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt> -<dd> -<p> - The minimum number of root servers that - is required for a request for the root servers to be - accepted. The default - is <strong class="userinput"><code>2</code></strong>. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - Not implemented in <acronym class="acronym">BIND</acronym> 9. - </p> -</div> -</dd> -<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> -<dd><p> - Specifies the number of days into the - future when DNSSEC signatures automatically generated as a - result - of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) - will expire. The default is <code class="literal">30</code> days. - The maximum value is 10 years (3660 days). The signature - inception time is unconditionally set to one hour before the - current time - to allow for a limited amount of clock skew. - </p></dd> -<dt> -<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> -</dt> -<dd> -<p> - These options control the server's behavior on refreshing a - zone - (querying for SOA changes) or retrying failed transfers. - Usually the SOA values for the zone are used, but these - values - are set by the master, giving slave server administrators - little - control over their contents. - </p> -<p> - These options allow the administrator to set a minimum and - maximum - refresh and retry time either per-zone, per-view, or - globally. - These options are valid for slave and stub zones, - and clamp the SOA refresh and retry times to the specified - values. - </p> -</dd> -<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt> -<dd><p> - Sets the advertised EDNS UDP buffer size in bytes. Valid - values are 512 to 4096 (values outside this range - will be silently adjusted). The default value is - 4096. The usual reason for setting edns-udp-size to - a non-default value is to get UDP answers to pass - through broken firewalls that block fragmented - packets and/or block UDP packets that are greater - than 512 bytes. - </p></dd> -<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt> -<dd><p> - Sets the maximum EDNS UDP message size named will - send in bytes. Valid values are 512 to 4096 (values outside - this range will be silently adjusted). The default - value is 4096. The usual reason for setting - max-udp-size to a non-default value is to get UDP - answers to pass through broken firewalls that - block fragmented packets and/or block UDP packets - that are greater than 512 bytes. - This is independent of the advertised receive - buffer (<span><strong class="command">edns-udp-size</strong></span>). - </p></dd> -<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> -<dd><p>Specifies - the file format of zone files (see - <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>). - The default value is <code class="constant">text</code>, which is the - standard textual representation. Files in other formats - than <code class="constant">text</code> are typically expected - to be generated by the <span><strong class="command">named-compilezone</strong></span> tool. - Note that when a zone file in a different format than - <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span> - may omit some of the checks which would be performed for a - file in the <code class="constant">text</code> format. In particular, - <span><strong class="command">check-names</strong></span> checks do not apply - for the <code class="constant">raw</code> format. This means - a zone file in the <code class="constant">raw</code> format - must be generated with the same check level as that - specified in the <span><strong class="command">named</strong></span> configuration - file. This statement sets the - <span><strong class="command">masterfile-format</strong></span> for all zones, - but can be overridden on a per-zone or per-view basis - by including a <span><strong class="command">masterfile-format</strong></span> - statement within the <span><strong class="command">zone</strong></span> or - <span><strong class="command">view</strong></span> block in the configuration - file. - </p></dd> -<dt> -<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span> -</dt> -<dd> -<p>These set the - initial value (minimum) and maximum number of recursive - simultanious clients for any given query - (<qname,qtype,qclass>) that the server will accept - before dropping additional clients. named will attempt to - self tune this value and changes will be logged. The - default values are 10 and 100. - </p> -<p> - This value should reflect how many queries come in for - a given name in the time it takes to resolve that name. - If the number of queries exceed this value, named will - assume that it is dealing with a non-responsive zone - and will drop additional queries. If it gets a response - after dropping queries, it will raise the estimate. The - estimate will then be lowered in 20 minutes if it has - remained unchanged. - </p> -<p> - If <span><strong class="command">clients-per-query</strong></span> is set to zero, - then there is no limit on the number of clients per query - and no queries will be dropped. - </p> -<p> - If <span><strong class="command">max-clients-per-query</strong></span> is set to zero, - then there is no upper bound other than imposed by - <span><strong class="command">recursive-clients</strong></span>. - </p> -</dd> -<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> -<dd><p> - The delay, in seconds, between sending sets of notify - messages for a zone. The default is zero. - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="builtin"></a>Built-in server information zones</h4></div></div></div> -<p> - The server provides some helpful diagnostic information - through a number of built-in zones under the - pseudo-top-level-domain <code class="literal">bind</code> in the - <span><strong class="command">CHAOS</strong></span> class. These zones are part - of a - built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of - class - <span><strong class="command">CHAOS</strong></span> which is separate from the - default view of - class <span><strong class="command">IN</strong></span>; therefore, any global - server options - such as <span><strong class="command">allow-query</strong></span> do not apply - the these zones. - If you feel the need to disable these zones, use the options - below, or hide the built-in <span><strong class="command">CHAOS</strong></span> - view by - defining an explicit view of class <span><strong class="command">CHAOS</strong></span> - that matches all clients. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">version</strong></span></span></dt> -<dd><p> - The version the server should report - via a query of the name <code class="literal">version.bind</code> - with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. - The default is the real version number of this server. - Specifying <span><strong class="command">version none</strong></span> - disables processing of the queries. - </p></dd> -<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt> -<dd><p> - The hostname the server should report via a query of - the name <code class="filename">hostname.bind</code> - with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. - This defaults to the hostname of the machine hosting the - name server as - found by the gethostname() function. The primary purpose of such queries - is to - identify which of a group of anycast servers is actually - answering your queries. Specifying <span><strong class="command">hostname none;</strong></span> - disables processing of the queries. - </p></dd> -<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt> -<dd><p> - The ID of the server should report via a query of - the name <code class="filename">ID.SERVER</code> - with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. - The primary purpose of such queries is to - identify which of a group of anycast servers is actually - answering your queries. Specifying <span><strong class="command">server-id none;</strong></span> - disables processing of the queries. - Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to - use the hostname as found by the gethostname() function. - The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>. - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="empty"></a>Built-in Empty Zones</h4></div></div></div> -<p> - Named has some built-in empty zones (SOA and NS records only). - These are for zones that should normally be answered locally - and which queries should not be sent to the Internet's root - servers. The official servers which cover these namespaces - return NXDOMAIN responses to these queries. In particular, - these cover the reverse namespace for addresses from RFC 1918 and - RFC 3330. They also include the reverse namespace for IPv6 local - address (locally assigned), IPv6 link local addresses, the IPv6 - loopback address and the IPv6 unknown addresss. - </p> -<p> - Named will attempt to determine if a built in zone already exists - or is active (covered by a forward-only forwarding declaration) - and will not not create a empty zone in that case. - </p> -<p> - The current list of empty zones is: - </p> -<div class="itemizedlist"><ul type="disc"> -<li>10.IN-ADDR.ARPA</li> -<li>127.IN-ADDR.ARPA</li> -<li>254.169.IN-ADDR.ARPA</li> -<li>16.172.IN-ADDR.ARPA</li> -<li>17.172.IN-ADDR.ARPA</li> -<li>18.172.IN-ADDR.ARPA</li> -<li>19.172.IN-ADDR.ARPA</li> -<li>20.172.IN-ADDR.ARPA</li> -<li>21.172.IN-ADDR.ARPA</li> -<li>22.172.IN-ADDR.ARPA</li> -<li>23.172.IN-ADDR.ARPA</li> -<li>24.172.IN-ADDR.ARPA</li> -<li>25.172.IN-ADDR.ARPA</li> -<li>26.172.IN-ADDR.ARPA</li> -<li>27.172.IN-ADDR.ARPA</li> -<li>28.172.IN-ADDR.ARPA</li> -<li>29.172.IN-ADDR.ARPA</li> -<li>30.172.IN-ADDR.ARPA</li> -<li>31.172.IN-ADDR.ARPA</li> -<li>168.192.IN-ADDR.ARPA</li> -<li>2.0.192.IN-ADDR.ARPA</li> -<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> -<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> -<li>D.F.IP6.ARPA</li> -<li>8.E.F.IP6.ARPA</li> -<li>9.E.F.IP6.ARPA</li> -<li>A.E.F.IP6.ARPA</li> -<li>B.E.F.IP6.ARPA</li> -</ul></div> -<p> - </p> -<p> - Empty zones are settable at the view level and only apply to - views of class IN. Disabled empty zones are only inherited - from options if there are no disabled empty zones specified - at the view level. To override the options list of disabled - zones, you can disable the root zone at the view level, for example: -</p> -<pre class="programlisting"> - disable-empty-zone "."; -</pre> -<p> - </p> -<p> - If you are using the address ranges covered here, you should - already have reverse zones covering the addresses you use. - In practice this appears to not be the case with many queries - being made to the infrastructure servers for names in these - spaces. So many in fact that sacrificial servers were needed - to be deployed to channel the query load away from the - infrastructure servers. