diff options
Diffstat (limited to 'contrib/bind9/doc/arm/Bv9ARM.ch06.html')
-rw-r--r-- | contrib/bind9/doc/arm/Bv9ARM.ch06.html | 11220 |
1 files changed, 11220 insertions, 0 deletions
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html new file mode 100644 index 0000000..bd260dc --- /dev/null +++ b/contrib/bind9/doc/arm/Bv9ARM.ch06.html @@ -0,0 +1,11220 @@ +<!-- + - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2000-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $Id$ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>Chapter 6. BIND 9 Configuration Reference</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> +<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> +<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver"> +<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> +<div class="navheader"> +<table width="100%" summary="Navigation header"> +<tr><th colspan="3" align="center">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</th></tr> +<tr> +<td width="20%" align="left"> +<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td> +<th width="60%" align="center"> </th> +<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a> +</td> +</tr> +</table> +<hr> +</div> +<div class="chapter" lang="en"> +<div class="titlepage"><div><div><h2 class="title"> +<a name="Bv9ARM.ch06"></a>Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</h2></div></div></div> +<div class="toc"> +<p><b>Table of Contents</b></p> +<dl> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574711">Comment Syntax</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575371"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and + Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575561"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and + Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575921"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575938"><span><strong class="command">include</strong></span> Statement Definition and + Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575961"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575985"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576075"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576269"><span><strong class="command">logging</strong></span> Statement Definition and + Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578364"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578438"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578502"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578546"><span><strong class="command">masters</strong></span> Statement Definition and + Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2578567"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and + Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and + Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590613"><span><strong class="command">statistics-channels</strong></span> Statement Definition and + Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#trusted-keys"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590920"><span><strong class="command">trusted-keys</strong></span> Statement Definition + and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2590967"><span><strong class="command">managed-keys</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#managed-keys"><span><strong class="command">managed-keys</strong></span> Statement Definition + and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591409"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span> + Statement Grammar</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593189"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2596875">Zone File</a></span></dt> +<dd><dl> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599037">Discussion of MX Records</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599585">Inverse Mapping in IPv4</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2599848">Other Zone File Directives</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2600189"><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt> +<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt> +</dl></dd> +<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt> +<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd> +</dl> +</div> +<p> + <acronym class="acronym">BIND</acronym> 9 configuration is broadly similar + to <acronym class="acronym">BIND</acronym> 8; however, there are a few new + areas + of configuration, such as views. <acronym class="acronym">BIND</acronym> + 8 configuration files should work with few alterations in <acronym class="acronym">BIND</acronym> + 9, although more complex configurations should be reviewed to check + if they can be more efficiently implemented using the new features + found in <acronym class="acronym">BIND</acronym> 9. + </p> +<p> + <acronym class="acronym">BIND</acronym> 4 configuration files can be + converted to the new format + using the shell script + <code class="filename">contrib/named-bootconf/named-bootconf.sh</code>. + </p> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div> +<p> + Following is a list of elements used throughout the <acronym class="acronym">BIND</acronym> configuration + file documentation: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <code class="varname">acl_name</code> + </p> + </td> +<td> + <p> + The name of an <code class="varname">address_match_list</code> as + defined by the <span><strong class="command">acl</strong></span> statement. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">address_match_list</code> + </p> + </td> +<td> + <p> + A list of one or more + <code class="varname">ip_addr</code>, + <code class="varname">ip_prefix</code>, <code class="varname">key_id</code>, + or <code class="varname">acl_name</code> elements, see + <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a>. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">masters_list</code> + </p> + </td> +<td> + <p> + A named list of one or more <code class="varname">ip_addr</code> + with optional <code class="varname">key_id</code> and/or + <code class="varname">ip_port</code>. + A <code class="varname">masters_list</code> may include other + <code class="varname">masters_lists</code>. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">domain_name</code> + </p> + </td> +<td> + <p> + A quoted string which will be used as + a DNS name, for example "<code class="literal">my.test.domain</code>". + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">namelist</code> + </p> + </td> +<td> + <p> + A list of one or more <code class="varname">domain_name</code> + elements. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">dotted_decimal</code> + </p> + </td> +<td> + <p> + One to four integers valued 0 through + 255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>, + <span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">ip4_addr</code> + </p> + </td> +<td> + <p> + An IPv4 address with exactly four elements + in <code class="varname">dotted_decimal</code> notation. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">ip6_addr</code> + </p> + </td> +<td> + <p> + An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>. + IPv6 scoped addresses that have ambiguity on their + scope zones must be disambiguated by an appropriate + zone ID with the percent character (`%') as + delimiter. It is strongly recommended to use + string zone names rather than numeric identifiers, + in order to be robust against system configuration + changes. However, since there is no standard + mapping for such names and identifier values, + currently only interface names as link identifiers + are supported, assuming one-to-one mapping between + interfaces and links. For example, a link-local + address <span><strong class="command">fe80::1</strong></span> on the link + attached to the interface <span><strong class="command">ne0</strong></span> + can be specified as <span><strong class="command">fe80::1%ne0</strong></span>. + Note that on most systems link-local addresses + always have the ambiguity, and need to be + disambiguated. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">ip_addr</code> + </p> + </td> +<td> + <p> + An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">ip_port</code> + </p> + </td> +<td> + <p> + An IP port <code class="varname">number</code>. + The <code class="varname">number</code> is limited to 0 + through 65535, with values + below 1024 typically restricted to use by processes running + as root. + In some cases, an asterisk (`*') character can be used as a + placeholder to + select a random high-numbered port. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">ip_prefix</code> + </p> + </td> +<td> + <p> + An IP network specified as an <code class="varname">ip_addr</code>, + followed by a slash (`/') and then the number of bits in the + netmask. + Trailing zeros in a <code class="varname">ip_addr</code> + may omitted. + For example, <span><strong class="command">127/8</strong></span> is the + network <span><strong class="command">127.0.0.0</strong></span> with + netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is + network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>. + </p> + <p> + When specifying a prefix involving a IPv6 scoped address + the scope may be omitted. In that case the prefix will + match packets from any scope. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">key_id</code> + </p> + </td> +<td> + <p> + A <code class="varname">domain_name</code> representing + the name of a shared key, to be used for transaction + security. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">key_list</code> + </p> + </td> +<td> + <p> + A list of one or more + <code class="varname">key_id</code>s, + separated by semicolons and ending with a semicolon. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">number</code> + </p> + </td> +<td> + <p> + A non-negative 32-bit integer + (i.e., a number between 0 and 4294967295, inclusive). + Its acceptable value might further + be limited by the context in which it is used. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">path_name</code> + </p> + </td> +<td> + <p> + A quoted string which will be used as + a pathname, such as <code class="filename">zones/master/my.test.domain</code>. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">port_list</code> + </p> + </td> +<td> + <p> + A list of an <code class="varname">ip_port</code> or a port + range. + A port range is specified in the form of + <strong class="userinput"><code>range</code></strong> followed by + two <code class="varname">ip_port</code>s, + <code class="varname">port_low</code> and + <code class="varname">port_high</code>, which represents + port numbers from <code class="varname">port_low</code> through + <code class="varname">port_high</code>, inclusive. + <code class="varname">port_low</code> must not be larger than + <code class="varname">port_high</code>. + For example, + <strong class="userinput"><code>range 1024 65535</code></strong> represents + ports from 1024 through 65535. + In either case an asterisk (`*') character is not + allowed as a valid <code class="varname">ip_port</code>. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">size_spec</code> + </p> + </td> +<td> + <p> + A 64-bit unsigned integer, or the keywords + <strong class="userinput"><code>unlimited</code></strong> or + <strong class="userinput"><code>default</code></strong>. + </p> + <p> + Integers may take values + 0 <= value <= 18446744073709551615, though + certain parameters may use a more limited range + within these extremes. In most cases, setting a + value to 0 does not literally mean zero; it means + "undefined" or "as big as psosible", depending on + the context. See the expalantions of particular + parameters that use <code class="varname">size_spec</code> + for details on how they interpret its use. + </p> + <p> + Numeric values can optionally be followed by a + scaling factor: + <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong> + for kilobytes, + <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong> + for megabytes, and + <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> + for gigabytes, which scale by 1024, 1024*1024, and + 1024*1024*1024 respectively. + </p> + <p> + <code class="varname">unlimited</code> generally means + "as big as possible", though in certain contexts, + (including <code class="option">max-cache-size</code>), it may + mean the largest possible 32-bit unsigned integer + (0xffffffff); this distinction can be important when + dealing with larger quantities. + <code class="varname">unlimited</code> is usually the best way + to safely set a very large number. + </p> + <p> + <code class="varname">default</code> + uses the limit that was in force when the server was started. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">yes_or_no</code> + </p> + </td> +<td> + <p> + Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>. + The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are + also accepted, as are the numbers <strong class="userinput"><code>1</code></strong> + and <strong class="userinput"><code>0</code></strong>. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">dialup_option</code> + </p> + </td> +<td> + <p> + One of <strong class="userinput"><code>yes</code></strong>, + <strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>, + <strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or + <strong class="userinput"><code>passive</code></strong>. + When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>, + <strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong> + are restricted to slave and stub zones. + </p> + </td> +</tr> +</tbody> +</table></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2574546"></a>Syntax</h4></div></div></div> +<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ; + [<span class="optional"> address_match_list_element; ... </span>] +<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] | + key key_id | acl_name | { address_match_list } ) +</pre> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2574573"></a>Definition and Usage</h4></div></div></div> +<p> + Address match lists are primarily used to determine access + control for various server operations. They are also used in + the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span> + statements. The elements which constitute an address match + list can be any of the following: + </p> +<div class="itemizedlist"><ul type="disc"> +<li>an IP address (IPv4 or IPv6)</li> +<li>an IP prefix (in `/' notation)</li> +<li> + a key ID, as defined by the <span><strong class="command">key</strong></span> + statement + </li> +<li>the name of an address match list defined with + the <span><strong class="command">acl</strong></span> statement + </li> +<li>a nested address match list enclosed in braces</li> +</ul></div> +<p> + Elements can be negated with a leading exclamation mark (`!'), + and the match list names "any", "none", "localhost", and + "localnets" are predefined. More information on those names + can be found in the description of the acl statement. + </p> +<p> + The addition of the key clause made the name of this syntactic + element something of a misnomer, since security keys can be used + to validate access without regard to a host or network address. + Nonetheless, the term "address match list" is still used + throughout the documentation. + </p> +<p> + When a given IP address or prefix is compared to an address + match list, the comparison takes place in approximately O(1) + time. However, key comparisons require that the list of keys + be traversed until a matching key is found, and therefore may + be somewhat slower. + </p> +<p> + The interpretation of a match depends on whether the list is being + used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a + <span><strong class="command">sortlist</strong></span>, and whether the element was negated. + </p> +<p> + When used as an access control list, a non-negated match + allows access and a negated match denies access. If + there is no match, access is denied. The clauses + <span><strong class="command">allow-notify</strong></span>, + <span><strong class="command">allow-recursion</strong></span>, + <span><strong class="command">allow-recursion-on</strong></span>, + <span><strong class="command">allow-query</strong></span>, + <span><strong class="command">allow-query-on</strong></span>, + <span><strong class="command">allow-query-cache</strong></span>, + <span><strong class="command">allow-query-cache-on</strong></span>, + <span><strong class="command">allow-transfer</strong></span>, + <span><strong class="command">allow-update</strong></span>, + <span><strong class="command">allow-update-forwarding</strong></span>, and + <span><strong class="command">blackhole</strong></span> all use address match + lists. Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the + server to refuse queries on any of the machine's + addresses which do not match the list. + </p> +<p> + Order of insertion is significant. If more than one element + in an ACL is found to match a given IP address or prefix, + preference will be given to the one that came + <span class="emphasis"><em>first</em></span> in the ACL definition. + Because of this first-match behavior, an element that + defines a subset of another element in the list should + come before the broader element, regardless of whether + either is negated. For example, in + <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> + the 1.2.3.13 element is completely useless because the + algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24 + element. Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes + that problem by having 1.2.3.13 blocked by the negation, but + all other 1.2.3.* hosts fall through. + </p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2574711"></a>Comment Syntax</h3></div></div></div> +<p> + The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for + comments to appear + anywhere that whitespace may appear in a <acronym class="acronym">BIND</acronym> configuration + file. To appeal to programmers of all kinds, they can be written + in the C, C++, or shell/perl style. + </p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2574726"></a>Syntax</h4></div></div></div> +<p> + </p> +<pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre> +<p> + </p> +<pre class="programlisting">// This is a <acronym class="acronym">BIND</acronym> comment as in C++</pre> +<p> + </p> +<pre class="programlisting"># This is a <acronym class="acronym">BIND</acronym> comment as in common UNIX shells +# and perl</pre> +<p> + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2574756"></a>Definition and Usage</h4></div></div></div> +<p> + Comments may appear anywhere that whitespace may appear in + a <acronym class="acronym">BIND</acronym> configuration file. + </p> +<p> + C-style comments start with the two characters /* (slash, + star) and end with */ (star, slash). Because they are completely + delimited with these characters, they can be used to comment only + a portion of a line or to span multiple lines. + </p> +<p> + C-style comments cannot be nested. For example, the following + is not valid because the entire comment ends with the first */: + </p> +<p> + +</p> +<pre class="programlisting">/* This is the start of a comment. + This is still part of the comment. +/* This is an incorrect attempt at nesting a comment. */ + This is no longer in any comment. */ +</pre> +<p> + + </p> +<p> + C++-style comments start with the two characters // (slash, + slash) and continue to the end of the physical line. They cannot + be continued across multiple physical lines; to have one logical + comment span multiple lines, each line must use the // pair. + For example: + </p> +<p> + +</p> +<pre class="programlisting">// This is the start of a comment. The next line +// is a new comment, even though it is logically +// part of the previous comment. +</pre> +<p> + + </p> +<p> + Shell-style (or perl-style, if you prefer) comments start + with the character <code class="literal">#</code> (number sign) + and continue to the end of the + physical line, as in C++ comments. + For example: + </p> +<p> + +</p> +<pre class="programlisting"># This is the start of a comment. The next line +# is a new comment, even though it is logically +# part of the previous comment. +</pre> +<p> + + </p> +<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Warning</h3> +<p> + You cannot use the semicolon (`;') character + to start a comment such as you would in a zone file. The + semicolon indicates the end of a configuration + statement. + </p> +</div> +</div> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div> +<p> + A <acronym class="acronym">BIND</acronym> 9 configuration consists of + statements and comments. + Statements end with a semicolon. Statements and comments are the + only elements that can appear without enclosing braces. Many + statements contain a block of sub-statements, which are also + terminated with a semicolon. + </p> +<p> + The following statements are supported: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p><span><strong class="command">acl</strong></span></p> + </td> +<td> + <p> + defines a named IP address + matching list, for access control and other uses. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">controls</strong></span></p> + </td> +<td> + <p> + declares control channels to be used + by the <span><strong class="command">rndc</strong></span> utility. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">include</strong></span></p> + </td> +<td> + <p> + includes a file. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">key</strong></span></p> + </td> +<td> + <p> + specifies key information for use in + authentication and authorization using TSIG. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">logging</strong></span></p> + </td> +<td> + <p> + specifies what the server logs, and where + the log messages are sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">lwres</strong></span></p> + </td> +<td> + <p> + configures <span><strong class="command">named</strong></span> to + also act as a light-weight resolver daemon (<span><strong class="command">lwresd</strong></span>). + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">masters</strong></span></p> + </td> +<td> + <p> + defines a named masters list for + inclusion in stub and slave zones' + <span><strong class="command">masters</strong></span> or + <span><strong class="command">also-notify</strong></span> lists. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">options</strong></span></p> + </td> +<td> + <p> + controls global server configuration + options and sets defaults for other statements. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">server</strong></span></p> + </td> +<td> + <p> + sets certain configuration options on + a per-server basis. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">statistics-channels</strong></span></p> + </td> +<td> + <p> + declares communication channels to get access to + <span><strong class="command">named</strong></span> statistics. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">trusted-keys</strong></span></p> + </td> +<td> + <p> + defines trusted DNSSEC keys. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">managed-keys</strong></span></p> + </td> +<td> + <p> + lists DNSSEC keys to be kept up to date + using RFC 5011 trust anchor maintenance. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">view</strong></span></p> + </td> +<td> + <p> + defines a view. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">zone</strong></span></p> + </td> +<td> + <p> + defines a zone. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + The <span><strong class="command">logging</strong></span> and + <span><strong class="command">options</strong></span> statements may only occur once + per + configuration. + </p> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2575371"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name { + address_match_list +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and + Usage</h3></div></div></div> +<p> + The <span><strong class="command">acl</strong></span> statement assigns a symbolic + name to an address match list. It gets its name from a primary + use of address match lists: Access Control Lists (ACLs). + </p> +<p> + Note that an address match list's name must be defined + with <span><strong class="command">acl</strong></span> before it can be used + elsewhere; no forward references are allowed. + </p> +<p> + The following ACLs are built-in: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p><span><strong class="command">any</strong></span></p> + </td> +<td> + <p> + Matches all hosts. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">none</strong></span></p> + </td> +<td> + <p> + Matches no hosts. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">localhost</strong></span></p> + </td> +<td> + <p> + Matches the IPv4 and IPv6 addresses of all network + interfaces on the system. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">localnets</strong></span></p> + </td> +<td> + <p> + Matches any host on an IPv4 or IPv6 network + for which the system has an interface. + Some systems do not provide a way to determine the prefix + lengths of + local IPv6 addresses. + In such a case, <span><strong class="command">localnets</strong></span> + only matches the local + IPv6 addresses, just like <span><strong class="command">localhost</strong></span>. + </p> + </td> +</tr> +</tbody> +</table></div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2575561"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">controls</strong></span> { + [ inet ( ip_addr | * ) [ port ip_port ] + allow { <em class="replaceable"><code> address_match_list </code></em> } + keys { <em class="replaceable"><code>key_list</code></em> }; ] + [ inet ...; ] + [ unix <em class="replaceable"><code>path</code></em> perm <em class="replaceable"><code>number</code></em> owner <em class="replaceable"><code>number</code></em> group <em class="replaceable"><code>number</code></em> + keys { <em class="replaceable"><code>key_list</code></em> }; ] + [ unix ...; ] +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and + Usage</h3></div></div></div> +<p> + The <span><strong class="command">controls</strong></span> statement declares control + channels to be used by system administrators to control the + operation of the name server. These control channels are + used by the <span><strong class="command">rndc</strong></span> utility to send + commands to and retrieve non-DNS results from a name server. + </p> +<p> + An <span><strong class="command">inet</strong></span> control channel is a TCP socket + listening at the specified <span><strong class="command">ip_port</strong></span> on the + specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 + address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is + interpreted as the IPv4 wildcard address; connections will be + accepted on any of the system's IPv4 addresses. + To listen on the IPv6 wildcard address, + use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. + If you will only use <span><strong class="command">rndc</strong></span> on the local host, + using the loopback address (<code class="literal">127.0.0.1</code> + or <code class="literal">::1</code>) is recommended for maximum security. + </p> +<p> + If no port is specified, port 953 is used. The asterisk + "<code class="literal">*</code>" cannot be used for <span><strong class="command">ip_port</strong></span>. + </p> +<p> + The ability to issue commands over the control channel is + restricted by the <span><strong class="command">allow</strong></span> and + <span><strong class="command">keys</strong></span> clauses. + Connections to the control channel are permitted based on the + <span><strong class="command">address_match_list</strong></span>. This is for simple + IP address based filtering only; any <span><strong class="command">key_id</strong></span> + elements of the <span><strong class="command">address_match_list</strong></span> + are ignored. + </p> +<p> + A <span><strong class="command">unix</strong></span> control channel is a UNIX domain + socket listening at the specified path in the file system. + Access to the socket is specified by the <span><strong class="command">perm</strong></span>, + <span><strong class="command">owner</strong></span> and <span><strong class="command">group</strong></span> clauses. + Note on some platforms (SunOS and Solaris) the permissions + (<span><strong class="command">perm</strong></span>) are applied to the parent directory + as the permissions on the socket itself are ignored. + </p> +<p> + The primary authorization mechanism of the command + channel is the <span><strong class="command">key_list</strong></span>, which + contains a list of <span><strong class="command">key_id</strong></span>s. + Each <span><strong class="command">key_id</strong></span> in the <span><strong class="command">key_list</strong></span> + is authorized to execute commands over the control channel. + See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called “Administrative Tools”</a>) + for information about configuring keys in <span><strong class="command">rndc</strong></span>. + </p> +<p> + If no <span><strong class="command">controls</strong></span> statement is present, + <span><strong class="command">named</strong></span> will set up a default + control channel listening on the loopback address 127.0.0.1 + and its IPv6 counterpart ::1. + In this case, and also when the <span><strong class="command">controls</strong></span> statement + is present but does not have a <span><strong class="command">keys</strong></span> clause, + <span><strong class="command">named</strong></span> will attempt to load the command channel key + from the file <code class="filename">rndc.key</code> in + <code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code> + was specified as when <acronym class="acronym">BIND</acronym> was built). + To create a <code class="filename">rndc.key</code> file, run + <strong class="userinput"><code>rndc-confgen -a</code></strong>. + </p> +<p> + The <code class="filename">rndc.key</code> feature was created to + ease the transition of systems from <acronym class="acronym">BIND</acronym> 8, + which did not have digital signatures on its command channel + messages and thus did not have a <span><strong class="command">keys</strong></span> clause. + + It makes it possible to use an existing <acronym class="acronym">BIND</acronym> 8 + configuration file in <acronym class="acronym">BIND</acronym> 9 unchanged, + and still have <span><strong class="command">rndc</strong></span> work the same way + <span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the + command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is + installed. + </p> +<p> + Since the <code class="filename">rndc.key</code> feature + is only intended to allow the backward-compatible usage of + <acronym class="acronym">BIND</acronym> 8 configuration files, this + feature does not + have a high degree of configurability. You cannot easily change + the key name or the size of the secret, so you should make a + <code class="filename">rndc.conf</code> with your own key if you + wish to change + those things. The <code class="filename">rndc.key</code> file + also has its + permissions set such that only the owner of the file (the user that + <span><strong class="command">named</strong></span> is running as) can access it. + If you + desire greater flexibility in allowing other users to access + <span><strong class="command">rndc</strong></span> commands, then you need to create + a + <code class="filename">rndc.conf</code> file and make it group + readable by a group + that contains the users who should have access. + </p> +<p> + To disable the command channel, use an empty + <span><strong class="command">controls</strong></span> statement: + <span><strong class="command">controls { };</strong></span>. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2575921"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2575938"></a><span><strong class="command">include</strong></span> Statement Definition and + Usage</h3></div></div></div> +<p> + The <span><strong class="command">include</strong></span> statement inserts the + specified file at the point where the <span><strong class="command">include</strong></span> + statement is encountered. The <span><strong class="command">include</strong></span> + statement facilitates the administration of configuration + files + by permitting the reading or writing of some things but not + others. For example, the statement could include private keys + that are readable only by the name server. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2575961"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> { + algorithm <em class="replaceable"><code>string</code></em>; + secret <em class="replaceable"><code>string</code></em>; +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2575985"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div> +<p> + The <span><strong class="command">key</strong></span> statement defines a shared + secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) + or the command channel + (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and + Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and + Usage”</a>). + </p> +<p> + The <span><strong class="command">key</strong></span> statement can occur at the + top level + of the configuration file or inside a <span><strong class="command">view</strong></span> + statement. Keys defined in top-level <span><strong class="command">key</strong></span> + statements can be used in all views. Keys intended for use in + a <span><strong class="command">controls</strong></span> statement + (see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and + Usage">the section called “<span><strong class="command">controls</strong></span> Statement Definition and + Usage”</a>) + must be defined at the top level. + </p> +<p> + The <em class="replaceable"><code>key_id</code></em>, also known as the + key name, is a domain name uniquely identifying the key. It can + be used in a <span><strong class="command">server</strong></span> + statement to cause requests sent to that + server to be signed with this key, or in address match lists to + verify that incoming requests have been signed with a key + matching this name, algorithm, and secret. + </p> +<p> + The <em class="replaceable"><code>algorithm_id</code></em> is a string + that specifies a security/authentication algorithm. Named + supports <code class="literal">hmac-md5</code>, + <code class="literal">hmac-sha1</code>, <code class="literal">hmac-sha224</code>, + <code class="literal">hmac-sha256</code>, <code class="literal">hmac-sha384</code> + and <code class="literal">hmac-sha512</code> TSIG authentication. + Truncated hashes are supported by appending the minimum + number of required bits preceded by a dash, e.g. + <code class="literal">hmac-sha1-80</code>. The + <em class="replaceable"><code>secret_string</code></em> is the secret + to be used by the algorithm, and is treated as a base-64 + encoded string. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2576075"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">logging</strong></span> { + [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> { + ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em> + [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ] + [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size_spec</code></em> ] + | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em> + | <span><strong class="command">stderr</strong></span> + | <span><strong class="command">null</strong></span> ); + [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> | + <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ] + [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ] + }; ] + [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> { + <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_name</code></em> ; ... ] + }; ] + ... +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2576269"></a><span><strong class="command">logging</strong></span> Statement Definition and + Usage</h3></div></div></div> +<p> + The <span><strong class="command">logging</strong></span> statement configures a + wide + variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase + associates output methods, format options and severity levels with + a name that can then be used with the <span><strong class="command">category</strong></span> phrase + to select how various classes of messages are logged. + </p> +<p> + Only one <span><strong class="command">logging</strong></span> statement is used to + define + as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement, + the logging configuration will be: + </p> +<pre class="programlisting">logging { + category default { default_syslog; default_debug; }; + category unmatched { null; }; +}; +</pre> +<p> + In <acronym class="acronym">BIND</acronym> 9, the logging configuration + is only established when + the entire configuration file has been parsed. In <acronym class="acronym">BIND</acronym> 8, it was + established as soon as the <span><strong class="command">logging</strong></span> + statement + was parsed. When the server is starting up, all logging messages + regarding syntax errors in the configuration file go to the default + channels, or to standard error if the "<code class="option">-g</code>" option + was specified. + </p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2576322"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div> +<p> + All log output goes to one or more <span class="emphasis"><em>channels</em></span>; + you can make as many of them as you want. + </p> +<p> + Every channel definition must include a destination clause that + says whether messages selected for the channel go to a file, to a + particular syslog facility, to the standard error stream, or are + discarded. It can optionally also limit the message severity level + that will be accepted by the channel (the default is + <span><strong class="command">info</strong></span>), and whether to include a + <span><strong class="command">named</strong></span>-generated time stamp, the + category name + and/or severity level (the default is not to include any). + </p> +<p> + The <span><strong class="command">null</strong></span> destination clause + causes all messages sent to the channel to be discarded; + in that case, other options for the channel are meaningless. + </p> +<p> + The <span><strong class="command">file</strong></span> destination clause directs + the channel + to a disk file. It can include limitations + both on how large the file is allowed to become, and how many + versions + of the file will be saved each time the file is opened. + </p> +<p> + If you use the <span><strong class="command">versions</strong></span> log file + option, then + <span><strong class="command">named</strong></span> will retain that many backup + versions of the file by + renaming them when opening. For example, if you choose to keep + three old versions + of the file <code class="filename">lamers.log</code>, then just + before it is opened + <code class="filename">lamers.log.1</code> is renamed to + <code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed + to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is + renamed to <code class="filename">lamers.log.0</code>. + You can say <span><strong class="command">versions unlimited</strong></span> to + not limit + the number of versions. + If a <span><strong class="command">size</strong></span> option is associated with + the log file, + then renaming is only done when the file being opened exceeds the + indicated size. No backup versions are kept by default; any + existing + log file is simply appended. + </p> +<p> + The <span><strong class="command">size</strong></span> option for files is used + to limit log + growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will + stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option + associated with it. If backup versions are kept, the files are + rolled as + described above and a new one begun. If there is no + <span><strong class="command">versions</strong></span> option, no more data will + be written to the log + until some out-of-band mechanism removes or truncates the log to + less than the + maximum size. The default behavior is not to limit the size of + the + file. + </p> +<p> + Example usage of the <span><strong class="command">size</strong></span> and + <span><strong class="command">versions</strong></span> options: + </p> +<pre class="programlisting">channel an_example_channel { + file "example.log" versions 3 size 20m; + print-time yes; + print-category yes; +}; +</pre> +<p> + The <span><strong class="command">syslog</strong></span> destination clause + directs the + channel to the system log. Its argument is a + syslog facility as described in the <span><strong class="command">syslog</strong></span> man + page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>, + <span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>, + <span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>, + <span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>, + <span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>, + <span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>, + <span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and + <span><strong class="command">local7</strong></span>, however not all facilities + are supported on + all operating systems. + How <span><strong class="command">syslog</strong></span> will handle messages + sent to + this facility is described in the <span><strong class="command">syslog.conf</strong></span> man + page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that + only uses two arguments to the <span><strong class="command">openlog()</strong></span> function, + then this clause is silently ignored. + </p> +<p> + The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s + "priorities", except that they can also be used if you are writing + straight to a file rather than using <span><strong class="command">syslog</strong></span>. + Messages which are not at least of the severity level given will + not be selected for the channel; messages of higher severity + levels + will be accepted. + </p> +<p> + If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities + will also determine what eventually passes through. For example, + defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but + only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will + cause messages of severity <span><strong class="command">info</strong></span> and + <span><strong class="command">notice</strong></span> to + be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing + messages of only <span><strong class="command">warning</strong></span> or higher, + then <span><strong class="command">syslogd</strong></span> would + print all messages it received from the channel. + </p> +<p> + The <span><strong class="command">stderr</strong></span> destination clause + directs the + channel to the server's standard error stream. This is intended + for + use when the server is running as a foreground process, for + example + when debugging a configuration. + </p> +<p> + The server can supply extensive debugging information when + it is in debugging mode. If the server's global debug level is + greater + than zero, then debugging mode will be active. The global debug + level is set either by starting the <span><strong class="command">named</strong></span> server + with the <code class="option">-d</code> flag followed by a positive integer, + or by running <span><strong class="command">rndc trace</strong></span>. + The global debug level + can be set to zero, and debugging mode turned off, by running <span><strong class="command">rndc +notrace</strong></span>. All debugging messages in the server have a debug + level, and higher debug levels give more detailed output. Channels + that specify a specific debug severity, for example: + </p> +<pre class="programlisting">channel specific_debug_level { + file "foo"; + severity debug 3; +}; +</pre> +<p> + will get debugging output of level 3 or less any time the + server is in debugging mode, regardless of the global debugging + level. Channels with <span><strong class="command">dynamic</strong></span> + severity use the + server's global debug level to determine what messages to print. + </p> +<p> + If <span><strong class="command">print-time</strong></span> has been turned on, + then + the date and time will be logged. <span><strong class="command">print-time</strong></span> may + be specified for a <span><strong class="command">syslog</strong></span> channel, + but is usually + pointless since <span><strong class="command">syslog</strong></span> also logs + the date and + time. If <span><strong class="command">print-category</strong></span> is + requested, then the + category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is + on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may + be used in any combination, and will always be printed in the + following + order: time, category, severity. Here is an example where all + three <span><strong class="command">print-</strong></span> options + are on: + </p> +<p> + <code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code> + </p> +<p> + There are four predefined channels that are used for + <span><strong class="command">named</strong></span>'s default logging as follows. + How they are + used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called “The <span><strong class="command">category</strong></span> Phrase”</a>. + </p> +<pre class="programlisting">channel default_syslog { + // send to syslog's daemon facility + syslog daemon; + // only send priority info and higher + severity info; + +channel default_debug { + // write to named.run in the working directory + // Note: stderr is used instead of "named.run" if + // the server is started with the '-f' option. + file "named.run"; + // log at the server's current debug level + severity dynamic; +}; + +channel default_stderr { + // writes to stderr + stderr; + // only send priority info and higher + severity info; +}; + +channel null { + // toss anything sent to this channel + null; +}; +</pre> +<p> + The <span><strong class="command">default_debug</strong></span> channel has the + special + property that it only produces output when the server's debug + level is + nonzero. It normally writes to a file called <code class="filename">named.run</code> + in the server's working directory. + </p> +<p> + For security reasons, when the "<code class="option">-u</code>" + command line option is used, the <code class="filename">named.run</code> file + is created only after <span><strong class="command">named</strong></span> has + changed to the + new UID, and any debug output generated while <span><strong class="command">named</strong></span> is + starting up and still running as root is discarded. If you need + to capture this output, you must run the server with the "<code class="option">-g</code>" + option and redirect standard error to a file. + </p> +<p> + Once a channel is defined, it cannot be redefined. Thus you + cannot alter the built-in channels directly, but you can modify + the default logging by pointing categories at channels you have + defined. + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div> +<p> + There are many categories, so you can send the logs you want + to see wherever you want, without seeing logs you don't want. If + you don't specify a list of channels for a category, then log + messages + in that category will be sent to the <span><strong class="command">default</strong></span> category + instead. If you don't specify a default category, the following + "default default" is used: + </p> +<pre class="programlisting">category default { default_syslog; default_debug; }; +</pre> +<p> + As an example, let's say you want to log security events to + a file, but you also want keep the default logging behavior. You'd + specify the following: + </p> +<pre class="programlisting">channel my_security_channel { + file "my_security_file"; + severity info; +}; +category security { + my_security_channel; + default_syslog; + default_debug; +};</pre> +<p> + To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel: + </p> +<pre class="programlisting">category xfer-out { null; }; +category notify { null; }; +</pre> +<p> + Following are the available categories and brief descriptions + of the types of log information they contain. More + categories may be added in future <acronym class="acronym">BIND</acronym> releases. + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p><span><strong class="command">default</strong></span></p> + </td> +<td> + <p> + The default category defines the logging + options for those categories where no specific + configuration has been + defined. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">general</strong></span></p> + </td> +<td> + <p> + The catch-all. Many things still aren't + classified into categories, and they all end up here. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">database</strong></span></p> + </td> +<td> + <p> + Messages relating to the databases used + internally by the name server to store zone and cache + data. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">security</strong></span></p> + </td> +<td> + <p> + Approval and denial of requests. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">config</strong></span></p> + </td> +<td> + <p> + Configuration file parsing and processing. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">resolver</strong></span></p> + </td> +<td> + <p> + DNS resolution, such as the recursive + lookups performed on behalf of clients by a caching name + server. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">xfer-in</strong></span></p> + </td> +<td> + <p> + Zone transfers the server is receiving. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">xfer-out</strong></span></p> + </td> +<td> + <p> + Zone transfers the server is sending. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">notify</strong></span></p> + </td> +<td> + <p> + The NOTIFY protocol. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">client</strong></span></p> + </td> +<td> + <p> + Processing of client requests. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">unmatched</strong></span></p> + </td> +<td> + <p> + Messages that <span><strong class="command">named</strong></span> was unable to determine the + class of or for which there was no matching <span><strong class="command">view</strong></span>. + A one line summary is also logged to the <span><strong class="command">client</strong></span> category. + This category is best sent to a file or stderr, by + default it is sent to + the <span><strong class="command">null</strong></span> channel. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">network</strong></span></p> + </td> +<td> + <p> + Network operations. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">update</strong></span></p> + </td> +<td> + <p> + Dynamic updates. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">update-security</strong></span></p> + </td> +<td> + <p> + Approval and denial of update requests. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">queries</strong></span></p> + </td> +<td> + <p> + Specify where queries should be logged to. + </p> + <p> + At startup, specifying the category <span><strong class="command">queries</strong></span> will also + enable query logging unless <span><strong class="command">querylog</strong></span> option has been + specified. + </p> + + <p> + The query log entry reports the client's IP + address and port number, and the query name, + class and type. Next it reports whether the + Recursion Desired flag was set (+ if set, - + if not set), if the query was signed (S), + EDNS was in use (E), if TCP was used (T), if + DO (DNSSEC Ok) was set (D), or if CD (Checking + Disabled) was set (C). After this the + destination address the query was sent to is + reported. + </p> + + <p> + <code class="computeroutput">client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE</code> + </p> + <p> + <code class="computeroutput">client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE</code> + </p> + <p> + (The first part of this log message, showing the + client address/port number and query name, is + repeated in all subsequent log messages related + to the same query.) + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">query-errors</strong></span></p> + </td> +<td> + <p> + Information about queries that resulted in some + failure. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">dispatch</strong></span></p> + </td> +<td> + <p> + Dispatching of incoming packets to the + server modules where they are to be processed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">dnssec</strong></span></p> + </td> +<td> + <p> + DNSSEC and TSIG protocol processing. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">lame-servers</strong></span></p> + </td> +<td> + <p> + Lame servers. These are misconfigurations + in remote servers, discovered by BIND 9 when trying to + query those servers during resolution. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">delegation-only</strong></span></p> + </td> +<td> + <p> + Delegation only. Logs queries that have been + forced to NXDOMAIN as the result of a + delegation-only zone or a + <span><strong class="command">delegation-only</strong></span> in a hint + or stub zone declaration. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">edns-disabled</strong></span></p> + </td> +<td> + <p> + Log queries that have been forced to use plain + DNS due to timeouts. This is often due to + the remote servers not being RFC 1034 compliant + (not always returning FORMERR or similar to + EDNS queries and other extensions to the DNS + when they are not understood). In other words, this is + targeted at servers that fail to respond to + DNS queries that they don't understand. + </p> + <p> + Note: the log message can also be due to + packet loss. Before reporting servers for + non-RFC 1034 compliance they should be re-tested + to determine the nature of the non-compliance. + This testing should prevent or reduce the + number of false-positive reports. + </p> + <p> + Note: eventually <span><strong class="command">named</strong></span> will have to stop + treating such timeouts as due to RFC 1034 non + compliance and start treating it as plain + packet loss. Falsely classifying packet + loss as due to RFC 1034 non compliance impacts + on DNSSEC validation which requires EDNS for + the DNSSEC records to be returned. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">RPZ</strong></span></p> + </td> +<td> + <p> + Information about errors in response policy zone files, + rewritten responses, and at the highest + <span><strong class="command">debug</strong></span> levels, mere rewriting + attempts. + </p> + </td> +</tr> +</tbody> +</table></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2577777"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div> +<p> + The <span><strong class="command">query-errors</strong></span> category is + specifically intended for debugging purposes: To identify + why and how specific queries result in responses which + indicate an error. + Messages of this category are therefore only logged + with <span><strong class="command">debug</strong></span> levels. + </p> +<p> + At the debug levels of 1 or higher, each response with the + rcode of SERVFAIL is logged as follows: + </p> +<p> + <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code> + </p> +<p> + This means an error resulting in SERVFAIL was + detected at line 3880 of source file + <code class="filename">query.c</code>. + Log messages of this level will particularly + help identify the cause of SERVFAIL for an + authoritative server. + </p> +<p> + At the debug levels of 2 or higher, detailed context + information of recursive resolutions that resulted in + SERVFAIL is logged. + The log message will look like as follows: + </p> +<p> + + </p> +<pre class="programlisting"> +fetch completed at resolver.c:2970 for www.example.com/A +in 30.000183: timed out/success [domain:example.com, +referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0, +badresp:1,adberr:0,findfail:0,valfail:0] + </pre> +<p> + </p> +<p> + The first part before the colon shows that a recursive + resolution for AAAA records of www.example.com completed + in 30.000183 seconds and the final result that led to the + SERVFAIL was determined at line 2970 of source file + <code class="filename">resolver.c</code>. + </p> +<p> + The following part shows the detected final result and the + latest result of DNSSEC validation. + The latter is always success when no validation attempt + is made. + In this example, this query resulted in SERVFAIL probably + because all name servers are down or unreachable, leading + to a timeout in 30 seconds. + DNSSEC validation was probably not attempted. + </p> +<p> + The last part enclosed in square brackets shows statistics + information collected for this particular resolution + attempt. + The <code class="varname">domain</code> field shows the deepest zone + that the resolver reached; + it is the zone where the error was finally detected. + The meaning of the other fields is summarized in the + following table. + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p><code class="varname">referral</code></p> + </td> +<td> + <p> + The number of referrals the resolver received + throughout the resolution process. + In the above example this is 2, which are most + likely com and example.com. + </p> + </td> +</tr> +<tr> +<td> + <p><code class="varname">restart</code></p> + </td> +<td> + <p> + The number of cycles that the resolver tried + remote servers at the <code class="varname">domain</code> + zone. + In each cycle the resolver sends one query + (possibly resending it, depending on the response) + to each known name server of + the <code class="varname">domain</code> zone. + </p> + </td> +</tr> +<tr> +<td> + <p><code class="varname">qrysent</code></p> + </td> +<td> + <p> + The number of queries the resolver sent at the + <code class="varname">domain</code> zone. + </p> + </td> +</tr> +<tr> +<td> + <p><code class="varname">timeout</code></p> + </td> +<td> + <p> + The number of timeouts since the resolver + received the last response. + </p> + </td> +</tr> +<tr> +<td> + <p><code class="varname">lame</code></p> + </td> +<td> + <p> + The number of lame servers the resolver detected + at the <code class="varname">domain</code> zone. + A server is detected to be lame either by an + invalid response or as a result of lookup in + BIND9's address database (ADB), where lame + servers are cached. + </p> + </td> +</tr> +<tr> +<td> + <p><code class="varname">neterr</code></p> + </td> +<td> + <p> + The number of erroneous results that the + resolver encountered in sending queries + at the <code class="varname">domain</code> zone. + One common case is the remote server is + unreachable and the resolver receives an ICMP + unreachable error message. + </p> + </td> +</tr> +<tr> +<td> + <p><code class="varname">badresp</code></p> + </td> +<td> + <p> + The number of unexpected responses (other than + <code class="varname">lame</code>) to queries sent by the + resolver at the <code class="varname">domain</code> zone. + </p> + </td> +</tr> +<tr> +<td> + <p><code class="varname">adberr</code></p> + </td> +<td> + <p> + Failures in finding remote server addresses + of the <code class="varname">domain</code> zone in the ADB. + One common case of this is that the remote + server's name does not have any address records. + </p> + </td> +</tr> +<tr> +<td> + <p><code class="varname">findfail</code></p> + </td> +<td> + <p> + Failures of resolving remote server addresses. + This is a total number of failures throughout + the resolution process. + </p> + </td> +</tr> +<tr> +<td> + <p><code class="varname">valfail</code></p> + </td> +<td> + <p> + Failures of DNSSEC validation. + Validation failures are counted throughout + the resolution process (not limited to + the <code class="varname">domain</code> zone), but should + only happen in <code class="varname">domain</code>. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + At the debug levels of 3 or higher, the same messages + as those at the debug 1 level are logged for other errors + than SERVFAIL. + Note that negative responses such as NXDOMAIN are not + regarded as errors here. + </p> +<p> + At the debug levels of 4 or higher, the same messages + as those at the debug 2 level are logged for other errors + than SERVFAIL. + Unlike the above case of level 3, messages are logged for + negative responses. + This is because any unexpected results can be difficult to + debug in the recursion case. + </p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2578364"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div> +<p> + This is the grammar of the <span><strong class="command">lwres</strong></span> + statement in the <code class="filename">named.conf</code> file: + </p> +<pre class="programlisting"><span><strong class="command">lwres</strong></span> { + [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; + [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>] + [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>] + [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>] +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2578438"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div> +<p> + The <span><strong class="command">lwres</strong></span> statement configures the + name + server to also act as a lightweight resolver server. (See + <a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called “Running a Resolver Daemon”</a>.) There may be multiple + <span><strong class="command">lwres</strong></span> statements configuring + lightweight resolver servers with different properties. + </p> +<p> + The <span><strong class="command">listen-on</strong></span> statement specifies a + list of + addresses (and ports) that this instance of a lightweight resolver + daemon + should accept requests on. If no port is specified, port 921 is + used. + If this statement is omitted, requests will be accepted on + 127.0.0.1, + port 921. + </p> +<p> + The <span><strong class="command">view</strong></span> statement binds this + instance of a + lightweight resolver daemon to a view in the DNS namespace, so that + the + response will be constructed in the same manner as a normal DNS + query + matching this view. If this statement is omitted, the default view + is + used, and if there is no default view, an error is triggered. + </p> +<p> + The <span><strong class="command">search</strong></span> statement is equivalent to + the + <span><strong class="command">search</strong></span> statement in + <code class="filename">/etc/resolv.conf</code>. It provides a + list of domains + which are appended to relative names in queries. + </p> +<p> + The <span><strong class="command">ndots</strong></span> statement is equivalent to + the + <span><strong class="command">ndots</strong></span> statement in + <code class="filename">/etc/resolv.conf</code>. It indicates the + minimum + number of dots in a relative domain name that should result in an + exact match lookup before search path elements are appended. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2578502"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"> +<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | + <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2578546"></a><span><strong class="command">masters</strong></span> Statement Definition and + Usage</h3></div></div></div> +<p><span><strong class="command">masters</strong></span> + lists allow for a common set of masters to be easily used by + multiple stub and slave zones in their <span><strong class="command">masters</strong></span> + or <span><strong class="command">also-notify</strong></span> lists. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2578567"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div> +<p> + This is the grammar of the <span><strong class="command">options</strong></span> + statement in the <code class="filename">named.conf</code> file: + </p> +<pre class="programlisting"><span><strong class="command">options</strong></span> { + [<span class="optional"> attach-cache <em class="replaceable"><code>cache_name</code></em>; </span>] + [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>] + [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>] + [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>] + [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> managed-keys-directory <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> tkey-gssapi-keytab <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>] + [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>] + [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>] + [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> bindkeys-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> secroots-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> session-keyfile <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> session-keyname <em class="replaceable"><code>key_name</code></em>; </span>] + [<span class="optional"> session-keyalg <em class="replaceable"><code>algorithm_id</code></em>; </span>] + [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] + [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>] + [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em>; </span>] + [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> request-nsid <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>] + [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-validation (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">auto</code>); </span>] + [<span class="optional"> dnssec-lookaside ( <em class="replaceable"><code>auto</code></em> | + <em class="replaceable"><code>no</code></em> | + <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em> ); </span>] + [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-accept-expired <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>] + [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { + ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] | + <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; + ... }; </span>] + [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> ) + ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] + [<span class="optional"> check-dup-records ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] + [<span class="optional"> check-mx ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] + [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> check-mx-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] + [<span class="optional"> check-srv-cname ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] + [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] + [<span class="optional"> allow-new-zones { <em class="replaceable"><code>yes_or_no</code></em> }; </span>] + [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>] + [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ;</span>] + [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] + [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] + [<span class="optional"> use-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] + [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>] + [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> query-source ( ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) + [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] | + [<span class="optional"> address ( <em class="replaceable"><code>ip4_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] + [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>] + [<span class="optional"> query-source-v6 ( ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) + [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] | + [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] + [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>] + [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> reserved-sockets <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>] + [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>] + [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; + [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>keyname</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] + [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>]; + [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>]; + [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] }; + [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] + [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>] + [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>] + [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> filter-aaaa-on-v4 ( <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>break-dnssec</code></em> ); </span>] + [<span class="optional"> filter-aaaa { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> dns64 <em class="replaceable"><code>IPv6-prefix</code></em> { + [<span class="optional"> clients { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> mapped { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> exclude { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> suffix IPv6-address; </span>] + [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em>; </span>] + }; </span>]; + [<span class="optional"> dns64-server <em class="replaceable"><code>name</code></em> </span>] + [<span class="optional"> dns64-contact <em class="replaceable"><code>name</code></em> </span>] + [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>] + [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-rsa-exponent-size <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>] + [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; + [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>] + [<span class="optional"> acache-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> acache-cleaning-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> max-acache-size <em class="replaceable"><code>size_spec</code></em> ; </span>] + [<span class="optional"> clients-per-query <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-clients-per-query <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] + [<span class="optional"> empty-server <em class="replaceable"><code>name</code></em> ; </span>] + [<span class="optional"> empty-contact <em class="replaceable"><code>name</code></em> ; </span>] + [<span class="optional"> empty-zones-enable <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> disable-empty-zone <em class="replaceable"><code>zone_name</code></em> ; </span>] + [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> zero-no-soa-ttl-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> resolver-query-timeout <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> deny-answer-addresses { <em class="replaceable"><code>address_match_list</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>] + [<span class="optional"> deny-answer-aliases { <em class="replaceable"><code>namelist</code></em> } [<span class="optional"> except-from { <em class="replaceable"><code>namelist</code></em> } </span>];</span>] + [<span class="optional"> response-policy { <em class="replaceable"><code>zone_name</code></em> + [<span class="optional"> policy given | disabled | passthru | nxdomain | nodata | cname <em class="replaceable"><code>domain</code></em> </span>] + [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] ; + } [<span class="optional"> recursive-only <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> max-policy-ttl <em class="replaceable"><code>number</code></em> </span>] + [<span class="optional"> break-dnssec <em class="replaceable"><code>yes_or_no</code></em> </span>] [<span class="optional"> min-ns-dots <em class="replaceable"><code>number</code></em> </span>] ; </span>] +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and + Usage</h3></div></div></div> +<p> + The <span><strong class="command">options</strong></span> statement sets up global + options + to be used by <acronym class="acronym">BIND</acronym>. This statement + may appear only + once in a configuration file. If there is no <span><strong class="command">options</strong></span> + statement, an options block with each option set to its default will + be used. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">attach-cache</strong></span></span></dt> +<dd> +<p> + Allows multiple views to share a single cache + database. + Each view has its own cache database by default, but + if multiple views have the same operational policy + for name resolution and caching, those views can + share a single cache to save memory and possibly + improve resolution efficiency by using this option. + </p> +<p> + The <span><strong class="command">attach-cache</strong></span> option + may also be specified in <span><strong class="command">view</strong></span> + statements, in which case it overrides the + global <span><strong class="command">attach-cache</strong></span> option. + </p> +<p> + The <em class="replaceable"><code>cache_name</code></em> specifies + the cache to be shared. + When the <span><strong class="command">named</strong></span> server configures + views which are supposed to share a cache, it + creates a cache with the specified name for the + first view of these sharing views. + The rest of the views will simply refer to the + already created cache. + </p> +<p> + One common configuration to share a cache would be to + allow all views to share a single cache. + This can be done by specifying + the <span><strong class="command">attach-cache</strong></span> as a global + option with an arbitrary name. + </p> +<p> + Another possible operation is to allow a subset of + all views to share a cache while the others to + retain their own caches. + For example, if there are three views A, B, and C, + and only A and B should share a cache, specify the + <span><strong class="command">attach-cache</strong></span> option as a view A (or + B)'s option, referring to the other view name: + </p> +<pre class="programlisting"> + view "A" { + // this view has its own cache + ... + }; + view "B" { + // this view refers to A's cache + attach-cache "A"; + }; + view "C" { + // this view has its own cache + ... + }; +</pre> +<p> + Views that share a cache must have the same policy + on configurable parameters that may affect caching. + The current implementation requires the following + configurable options be consistent among these + views: + <span><strong class="command">check-names</strong></span>, + <span><strong class="command">cleaning-interval</strong></span>, + <span><strong class="command">dnssec-accept-expired</strong></span>, + <span><strong class="command">dnssec-validation</strong></span>, + <span><strong class="command">max-cache-ttl</strong></span>, + <span><strong class="command">max-ncache-ttl</strong></span>, + <span><strong class="command">max-cache-size</strong></span>, and + <span><strong class="command">zero-no-soa-ttl</strong></span>. + </p> +<p> + Note that there may be other parameters that may + cause confusion if they are inconsistent for + different views that share a single cache. + For example, if these views define different sets of + forwarders that can return different answers for the + same question, sharing the answer does not make + sense or could even be harmful. + It is administrator's responsibility to ensure + configuration differences in different views do + not cause disruption with a shared cache. + </p> +</dd> +<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt> +<dd><p> + The working directory of the server. + Any non-absolute pathnames in the configuration file will be + taken + as relative to this directory. The default location for most + server + output files (e.g. <code class="filename">named.run</code>) + is this directory. + If a directory is not specified, the working directory + defaults to `<code class="filename">.</code>', the directory from + which the server + was started. The directory specified should be an absolute + path. + </p></dd> +<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> +<dd><p> + When performing dynamic update of secure zones, the + directory where the public and private DNSSEC key files + should be found, if different than the current working + directory. (Note that this option has no effect on the + paths for files containing non-DNSSEC keys such as + <code class="filename">bind.keys</code>, + <code class="filename">rndc.key</code> or + <code class="filename">session.key</code>.) + </p></dd> +<dt><span class="term"><span><strong class="command">managed-keys-directory</strong></span></span></dt> +<dd> +<p> + Specifies the directory in which to store the files that + track managed DNSSEC keys. By default, this is the working + directory. + </p> +<p> + If <span><strong class="command">named</strong></span> is not configured to use views, + then managed keys for the server will be tracked in a single + file called <code class="filename">managed-keys.bind</code>. + Otherwise, managed keys will be tracked in separate files, + one file per view; each file name will be the SHA256 hash + of the view name, followed by the extension + <code class="filename">.mkeys</code>. + </p> +</dd> +<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt> +<dd><p> + <span class="emphasis"><em>This option is obsolete.</em></span> It + was used in <acronym class="acronym">BIND</acronym> 8 to specify + the pathname to the <span><strong class="command">named-xfer</strong></span> + program. In <acronym class="acronym">BIND</acronym> 9, no separate + <span><strong class="command">named-xfer</strong></span> program is needed; + its functionality is built into the name server. + </p></dd> +<dt><span class="term"><span><strong class="command">tkey-gssapi-keytab</strong></span></span></dt> +<dd><p> + The KRB5 keytab file to use for GSS-TSIG updates. If + this option is set and tkey-gssapi-credential is not + set, then updates will be allowed with any key + matching a principal in the specified keytab. + </p></dd> +<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt> +<dd><p> + The security credential with which the server should + authenticate keys requested by the GSS-TSIG protocol. + Currently only Kerberos 5 authentication is available + and the credential is a Kerberos principal which the + server can acquire through the default system key + file, normally <code class="filename">/etc/krb5.keytab</code>. + The location keytab file can be overridden using the + tkey-gssapi-keytab option. Normally this principal is + of the form "<strong class="userinput"><code>DNS/</code></strong><code class="varname">server.domain</code>". + To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span> must + also be set if a specific keytab is not set with + tkey-gssapi-keytab. + </p></dd> +<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt> +<dd><p> + The domain appended to the names of all shared keys + generated with <span><strong class="command">TKEY</strong></span>. When a + client requests a <span><strong class="command">TKEY</strong></span> exchange, + it may or may not specify the desired name for the + key. If present, the name of the shared key will + be <code class="varname">client specified part</code> + + <code class="varname">tkey-domain</code>. Otherwise, the + name of the shared key will be <code class="varname">random hex + digits</code> + <code class="varname">tkey-domain</code>. + In most cases, the <span><strong class="command">domainname</strong></span> + should be the server's domain name, or an otherwise + non-existent subdomain like + "_tkey.<code class="varname">domainname</code>". If you are + using GSS-TSIG, this variable must be defined, unless + you specify a specific keytab using tkey-gssapi-keytab. + </p></dd> +<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt> +<dd><p> + The Diffie-Hellman key used by the server + to generate shared keys with clients using the Diffie-Hellman + mode + of <span><strong class="command">TKEY</strong></span>. The server must be + able to load the + public and private keys from files in the working directory. + In + most cases, the keyname should be the server's host name. + </p></dd> +<dt><span class="term"><span><strong class="command">cache-file</strong></span></span></dt> +<dd><p> + This is for testing only. Do not use. + </p></dd> +<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt> +<dd><p> + The pathname of the file the server dumps + the database to when instructed to do so with + <span><strong class="command">rndc dumpdb</strong></span>. + If not specified, the default is <code class="filename">named_dump.db</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt> +<dd><p> + The pathname of the file the server writes memory + usage statistics to on exit. If not specified, + the default is <code class="filename">named.memstats</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt> +<dd><p> + The pathname of the file the server writes its process ID + in. If not specified, the default is + <code class="filename">/var/run/named/named.pid</code>. + The PID file is used by programs that want to send signals to + the running + name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the + use of a PID file — no file will be written and any + existing one will be removed. Note that <span><strong class="command">none</strong></span> + is a keyword, not a filename, and therefore is not enclosed + in + double quotes. + </p></dd> +<dt><span class="term"><span><strong class="command">recursing-file</strong></span></span></dt> +<dd><p> + The pathname of the file the server dumps + the queries that are currently recursing when instructed + to do so with <span><strong class="command">rndc recursing</strong></span>. + If not specified, the default is <code class="filename">named.recursing</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt> +<dd><p> + The pathname of the file the server appends statistics + to when instructed to do so using <span><strong class="command">rndc stats</strong></span>. + If not specified, the default is <code class="filename">named.stats</code> in the + server's current directory. The format of the file is + described + in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">bindkeys-file</strong></span></span></dt> +<dd><p> + The pathname of a file to override the built-in trusted + keys provided by <span><strong class="command">named</strong></span>. + See the discussion of <span><strong class="command">dnssec-lookaside</strong></span> + and <span><strong class="command">dnssec-validation</strong></span> for details. + If not specified, the default is + <code class="filename">/etc/bind.keys</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">secroots-file</strong></span></span></dt> +<dd><p> + The pathname of the file the server dumps + security roots to when instructed to do so with + <span><strong class="command">rndc secroots</strong></span>. + If not specified, the default is + <code class="filename">named.secroots</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">session-keyfile</strong></span></span></dt> +<dd><p> + The pathname of the file into which to write a TSIG + session key generated by <span><strong class="command">named</strong></span> for use by + <span><strong class="command">nsupdate -l</strong></span>. If not specified, the + default is <code class="filename">/var/run/named/session.key</code>. + (See <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>, and in + particular the discussion of the + <span><strong class="command">update-policy</strong></span> statement's + <strong class="userinput"><code>local</code></strong> option for more + information about this feature.) + </p></dd> +<dt><span class="term"><span><strong class="command">session-keyname</strong></span></span></dt> +<dd><p> + The key name to use for the TSIG session key. + If not specified, the default is "local-ddns". + </p></dd> +<dt><span class="term"><span><strong class="command">session-keyalg</strong></span></span></dt> +<dd><p> + The algorithm to use for the TSIG session key. + Valid values are hmac-sha1, hmac-sha224, hmac-sha256, + hmac-sha384, hmac-sha512 and hmac-md5. If not + specified, the default is hmac-sha256. + </p></dd> +<dt><span class="term"><span><strong class="command">port</strong></span></span></dt> +<dd><p> + The UDP/TCP port number the server uses for + receiving and sending DNS protocol traffic. + The default is 53. This option is mainly intended for server + testing; + a server using a port other than 53 will not be able to + communicate with + the global DNS. + </p></dd> +<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt> +<dd><p> + The source of entropy to be used by the server. Entropy is + primarily needed + for DNSSEC operations, such as TKEY transactions and dynamic + update of signed + zones. This options specifies the device (or file) from which + to read + entropy. If this is a file, operations requiring entropy will + fail when the + file has been exhausted. If not specified, the default value + is + <code class="filename">/dev/random</code> + (or equivalent) when present, and none otherwise. The + <span><strong class="command">random-device</strong></span> option takes + effect during + the initial configuration load at server startup time and + is ignored on subsequent reloads. + </p></dd> +<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt> +<dd><p> + If specified, the listed type (A or AAAA) will be emitted + before other glue + in the additional section of a query response. + The default is not to prefer any type (NONE). + </p></dd> +<dt> +<a name="root_delegation_only"></a><span class="term"><span><strong class="command">root-delegation-only</strong></span></span> +</dt> +<dd> +<p> + Turn on enforcement of delegation-only in TLDs + (top level domains) and root zones with an optional + exclude list. + </p> +<p> + DS queries are expected to be made to and be answered by + delegation only zones. Such queries and responses are + treated as an exception to delegation-only processing + and are not converted to NXDOMAIN responses provided + a CNAME is not discovered at the query name. + </p> +<p> + If a delegation only zone server also serves a child + zone it is not always possible to determine whether + an answer comes from the delegation only zone or the + child zone. SOA NS and DNSKEY records are apex + only records and a matching response that contains + these records or DS is treated as coming from a + child zone. RRSIG records are also examined to see + if they are signed by a child zone or not. The + authority section is also examined to see if there + is evidence that the answer is from the child zone. + Answers that are determined to be from a child zone + are not converted to NXDOMAIN responses. Despite + all these checks there is still a possibility of + false negatives when a child zone is being served. + </p> +<p> + Similarly false positives can arise from empty nodes + (no records at the name) in the delegation only zone + when the query type is not ANY. + </p> +<p> + Note some TLDs are not delegation only (e.g. "DE", "LV", + "US" and "MUSEUM"). This list is not exhaustive. + </p> +<pre class="programlisting"> +options { + root-delegation-only exclude { "de"; "lv"; "us"; "museum"; }; +}; +</pre> +</dd> +<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt> +<dd><p> + Disable the specified DNSSEC algorithms at and below the + specified name. + Multiple <span><strong class="command">disable-algorithms</strong></span> + statements are allowed. + Only the most specific will be applied. + </p></dd> +<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt> +<dd> +<p> + When set, <span><strong class="command">dnssec-lookaside</strong></span> provides the + validator with an alternate method to validate DNSKEY + records at the top of a zone. When a DNSKEY is at or + below a domain specified by the deepest + <span><strong class="command">dnssec-lookaside</strong></span>, and the normal DNSSEC + validation has left the key untrusted, the trust-anchor + will be appended to the key name and a DLV record will be + looked up to see if it can validate the key. If the DLV + record validates a DNSKEY (similarly to the way a DS + record does) the DNSKEY RRset is deemed to be trusted. + </p> +<p> + If <span><strong class="command">dnssec-lookaside</strong></span> is set to + <strong class="userinput"><code>auto</code></strong>, then built-in default + values for the DLV domain and trust anchor will be + used, along with a built-in key for validation. + </p> +<p> + If <span><strong class="command">dnssec-lookaside</strong></span> is set to + <strong class="userinput"><code>no</code></strong>, then dnssec-lookaside + is not used. + </p> +<p> + The default DLV key is stored in the file + <code class="filename">bind.keys</code>; + <span><strong class="command">named</strong></span> will load that key at + startup if <span><strong class="command">dnssec-lookaside</strong></span> is set to + <code class="constant">auto</code>. A copy of the file is + installed along with <acronym class="acronym">BIND</acronym> 9, and is + current as of the release date. If the DLV key expires, a + new copy of <code class="filename">bind.keys</code> can be downloaded + from <a href="https://www.isc.org/solutions/dlv/" target="_top">https://www.isc.org/solutions/dlv/</a>. + </p> +<p> + (To prevent problems if <code class="filename">bind.keys</code> is + not found, the current key is also compiled in to + <span><strong class="command">named</strong></span>. Relying on this is not + recommended, however, as it requires <span><strong class="command">named</strong></span> + to be recompiled with a new key when the DLV key expires.) + </p> +<p> + NOTE: <span><strong class="command">named</strong></span> only loads certain specific + keys from <code class="filename">bind.keys</code>: those for the + DLV zone and for the DNS root zone. The file cannot be + used to store keys for other zones. + </p> +</dd> +<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt> +<dd><p> + Specify hierarchies which must be or may not be secure + (signed and validated). If <strong class="userinput"><code>yes</code></strong>, + then <span><strong class="command">named</strong></span> will only accept answers if + they are secure. If <strong class="userinput"><code>no</code></strong>, then normal + DNSSEC validation applies allowing for insecure answers to + be accepted. The specified domain must be under a + <span><strong class="command">trusted-keys</strong></span> or + <span><strong class="command">managed-keys</strong></span> statement, or + <span><strong class="command">dnssec-lookaside</strong></span> must be active. + </p></dd> +<dt><span class="term"><span><strong class="command">dns64</strong></span></span></dt> +<dd> +<p> + This directive instructs <span><strong class="command">named</strong></span> to + return mapped IPv4 addresses to AAAA queries when + there are no AAAA records. It is intended to be + used in conjunction with a NAT64. Each + <span><strong class="command">dns64</strong></span> defines one DNS64 prefix. + Multiple DNS64 prefixes can be defined. + </p> +<p> + Compatible IPv6 prefixes have lengths of 32, 40, 48, 56, + 64 and 96 as per RFC 6052. + </p> +<p> + Additionally a reverse IP6.ARPA zone will be created for + the prefix to provide a mapping from the IP6.ARPA names + to the corresponding IN-ADDR.ARPA names using synthesized + CNAMEs. <span><strong class="command">dns64-server</strong></span> and + <span><strong class="command">dns64-contact</strong></span> can be used to specify + the name of the server and contact for the zones. These + are settable at the view / options level. These are + not settable on a per-prefix basis. + </p> +<p> + Each <span><strong class="command">dns64</strong></span> supports an optional + <span><strong class="command">clients</strong></span> ACL that determines which + clients are affected by this directive. If not defined, + it defaults to <strong class="userinput"><code>any;</code></strong>. + </p> +<p> + Each <span><strong class="command">dns64</strong></span> supports an optional + <span><strong class="command">mapped</strong></span> ACL that selects which + IPv4 addresses are to be mapped in the corresponding + A RRset. If not defined it defaults to + <strong class="userinput"><code>any;</code></strong>. + </p> +<p> + Normally, DNS64 won't apply to a domain name that + owns one or more AAAA records; these records will + simply be returned. The optional + <span><strong class="command">exclude</strong></span> ACL allows specification + of a list of IPv6 addresses that will be ignored + if they appear in a domain name's AAAA records, and + DNS64 will be applied to any A records the domain + name owns. If not defined, <span><strong class="command">exclude</strong></span> + defaults to none. + </p> +<p> + A optional <span><strong class="command">suffix</strong></span> can also + be defined to set the bits trailing the mapped + IPv4 address bits. By default these bits are + set to <strong class="userinput"><code>::</code></strong>. The bits + matching the prefix and mapped IPv4 address + must be zero. + </p> +<p> + If <span><strong class="command">recursive-only</strong></span> is set to + <span><strong class="command">yes</strong></span> the DNS64 synthesis will + only happen for recursive queries. The default + is <span><strong class="command">no</strong></span>. + </p> +<p> + If <span><strong class="command">break-dnssec</strong></span> is set to + <span><strong class="command">yes</strong></span> the DNS64 synthesis will + happen even if the result, if validated, would + cause a DNSSEC validation failure. If this option + is set to <span><strong class="command">no</strong></span> (the default), the DO + is set on the incoming query, and there are RRSIGs on + the applicable records, then synthesis will not happen. + </p> +<pre class="programlisting"> + acl rfc1918 { 10/8; 192.168/16; 172.16/12; }; + + dns64 64:FF9B::/96 { + clients { any; }; + mapped { !rfc1918; any; }; + exclude { 64:FF9B::/96; ::ffff:0000:0000/96; }; + suffix ::; + }; +</pre> +</dd> +<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> +<dd> +<p> + If this option is set to its default value of + <code class="literal">maintain</code> in a zone of type + <code class="literal">master</code> which is DNSSEC-signed + and configured to allow dynamic updates (see + <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>), and + if <span><strong class="command">named</strong></span> has access to the + private signing key(s) for the zone, then + <span><strong class="command">named</strong></span> will automatically sign all new + or changed records and maintain signatures for the zone + by regenerating RRSIG records whenever they approach + their expiration date. + </p> +<p> + If the option is changed to <code class="literal">no-resign</code>, + then <span><strong class="command">named</strong></span> will sign all new or + changed records, but scheduled maintenance of + signatures is disabled. + </p> +<p> + With either of these settings, <span><strong class="command">named</strong></span> + will reject updates to a DNSSEC-signed zone when the + signing keys are inactive or unavailable to + <span><strong class="command">named</strong></span>. (A planned third option, + <code class="literal">external</code>, will disable all automatic + signing and allow DNSSEC data to be submitted into a zone + via dyanmic update; this is not yet implemented.) + </p> +</dd> +<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> +<dd> +<p> + If <strong class="userinput"><code>full</code></strong>, the server will collect + statistical data on all zones (unless specifically + turned off on a per-zone basis by specifying + <span><strong class="command">zone-statistics terse</strong></span> or + <span><strong class="command">zone-statistics none</strong></span> + in the <span><strong class="command">zone</strong></span> statement). + The default is <strong class="userinput"><code>terse</code></strong>, providing + minimal statistics on zones (including name and + current serial number, but not query type + counters). + </p> +<p> + These statistics may be accessed via the + <span><strong class="command">statistics-channel</strong></span> or + using <span><strong class="command">rndc stats</strong></span>, which + will dump them to the file listed + in the <span><strong class="command">statistics-file</strong></span>. See + also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called “The Statistics File”</a>. + </p> +<p> + For backward compatibility with earlier versions + of BIND 9, the <span><strong class="command">zone-statistics</strong></span> + option can also accept <strong class="userinput"><code>yes</code></strong> + or <strong class="userinput"><code>no</code></strong>, which have the same + effect as <strong class="userinput"><code>full</code></strong> and + <strong class="userinput"><code>terse</code></strong>, respectively. + </p> +</dd> +</dl></div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="boolean_options"></a>Boolean Options</h4></div></div></div> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">allow-new-zones</strong></span></span></dt> +<dd><p> + If <strong class="userinput"><code>yes</code></strong>, then zones can be + added at runtime via <span><strong class="command">rndc addzone</strong></span> + or deleted via <span><strong class="command">rndc delzone</strong></span>. + The default is <strong class="userinput"><code>no</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt> +<dd><p> + If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit + is always set on NXDOMAIN responses, even if the server is + not actually + authoritative. The default is <strong class="userinput"><code>no</code></strong>; + this is + a change from <acronym class="acronym">BIND</acronym> 8. If you + are using very old DNS software, you + may need to set it to <strong class="userinput"><code>yes</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt> +<dd><p> + This option was used in <acronym class="acronym">BIND</acronym> + 8 to enable checking + for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs + the checks. + </p></dd> +<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt> +<dd><p> + Write memory statistics to the file specified by + <span><strong class="command">memstatistics-file</strong></span> at exit. + The default is <strong class="userinput"><code>no</code></strong> unless + '-m record' is specified on the command line in + which case it is <strong class="userinput"><code>yes</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> +<dd> +<p> + If <strong class="userinput"><code>yes</code></strong>, then the + server treats all zones as if they are doing zone transfers + across + a dial-on-demand dialup link, which can be brought up by + traffic + originating from this server. This has different effects + according + to zone type and concentrates the zone maintenance so that + it all + happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and + hopefully during the one call. It also suppresses some of + the normal + zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>. + </p> +<p> + The <span><strong class="command">dialup</strong></span> option + may also be specified in the <span><strong class="command">view</strong></span> and + <span><strong class="command">zone</strong></span> statements, + in which case it overrides the global <span><strong class="command">dialup</strong></span> + option. + </p> +<p> + If the zone is a master zone, then the server will send out a + NOTIFY + request to all the slaves (default). This should trigger the + zone serial + number check in the slave (providing it supports NOTIFY) + allowing the slave + to verify the zone while the connection is active. + The set of servers to which NOTIFY is sent can be controlled + by + <span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>. + </p> +<p> + If the + zone is a slave or stub zone, then the server will suppress + the regular + "zone up to date" (refresh) queries and only perform them + when the + <span><strong class="command">heartbeat-interval</strong></span> expires in + addition to sending + NOTIFY requests. + </p> +<p> + Finer control can be achieved by using + <strong class="userinput"><code>notify</code></strong> which only sends NOTIFY + messages, + <strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY + messages and + suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong> + which suppresses normal refresh processing and sends refresh + queries + when the <span><strong class="command">heartbeat-interval</strong></span> + expires, and + <strong class="userinput"><code>passive</code></strong> which just disables normal + refresh + processing. + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + dialup mode + </p> + </td> +<td> + <p> + normal refresh + </p> + </td> +<td> + <p> + heart-beat refresh + </p> + </td> +<td> + <p> + heart-beat notify + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">no</strong></span> (default)</p> + </td> +<td> + <p> + yes + </p> + </td> +<td> + <p> + no + </p> + </td> +<td> + <p> + no + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">yes</strong></span></p> + </td> +<td> + <p> + no + </p> + </td> +<td> + <p> + yes + </p> + </td> +<td> + <p> + yes + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">notify</strong></span></p> + </td> +<td> + <p> + yes + </p> + </td> +<td> + <p> + no + </p> + </td> +<td> + <p> + yes + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">refresh</strong></span></p> + </td> +<td> + <p> + no + </p> + </td> +<td> + <p> + yes + </p> + </td> +<td> + <p> + no + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">passive</strong></span></p> + </td> +<td> + <p> + no + </p> + </td> +<td> + <p> + no + </p> + </td> +<td> + <p> + no + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">notify-passive</strong></span></p> + </td> +<td> + <p> + no + </p> + </td> +<td> + <p> + no + </p> + </td> +<td> + <p> + yes + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + Note that normal NOTIFY processing is not affected by + <span><strong class="command">dialup</strong></span>. + </p> +</dd> +<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt> +<dd><p> + In <acronym class="acronym">BIND</acronym> 8, this option + enabled simulating the obsolete DNS query type + IQUERY. <acronym class="acronym">BIND</acronym> 9 never does + IQUERY simulation. + </p></dd> +<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt> +<dd><p> + This option is obsolete. + In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong> + caused the server to attempt to fetch glue resource records + it + didn't have when constructing the additional + data section of a response. This is now considered a bad + idea + and BIND 9 never does it. + </p></dd> +<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt> +<dd><p> + When the nameserver exits due receiving SIGTERM, + flush or do not flush any pending zone writes. The default + is + <span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt> +<dd><p> + This option was incorrectly implemented + in <acronym class="acronym">BIND</acronym> 8, and is ignored by <acronym class="acronym">BIND</acronym> 9. + To achieve the intended effect + of + <span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify + the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong> + and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead. + </p></dd> +<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt> +<dd><p> + In BIND 8, this enables keeping of + statistics for every host that the name server interacts + with. + Not implemented in BIND 9. + </p></dd> +<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt> +<dd><p> + <span class="emphasis"><em>This option is obsolete</em></span>. + It was used in <acronym class="acronym">BIND</acronym> 8 to + determine whether a transaction log was + kept for Incremental Zone Transfer. <acronym class="acronym">BIND</acronym> 9 maintains a transaction + log whenever possible. If you need to disable outgoing + incremental zone + transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt> +<dd><p> + If <strong class="userinput"><code>yes</code></strong>, then