diff options
Diffstat (limited to 'contrib/bind/OPTIONS')
-rw-r--r-- | contrib/bind/OPTIONS | 412 |
1 files changed, 412 insertions, 0 deletions
diff --git a/contrib/bind/OPTIONS b/contrib/bind/OPTIONS new file mode 100644 index 0000000..8255244 --- /dev/null +++ b/contrib/bind/OPTIONS @@ -0,0 +1,412 @@ +OPTIONS + Original: Paul Vixie, 28Mar92 + Revised: $Id: OPTIONS,v 8.6 1996/05/21 07:32:31 vixie Exp $ + +Options available in this version of BIND are controlled by conf/options.h, +rather than by $(DEFS) in the Makefile. The options are: + +DEBUG (origin: U C Berkeley) + enables the -d command line option, and allows SIGUSR1 to increment +and SIGUSR2 to clear the internal variable "debug", which in turn controls +hundreds of fprintf()'s out to /usr/tmp/named.run. + you probably want this. it makes the binary bigger but not slower (or +at least not much slower), but SIGUSR[12] are the only way you'll track down +misconfigured name servers that hose you down with billions of bogus requests. + you may need this, it is on by default. + +ALLOW_T_UNSPEC (origin: MIT Project Athena) + enables the "unspec" RR type for ancient Athena software that does not +know about TXT RR's. + you probably do not care about this, it is off by default. + +ALLOW_UPDATES (origin: Mike Schwartz, University of Washington) + enables "dynamic updates", described in "doc/DynamicUpdate". this lets +you update named's in-memory database on the fly if you have the right client. +there is absolutely no security around this; if you enable it, anyone who can +reach your server can update your database. + this code doesn't compile any more and will be removed shortly. + +INVQ (origin: U C Berkeley, with #ifdef's by Paul Vixie) + enables "inverse queries", which in all of the internet only one +client ever uses: ancient nslookup. if you build named with INVQ defined, +you get the time-honored behaviour of supporting this whole class of queries +for no real purpose other than to waste a few hundred kilobytes of your +memory and about 3% of named's total CPU time. if you build with INVQ +undefined, old nslookups will not be able to reach your server in their +startup phase, and you will have to use the "server" command after it fails +over to some other server, or use "nslookup - 0" to get in from the shell. + if you need to support old nslookups try "options fake-iquery" +instead of enabling this option. + you probably do not want this. + +DSTORAGE (origin: U C Berkeley, with #ifdef's by Paul Vixie) + enables a malloc-debugger that checks for overruns on both ends of +each allocated block of memory. used when debugging since C has no bounds +or type checking. + you probably do not want this, it is off by default. + +DMALLOC (origin: Paul Vixie of Digital) + enables a malloc-debugger that traces all allocated blocks of memory +such that SIGIOT's output (see STATS option) includes a list of all mallocs +in the program, how many times each has been called, how many blocks of memory +allocated by that malloc are not yet free, and how many bytes they use up. +under each one will be a list of each free/realloc that has deallocated a block +of that malloc's memory, and how many times it has done so. + this is extremely helpful for finding memory leaks. as such, you +probably do not want this unless you are debugging named. + you probably do not need this, it is off by default. + +XFRNETS (origin: Paul Vixie of Digital) + enables the "xfrnets" command in named.boot. this has the same +syntax as "forwarders" and "sortlist" -- that is, a list of dotted quads. +each one is a network (16.0.0.0 and 130.180.0.0 are examples) or a host. +if you put any xfrnets commands into your named.boot, then zone transfers +will only be honored if they come from inside one of the specified +networks. this is very useful if you want to keep people outside from +being able to trivially map your entire network, but it doesn't stop them +from iterating so it's more annoying than secure. + this feature was once called "tcplist" out of ignorance on my part, +but with advice from phil almquist i decided to rename it "xfrnets" and make +it only control zone transfers -- previously it controlled all TCP connections +which made certain TCP-only resolvers unable to use our servers. the "tcplist" +syntax still works; it is a synonym for "xfrnets". + it is also nice if you want to keep the outside world from making your +nameserver fork and swap trying to do unauthorized zone transfers. if you have +large zone files or use BIND for TXT records you will find this useful. + you probably want this, it is on by default. + +PID_FIX (origin: Don Lewis of Harris) + tells named that if it starts up but can't keep going because another +nameserver is already running (and sitting on the server port), it should +put the /etc/named.pid (/var/run/named.pid) file back the way it found it. + you probably want this, it is on by default. + +FWD_LOOP (origin: Don Lewis of Harris) + tells named that if you list any of your own IP addresses in a +"forwarders" command in your named.boot file, you should be scolded. + you probably want this, it is on by default. + +NO_GLUE (origin: Don Lewis of Harris, and Andrew Partan of UUNET) + tells named-xfer that incoming zone transfers should be checked +for "glue" that comes from a zone outside