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> - The real parent servers for these zones should disable all - empty zone under the parent zone they serve. For the real - root servers, this is all built in empty zones. This will - enable them to return referrals to deeper in the tree. - </div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt> -<dd><p> - Specify what server name will appear in the returned - SOA record for empty zones. If none is specified, then - the zone's name will be used. - </p></dd> -<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt> -<dd><p> - Specify what contact name will appear in the returned - SOA record for empty zones. If none is specified, then - "." will be used. - </p></dd> -<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt> -<dd><p> - Enable or disable all empty zones. By default they - are enabled. - </p></dd> -<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt> -<dd><p> - Disable individual empty zones. By default none are - disabled. This option can be specified multiple times. - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="statsfile"></a>The Statistics File</h4></div></div></div> -<p> - The statistics file generated by <acronym class="acronym">BIND</acronym> 9 - is similar, but not identical, to that - generated by <acronym class="acronym">BIND</acronym> 8. - </p> -<p> - The statistics dump begins with a line, like: - </p> -<p> - <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span> - </p> -<p> - The number in parentheses is a standard - Unix-style timestamp, measured as seconds since January 1, 1970. - Following - that line are a series of lines containing a counter type, the - value of the - counter, optionally a zone name, and optionally a view name. - The lines without view and zone listed are global statistics for - the entire server. - Lines with a zone and view name for the given view and zone (the - view name is - omitted for the default view). - </p> -<p> - The statistics dump ends with the line where the - number is identical to the number in the beginning line; for example: - </p> -<p> - <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span> - </p> -<p> - The following statistics counters are maintained: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p><span><strong class="command">success</strong></span></p> - </td> -<td> - <p> - The number of - successful queries made to the server or zone. A - successful query - is defined as query which returns a NOERROR response - with at least - one answer RR. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">referral</strong></span></p> - </td> -<td> - <p> - The number of queries which resulted - in referral responses. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">nxrrset</strong></span></p> - </td> -<td> - <p> - The number of queries which resulted in - NOERROR responses with no data. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">nxdomain</strong></span></p> - </td> -<td> - <p> - The number - of queries which resulted in NXDOMAIN responses. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">failure</strong></span></p> - </td> -<td> - <p> - The number of queries which resulted in a - failure response other than those above. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">recursion</strong></span></p> - </td> -<td> - <p> - The number of queries which caused the server - to perform recursion in order to find the final answer. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">duplicate</strong></span></p> - </td> -<td> - <p> - The number of queries which the server attempted to - recurse but discover a existing query with the same - IP address, port, query id, name, type and class - already being processed. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">dropped</strong></span></p> - </td> -<td> - <p> - The number of queries for which the server - discovered a excessive number of existing - recursive queries for the same name, type and - class and were subsequently dropped. - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - Each query received by the server will cause exactly one of - <span><strong class="command">success</strong></span>, - <span><strong class="command">referral</strong></span>, - <span><strong class="command">nxrrset</strong></span>, - <span><strong class="command">nxdomain</strong></span>, or - <span><strong class="command">failure</strong></span> - to be incremented, and may additionally cause the - <span><strong class="command">recursion</strong></span> counter to be - incremented. - </p> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="acache"></a>Additional Section Caching</h4></div></div></div> -<p> - The additional section cache, also called <span><strong class="command">acache</strong></span>, - is an internal cache to improve the response performance of BIND 9. - When additional section caching is enabled, BIND 9 will - cache an internal short-cut to the additional section content for - each answer RR. - Note that <span><strong class="command">acache</strong></span> is an internal caching - mechanism of BIND 9, and is not related to the DNS caching - server function. - </p> -<p> - Additional section caching does not change the - response content (except the RRsets ordering of the additional - section, see below), but can improve the response performance - significantly. - It is particularly effective when BIND 9 acts as an authoritative - server for a zone that has many delegations with many glue RRs. - </p> -<p> - In order to obtain the maximum performance improvement - from additional section caching, setting - <span><strong class="command">additional-from-cache</strong></span> - to <span><strong class="command">no</strong></span> is recommended, since the current - implementation of <span><strong class="command">acache</strong></span> - does not short-cut of additional section information from the - DNS cache data. - </p> -<p> - One obvious disadvantage of <span><strong class="command">acache</strong></span> is - that it requires much more - memory for the internal cached data. - Thus, if the response performance does not matter and memory - consumption is much more critical, the - <span><strong class="command">acache</strong></span> mechanism can be - disabled by setting <span><strong class="command">acache-enable</strong></span> to - <span><strong class="command">no</strong></span>. - It is also possible to specify the upper limit of memory - consumption - for acache by using <span><strong class="command">max-acache-size</strong></span>. - </p> -<p> - Additional section caching also has a minor effect on the - RRset ordering in the additional section. - Without <span><strong class="command">acache</strong></span>, - <span><strong class="command">cyclic</strong></span> order is effective for the additional - section as well as the answer and authority sections. - However, additional section caching fixes the ordering when it - first caches an RRset for the additional section, and the same - ordering will be kept in succeeding responses, regardless of the - setting of <span><strong class="command">rrset-order</strong></span>. - The effect of this should be minor, however, since an - RRset in the additional section - typically only contains a small number of RRs (and in many cases - it only contains a single RR), in which case the - ordering does not matter much. - </p> -<p> - The following is a summary of options related to - <span><strong class="command">acache</strong></span>. - </p> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt> -<dd><p> - If <span><strong class="command">yes</strong></span>, additional section caching is - enabled. The default value is <span><strong class="command">no</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt> -<dd><p> - The server will remove stale cache entries, based on an LRU - based - algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes. - The default is 60 minutes. - If set to 0, no periodic cleaning will occur. - </p></dd> -<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt> -<dd><p> - The maximum amount of memory in bytes to use for the server's acache. - When the amount of data in the acache reaches this limit, - the server - will clean more aggressively so that the limit is not - exceeded. - In a server with multiple views, the limit applies - separately to the - acache of each view. - The default is <code class="literal">unlimited</code>, - meaning that - entries are purged from the acache only at the - periodic cleaning time. - </p></dd> -</dl></div> -</div> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting">server <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> { - [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>] - [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>] - [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>] - [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>] -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and - Usage</h3></div></div></div> -<p> - The <span><strong class="command">server</strong></span> statement defines - characteristics - to be associated with a remote name server. If a prefix length is - specified, then a range of servers is covered. Only the most - specific - server clause applies regardless of the order in - <code class="filename">named.conf</code>. - </p> -<p> - The <span><strong class="command">server</strong></span> statement can occur at - the top level of the - configuration file or inside a <span><strong class="command">view</strong></span> - statement. - If a <span><strong class="command">view</strong></span> statement contains - one or more <span><strong class="command">server</strong></span> statements, only - those - apply to the view and any top-level ones are ignored. - If a view contains no <span><strong class="command">server</strong></span> - statements, - any top-level <span><strong class="command">server</strong></span> statements are - used as - defaults. - </p> -<p> - If you discover that a remote server is giving out bad data, - marking it as bogus will prevent further queries to it. The - default - value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>. - </p> -<p> - The <span><strong class="command">provide-ixfr</strong></span> clause determines - whether - the local server, acting as master, will respond with an - incremental - zone transfer when the given remote server, a slave, requests it. - If set to <span><strong class="command">yes</strong></span>, incremental