when generating + responses the server will only add records to the authority + and additional data sections when they are required (e.g. + delegations, negative responses). This may improve the + performance of the server. + The default is <strong class="userinput"><code>no</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt> +<dd><p> + This option was used in <acronym class="acronym">BIND</acronym> 8 to allow + a domain name to have multiple CNAME records in violation of + the DNS standards. <acronym class="acronym">BIND</acronym> 9.2 onwards + always strictly enforces the CNAME rules both in master + files and dynamic updates. + </p></dd> +<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> +<dd> +<p> + If <strong class="userinput"><code>yes</code></strong> (the default), + DNS NOTIFY messages are sent when a zone the server is + authoritative for + changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called “Notify”</a>. The messages are + sent to the + servers listed in the zone's NS records (except the master + server identified + in the SOA MNAME field), and to any servers listed in the + <span><strong class="command">also-notify</strong></span> option. + </p> +<p> + If <strong class="userinput"><code>master-only</code></strong>, notifies are only + sent + for master zones. + If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only + to + servers explicitly listed using <span><strong class="command">also-notify</strong></span>. + If <strong class="userinput"><code>no</code></strong>, no notifies are sent. + </p> +<p> + The <span><strong class="command">notify</strong></span> option may also be + specified in the <span><strong class="command">zone</strong></span> + statement, + in which case it overrides the <span><strong class="command">options notify</strong></span> statement. + It would only be necessary to turn off this option if it + caused slaves + to crash. + </p> +</dd> +<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt> +<dd><p> + If <strong class="userinput"><code>yes</code></strong> do not check the nameservers + in the NS RRset against the SOA MNAME. Normally a NOTIFY + message is not sent to the SOA MNAME (SOA ORIGIN) as it is + supposed to contain the name of the ultimate master. + Sometimes, however, a slave is listed as the SOA MNAME in + hidden master configurations and in that case you would + want the ultimate master to still send NOTIFY messages to + all the nameservers listed in the NS RRset. + </p></dd> +<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt> +<dd><p> + If <strong class="userinput"><code>yes</code></strong>, and a + DNS query requests recursion, then the server will attempt + to do + all the work required to answer the query. If recursion is + off + and the server does not already know the answer, it will + return a + referral response. The default is + <strong class="userinput"><code>yes</code></strong>. + Note that setting <span><strong class="command">recursion no</strong></span> does not prevent + clients from getting data from the server's cache; it only + prevents new data from being cached as an effect of client + queries. + Caching may still occur as an effect the server's internal + operation, such as NOTIFY address lookups. + See also <span><strong class="command">fetch-glue</strong></span> above. + </p></dd> +<dt><span class="term"><span><strong class="command">request-nsid</strong></span></span></dt> +<dd><p> + If <strong class="userinput"><code>yes</code></strong>, then an empty EDNS(0) + NSID (Name Server Identifier) option is sent with all + queries to authoritative name servers during iterative + resolution. If the authoritative server returns an NSID + option in its response, then its contents are logged in + the <span><strong class="command">resolver</strong></span> category at level + <span><strong class="command">info</strong></span>. + The default is <strong class="userinput"><code>no</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt> +<dd> +<p> + Setting this to <strong class="userinput"><code>yes</code></strong> will + cause the server to send NS records along with the SOA + record for negative + answers. The default is <strong class="userinput"><code>no</code></strong>. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + Not yet implemented in <acronym class="acronym">BIND</acronym> + 9. + </p> +</div> +</dd> +<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt> +<dd><p> + <span class="emphasis"><em>This option is obsolete</em></span>. + <acronym class="acronym">BIND</acronym> 9 always allocates query + IDs from a pool. + </p></dd> +<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt> +<dd><p> + <span class="emphasis"><em>This option is obsolete</em></span>. + If you need to disable IXFR to a particular server or + servers, see + the information on the <span><strong class="command">provide-ixfr</strong></span> option + in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and + Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and + Usage”</a>. + See also + <a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called “Incremental Zone Transfers (IXFR)”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">provide-ixfr</strong></span> in + <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and + Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and + Usage”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">request-ixfr</strong></span> in + <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and + Usage">the section called “<span><strong class="command">server</strong></span> Statement Definition and + Usage”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt> +<dd><p> + This option was used in <acronym class="acronym">BIND</acronym> + 8 to make + the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way + as a space or tab character, + to facilitate loading of zone files on a UNIX system that + were generated + on an NT or DOS machine. In <acronym class="acronym">BIND</acronym> 9, both UNIX "<span><strong class="command">\n</strong></span>" + and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines + are always accepted, + and the option is ignored. + </p></dd> +<dt> +<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span> +</dt> +<dd> +<p> + These options control the behavior of an authoritative + server when + answering queries which have additional data, or when + following CNAME + and DNAME chains. + </p> +<p> + When both of these options are set to <strong class="userinput"><code>yes</code></strong> + (the default) and a + query is being answered from authoritative data (a zone + configured into the server), the additional data section of + the + reply will be filled in using data from other authoritative + zones + and from the cache. In some situations this is undesirable, + such + as when there is concern over the correctness of the cache, + or + in servers where slave zones may be added and modified by + untrusted third parties. Also, avoiding + the search for this additional data will speed up server + operations + at the possible expense of additional queries to resolve + what would + otherwise be provided in the additional section. + </p> +<p> + For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>, + and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address + records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well, + if known, even though they are not in the example.com zone. + Setting these options to <span><strong class="command">no</strong></span> + disables this behavior and makes + the server only search for additional data in the zone it + answers from. + </p> +<p> + These options are intended for use in authoritative-only + servers, or in authoritative-only views. Attempts to set + them to <span><strong class="command">no</strong></span> without also + specifying + <span><strong class="command">recursion no</strong></span> will cause the + server to + ignore the options and log a warning message. + </p> +<p> + Specifying <span><strong class="command">additional-from-cache no</strong></span> actually + disables the use of the cache not only for additional data + lookups + but also when looking up the answer. This is usually the + desired + behavior in an authoritative-only server where the + correctness of + the cached data is an issue. + </p> +<p> + When a name server is non-recursively queried for a name + that is not + below the apex of any served zone, it normally answers with + an + "upwards referral" to the root servers or the servers of + some other + known parent of the query name. Since the data in an + upwards referral + comes from the cache, the server will not be able to provide + upwards + referrals when <span><strong class="command">additional-from-cache no</strong></span> + has been specified. Instead, it will respond to such + queries + with REFUSED. This should not cause any problems since + upwards referrals are not required for the resolution + process. + </p> +</dd> +<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt> +<dd> +<p> + If <strong class="userinput"><code>yes</code></strong>, then an + IPv4-mapped IPv6 address will match any address match + list entries that match the corresponding IPv4 address. + </p> +<p> + This option was introduced to work around a kernel quirk + in some operating systems that causes IPv4 TCP + connections, such as zone transfers, to be accepted on an + IPv6 socket using mapped addresses. This caused address + match lists designed for IPv4 to fail to match. However, + <span><strong class="command">named</strong></span> now solves this problem + internally. The use of this option is discouraged. + </p> +</dd> +<dt><span class="term"><span><strong class="command">filter-aaaa-on-v4</strong></span></span></dt> +<dd> +<p> + This option is only available when + <acronym class="acronym">BIND</acronym> 9 is compiled with the + <strong class="userinput"><code>--enable-filter-aaaa</code></strong> option on the + "configure" command line. It is intended to help the + transition from IPv4 to IPv6 by not giving IPv6 addresses + to DNS clients unless they have connections to the IPv6 + Internet. This is not recommended unless absolutely + necessary. The default is <strong class="userinput"><code>no</code></strong>. + The <span><strong class="command">filter-aaaa-on-v4</strong></span> option + may also be specified in <span><strong class="command">view</strong></span> statements + to override the global <span><strong class="command">filter-aaaa-on-v4</strong></span> + option. + </p> +<p> + If <strong class="userinput"><code>yes</code></strong>, + the DNS client is at an IPv4 address, in <span><strong class="command">filter-aaaa</strong></span>, + and if the response does not include DNSSEC signatures, + then all AAAA records are deleted from the response. + This filtering applies to all responses and not only + authoritative responses. + </p> +<p> + If <strong class="userinput"><code>break-dnssec</code></strong>, + then AAAA records are deleted even when dnssec is enabled. + As suggested by the name, this makes the response not verify, + because the DNSSEC protocol is designed detect deletions. + </p> +<p> + This mechanism can erroneously cause other servers to + not give AAAA records to their clients. + A recursing server with both IPv6 and IPv4 network connections + that queries an authoritative server using this mechanism + via IPv4 will be denied AAAA records even if its client is + using IPv6. + </p> +<p> + This mechanism is applied to authoritative as well as + non-authoritative records. + A client using IPv4 that is not allowed recursion can + erroneously be given AAAA records because the server is not + allowed to check for A records. + </p> +<p> + Some AAAA records are given to IPv4 clients in glue records. + IPv4 clients that are servers can then erroneously + answer requests for AAAA records received via IPv4. + </p> +</dd> +<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> +<dd> +<p> + When <strong class="userinput"><code>yes</code></strong> and the server loads a new + version of a master zone from its zone file or receives a + new version of a slave file via zone transfer, it will + compare the new version to the previous one and calculate + a set of differences. The differences are then logged in + the zone's journal file such that the changes can be + transmitted to downstream slaves as an incremental zone + transfer. + </p> +<p> + By allowing incremental zone transfers to be used for + non-dynamic zones, this option saves bandwidth at the + expense of increased CPU and memory consumption at the + master. + In particular, if the new version of a zone is completely + different from the previous one, the set of differences + will be of a size comparable to the combined size of the + old and new zone version, and the server will need to + temporarily allocate memory to hold this complete + difference set. + </p> +<p><span><strong class="command">ixfr-from-differences</strong></span> + also accepts <span><strong class="command">master</strong></span> and + <span><strong class="command">slave</strong></span> at the view and options + levels which causes + <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for + all <span><strong class="command">master</strong></span> or + <span><strong class="command">slave</strong></span> zones respectively. + It is off by default. + </p> +</dd> +<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> +<dd><p> + This should be set when you have multiple masters for a zone + and the + addresses refer to different machines. If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will + not log + when the serial number on the master is less than what <span><strong class="command">named</strong></span> + currently + has. The default is <strong class="userinput"><code>no</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt> +<dd><p> + Enable DNSSEC support in <span><strong class="command">named</strong></span>. Unless set to <strong class="userinput"><code>yes</code></strong>, + <span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC. + The default is <strong class="userinput"><code>yes</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt> +<dd><p> + Enable DNSSEC validation in <span><strong class="command">named</strong></span>. + Note <span><strong class="command">dnssec-enable</strong></span> also needs to be + set to <strong class="userinput"><code>yes</code></strong> to be effective. + If set to <strong class="userinput"><code>no</code></strong>, DNSSEC validation + is disabled. If set to <strong class="userinput"><code>auto</code></strong>, + DNSSEC validation is enabled, and a default + trust-anchor for the DNS root zone is used. If set to + <strong class="userinput"><code>yes</code></strong>, DNSSEC validation is enabled, + but a trust anchor must be manually configured using + a <span><strong class="command">trusted-keys</strong></span> or + <span><strong class="command">managed-keys</strong></span> statement. The default + is <strong class="userinput"><code>yes</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt> +<dd><p> + Accept expired signatures when verifying DNSSEC signatures. + The default is <strong class="userinput"><code>no</code></strong>. + Setting this option to <strong class="userinput"><code>yes</code></strong> + leaves <span><strong class="command">named</strong></span> vulnerable to + replay attacks. + </p></dd> +<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt> +<dd><p> + Specify whether query logging should be started when <span><strong class="command">named</strong></span> + starts. + If <span><strong class="command">querylog</strong></span> is not specified, + then the query logging + is determined by the presence of the logging category <span><strong class="command">queries</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> +<dd> +<p> + This option is used to restrict the character set and syntax + of + certain domain names in master files and/or DNS responses + received + from the network. The default varies according to usage + area. For + <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. + For <span><strong class="command">slave</strong></span> zones the default + is <span><strong class="command">warn</strong></span>. + For answers received from the network (<span><strong class="command">response</strong></span>) + the default is <span><strong class="command">ignore</strong></span>. + </p> +<p> + The rules for legal hostnames and mail domains are derived + from RFC 952 and RFC 821 as modified by RFC 1123. + </p> +<p><span><strong class="command">check-names</strong></span> + applies to the owner names of A, AAAA and MX records. + It also applies to the domain names in the RDATA of NS, SOA, + MX, and SRV records. + It also applies to the RDATA of PTR records where the owner + name indicated that it is a reverse lookup of a hostname + (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT). + </p> +</dd> +<dt><span class="term"><span><strong class="command">check-dup-records</strong></span></span></dt> +<dd><p> + Check master zones for records that are treated as different + by DNSSEC but are semantically equal in plain DNS. The + default is to <span><strong class="command">warn</strong></span>. Other possible + values are <span><strong class="command">fail</strong></span> and + <span><strong class="command">ignore</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> +<dd><p> + Check whether the MX record appears to refer to a IP address. + The default is to <span><strong class="command">warn</strong></span>. Other possible + values are <span><strong class="command">fail</strong></span> and + <span><strong class="command">ignore</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> +<dd><p> + This option is used to check for non-terminal wildcards. + The use of non-terminal wildcards is almost always as a + result of a failure + to understand the wildcard matching algorithm (RFC 1034). + This option + affects master zones. The default (<span><strong class="command">yes</strong></span>) is to check + for non-terminal wildcards and issue a warning. + </p></dd> +<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> +<dd> +<p> + Perform post load zone integrity checks on master + zones. This checks that MX and SRV records refer + to address (A or AAAA) records and that glue + address records exist for delegated zones. For + MX and SRV records only in-zone hostnames are + checked (for out-of-zone hostnames use + <span><strong class="command">named-checkzone</strong></span>). + For NS records only names below top of zone are + checked (for out-of-zone names and glue consistency + checks use <span><strong class="command">named-checkzone</strong></span>). + The default is <span><strong class="command">yes</strong></span>. + </p> +<p> + Check that the two forms of Sender Policy Framework + records (TXT records starting with "v=spf1" and SPF) either + both exist or both don't exist. Warnings are + emitted it they don't and be suppressed with + <span><strong class="command">check-spf</strong></span>. + </p> +</dd> +<dt><span class="term"><span><strong class="command">check-mx-cname</strong></span></span></dt> +<dd><p> + If <span><strong class="command">check-integrity</strong></span> is set then + fail, warn or ignore MX records that refer + to CNAMES. The default is to <span><strong class="command">warn</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-srv-cname</strong></span></span></dt> +<dd><p> + If <span><strong class="command">check-integrity</strong></span> is set then + fail, warn or ignore SRV records that refer + to CNAMES. The default is to <span><strong class="command">warn</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> +<dd><p> + When performing integrity checks, also check that + sibling glue exists. The default is <span><strong class="command">yes</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt> +<dd><p> + When performing integrity checks, check that the + two forms of Sender Policy Framwork records (TXT + records starting with "v=spf1" and SPF) both exist + or both don't exist and issue a warning if not + met. The default is <span><strong class="command">warn</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> +<dd><p> + When returning authoritative negative responses to + SOA queries set the TTL of the SOA record returned in + the authority section to zero. + The default is <span><strong class="command">yes</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">zero-no-soa-ttl-cache</strong></span></span></dt> +<dd><p> + When caching a negative response to a SOA query + set the TTL to zero. + The default is <span><strong class="command">no</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> +<dd> +<p> + When set to the default value of <code class="literal">yes</code>, + check the KSK bit in each key to determine how the key + should be used when generating RRSIGs for a