the zone being transfered, and +comment this garbage out in the zone file so that when named reads in the +zone file after named-xfer exits, the garbage will not be entered into the +memory-resident database. + also tells named that when it is performing an outgoing zone +transfer, it should not send any of these "glue" records. + you definitely want this, it is on by default. + +BOGUSNS (origin: Piet Beertema of EUNet) + enables the "bogusns" command in named.boot. this has the same +syntax as forwarders and sortlist. any NS RR's that come in whose addresses +are on the list of "bogusns" addresses will be ignored. this is the last +resort when someone is bogusly advertising themselves as a root server. + just in case, though you won't use it often. + you probably want this, it is on by default. + +QRYLOG (origin: Bryan Beecher of UMich) + enables "query logging", such that SIGWINCH toggles tracing of all +incoming queries. the trace is sent to syslog, and is huge, but when you +need this you will need it bad and it does not slow named down or make it +larger. + If you define QRYLOG you may also start up named in query logging +mode by using the -q flag. If you do so you will probably want to analyze +the logs produced, the dnsstats and lamers scrips (in the contrib/umich +and contrib/lamers directories) will do it for you. + you probably want this, it is on by default. + +LOGFAC (origin: various people) + If you start up named with the -q flag you will be logging +large amounts of data, and probably will not want them logged to the +default logging facility, which is LOG_DAEMON. You will want to +redefine LOGFAC, presumably to LOC_LOCALn (0 <= n <= 7). Remember to +modify /etc/syslog.conf appropriately. + This only works on a system with a modern syslogd. + as such, it is on by default. + +YPKLUDGE (origin: Piet Beertema of EUNet) + certain versions of NIS/YP are capable of using the DNS for names +that cannot be found in the YP servers. of these, certain versions can't +tell the difference between a dotted quad and a domain name, and they send +queries to the DNS for dotted quads as if they were domain names. if your +named does not do anything special with these queries, they will end up +getting forwarded to other servers, effectively hosing all of you down with +endless useless network traffic. YPKLUDGE enables some checking in named +that lets it catch these bogus queries and send back immediate errors. + If you run "ypserv -i" you definitely want this, as a malconfigured +NIS server can cause DNS "flood" queries otherwise. Trust me. + this is off by default. + +TRACEROOT (origin: pma@cnd.hp.com and Bryan Beecher of UMich) + enables some checking in named for bogus root nameservers. This +code has been in use at U-M for years, so it is pretty well tested, plus we +have never been burned by the "bogus root NS scares" that have plagued the +DNS off and on. + this feature people will very much want to use, it is on by default. + +LOCALDOM (origin: Berkeley) + if set, the "domain" directive is recognized in the named.boot file. +this causes us to retry queries with the specified domain appended to the +name if the first lookup fails. this is a very bad idea since a given name +server will often be used by clients in more than one domain -- a name server +should _not_ make any presumptions as to the "home domain" of a requestor. + you almost certainly do not want this, it is off by default. + +SLAVE_FORWARD (origin: pma@sdd.hp.com) + if set, "slave" servers behave in an arguably more-correct way. this +is an experimental addition to BIND 4.9 that causes slaves to time out queries +in 60/N seconds where N is the number of forwarders defined. previously a +query would time out almost immediately, which caused a lot of unnecessary +network traffic. + you probably want this, it is on by default. + +FORCED_RELOAD (origin: pma@sdd.hp.com) + if set, then when a HUP signal is received, all secondary zones are +scheduled for serial-number comparison with the primaries. this has the effect +that if you HUP your server, it will refresh any zones which have changed, +even if those zones' refresh times have not been reached. + you probably want this, it is on by default. + +WANT_PIDFILE (origin: berkeley, parameterized by arc@sgi) + if set, a file called named.pid will be created in /etc or /var/run +when the name server has started. this file can be used to send signals to +BIND, as in "kill -HUP `cat /etc/named.pid`". + unless you are only on an SGI (where killall(1M) makes the pid file +unnecessary); + you probably want this, it is on by default. + +DOTTED_SERIAL (origin: berkeley; parameterized by vixie) + if set, allows a somewhat arcane n.m syntax in the serial number +field of an SOA. this is officially deprecated for 4.9; you should use +straight integer values and find an encoding that does not depend on +scaled-integer pseudodecimals. i suggest YYYYMMDDnn where YYYY is the +four-digit year, MM is the two-digit month, DD is the two-digit day-of-month, +and nn is a daily version number in case you change your serial number more +than once in a day. this encoding will overflow in the year 4294 gregorian. + you almost certainly do not want this, but if you have old zone files +lying around and you don't want to think your way through converting