transfer - will be provided - whenever possible. If set to <span><strong class="command">no</strong></span>, - all transfers - to the remote server will be non-incremental. If not set, the - value - of the <span><strong class="command">provide-ixfr</strong></span> option in the - view or - global options block is used as a default. - </p> -<p> - The <span><strong class="command">request-ixfr</strong></span> clause determines - whether - the local server, acting as a slave, will request incremental zone - transfers from the given remote server, a master. If not set, the - value of the <span><strong class="command">request-ixfr</strong></span> option in - the view or - global options block is used as a default. - </p> -<p> - IXFR requests to servers that do not support IXFR will - automatically - fall back to AXFR. Therefore, there is no need to manually list - which servers support IXFR and which ones do not; the global - default - of <span><strong class="command">yes</strong></span> should always work. - The purpose of the <span><strong class="command">provide-ixfr</strong></span> and - <span><strong class="command">request-ixfr</strong></span> clauses is - to make it possible to disable the use of IXFR even when both - master - and slave claim to support it, for example if one of the servers - is buggy and crashes or corrupts data when IXFR is used. - </p> -<p> - The <span><strong class="command">edns</strong></span> clause determines whether - the local server will attempt to use EDNS when communicating - with the remote server. The default is <span><strong class="command">yes</strong></span>. - </p> -<p> - The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size - that is advertised by named when querying the remote server. - Valid values are 512 to 4096 bytes (values outside this range will be - silently adjusted). This option is useful when you wish to - advertises a different value to this server than the value you - advertise globally, for example, when there is a firewall at the - remote site that is blocking large replies. - </p> -<p> - The <span><strong class="command">max-udp-size</strong></span> option sets the - maximum EDNS UDP message size named will send. Valid - values are 512 to 4096 bytes (values outside this range will - be silently adjusted). This option is useful when you - know that there is a firewall that is blocking large - replies from named. - </p> -<p> - The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>, - uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs - as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is - more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> - 8.x, and patched versions of <acronym class="acronym">BIND</acronym> - 4.9.5. You can specify which method - to use for a server with the <span><strong class="command">transfer-format</strong></span> option. - If <span><strong class="command">transfer-format</strong></span> is not - specified, the <span><strong class="command">transfer-format</strong></span> - specified - by the <span><strong class="command">options</strong></span> statement will be - used. - </p> -<p><span><strong class="command">transfers</strong></span> - is used to limit the number of concurrent inbound zone - transfers from the specified server. If no - <span><strong class="command">transfers</strong></span> clause is specified, the - limit is set according to the - <span><strong class="command">transfers-per-ns</strong></span> option. - </p> -<p> - The <span><strong class="command">keys</strong></span> clause identifies a - <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement, - to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) - when talking to the remote server. - When a request is sent to the remote server, a request signature - will be generated using the key specified here and appended to the - message. A request originating from the remote server is not - required - to be signed by this key. - </p> -<p> - Although the grammar of the <span><strong class="command">keys</strong></span> - clause - allows for multiple keys, only a single key per server is - currently - supported. - </p> -<p> - The <span><strong class="command">transfer-source</strong></span> and - <span><strong class="command">transfer-source-v6</strong></span> clauses specify - the IPv4 and IPv6 source - address to be used for zone transfer with the remote server, - respectively. - For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can - be specified. - Similarly, for an IPv6 remote server, only - <span><strong class="command">transfer-source-v6</strong></span> can be - specified. - For more details, see the description of - <span><strong class="command">transfer-source</strong></span> and - <span><strong class="command">transfer-source-v6</strong></span> in - <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p> -<p> - The <span><strong class="command">notify-source</strong></span> and - <span><strong class="command">notify-source-v6</strong></span> clauses specify the - IPv4 and IPv6 source address to be used for notify - messages sent to remote servers, respectively. For an - IPv4 remote server, only <span><strong class="command">notify-source</strong></span> - can be specified. Similarly, for an IPv6 remote server, - only <span><strong class="command">notify-source-v6</strong></span> can be specified. - </p> -<p> - The <span><strong class="command">query-source</strong></span> and - <span><strong class="command">query-source-v6</strong></span> clauses specify the - IPv4 and IPv6 source address to be used for queries - sent to remote servers, respectively. For an IPv4 - remote server, only <span><strong class="command">query-source</strong></span> can - be specified. Similarly, for an IPv6 remote server, - only <span><strong class="command">query-source-v6</strong></span> can be specified. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2585361"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting">trusted-keys { - <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; - [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>] -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2585410"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition - and Usage</h3></div></div></div> -<p> - The <span><strong class="command">trusted-keys</strong></span> statement defines - DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the - public key for a non-authoritative zone is known, but - cannot be securely obtained through DNS, either because - it is the DNS root zone or because its parent zone is - unsigned. Once a key has been configured as a trusted - key, it is treated as if it had been validated and - proven secure. The resolver attempts DNSSEC validation - on all DNS data in subdomains of a security root. - </p> -<p> - All keys (and corresponding zones) listed in - <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless - of what parent zones say. Similarly for all keys listed in - <span><strong class="command">trusted-keys</strong></span> only those keys are - used to validate the DNSKEY RRset. The parent's DS RRset - will not be used. - </p> -<p> - The <span><strong class="command">trusted-keys</strong></span> statement can contain - multiple key entries, each consisting of the key's - domain name, flags, protocol, algorithm, and the Base-64 - representation of the key data. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div> -<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em> - [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { - match-clients { <em class="replaceable"><code>address_match_list</code></em> }; - match-destinations { <em class="replaceable"><code>address_match_list</code></em> }; - match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ; - [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>] - [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>] -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2585490"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> -<p> - The <span><strong class="command">view</strong></span> statement is a powerful - feature - of <acronym class="acronym">BIND</acronym> 9 that lets a name server - answer a DNS query differently - depending on who is asking. It is particularly useful for - implementing - split DNS setups without having to run multiple servers. - </p> -<p> - Each <span><strong class="command">view</strong></span> statement defines a view - of the - DNS namespace that will be seen by a subset of clients. A client - matches - a view if its source IP address matches the - <code class="varname">address_match_list</code> of the view's - <span><strong class="command">match-clients</strong></span> clause and its - destination IP address matches - the <code class="varname">address_match_list</code> of the - view's - <span><strong class="command">match-destinations</strong></span> clause. If not - specified, both - <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> - default to matching all addresses. In addition to checking IP - addresses - <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> - can also take <span><strong class="command">keys</strong></span> which provide an - mechanism for the - client to select the view. A view can also be specified - as <span><strong class="command">match-recursive-only</strong></span>, which - means that only recursive - requests from matching clients will match that view. - The order of the <span><strong class="command">view</strong></span> statements is - significant — - a client request will be resolved in the context of the first - <span><strong class="command">view</strong></span> that it matches. - </p> -<p> - Zones defined within a <span><strong class="command">view</strong></span> - statement will - be only be accessible to clients that match the <span><strong class="command">view</strong></span>. - By defining a zone of the same name in multiple views, different - zone data can be given to different clients, for example, - "internal" - and "external" clients in a split DNS setup. - </p> -<p> - Many of the options given in the <span><strong class="command">options</strong></span> statement - can also be used within a <span><strong class="command">view</strong></span> - statement, and then - apply only when resolving queries with that view. When no - view-specific - value is given, the value in the <span><strong class="command">options</strong></span> statement - is used as a default. Also, zone options can have default values - specified - in the <span><strong class="command">view</strong></span> statement; these - view-specific defaults - take precedence over those in the <span><strong class="command">options</strong></span> statement. - </p> -<p> - Views are class specific. If no class is given, class IN - is assumed. Note that all non-IN views must contain a hint zone, - since only the IN class has compiled-in default hints. - </p> -<p> - If there are no <span><strong class="command">view</strong></span> statements in - the config - file, a default view that matches any client is automatically - created - in class IN. Any <span><strong class="command">zone</strong></span> statements - specified on - the top level of the configuration file are considered to be part - of - this default view, and the <span><strong class="command">options</strong></span> - statement will - apply to the default view. If any explicit <span><strong class="command">view</strong></span> - statements are present, all <span><strong class="command">zone</strong></span> - statements must - occur inside <span><strong class="command">view</strong></span> statements. - </p> -<p> - Here is an example of a typical split DNS setup implemented - using <span><strong class="command">view</strong></span> statements: - </p> -<pre class="programlisting">view "internal" { - // This should match our internal networks. - match-clients { 10.0.0.0/8; }; - - // Provide recursive service to internal clients only. - recursion yes; - - // Provide a complete view of the example.com zone - // including addresses of internal hosts. - zone "example.com" { - type master; - file "example-internal.db"; - }; -}; - -view "external" { - // Match all clients not matched by the previous view. - match-clients { any; }; - - // Refuse recursive service to external clients. - recursion no; - - // Provide a restricted view of the example.com zone - // containing only publicly accessible hosts. - zone "example.com" { - type master; - file "example-external.db"; - }; -}; -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span> - Statement Grammar</h3></div></div></div> -<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { - type master; - [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>] - [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] - [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] - [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] - [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] - [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] - [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] - [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] - [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>] - [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>] - [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] - [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] -}; - -zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { - type slave; - [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] - [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] - [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] - [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] - [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] - [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] - [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] - [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>] - [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] -}; - -zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { - type hint; - file <em class="replaceable"><code>string</code></em> ; - [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; // Not Implemented. </span>] -}; - -zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { - type stub; - [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] - [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] - [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] - [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] - [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] - [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] - [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] - [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] - [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] - [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] - [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] - [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] - [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>] -}; - -zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { - type forward; - [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] - [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] - [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] -}; - -zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { - type delegation-only; -}; - -</pre> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2586798"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2586806"></a>Zone Types</h4></div></div></div> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - <code class="varname">master</code> - </p> - </td> -<td> - <p> - The server has a master copy of the data - for the zone and will be able to provide authoritative - answers for - it. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">slave</code> - </p> - </td> -<td> - <p> - A slave zone is a replica of a master - zone. The <span><strong class="command">masters</strong></span> list - specifies one or more IP addresses - of master servers that the slave contacts to update - its copy of the zone. - Masters list elements can also be names of other - masters lists. - By default, transfers are made from port 53 on the - servers; this can - be changed for all servers by specifying a port number - before the - list of IP addresses, or on a per-server basis after - the IP address. - Authentication to the master can also be done with - per-server TSIG keys. - If a file is specified, then the - replica will be written to this file whenever the zone - is changed, - and reloaded from this file on a server restart. Use - of a file is - recommended, since it often speeds server startup and - eliminates - a needless waste of bandwidth. Note that for large - numbers (in the - tens or hundreds of thousands) of zones per server, it - is best to - use a two-level naming scheme for zone filenames. For - example, - a slave server for the zone <code class="literal">example.com</code> might place - the zone contents into a file called - <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is - just the first two letters of the zone name. (Most - operating systems - behave very slowly if you put 100 000 files into - a single directory.) - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">stub</code> - </p> - </td> -<td> - <p> - A stub zone is similar to a slave zone, - except that it replicates only the NS records of a - master zone instead - of the entire zone. Stub zones are not a standard part - of the DNS; - they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation. - </p> - - <p> - Stub zones can be used to eliminate the need for glue - NS record - in a parent zone at the expense of maintaining a stub - zone entry and - a set of name server addresses in <code class="filename">named.conf</code>. - This usage is not recommended for new configurations, - and BIND 9 - supports it only in a limited way. - In <acronym class="acronym">BIND</acronym> 4/8, zone - transfers of a parent zone - included the NS records from stub children of that - zone. This meant - that, in some cases, users could get away with - configuring child stubs - only in the master server for the parent zone. <acronym class="acronym">BIND</acronym> - 9 never mixes together zone data from different zones - in this - way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent - zone has child stub zones configured, all the slave - servers for the - parent zone also need to have the same child stub - zones - configured. - </p> - - <p> - Stub zones can also be used as a way of forcing the - resolution - of a given domain to use a particular set of - authoritative servers. - For example, the caching name servers on a private - network using - RFC1918 addressing may be configured with stub zones - for - <code class="literal">10.in-addr.arpa</code> - to use a set of internal name servers as the - authoritative - servers for that domain. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">forward</code> - </p> - </td> -<td> - <p> - A "forward zone" is a way to configure - forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement - of type <span><strong class="command">forward</strong></span> can - contain a <span><strong class="command">forward</strong></span> - and/or <span><strong class="command">forwarders</strong></span> - statement, - which will apply to queries within the domain given by - the zone - name. If no <span><strong class="command">forwarders</strong></span> - statement is present or - an empty list for <span><strong class="command">forwarders</strong></span> is given, then no - forwarding will be done for the domain, canceling the - effects of - any forwarders in the <span><strong class="command">options</strong></span> statement. Thus - if you want to use this type of zone to change the - behavior of the - global <span><strong class="command">forward</strong></span> option - (that is, "forward first" - to, then "forward only", or vice versa, but want to - use the same - servers as set globally) you need to re-specify the - global forwarders. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">hint</code> - </p> - </td> -<td> - <p> - The initial set of root name servers is - specified using a "hint zone". When the server starts - up, it uses - the root hints to find a root name server and get the - most recent - list of root name servers. If no hint zone is - specified for class - IN, the server uses a compiled-in default set of root - servers hints. - Classes other than IN have no built-in defaults hints. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">delegation-only</code> - </p> - </td> -<td> - <p> - This is used to enforce the delegation-only - status of infrastructure zones (e.g. COM, NET, ORG). - Any answer that - is received without an explicit or implicit delegation - in the authority - section will be treated as NXDOMAIN. This does not - apply to the zone - apex. This should not be applied to leaf zones. - </p> - <p> - <code class="varname">delegation-only</code> has no - effect on answers received - from forwarders. - </p> - </td> -</tr> -</tbody> -</table></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2587362"></a>Class</h4></div></div></div> -<p> - The zone's name may optionally be followed by a class. If - a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>), - is assumed. This is correct for the vast majority of cases. - </p> -<p> - The <code class="literal">hesiod</code> class is - named for an information service from MIT's Project Athena. It - is - used to share information about various systems databases, such - as users, groups, printers and so on. The keyword - <code class="literal">HS</code> is - a synonym for hesiod. - </p> -<p> - Another MIT development is Chaosnet, a LAN protocol created - in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class. - </p> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2587395"></a>Zone Options</h4></div></div></div> -<div class="variablelist"><dl> -<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> -<dd><p> - See the description of <span><strong class="command">allow-transfer</strong></span> - in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> -<dd><p> - See the description of <span><strong class="command">allow-update</strong></span> - in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt> -<dd><p> - Specifies a "Simple Secure Update" policy. See - <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> -<dd><p> - See the description of <span><strong class="command">allow-update-forwarding</strong></span> - in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> -<dd><p> - Only meaningful if <span><strong class="command">notify</strong></span> - is - active for this zone. The set of machines that will - receive a - <code class="literal">DNS NOTIFY</code> message - for this zone is made up of all the listed name servers - (other than - the primary master) for the zone plus any IP addresses - specified - with <span><strong class="command">also-notify</strong></span>. A port - may be specified - with each <span><strong class="command">also-notify</strong></span> - address to send the notify - messages to a port other than the default of 53. - <span><strong class="command">also-notify</strong></span> is not - meaningful for stub zones. - The default is the empty list. - </p></dd> -<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> -<dd><p> - This option is used to restrict the character set and - syntax of - certain domain names in master files and/or DNS responses - received from the - network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span> - zones the default is <span><strong class="command">warn</strong></span>. - </p></dd> -<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">database</strong></span></span></dt> -<dd> -<p> - Specify the type of database to be used for storing the - zone data. The string following the <span><strong class="command">database</strong></span> keyword - is interpreted as a list of whitespace-delimited words. - The first word - identifies the database type, and any subsequent words are - passed - as arguments to the database to be interpreted in a way - specific - to the database type. - </p> -<p> - The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's - native in-memory - red-black-tree database. This database does not take - arguments. - </p> -<p> - Other values are possible if additional database drivers - have been linked into the server. Some sample drivers are - included - with the distribution but none are linked in by default. - </p> -</dd> -<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt> -<dd><p> - The flag only applies to hint and stub zones. If set - to <strong class="userinput"><code>yes</code></strong>, then the zone will also be - treated as if it - is also a delegation-only type zone. - </p></dd> -<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> -<dd><p> - Only meaningful if the zone has a forwarders - list. The <span><strong class="command">only</strong></span> value causes - the lookup to fail - after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would - allow a normal lookup to be tried. - </p></dd> -<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> -<dd><p> - Used to override the list of global forwarders. - If it is not specified in a zone of type <span><strong class="command">forward</strong></span>, - no forwarding is done for the zone and the global options are - not used. - </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt> -<dd><p> - Was used in <acronym class="acronym">BIND</acronym> 8 to - specify the name - of the transaction log (journal) file for dynamic update - and IXFR. - <acronym class="acronym">BIND</acronym> 9 ignores the option - and constructs the name of the journal - file by appending "<code class="filename">.jnl</code>" - to the name of the - zone file. - </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt> -<dd><p> - Was an undocumented option in <acronym class="acronym">BIND</acronym> 8. - Ignored in <acronym class="acronym">BIND</acronym> 9. - </p></dd> -<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt> -<dd><p> - Allow the default journal's filename to be overridden. - The default is the zone's filename with "<code class="filename">.jnl</code>" appended. - This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones. - </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt> -<dd><p> - In <acronym class="acronym">BIND</acronym> 8, this option was - intended for specifying - a public zone key for verification of signatures in DNSSEC - signed - zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures - on load and ignores the option. - </p></dd> -<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> -<dd><p> - If <strong class="userinput"><code>yes</code></strong>, the server will keep - statistical - information for this zone, which can be dumped to the - <span><strong class="command">statistics-file</strong></span> defined in - the server options. - </p></dd> -<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. - </p></dd> -<dt> -<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> -</dt> -<dd><p> - See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> -<dd><p> - See the description of - <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and - Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and - Usage”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> -<dd><p> - See the description of <span><strong class="command">multi-master</strong></span> in - <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. - </p></dd> -<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> -<dd><p> - See the description of <span><strong class="command">masterfile-format</strong></span> - in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. - </p></dd> -</dl></div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div> -<p> - <acronym class="acronym">BIND</acronym> 9 supports two alternative - methods of granting clients - the right to perform dynamic updates to a zone, - configured by the <span><strong class="command">allow-update</strong></span> - and - <span><strong class="command">update-policy</strong></span> option, - respectively. - </p> -<p> - The <span><strong class="command">allow-update</strong></span> clause works the - same - way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the - permission to update any record of any name in the zone. - </p> -<p> - The <span><strong class="command">update-policy</strong></span> clause is new - in <acronym class="acronym">BIND</acronym> - 9 and allows more fine-grained control over what updates are - allowed. - A set of rules is specified, where each rule either grants or - denies - permissions for one or more names to be updated by one or more - identities. - If the dynamic update request message is signed (that is, it - includes - either a TSIG or SIG(0) record), the identity of the signer can - be determined. - </p> -<p> - Rules are specified in the <span><strong class="command">update-policy</strong></span> zone - option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement - is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement - to be present. The <span><strong class="command">update-policy</strong></span> - statement only - examines the signer of a message; the source address is not - relevant. - </p> -<p> - This is how a rule definition looks: - </p> -<pre class="programlisting"> -( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>] -</pre> -<p> - Each rule grants or denies privileges. Once a message has - successfully matched a rule, the operation is immediately - granted - or denied and no further rules are examined. A rule is matched - when the signer matches the identity field, the name matches the - name field in accordance with the nametype field, and the type - matches - the types specified in the type field. - </p> -<p> - The identity field specifies a name or a wildcard name. - Normally, this - is the name of the TSIG or SIG(0) key used to sign the update - request. When a - TKEY exchange has been used to create a shared secret, the - identity of the - shared secret is the same as the identity of the key used to - authenticate the - TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a - wildcard name, it is subject to DNS wildcard expansion, so the - rule will apply - to multiple identities. The <em class="replaceable"><code>identity</code></em> field must - contain a fully-qualified domain name. - </p> -<p> - The <em class="replaceable"><code>nametype</code></em> field has 6 - values: - <code class="varname">name</code>, <code class="varname">subdomain</code>, - <code class="varname">wildcard</code>, <code class="varname">self</code>, - <code class="varname">selfsub</code>, and <code class="varname">selfwild</code>. - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - <code class="varname">name</code> - </p> - </td> -<td> - <p> - Exact-match semantics. This rule matches - when the name being updated is identical - to the contents of the - <em class="replaceable"><code>name</code></em> field. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">subdomain</code> - </p> - </td> -<td> - <p> - This rule matches when the name being updated - is a subdomain of, or identical to, the - contents of the <em class="replaceable"><code>name</code></em> - field. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">wildcard</code> - </p> - </td> -<td> - <p> - The <em class="replaceable"><code>name</code></em> field - is subject to DNS wildcard expansion, and - this rule matches when the name being updated - name is a valid expansion of the wildcard. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">self</code> - </p> - </td> -<td> - <p> - This rule matches when the name being updated - matches the contents of the - <em class="replaceable"><code>identity</code></em> field. - The <em class="replaceable"><code>name</code></em> field - is ignored, but should be the same as the - <em class="replaceable"><code>identity</code></em> field. - The <code class="varname">self</code> nametype is - most useful when allowing using one key per - name to update, where the key has the same - name as the name to be updated. The - <em class="replaceable"><code>identity</code></em> would - be specified as <code class="constant">*</code> (an asterisk) in - this case. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">selfsub</code> - </p> - </td> -<td> - <p> - This rule is similar to <code class="varname">self</code> - except that subdomains of <code class="varname">self</code> - can also be updated. - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="varname">selfwild</code> - </p> - </td> -<td> - <p> - This rule is similar to <code class="varname">self</code> - except that only subdomains of - <code class="varname">self</code> can be updated. - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - In all cases, the <em class="replaceable"><code>name</code></em> - field must - specify a fully-qualified domain name. - </p> -<p> - If no types are explicitly specified, this rule matches all - types except - RRSIG, NS, SOA, and NSEC. Types may be specified by name, including - "ANY" (ANY matches all types except NSEC, which can never be - updated). - Note that when an attempt is made to delete all records - associated with a - name, the rules are checked for each existing record type. - </p> -</div> -</div> -</div> -<div class="sect1" lang="en"> -<div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2589080"></a>Zone File</h2></div></div></div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div> -<p> - This section, largely borrowed from RFC 1034, describes the - concept of a Resource Record (RR) and explains when each is used. - Since the publication of RFC 1034, several new RRs have been - identified - and implemented in the DNS. These are also included. - </p> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2589098"></a>Resource Records</h4></div></div></div> -<p> - A domain name identifies a node. Each node has a set of - resource information, which may be empty. The set of resource - information associated with a particular name is composed of - separate RRs. The order of RRs in a set is not significant and - need not be preserved by name servers, resolvers, or other - parts of the DNS. However, sorting of multiple RRs is - permitted for optimization purposes, for example, to specify - that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>. - </p> -<p> - The components of a Resource Record are: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - owner name - </p> - </td> -<td> - <p> - The domain name where the RR is found. - </p> - </td> -</tr> -<tr> -<td> - <p> - type - </p> - </td> -<td> - <p> - An encoded 16-bit value that specifies - the type of the resource record. - </p> - </td> -</tr> -<tr> -<td> - <p> - TTL - </p> - </td> -<td> - <p> - The time-to-live of the RR. This field - is a 32-bit integer in units of seconds, and is - primarily used by - resolvers when they cache RRs. The TTL describes how - long a RR can - be cached before it should be discarded. - </p> - </td> -</tr> -<tr> -<td> - <p> - class - </p> - </td> -<td> - <p> - An encoded 16-bit value that identifies - a protocol family or instance of a protocol. - </p> - </td> -</tr> -<tr> -<td> - <p> - RDATA - </p> - </td> -<td> - <p> - The resource data. The format of the - data is type (and sometimes class) specific. - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - The following are <span class="emphasis"><em>types</em></span> of valid RRs: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - A - </p> - </td> -<td> - <p> - A host address. In the IN class, this is a - 32-bit IP address. Described in RFC 1035. - </p> - </td> -</tr> -<tr> -<td> - <p> - AAAA - </p> - </td> -<td> - <p> - IPv6 address. Described in RFC 1886. - </p> - </td> -</tr> -<tr> -<td> - <p> - A6 - </p> - </td> -<td> - <p> - IPv6 address. This can be a partial - address (a suffix) and an indirection to the name - where the rest of the - address (the prefix) can be found. Experimental. - Described in RFC 2874. - </p> - </td> -</tr> -<tr> -<td> - <p> - AFSDB - </p> - </td> -<td> - <p> - Location of AFS database servers. - Experimental. Described in RFC 1183. - </p> - </td> -</tr> -<tr> -<td> - <p> - APL - </p> - </td> -<td> - <p> - Address prefix list. Experimental. - Described in RFC 3123. - </p> - </td> -</tr> -<tr> -<td> - <p> - CERT - </p> - </td> -<td> - <p> - Holds a digital certificate. - Described in RFC 2538. - </p> - </td> -</tr> -<tr> -<td> - <p> - CNAME - </p> - </td> -<td> - <p> - Identifies the canonical name of an alias. - Described in RFC 1035. - </p> - </td> -</tr> -<tr> -<td> - <p> - DNAME - </p> - </td> -<td> - <p> - Replaces the domain name specified with - another name to be looked up, effectively aliasing an - entire - subtree of the domain name space rather than a single - record - as in the case of the CNAME RR. - Described in RFC 2672. - </p> - </td> -</tr> -<tr> -<td> - <p> - DNSKEY - </p> - </td> -<td> - <p> - Stores a public key associated with a signed - DNS zone. Described in RFC 4034. - </p> - </td> -</tr> -<tr> -<td> - <p> - DS - </p> - </td> -<td> - <p> - Stores the hash of a public key associated with a - signed DNS zone. Described in RFC 4034. - </p> - </td> -</tr> -<tr> -<td> - <p> - GPOS - </p> - </td> -<td> - <p> - Specifies the global position. Superseded by LOC. - </p> - </td> -</tr> -<tr> -<td> - <p> - HINFO - </p> - </td> -<td> - <p> - Identifies the CPU and OS used by a host. - Described in RFC 1035. - </p> - </td> -</tr> -<tr> -<td> - <p> - ISDN - </p> - </td> -<td> - <p> - Representation of ISDN addresses. - Experimental. Described in RFC 1183. - </p> - </td> -</tr> -<tr> -<td> - <p> - KEY - </p> - </td> -<td> - <p> - Stores a public key associated with a - DNS name. Used in original DNSSEC; replaced - by DNSKEY in DNSSECbis, but still used with - SIG(0). Described in RFCs 2535 and 2931. - </p> - </td> -</tr> -<tr> -<td> - <p> - KX - </p> - </td> -<td> - <p> - Identifies a key exchanger for this - DNS name. Described in RFC 2230. - </p> - </td> -</tr> -<tr> -<td> - <p> - LOC - </p> - </td> -<td> - <p> - For storing GPS info. Described in RFC 1876. - Experimental. - </p> - </td> -</tr> -<tr> -<td> - <p> - MX - </p> - </td> -<td> - <p> - Identifies a mail exchange for the domain with - a 16-bit preference value (lower is better) - followed by the host name of the mail exchange. - Described in RFC 974, RFC 1035. - </p> - </td> -</tr> -<tr> -<td> - <p> - NAPTR - </p> - </td> -<td> - <p> - Name authority pointer. Described in RFC 2915. - </p> - </td> -</tr> -<tr> -<td> - <p> - NSAP - </p> - </td> -<td> - <p> - A network service access point. - Described in RFC 1706. - </p> - </td> -</tr> -<tr> -<td> - <p> - NS - </p> - </td> -<td> - <p> - The authoritative name server for the - domain. Described in RFC 1035. - </p> - </td> -</tr> -<tr> -<td> - <p> - NSEC - </p> - </td> -<td> - <p> - Used in DNSSECbis to securely indicate that - RRs with an owner name in a certain name interval do - not exist in - a zone and indicate what RR types are present for an - existing name. - Described in RFC 4034. - </p> - </td> -</tr> -<tr> -<td> - <p> - NXT - </p> - </td> -<td> - <p> - Used in DNSSEC to securely indicate that - RRs with an owner name in a certain name interval do - not exist in - a zone and indicate what RR types are present for an - existing name. - Used in original DNSSEC; replaced by NSEC in - DNSSECbis. - Described in RFC 2535. - </p> - </td> -</tr> -<tr> -<td> - <p> - PTR - </p> - </td> -<td> - <p> - A pointer to another part of the domain - name space. Described in RFC 1035. - </p> - </td> -</tr> -<tr> -<td> - <p> - PX - </p> - </td> -<td> - <p> - Provides mappings between RFC 822 and X.400 - addresses. Described in RFC 2163. - </p> - </td> -</tr> -<tr> -<td> - <p> - RP - </p> - </td> -<td> - <p> - Information on persons responsible - for the domain. Experimental. Described in RFC 1183. - </p> - </td> -</tr> -<tr> -<td> - <p> - RRSIG - </p> - </td> -<td> - <p> - Contains DNSSECbis signature data. Described - in RFC 4034. - </p> - </td> -</tr> -<tr> -<td> - <p> - RT - </p> - </td> -<td> - <p> - Route-through binding for hosts that - do not have their own direct wide area network - addresses. - Experimental. Described in RFC 1183. - </p> - </td> -</tr> -<tr> -<td> - <p> - SIG - </p> - </td> -<td> - <p> - Contains DNSSEC signature data. Used in - original DNSSEC; replaced by RRSIG in - DNSSECbis, but still used for SIG(0). - Described in RFCs 2535 and 2931. - </p> - </td> -</tr> -<tr> -<td> - <p> - SOA - </p> - </td> -<td> - <p> - Identifies the start of a zone of authority. - Described in RFC 1035. - </p> - </td> -</tr> -<tr> -<td> - <p> - SRV - </p> - </td> -<td> - <p> - Information about well known network - services (replaces WKS). Described in RFC 2782. - </p> - </td> -</tr> -<tr> -<td> - <p> - TXT - </p> - </td> -<td> - <p> - Text records. Described in RFC 1035. - </p> - </td> -</tr> -<tr> -<td> - <p> - WKS - </p> - </td> -<td> - <p> - Information about which well known - network services, such as SMTP, that a domain - supports. Historical. - </p> - </td> -</tr> -<tr> -<td> - <p> - X25 - </p> - </td> -<td> - <p> - Representation of X.25 network addresses. - Experimental. Described in RFC 1183. - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - The following <span class="emphasis"><em>classes</em></span> of resource records - are currently valid in the DNS: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - IN - </p> - </td> -<td> - <p> - The Internet. - </p> - </td> -</tr> -<tr> -<td> - <p> - CH - </p> - </td> -<td> - <p> - Chaosnet, a LAN protocol created at MIT in the - mid-1970s. - Rarely used for its historical purpose, but reused for - BIND's - built-in server information zones, e.g., - <code class="literal">version.bind</code>. - </p> - </td> -</tr> -<tr> -<td> - <p> - HS - </p> - </td> -<td> - <p> - Hesiod, an information service - developed by MIT's Project Athena. It is used to share - information - about various systems databases, such as users, - groups, printers - and so on. - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - The owner name is often implicit, rather than forming an - integral - part of the RR. For example, many name servers internally form - tree - or hash structures for the name space, and chain RRs off nodes. - The remaining RR parts are the fixed header (type, class, TTL) - which is consistent for all RRs, and a variable part (RDATA) - that - fits the needs of the resource being described. - </p> -<p> - The meaning of the TTL field is a time limit on how long an - RR