their +serial numbers, this deprecated behaviour is available. + graciously, it is on by default. + +SENSIBLE_DOTS (origin: kagotani@cs.titech.ac.jp; parameterized by vixie) + if set, changes the semantics of an "n.m" serial number from + n*10^(3+int(0.9+log10(m))) + m +to + n*10000+m + if you are using DOTTED_SERIAL in spite of its deprecated status, +and you are interested in a more predictable and sensible interpretation of +dotted numbers, then you probably want this. + it is off by default. + +VALIDATE (origin: USC/ISI) + enables a validation procedure to provide some security in an +otherwise insecure environment. Any RRs are accepted from a server only if +the server is authoritative over that domain. We consider a server +authoritative (for validation purposes) for even the sub-domains that it has +delegated to others. RRs are validated against the data we have in cache +already. Invalid records are neither cached nor returned. + it is off by default because it is hopeless, and the code will all +be ripped out of BIND in the near future. + +NCACHE (origin: USC/ISI) + enables negative caching. We cache only authoritative NXDOMAIN or +authoritative NOERROR with zero RR count. Non-authoritative NXDOMAIN answers +now contain NS records in the authority section. Non-authoritative NOERROR +responses have no authority or additional records to differentiate them from +referrals. They are cached for NTTL secs (currently 10 minutes) and are timed +out when the ttl expires. + you probably want this, it is on by default. + +RESOLVSORT (origin: marka@syd.dms.csiro.au) + enable sorting of addresses returned by gethostbyname. Sorting order +is specified by address/netmask pairs. This enables a host to override the +sortlist specified in the nameserver. + you probably want this, it is on by default. + +STUBS (origin: marka@syd.dms.csiro.au) + enable transfer and loading of NS records only for a zone. +still experimental. it won't hurt to enable it, but it may not work perfectly +so using it could lead to some confusion. + you probably don't care, it is on by default. + +SUNSECURITY (origin: rossc@ucc.su.oz.au) + enable checking of PTR records in gethostbyaddr() to detect +spoofing. Forced on SunOS 4 shared library as rlogin etc. depend on this. + you should probably not set this by hand. + +SECURE_ZONES (origin: gshapiro@guest.wpi.edu) + enables support for secure zones. This restricts access to +information in the zone according to the information found in the +secure_zone TXT RR found in the zone. If none is found, the zone is +world-readable. For information on the format of the secure_zone TXT +RR, see the Name Server Operations Guide for BIND. + you probably want this, it is on by default. + +ROUND_ROBIN (origin: Marshall Rose of TPC.INT) + if set, causes the databuf list in a namebuf to be rotated by one +slot after each access to it. this has the effect that if multiple RR's +of a given type are present, they will be given in "round robin" order +instead of always being given in the same order. + you probably want this, it is on by default. + +ADDAUTH (origin: marka@syd.dms.csiro.au) + if set, cause NS and glue A records to be returned with authoritative +answers. this causes slightly larger replies but less DNS traffic overall. + unless you have Mac's with an older version of Mac/TCP; + you probably want this, it is on by default. + +RFC1535 (origin: paul@vix.com) + if set, the resolver's default "search" list will be just the entire +"domain" name rather than the sliding window it had before 4.9.2. this will +make the default search list shorter, so folks who are saying "domain a.b.c" +and relying on the implicit "search a.b.c a.b c" will miss "a.b" and "c". + this option is on for compatibility with RFC 1535. + you should NOT turn it off, it is on by default. + +GEN_AXFR (origin: mark@comp.vuw.ac.nz, tytso@ATHENA.MIT.EDU, gdmr@dcs.ed.ac.uk) + if set, allows specification of zones in classes other than "IN" in +the named.boot file. Allows an optional "/class" on the "primary" and +"secondary" directives. Also fixes zone transfers so only data in the class +requested is transfered. + you probably want this, it is on by default. + +DATUMREFCNT (origin: mark andrews) + you want this. it will not be optional in future releases. + +LAME_DELEGATION (origin: don lewis; reworked by bryan beecher and don lewis) + this will detect the condition where some other server has told you +that a given set of servers is authoritative for some domain, and at least +one of those "delegated" servers disagrees (i.e., answers non-authoritatively). + you probably want this, it is on by default. + +LAME_LOGGING (origin: don lewis) + enable logging of lame delegations and set the log level + you may want this, it is on by default. + +RETURNSOA (origin: mark andrews) + This allows negative caching to work. Without this, older +pre-4.9.3 nameservers will not accept -ve cached anwsers. We actually +store the SOA record from the authority section rather that what was +requested because it is the existence of the NXDOMAIN that matters not +the type of data. The zone of the SOA record is tagged to the end of +the SOA record to allow it to be reconstructed. + You probably DO NOT WANT THIS, it's experimental and dangerous. + it is off by default. + +CLEANCACHE (origin: mark