can be kept in a cache. This limit does not apply to - authoritative - data in zones; it is also timed out, but by the refreshing - policies - for the zone. The TTL is assigned by the administrator for the - zone where the data originates. While short TTLs can be used to - minimize caching, and a zero TTL prohibits caching, the - realities - of Internet performance suggest that these times should be on - the - order of days for the typical host. If a change can be - anticipated, - the TTL can be reduced prior to the change to minimize - inconsistency - during the change, and then increased back to its former value - following - the change. - </p> -<p> - The data in the RDATA section of RRs is carried as a combination - of binary strings and domain names. The domain names are - frequently - used as "pointers" to other data in the DNS. - </p> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2590513"></a>Textual expression of RRs</h4></div></div></div> -<p> - RRs are represented in binary form in the packets of the DNS - protocol, and are usually represented in highly encoded form - when - stored in a name server or resolver. In the examples provided - in - RFC 1034, a style similar to that used in master files was - employed - in order to show the contents of RRs. In this format, most RRs - are shown on a single line, although continuation lines are - possible - using parentheses. - </p> -<p> - The start of the line gives the owner of the RR. If a line - begins with a blank, then the owner is assumed to be the same as - that of the previous RR. Blank lines are often included for - readability. - </p> -<p> - Following the owner, we list the TTL, type, and class of the - RR. Class and type use the mnemonics defined above, and TTL is - an integer before the type field. In order to avoid ambiguity - in - parsing, type and class mnemonics are disjoint, TTLs are - integers, - and the type mnemonic is always last. The IN class and TTL - values - are often omitted from examples in the interests of clarity. - </p> -<p> - The resource data or RDATA section of the RR are given using - knowledge of the typical representation for the data. - </p> -<p> - For example, we might show the RRs carried in a message as: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - <code class="literal">ISI.EDU.</code> - </p> - </td> -<td> - <p> - <code class="literal">MX</code> - </p> - </td> -<td> - <p> - <code class="literal">10 VENERA.ISI.EDU.</code> - </p> - </td> -</tr> -<tr> -<td> - <p></p> - </td> -<td> - <p> - <code class="literal">MX</code> - </p> - </td> -<td> - <p> - <code class="literal">10 VAXA.ISI.EDU</code> - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="literal">VENERA.ISI.EDU</code> - </p> - </td> -<td> - <p> - <code class="literal">A</code> - </p> - </td> -<td> - <p> - <code class="literal">128.9.0.32</code> - </p> - </td> -</tr> -<tr> -<td> - <p></p> - </td> -<td> - <p> - <code class="literal">A</code> - </p> - </td> -<td> - <p> - <code class="literal">10.1.0.52</code> - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="literal">VAXA.ISI.EDU</code> - </p> - </td> -<td> - <p> - <code class="literal">A</code> - </p> - </td> -<td> - <p> - <code class="literal">10.2.0.27</code> - </p> - </td> -</tr> -<tr> -<td> - <p></p> - </td> -<td> - <p> - <code class="literal">A</code> - </p> - </td> -<td> - <p> - <code class="literal">128.9.0.33</code> - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - The MX RRs have an RDATA section which consists of a 16-bit - number followed by a domain name. The address RRs use a - standard - IP address format to contain a 32-bit internet address. - </p> -<p> - The above example shows six RRs, with two RRs at each of three - domain names. - </p> -<p> - Similarly we might see: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - <code class="literal">XX.LCS.MIT.EDU.</code> - </p> - </td> -<td> - <p> - <code class="literal">IN A</code> - </p> - </td> -<td> - <p> - <code class="literal">10.0.0.44</code> - </p> - </td> -</tr> -<tr> -<td> </td> -<td> - <p> - <code class="literal">CH A</code> - </p> - </td> -<td> - <p> - <code class="literal">MIT.EDU. 2420</code> - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - This example shows two addresses for - <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class. - </p> -</div> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2591101"></a>Discussion of MX Records</h3></div></div></div> -<p> - As described above, domain servers store information as a - series of resource records, each of which contains a particular - piece of information about a given domain name (which is usually, - but not always, a host). The simplest way to think of a RR is as - a typed pair of data, a domain name matched with a relevant datum, - and stored with some additional type information to help systems - determine when the RR is relevant. - </p> -<p> - MX records are used to control delivery of email. The data - specified in the record is a priority and a domain name. The - priority - controls the order in which email delivery is attempted, with the - lowest number first. If two priorities are the same, a server is - chosen randomly. If no servers at a given priority are responding, - the mail transport agent will fall back to the next largest - priority. - Priority numbers do not have any absolute meaning — they are - relevant - only respective to other MX records for that domain name. The - domain - name given is the machine to which the mail will be delivered. - It <span class="emphasis"><em>must</em></span> have an associated address record - (A or AAAA) — CNAME is not sufficient. - </p> -<p> - For a given domain, if there is both a CNAME record and an - MX record, the MX record is in error, and will be ignored. - Instead, - the mail will be delivered to the server specified in the MX - record - pointed to by the CNAME. - </p> -<p> - For example: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -<col> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - <code class="literal">example.com.</code> - </p> - </td> -<td> - <p> - <code class="literal">IN</code> - </p> - </td> -<td> - <p> - <code class="literal">MX</code> - </p> - </td> -<td> - <p> - <code class="literal">10</code> - </p> - </td> -<td> - <p> - <code class="literal">mail.example.com.</code> - </p> - </td> -</tr> -<tr> -<td> - <p></p> - </td> -<td> - <p> - <code class="literal">IN</code> - </p> - </td> -<td> - <p> - <code class="literal">MX</code> - </p> - </td> -<td> - <p> - <code class="literal">10</code> - </p> - </td> -<td> - <p> - <code class="literal">mail2.example.com.</code> - </p> - </td> -</tr> -<tr> -<td> - <p></p> - </td> -<td> - <p> - <code class="literal">IN</code> - </p> - </td> -<td> - <p> - <code class="literal">MX</code> - </p> - </td> -<td> - <p> - <code class="literal">20</code> - </p> - </td> -<td> - <p> - <code class="literal">mail.backup.org.</code> - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="literal">mail.example.com.</code> - </p> - </td> -<td> - <p> - <code class="literal">IN</code> - </p> - </td> -<td> - <p> - <code class="literal">A</code> - </p> - </td> -<td> - <p> - <code class="literal">10.0.0.1</code> - </p> - </td> -<td> - <p></p> - </td> -</tr> -<tr> -<td> - <p> - <code class="literal">mail2.example.com.</code> - </p> - </td> -<td> - <p> - <code class="literal">IN</code> - </p> - </td> -<td> - <p> - <code class="literal">A</code> - </p> - </td> -<td> - <p> - <code class="literal">10.0.0.2</code> - </p> - </td> -<td> - <p></p> - </td> -</tr> -</tbody> -</table></div> -<p> - Mail delivery will be attempted to <code class="literal">mail.example.com</code> and - <code class="literal">mail2.example.com</code> (in - any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will - be attempted. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div> -<p> - The time-to-live of the RR field is a 32-bit integer represented - in units of seconds, and is primarily used by resolvers when they - cache RRs. The TTL describes how long a RR can be cached before it - should be discarded. The following three types of TTL are - currently - used in a zone file. - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - SOA - </p> - </td> -<td> - <p> - The last field in the SOA is the negative - caching TTL. This controls how long other servers will - cache no-such-domain - (NXDOMAIN) responses from you. - </p> - <p> - The maximum time for - negative caching is 3 hours (3h). - </p> - </td> -</tr> -<tr> -<td> - <p> - $TTL - </p> - </td> -<td> - <p> - The $TTL directive at the top of the - zone file (before the SOA) gives a default TTL for every - RR without - a specific TTL set. - </p> - </td> -</tr> -<tr> -<td> - <p> - RR TTLs - </p> - </td> -<td> - <p> - Each RR can have a TTL as the second - field in the RR, which will control how long other - servers can cache - the it. - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - All of these TTLs default to units of seconds, though units - can be explicitly specified, for example, <code class="literal">1h30m</code>. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2591653"></a>Inverse Mapping in IPv4</h3></div></div></div> -<p> - Reverse name resolution (that is, translation from IP address - to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain - and PTR records. Entries in the in-addr.arpa domain are made in - least-to-most significant order, read left to right. This is the - opposite order to the way IP addresses are usually written. Thus, - a machine with an IP address of 10.1.2.3 would have a - corresponding - in-addr.arpa name of - 3.2.1.10.in-addr.arpa. This name should have a PTR resource record - whose data field is the name of the machine or, optionally, - multiple - PTR records if the machine has more than one name. For example, - in the [<span class="optional">example.com</span>] domain: - </p> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p> - <code class="literal">$ORIGIN</code> - </p> - </td> -<td> - <p> - <code class="literal">2.1.10.in-addr.arpa</code> - </p> - </td> -</tr> -<tr> -<td> - <p> - <code class="literal">3</code> - </p> - </td> -<td> - <p> - <code class="literal">IN PTR foo.example.com.</code> - </p> - </td> -</tr> -</tbody> -</table></div> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - The <span><strong class="command">$ORIGIN</strong></span> lines in the examples - are for providing context to the examples only — they do not - necessarily - appear in the actual usage. They are only used here to indicate - that the example is relative to the listed origin. - </p> -</div> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2591848"></a>Other Zone File Directives</h3></div></div></div> -<p> - The Master File Format was initially defined in RFC 1035 and - has subsequently been extended. While the Master File Format - itself - is class independent all records in a Master File must be of the - same - class. - </p> -<p> - Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>, - and <span><strong class="command">$TTL.