andrews) + Bind consumes memory without bound without this option. This +patch allows bind to periodically remove any stale entries in the +cache. Bind's memory usage should stabilize after approximately 1 day of +operation, as most TTL's are <= 1 day. Without this option stale entries +are only removed when they are looked up. + You probably want this, it is on by default. + +PURGE_ZONE (origin: mark andrews) + Various junk below a zone tends to hang around and corrupt future +zone data if a zone grows deeper. PURGE_ZONE will remove all traces of or +data which could be part of zone before loading a new one. + You probably want this, it is on by default. + +STATS (origin: Paul Vixie) + Named's internal statistics can take a fair amount of memory and +if you aren't interested in looking at these numbers you should disable +the feature. Future versions may require this. + You probably want this, it is on by default. + +RENICE (origin: bp@deins.informatik.uni-dortmund.de) + if set, the process priority of the AXFR subprocesses is changed to +"normal". If you are planning to raise the priority of the main nameserver +process, you will use this. + You probably want this, it is on by default. + +GETSER_LOGGING (origin: Paul Vixie) + if set, errors that occur during the fetch of serial numbers for zone +transfer consideration will be syslog()'d. this can lead to a lot of logging, +but is very helpful if you don't know why a zone isn't transfering. + You may not want this, but it is on by default. + +SHORT_FNAMES (origin: pma@sdd.hp.com) + on systems whose file names can only be 14 characters long, the temp +files created by named-xfer need to be constructed somewhat differently. this +should probably become the default since it is harmless. + you probably don't care one way or the other, it is off by default. + +XSTATS (origin: Benoit.Grange@inria.fr) + if set, the name server keeps more STATS about requests +received, and logs to syslog total counters from time to time. If you +aren't interested in looking at these numbers you should not enable +the feature. Requires STATS. + You may want this, but it is off by default. + +BIND_NOTIFY (origin: paul@vix.com) + experimental at this time; an internet draft is circulating. this +option informs slaves ("secondary" servers in BIND's erroneous terminology) +instantly when the master (primary, or another slave) loads a new zone. it +works fine and seems to cause no problems with slaves that don't support it, +but it does not implement the current internet draft (it lacks some necessary +delays) and causes a lot of extra syslog traffic, especially at startup. if +you don't mind running code that will absolutely NOT be compatible with the +eventual standard when the RFC is released, go ahead and turn this on. + vendors should not enable this in versions shipped to customers. + You will want this when it becomes compliant, it is off by default. + +LOC_RR (origin: ckd@kei.com) + incorporates support for the (RFC 1876) LOC RR type. + You may want this, it is on by default. + +SORT_RESPONSE (legacy) + should responses be sorted in what the server considers an optimal +order for the client? this is on by default but it does very little good. + +## ++Copyright++ 1989 +## - +## Copyright (c) 1989 +## The Regents of the University of California. All rights reserved. +## +## Redistribution and use in source and binary forms, with or without +## modification, are permitted provided that the following conditions +## are met: +## 1. Redistributions of source code must retain the above copyright +## notice, this list of conditions and the following disclaimer. +## 2. Redistributions in binary form must reproduce the above copyright +## notice, this list of conditions and the following disclaimer in the +## documentation and/or other materials provided with the distribution. +## 3. All advertising materials mentioning features or use of this software +## must display the following acknowledgement: +## This product includes software developed by the University of +## California, Berkeley and its contributors. +## 4. Neither the name of the University nor the names of its contributors +## may be used to endorse or promote products derived from this software +## without specific prior written permission. +## +## THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +## ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +## SUCH DAMAGE. +## - +## Portions Copyright (c) 1993 by Digital Equipment Corporation. +## +## Permission to use, copy, modify, and distribute this software for any +## purpose with or without fee is hereby granted, provided that the above +## copyright notice and this permission notice appear in all copies, and that +## the name of Digital Equipment Corporation not be used in advertising or +## publicity pertaining to distribution of the document or software without +## specific, written prior permission. +## +## THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL +## WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES +## OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT +## CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL +## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS +## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS +## SOFTWARE. +## - +## --Copyright-- |