</strong></span> - </p> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2591870"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> -<p> - Syntax: <span><strong class="command">$ORIGIN</strong></span> - <em class="replaceable"><code>domain-name</code></em> - [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] - </p> -<p><span><strong class="command">$ORIGIN</strong></span> - sets the domain name that will be appended to any - unqualified records. When a zone is first read in there - is an implicit <span><strong class="command">$ORIGIN</strong></span> - <<code class="varname">zone-name</code>><span><strong class="command">.</strong></span> - The current <span><strong class="command">$ORIGIN</strong></span> is appended to - the domain specified in the <span><strong class="command">$ORIGIN</strong></span> - argument if it is not absolute. - </p> -<pre class="programlisting"> -$ORIGIN example.com. -WWW CNAME MAIN-SERVER -</pre> -<p> - is equivalent to - </p> -<pre class="programlisting"> -WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. -</pre> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2592000"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> -<p> - Syntax: <span><strong class="command">$INCLUDE</strong></span> - <em class="replaceable"><code>filename</code></em> - [<span class="optional"> -<em class="replaceable"><code>origin</code></em> </span>] - [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>] - </p> -<p> - Read and process the file <code class="filename">filename</code> as - if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is - specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set - to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is - used. - </p> -<p> - The origin and the current domain name - revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once - the file has been read. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> -<p> - RFC 1035 specifies that the current origin should be restored - after - an <span><strong class="command">$INCLUDE</strong></span>, but it is silent - on whether the current - domain name should also be restored. BIND 9 restores both of - them. - This could be construed as a deviation from RFC 1035, a - feature, or both. - </p> -</div> -</div> -<div class="sect3" lang="en"> -<div class="titlepage"><div><div><h4 class="title"> -<a name="id2592069"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> -<p> - Syntax: <span><strong class="command">$TTL</strong></span> - <em class="replaceable"><code>default-ttl</code></em> - [<span class="optional"> -<em class="replaceable"><code>comment</code></em> </span>] - </p> -<p> - Set the default Time To Live (TTL) for subsequent records - with undefined TTLs. Valid TTLs are of the range 0-2147483647 - seconds. - </p> -<p><span><strong class="command">$TTL</strong></span> - is defined in RFC 2308. - </p> -</div> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2592173"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> -<p> - Syntax: <span><strong class="command">$GENERATE</strong></span> - <em class="replaceable"><code>range</code></em> - <em class="replaceable"><code>lhs</code></em> - [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] - [<span class="optional"><em class="replaceable"><code>class</code></em></span>] - <em class="replaceable"><code>type</code></em> - <em class="replaceable"><code>rhs</code></em> - [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] - </p> -<p><span><strong class="command">$GENERATE</strong></span> - is used to create a series of resource records that only - differ from each other by an - iterator. <span><strong class="command">$GENERATE</strong></span> can be used to - easily generate the sets of records required to support - sub /24 reverse delegations described in RFC 2317: - Classless IN-ADDR.ARPA delegation. - </p> -<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA. -$GENERATE 1-2 0 NS SERVER$.EXAMPLE. -$GENERATE 1-127 $ CNAME $.0</pre> -<p> - is equivalent to - </p> -<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE. -0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. -1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. -2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. -... -127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA. -</pre> -<div class="informaltable"><table border="1"> -<colgroup> -<col> -<col> -</colgroup> -<tbody> -<tr> -<td> - <p><span><strong class="command">range</strong></span></p> - </td> -<td> - <p> - This can be one of two forms: start-stop - or start-stop/step. If the first form is used, then step - is set to - 1. All of start, stop and step must be positive. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">lhs</strong></span></p> - </td> -<td> - <p>This - describes the owner name of the resource records - to be created. Any single <span><strong class="command">$</strong></span> - (dollar sign) - symbols within the <span><strong class="command">lhs</strong></span> side - are replaced by the iterator value. - - To get a $ in the output, you need to escape the - <span><strong class="command">$</strong></span> using a backslash - <span><strong class="command">\</strong></span>, - e.g. <span><strong class="command">\$</strong></span>. The - <span><strong class="command">$</strong></span> may optionally be followed - by modifiers which change the offset from the - iterator, field width and base. - - Modifiers are introduced by a - <span><strong class="command">{</strong></span> (left brace) immediately following the - <span><strong class="command">$</strong></span> as - <span><strong class="command">${offset[,width[,base]]}</strong></span>. - For example, <span><strong class="command">${-20,3,d}</strong></span> - subtracts 20 from the current value, prints the - result as a decimal in a zero-padded field of - width 3. - - Available output forms are decimal - (<span><strong class="command">d</strong></span>), octal - (<span><strong class="command">o</strong></span>) and hexadecimal - (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> - for uppercase). The default modifier is - <span><strong class="command">${0,0,d}</strong></span>. If the - <span><strong class="command">lhs</strong></span> is not absolute, the - current <span><strong class="command">$ORIGIN</strong></span> is appended - to the name. - </p> - <p> - For compatibility with earlier versions, <span><strong class="command">$$</strong></span> is still - recognized as indicating a literal $ in the output. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">ttl</strong></span></p> - </td> -<td> - <p> - Specifies the time-to-live of the generated records. If - not specified this will be inherited using the - normal ttl inheritance rules. - </p> - <p><span><strong class="command">class</strong></span> - and <span><strong class="command">ttl</strong></span> can be - entered in either order. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">class</strong></span></p> - </td> -<td> - <p> - Specifies the class of the generated records. - This must match the zone class if it is - specified. - </p> - <p><span><strong class="command">class</strong></span> - and <span><strong class="command">ttl</strong></span> can be - entered in either order. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">type</strong></span></p> - </td> -<td> - <p> - At present the only supported types are - PTR, CNAME, DNAME, A, AAAA and NS. - </p> - </td> -</tr> -<tr> -<td> - <p><span><strong class="command">rhs</strong></span></p> - </td> -<td> - <p> - <span><strong class="command">rhs</strong></span> is a domain name. It is processed - similarly to lhs. - </p> - </td> -</tr> -</tbody> -</table></div> -<p> - The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension - and not part of the standard zone file format. - </p> -<p> - BIND 8 does not support the optional TTL and CLASS fields. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div> -<p> - In addition to the standard textual format, BIND 9 - supports the ability to read or dump to zone files in - other formats. The <code class="constant">raw</code> format is - currently available as an additional format. It is a - binary format representing BIND 9's internal data - structure directly, thereby remarkably improving the - loading time. - </p> -<p> - For a primary server, a zone file in the - <code class="constant">raw</code> format is expected to be - generated from a textual zone file by the - <span><strong class="command">named-compilezone</strong></span> command. For a - secondary server or for a dynamic zone, it is automatically - generated (if this format is specified by the - <span><strong class="command">masterfile-format</strong></span> option) when - <span><strong class="command">named</strong></span> dumps the zone contents after - zone transfer or when applying prior updates. - </p> -<p> - If a zone file in a binary format needs manual modification, - it first must be converted to a textual form by the - <span><strong class="command">named-compilezone</strong></span> command. All - necessary modification should go to the text file, which - should then be converted to the binary form by the - <span><strong class="command">named-compilezone</strong></span> command again. - </p> -<p> - Although the <code class="constant">raw</code> format uses the - network byte order and avoids architecture-dependent - data alignment so that it is as much portable as - possible, it is primarily expected to be used inside - the same single system. In order to export a zone - file in the <code class="constant">raw</code> format or make a - portable backup of the file, it is recommended to - convert the file to the standard textual representation. - </p> -</div> -</div> -</div> -<div class="navfooter"> -<hr> -<table width="100%" summary="Navigation footer"> -<tr> -<td width="40%" align="left"> -<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td> -<td width="20%" align="center"> </td> -<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a> -</td> -</tr> -<tr> -<td width="40%" align="left" valign="top">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver </td> -<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> -<td width="40%" align="right" valign="top"> Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td> -</tr> -</table> -</div> -</body> -</html> |