secure zone. + </p> +<p> + Ordinarily, zone-signing keys (that is, keys without the + KSK bit set) are used to sign the entire zone, while + key-signing keys (keys with the KSK bit set) are only + used to sign the DNSKEY RRset at the zone apex. + However, if this option is set to <code class="literal">no</code>, + then the KSK bit is ignored; KSKs are treated as if they + were ZSKs and are used to sign the entire zone. This is + similar to the <span><strong class="command">dnssec-signzone -z</strong></span> + command line option. + </p> +<p> + When this option is set to <code class="literal">yes</code>, there + must be at least two active keys for every algorithm + represented in the DNSKEY RRset: at least one KSK and one + ZSK per algorithm. If there is any algorithm for which + this requirement is not met, this option will be ignored + for that algorithm. + </p> +</dd> +<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt> +<dd> +<p> + When this option and <span><strong class="command">update-check-ksk</strong></span> + are both set to <code class="literal">yes</code>, only key-signing + keys (that is, keys with the KSK bit set) will be used + to sign the DNSKEY RRset at the zone apex. Zone-signing + keys (keys without the KSK bit set) will be used to sign + the remainder of the zone, but not the DNSKEY RRset. + This is similar to the + <span><strong class="command">dnssec-signzone -x</strong></span> command line option. + </p> +<p> + The default is <span><strong class="command">no</strong></span>. If + <span><strong class="command">update-check-ksk</strong></span> is set to + <code class="literal">no</code>, this option is ignored. + </p> +</dd> +<dt><span class="term"><span><strong class="command">dnssec-loadkeys-interval</strong></span></span></dt> +<dd><p> + When a zone is configured with <span><strong class="command">auto-dnssec + maintain;</strong></span> its key repository must be checked + periodically to see if any new keys have been added + or any existing keys' timing metadata has been updated + (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and + <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The + <span><strong class="command">dnssec-loadkeys-interval</strong></span> option + sets the frequency of autoatic repository checks, in + minutes. The default is <code class="literal">60</code> (1 hour), + the minimum is <code class="literal">1</code> (1 minute), and the + maximum is <code class="literal">1440</code> (24 hours); any higher + value is silently reduced. + </p></dd> +<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt> +<dd><p> + Try to refresh the zone using TCP if UDP queries fail. + For BIND 8 compatibility, the default is + <span><strong class="command">yes</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt> +<dd> +<p> + Allow a dynamic zone to transition from secure to + insecure (i.e., signed to unsigned) by deleting all + of the DNSKEY records. The default is <span><strong class="command">no</strong></span>. + If set to <span><strong class="command">yes</strong></span>, and if the DNSKEY RRset + at the zone apex is deleted, all RRSIG and NSEC records + will be removed from the zone as well. + </p> +<p> + If the zone uses NSEC3, then it is also necessary to + delete the NSEC3PARAM RRset from the zone apex; this will + cause the removal of all corresponding NSEC3 records. + (It is expected that this requirement will be eliminated + in a future release.) + </p> +<p> + Note that if a zone has been configured with + <span><strong class="command">auto-dnssec maintain</strong></span> and the + private keys remain accessible in the key repository, + then the zone will be automatically signed again the + next time <span><strong class="command">named</strong></span> is started. + </p> +</dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2584393"></a>Forwarding</h4></div></div></div> +<p> + The forwarding facility can be used to create a large site-wide + cache on a few servers, reducing traffic over links to external + name servers. It can also be used to allow queries by servers that + do not have direct access to the Internet, but wish to look up + exterior + names anyway. Forwarding occurs only on those queries for which + the server is not authoritative and does not have the answer in + its cache. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> +<dd><p> + This option is only meaningful if the + forwarders list is not empty. A value of <code class="varname">first</code>, + the default, causes the server to query the forwarders + first — and + if that doesn't answer the question, the server will then + look for + the answer itself. If <code class="varname">only</code> is + specified, the + server will only query the forwarders. + </p></dd> +<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> +<dd><p> + Specifies the IP addresses to be used + for forwarding. The default is the empty list (no + forwarding). + </p></dd> +</dl></div> +<p> + Forwarding can also be configured on a per-domain basis, allowing + for the global forwarding options to be overridden in a variety + of ways. You can set particular domains to use different + forwarders, + or have a different <span><strong class="command">forward only/first</strong></span> behavior, + or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone + Statement Grammar">the section called “<span><strong class="command">zone</strong></span> + Statement Grammar”</a>. + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2584588"></a>Dual-stack Servers</h4></div></div></div> +<p> + Dual-stack servers are used as servers of last resort to work + around + problems in reachability due the lack of support for either IPv4 + or IPv6 + on the host machine. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt> +<dd><p> + Specifies host names or addresses of machines with access to + both IPv4 and IPv6 transports. If a hostname is used, the + server must be able + to resolve the name using only the transport it has. If the + machine is dual + stacked, then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless + access to a transport has been disabled on the command line + (e.g. <span><strong class="command">named -4</strong></span>). + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="access_control"></a>Access Control</h4></div></div></div> +<p> + Access to the server can be restricted based on the IP address + of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called “Address Match Lists”</a> for + details on how to specify IP address lists. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> +<dd><p> + Specifies which hosts are allowed to + notify this server, a slave, of zone changes in addition + to the zone masters. + <span><strong class="command">allow-notify</strong></span> may also be + specified in the + <span><strong class="command">zone</strong></span> statement, in which case + it overrides the + <span><strong class="command">options allow-notify</strong></span> + statement. It is only meaningful + for a slave zone. If not specified, the default is to + process notify messages + only from a zone's master. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> +<dd> +<p> + Specifies which hosts are allowed to ask ordinary + DNS questions. <span><strong class="command">allow-query</strong></span> may + also be specified in the <span><strong class="command">zone</strong></span> + statement, in which case it overrides the + <span><strong class="command">options allow-query</strong></span> statement. + If not specified, the default is to allow queries + from all hosts. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + <span><strong class="command">allow-query-cache</strong></span> is now + used to specify access to the cache. + </p> +</div> +</dd> +<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt> +<dd> +<p> + Specifies which local addresses can accept ordinary + DNS questions. This makes it possible, for instance, + to allow queries on internal-facing interfaces but + disallow them on external-facing ones, without + necessarily knowing the internal network's addresses. + </p> +<p> + Note that <span><strong class="command">allow-query-on</strong></span> is only + checked for queries that are permitted by + <span><strong class="command">allow-query</strong></span>. A query must be + allowed by both ACLs, or it will be refused. + </p> +<p> + <span><strong class="command">allow-query-on</strong></span> may + also be specified in the <span><strong class="command">zone</strong></span> + statement, in which case it overrides the + <span><strong class="command">options allow-query-on</strong></span> statement. + </p> +<p> + If not specified, the default is to allow queries + on all addresses. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + <span><strong class="command">allow-query-cache</strong></span> is + used to specify access to the cache. + </p> +</div> +</dd> +<dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt> +<dd><p> + Specifies which hosts are allowed to get answers + from the cache. If <span><strong class="command">allow-query-cache</strong></span> + is not set then <span><strong class="command">allow-recursion</strong></span> + is used if set, otherwise <span><strong class="command">allow-query</strong></span> + is used if set unless <span><strong class="command">recursion no;</strong></span> is + set in which case <span><strong class="command">none;</strong></span> is used, + otherwise the default (<span><strong class="command">localnets;</strong></span> + <span><strong class="command">localhost;</strong></span>) is used. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt> +<dd><p> + Specifies which local addresses can give answers + from the cache. If not specified, the default is + to allow cache queries on any address, + <span><strong class="command">localnets</strong></span> and + <span><strong class="command">localhost</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt> +<dd><p> + Specifies which hosts are allowed to make recursive + queries through this server. If + <span><strong class="command">allow-recursion</strong></span> is not set + then <span><strong class="command">allow-query-cache</strong></span> is + used if set, otherwise <span><strong class="command">allow-query</strong></span> + is used if set, otherwise the default + (<span><strong class="command">localnets;</strong></span> + <span><strong class="command">localhost;</strong></span>) is used. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt> +<dd><p> + Specifies which local addresses can accept recursive + queries. If not specified, the default is to allow + recursive queries on all addresses. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> +<dd><p> + Specifies which hosts are allowed to + submit Dynamic DNS updates for master zones. The default is + to deny + updates from all hosts. Note that allowing updates based + on the requestor's IP address is insecure; see + <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> for details. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> +<dd> +<p> + Specifies which hosts are allowed to + submit Dynamic DNS updates to slave zones to be forwarded to + the + master. The default is <strong class="userinput"><code>{ none; }</code></strong>, + which + means that no update forwarding will be performed. To + enable + update forwarding, specify + <strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>. + Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or + <strong class="userinput"><code>{ any; }</code></strong> is usually + counterproductive, since + the responsibility for update access control should rest + with the + master server, not the slaves. + </p> +<p> + Note that enabling the update forwarding feature on a slave + server + may expose master servers relying on insecure IP address + based + access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called “Dynamic Update Security”</a> + for more details. + </p> +</dd> +<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt> +<dd><p> + This option was introduced for the smooth transition from + AAAA + to A6 and from "nibble labels" to binary labels. + However, since both A6 and binary labels were then + deprecated, + this option was also deprecated. + It is now ignored with some warning messages. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> +<dd><p> + Specifies which hosts are allowed to + receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may + also be specified in the <span><strong class="command">zone</strong></span> + statement, in which + case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement. + If not specified, the default is to allow transfers to all + hosts. + </p></dd> +<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt> +<dd><p> + Specifies a list of addresses that the + server will not accept queries from or use to resolve a + query. Queries + from these addresses will not be responded to. The default + is <strong class="userinput"><code>none</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">filter-aaaa</strong></span></span></dt> +<dd><p> + Specifies a list of addresses to which + <span><strong class="command">filter-aaaa-on-v4</strong></span> + is applies. The default is <strong class="userinput"><code>any</code></strong>. + </p></dd> +<dt><span class="term"><span><strong class="command">resolver-query-timeout</strong></span></span></dt> +<dd><p> + The amount of time the resolver will spend attempting + to resolve a recursive query before failing. The default + and minimum is <code class="literal">10</code> and the maximum is + <code class="literal">30</code>. Setting it to <code class="literal">0</code> + will result in the default being used. + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2585149"></a>Interfaces</h4></div></div></div> +<p> + The interfaces and ports that the server will answer queries + from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes + an optional port and an <code class="varname">address_match_list</code>. + The server will listen on all interfaces allowed by the address + match list. If a port is not specified, port 53 will be used. + </p> +<p> + Multiple <span><strong class="command">listen-on</strong></span> statements are + allowed. + For example, + </p> +<pre class="programlisting">listen-on { 5.6.7.8; }; +listen-on port 1234 { !1.2.3.4; 1.2/16; }; +</pre> +<p> + will enable the name server on port 53 for the IP address + 5.6.7.8, and on port 1234 of an address on the machine in net + 1.2 that is not 1.2.3.4. + </p> +<p> + If no <span><strong class="command">listen-on</strong></span> is specified, the + server will listen on port 53 on all IPv4 interfaces. + </p> +<p> + The <span><strong class="command">listen-on-v6</strong></span> option is used to + specify the interfaces and the ports on which the server will + listen + for incoming queries sent using IPv6. + </p> +<p> + When </p> +<pre class="programlisting">{ any; }</pre> +<p> is + specified + as the <code class="varname">address_match_list</code> for the + <span><strong class="command">listen-on-v6</strong></span> option, + the server does not bind a separate socket to each IPv6 interface + address as it does for IPv4 if the operating system has enough API + support for IPv6 (specifically if it conforms to RFC 3493 and RFC + 3542). + Instead, it listens on the IPv6 wildcard address. + If the system only has incomplete API support for IPv6, however, + the behavior is the same as that for IPv4. + </p> +<p> + A list of particular IPv6 addresses can also be specified, in + which case + the server listens on a separate socket for each specified + address, + regardless of whether the desired API is supported by the system. + </p> +<p> + Multiple <span><strong class="command">listen-on-v6</strong></span> options can + be used. + For example, + </p> +<pre class="programlisting">listen-on-v6 { any; }; +listen-on-v6 port 1234 { !2001:db8::/32; any; }; +</pre> +<p> + will enable the name server on port 53 for any IPv6 addresses + (with a single wildcard socket), + and on port 1234 of IPv6 addresses that is not in the prefix + 2001:db8::/32 (with separate sockets for each matched address.) + </p> +<p> + To make the server not listen on any IPv6 address, use + </p> +<pre class="programlisting">listen-on-v6 { none; }; +</pre> +<p> + If no <span><strong class="command">listen-on-v6</strong></span> option is + specified, the server will not listen on any IPv6 address + unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is + invoked. If <span><strong class="command">-6</strong></span> is specified then + <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default. + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="query_address"></a>Query Address</h4></div></div></div> +<p> + If the server doesn't know the answer to a question, it will + query other name servers. <span><strong class="command">query-source</strong></span> specifies + the address and port used for such queries. For queries sent over + IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option. + If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> (asterisk) or is omitted, + a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) + will be used. + </p> +<p> + If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted, + a random port number from a pre-configured + range is picked up and will be used for each query. + The port range(s) is that specified in + the <span><strong class="command">use-v4-udp-ports</strong></span> (for IPv4) + and <span><strong class="command">use-v6-udp-ports</strong></span> (for IPv6) + options, excluding the ranges specified in + the <span><strong class="command">avoid-v4-udp-ports</strong></span> + and <span><strong class="command">avoid-v6-udp-ports</strong></span> options, respectively. + </p> +<p> + The defaults of the <span><strong class="command">query-source</strong></span> and + <span><strong class="command">query-source-v6</strong></span> options + are: + </p> +<pre class="programlisting">query-source address * port *; +query-source-v6 address * port *; +</pre> +<p> + If <span><strong class="command">use-v4-udp-ports</strong></span> or + <span><strong class="command">use-v6-udp-ports</strong></span> is unspecified, + <span><strong class="command">named</strong></span> will check if the operating + system provides a programming interface to retrieve the + system's default range for ephemeral ports. + If such an interface is available, + <span><strong class="command">named</strong></span> will use the corresponding system + default range; otherwise, it will use its own defaults: + </p> +<pre class="programlisting">use-v4-udp-ports { range 1024 65535; }; +use-v6-udp-ports { range 1024 65535; }; +</pre> +<p> + Note: make sure the ranges be sufficiently large for + security. A desirable size depends on various parameters, + but we generally recommend it contain at least 16384 ports + (14 bits of entropy). + Note also that the system's default range when used may be + too small for this purpose, and that the range may even be + changed while <span><strong class="command">named</strong></span> is running; the new + range will automatically be applied when <span><strong class="command">named</strong></span> + is reloaded. + It is encouraged to + configure <span><strong class="command">use-v4-udp-ports</strong></span> and + <span><strong class="command">use-v6-udp-ports</strong></span> explicitly so that the + ranges are sufficiently large and are reasonably + independent from the ranges used by other applications. + </p> +<p> + Note: the operational configuration + where <span><strong class="command">named</strong></span> runs may prohibit the use + of some ports. For example, UNIX systems will not allow + <span><strong class="command">named</strong></span> running without a root privilege + to use ports less than 1024. + If such ports are included in the specified (or detected) + set of query ports, the corresponding query attempts will + fail, resulting in resolution failures or delay. + It is therefore important to configure the set of ports + that can be safely used in the expected operational environment. + </p> +<p> + The defaults of the <span><strong class="command">avoid-v4-udp-ports</strong></span> and + <span><strong class="command">avoid-v6-udp-ports</strong></span> options + are: + </p> +<pre class="programlisting">avoid-v4-udp-ports {}; +avoid-v6-udp-ports {}; +</pre> +<p> + Note: BIND 9.5.0 introduced + the <span><strong class="command">use-queryport-pool</strong></span> + option to support a pool of such random ports, but this + option is now obsolete because reusing the same ports in + the pool may not be sufficiently secure. + For the same reason, it is generally strongly discouraged to + specify a particular port for the + <span><strong class="command">query-source</strong></span> or + <span><strong class="command">query-source-v6</strong></span> options; + it implicitly disables the use of randomized port numbers. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt> +<dd><p> + This option is obsolete. + </p></dd> +<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt> +<dd><p> + This option is obsolete. + </p></dd> +<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt> +<dd><p> + This option is obsolete. + </p></dd> +</dl></div> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + The address specified in the <span><strong class="command">query-source</strong></span> option + is used for both UDP and TCP queries, but the port applies only + to UDP queries. TCP queries always use a random + unprivileged port. + </p> +</div> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + Solaris 2.5.1 and earlier does not support setting the source + address for TCP sockets. + </p> +</div> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + See also <span><strong class="command">transfer-source</strong></span> and + <span><strong class="command">notify-source</strong></span>. + </p> +</div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div> +<p> + <acronym class="acronym">BIND</acronym> has mechanisms in place to + facilitate zone transfers + and set limits on the amount of load that transfers place on the + system. The following options apply to zone transfers. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> +<dd> +<p> + Defines a global list of IP addresses of name servers + that are also sent NOTIFY messages whenever a fresh copy of + the + zone is loaded, in addition to the servers listed in the + zone's NS records. + This helps to ensure that copies of the zones will + quickly converge on stealth servers. + Optionally, a port may be specified with each + <span><strong class="command">also-notify</strong></span> address to send + the notify messages to a port other than the + default of 53. + An optional TSIG key can also be specified with each + address to cause the notify messages to be signed; this + can be useful when sending notifies to multiple views. + In place of explicit addresses, one or more named + <span><strong class="command">masters</strong></span> lists can be used. + </p> +<p> + If an <span><strong class="command">also-notify</strong></span> list + is given in a <span><strong class="command">zone</strong></span> statement, + it will override + the <span><strong class="command">options also-notify</strong></span> + statement. When a <span><strong class="command">zone notify</strong></span> + statement + is set to <span><strong class="command">no</strong></span>, the IP + addresses in the global <span><strong class="command">also-notify</strong></span> list will + not be sent NOTIFY messages for that zone. The default is + the empty + list (no global notification list). + </p> +</dd> +<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> +<dd><p> + Inbound zone transfers running longer than + this many minutes will be terminated. The default is 120 + minutes + (2 hours). The maximum value is 28 days (40320 minutes). + </p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> +<dd><p> + Inbound zone transfers making no progress + in this many minutes will be terminated. The default is 60 + minutes + (1 hour). The maximum value is 28 days (40320 minutes). + </p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> +<dd><p> + Outbound zone transfers running longer than + this many minutes will be terminated. The default is 120 + minutes + (2 hours). The maximum value is 28 days (40320 minutes). + </p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> +<dd><p> + Outbound zone transfers making no progress + in this many minutes will be terminated. The default is 60 + minutes (1 + hour). The maximum value is 28 days (40320 minutes). + </p></dd> +<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt> +<dd> +<p> + Slave servers will periodically query master + servers to find out if zone serial numbers have + changed. Each such query uses a minute amount of + the slave server's network bandwidth. To limit + the amount of bandwidth used, BIND 9 limits the + rate at which queries are sent. The value of the + <span><strong class="command">serial-query-rate</strong></span> option, an + integer, is the maximum number of queries sent + per second. The default is 20. + </p> +<p> + In addition to controlling the rate SOA refresh + queries are issued at + <span><strong class="command">serial-query-rate</strong></span> also controls + the rate at which NOTIFY messages are sent from + both master and slave zones. + </p> +</dd> +<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt> +<dd><p> + In BIND 8, the <span><strong class="command">serial-queries</strong></span> + option + set the maximum number of concurrent serial number queries + allowed to be outstanding at any given time. + BIND 9 does not limit the number of outstanding + serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option. + Instead, it limits the rate at which the queries are sent + as defined using the <span><strong class="command">serial-query-rate</strong></span> option. + </p></dd> +<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt> +<dd><p> + Zone transfers can be sent using two different formats, + <span><strong class="command">one-answer</strong></span> and + <span><strong class="command">many-answers</strong></span>. + The <span><strong class="command">transfer-format</strong></span> option is used + on the master server to determine which format it sends. + <span><strong class="command">one-answer</strong></span> uses one DNS message per + resource record transferred. + <span><strong class="command">many-answers</strong></span> packs as many resource + records as possible into a message. + <span><strong class="command">many-answers</strong></span> is more efficient, but is + only supported by relatively new slave servers, + such as <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> + 8.x and <acronym class="acronym">BIND</acronym> 4.9.5 onwards. + The <span><strong class="command">many-answers</strong></span> format is also supported by + recent Microsoft Windows nameservers. + The default is <span><strong class="command">many-answers</strong></span>. + <span><strong class="command">transfer-format</strong></span> may be overridden on a + per-server basis by using the <span><strong class="command">server</strong></span> + statement. + </p></dd> +<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt> +<dd><p> + The maximum number of inbound zone transfers + that can be running concurrently. The default value is <code class="literal">10</code>. + Increasing <span><strong class="command">transfers-in</strong></span> may + speed up the convergence + of slave zones, but it also may increase the load on the + local system. + </p></dd> +<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt> +<dd><p> + The maximum number of outbound zone transfers + that can be running concurrently. Zone transfer requests in + excess + of the limit will be refused. The default value is <code class="literal">10</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt> +<dd><p> + The maximum number of inbound zone transfers + that can be concurrently transferring from a given remote + name server. + The default value is <code class="literal">2</code>. + Increasing <span><strong class="command">transfers-per-ns</strong></span> + may + speed up the convergence of slave zones, but it also may + increase + the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may + be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase + of the <span><strong class="command">server</strong></span> statement. + </p></dd> +<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> +<dd> +<p><span><strong class="command">transfer-source</strong></span> + determines which local address will be bound to IPv4 + TCP connections used to fetch zones transferred + inbound by the server. It also determines the + source IPv4 address, and optionally the UDP port, + used for the refresh queries and forwarded dynamic + updates. If not set, it defaults to a system + controlled value which will usually be the address + of the interface "closest to" the remote end. This + address must appear in the remote end's + <span><strong class="command">allow-transfer</strong></span> option for the + zone being transferred, if one is specified. This + statement sets the + <span><strong class="command">transfer-source</strong></span> for all zones, + but can be overridden on a per-view or per-zone + basis by including a + <span><strong class="command">transfer-source</strong></span> statement within + the <span><strong class="command">view</strong></span> or + <span><strong class="command">zone</strong></span> block in the configuration + file. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + Solaris 2.5.1 and earlier does not support setting the + source address for TCP sockets. + </p> +</div> +</dd> +<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> +<dd><p> + The same as <span><strong class="command">transfer-source</strong></span>, + except zone transfers are performed using IPv6. + </p></dd> +<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> +<dd> +<p> + An alternate transfer source if the one listed in + <span><strong class="command">transfer-source</strong></span> fails and + <span><strong class="command">use-alt-transfer-source</strong></span> is + set. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> + If you do not wish the alternate transfer source + to be used, you should set + <span><strong class="command">use-alt-transfer-source</strong></span> + appropriately and you should not depend upon + getting an answer back to the first refresh + query. + </div> +</dd> +<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> +<dd><p> + An alternate transfer source if the one listed in + <span><strong class="command">transfer-source-v6</strong></span> fails and + <span><strong class="command">use-alt-transfer-source</strong></span> is + set. + </p></dd> +<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> +<dd><p> + Use the alternate transfer sources or not. If views are + specified this defaults to <span><strong class="command">no</strong></span> + otherwise it defaults to + <span><strong class="command">yes</strong></span> (for BIND 8 + compatibility). + </p></dd> +<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> +<dd> +<p><span><strong class="command">notify-source</strong></span> + determines which local source address, and + optionally UDP port, will be used to send NOTIFY + messages. This address must appear in the slave + server's <span><strong class="command">masters</strong></span> zone clause or + in an <span><strong class="command">allow-notify</strong></span> clause. This + statement sets the <span><strong class="command">notify-source</strong></span> + for all zones, but can be overridden on a per-zone or + per-view basis by including a + <span><strong class="command">notify-source</strong></span> statement within + the <span><strong class="command">zone</strong></span> or + <span><strong class="command">view</strong></span> block in the configuration + file. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + Solaris 2.5.1 and earlier does not support setting the + source address for TCP sockets. + </p> +</div> +</dd> +<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> +<dd><p> + Like <span><strong class="command">notify-source</strong></span>, + but applies to notify messages sent to IPv6 addresses. + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2586366"></a>UDP Port Lists</h4></div></div></div> +<p> + <span><strong class="command">use-v4-udp-ports</strong></span>, + <span><strong class="command">avoid-v4-udp-ports</strong></span>, + <span><strong class="command">use-v6-udp-ports</strong></span>, and + <span><strong class="command">avoid-v6-udp-ports</strong></span> + specify a list of IPv4 and IPv6 UDP ports that will be + used or not used as source ports for UDP messages. + See <a href="Bv9ARM.ch06.html#query_address" title="Query Address">the section called “Query Address”</a> about how the + available ports are determined. + For example, with the following configuration + </p> +<pre class="programlisting"> +use-v6-udp-ports { range 32768 65535; }; +avoid-v6-udp-ports { 40000; range 50000 60000; }; +</pre> +<p> + UDP ports of IPv6 messages sent + from <span><strong class="command">named</strong></span> will be in one + of the following ranges: 32768 to 39999, 40001 to 49999, + and 60001 to 65535. + </p> +<p> + <span><strong class="command">avoid-v4-udp-ports</strong></span> and + <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used + to prevent <span><strong class="command">named</strong></span> from choosing as its random source port a + port that is blocked by your firewall or a port that is + used by other applications; + if a query went out with a source port blocked by a + firewall, the + answer would not get by the firewall and the name server would + have to query again. + Note: the desired range can also be represented only with + <span><strong class="command">use-v4-udp-ports</strong></span> and + <span><strong class="command">use-v6-udp-ports</strong></span>, and the + <span><strong class="command">avoid-</strong></span> options are redundant in that + sense; they are provided for backward compatibility and + to possibly simplify the port specification. + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2586426"></a>Operating System Resource Limits</h4></div></div></div> +<p> + The server's usage of many system resources can be limited. + Scaled values are allowed when specifying resource limits. For + example, <span><strong class="command">1G</strong></span> can be used instead of + <span><strong class="command">1073741824</strong></span> to specify a limit of + one + gigabyte. <span><strong class="command">unlimited</strong></span> requests + unlimited use, or the + maximum available amount. <span><strong class="command">default</strong></span> + uses the limit + that was in force when the server was started. See the description + of <span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called “Configuration File Elements”</a>. + </p> +<p> + The following options set operating system resource limits for + the name server process. Some operating systems don't support + some or + any of the limits. On such systems, a warning will be issued if + the + unsupported limit is used. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt> +<dd><p> + The maximum size of a core dump. The default + is <code class="literal">default</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt> +<dd><p> + The maximum amount of data memory the server + may use. The default is <code class="literal">default</code>. + This is a hard limit on server memory usage. + If the server attempts to allocate memory in excess of this + limit, the allocation will fail, which may in turn leave + the server unable to perform DNS service. Therefore, + this option is rarely useful as a way of limiting the + amount of memory used by the server, but it can be used + to raise an operating system data size limit that is + too small by default. If you wish to limit the amount + of memory used by the server, use the + <span><strong class="command">max-cache-size</strong></span> and + <span><strong class="command">recursive-clients</strong></span> + options instead. + </p></dd> +<dt><span class="term"><span><strong class="command">files</strong></span></span></dt> +<dd><p> + The maximum number of files the server + may have open concurrently. The default is <code class="literal">unlimited</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt> +<dd><p> + The maximum amount of stack memory the server + may use. The default is <code class="literal">default</code>. + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="server_resource_limits"></a>Server Resource Limits</h4></div></div></div> +<p> + The following options set limits on the server's + resource consumption that are enforced internally by the + server rather than the operating system. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt> +<dd><p> + This option is obsolete; it is accepted + and ignored for BIND 8 compatibility. The option + <span><strong class="command">max-journal-size</strong></span> performs a + similar function in BIND 9. + </p></dd> +<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> +<dd><p> + Sets a maximum size for each journal file + (see <a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called “The journal file”</a>). When the journal file + approaches + the specified size, some of the oldest transactions in the + journal + will be automatically removed. The largest permitted + value is 2 gigabytes. The default is + <code class="literal">unlimited</code>, which also + means 2 gigabytes. + This may also be set on a per-zone basis. + </p></dd> +<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt> +<dd><p> + In BIND 8, specifies the maximum number of host statistics + entries to be kept. + Not implemented in BIND 9. + </p></dd> +<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt> +<dd><p> + The maximum number of simultaneous recursive lookups + the server will perform on behalf of clients. The default + is + <code class="literal">1000</code>. Because each recursing + client uses a fair + bit of memory, on the order of 20 kilobytes, the value of + the + <span><strong class="command">recursive-clients</strong></span> option may + have to be decreased + on hosts with limited memory. + </p></dd> +<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt> +<dd><p> + The maximum number of simultaneous client TCP + connections that the server will accept. + The default is <code class="literal">100</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">reserved-sockets</strong></span></span></dt> +<dd> +<p> + The number of file descriptors reserved for TCP, stdio, + etc. This needs to be big enough to cover the number of + interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as + to provide room for outgoing TCP queries and incoming zone + transfers. The default is <code class="literal">512</code>. + The minimum value is <code class="literal">128</code> and the + maximum value is <code class="literal">128</code> less than + maxsockets (-S). This option may be removed in the future. + </p> +<p> + This option has little effect on Windows. + </p> +</dd> +<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt> +<dd><p> + The maximum amount of memory to use for the + server's cache, in bytes. + When the amount of data in the cache + reaches this limit, the server will cause records to expire + prematurely based on an LRU based strategy so that + the limit is not exceeded. + A value of 0 is special, meaning that + records are purged from the cache only when their + TTLs expire. + Another special keyword <strong class="userinput"><code>unlimited</code></strong> + means the maximum value of 32-bit unsigned integers + (0xffffffff), which may not have the same effect as + 0 on machines that support more than 32 bits of + memory space. + Any positive values less than 2MB will be ignored reset + to 2MB. + In a server with multiple views, the limit applies + separately to the cache of each view. + The default is 0. + </p></dd> +<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt> +<dd><p> + The listen queue depth. The default and minimum is 3. + If the kernel supports the accept filter "dataready" this + also controls how + many TCP connections that will be queued in kernel space + waiting for + some data before being passed to accept. Values less than 3 + will be + silently raised. + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2586917"></a>Periodic Task Intervals</h4></div></div></div> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt> +<dd><p> + This interval is effectively obsolete. Previously, + the server would remove expired resource records + from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes. + <acronym class="acronym">BIND</acronym> 9 now manages cache + memory in a more sophisticated manner and does not + rely on the periodic cleaning any more. + Specifying this option therefore has no effect on + the server's behavior. + </p></dd> +<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt> +<dd><p> + The server will perform zone maintenance tasks + for all zones marked as <span><strong class="command">dialup</strong></span> whenever this + interval expires. The default is 60 minutes. Reasonable + values are up + to 1 day (1440 minutes). The maximum value is 28 days + (40320 minutes). + If set to 0, no zone maintenance for these zones will occur. + </p></dd> +<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt> +<dd><p> + The server will scan the network interface list + every <span><strong class="command">interface-interval</strong></span> + minutes. The default + is 60 minutes. The maximum value is 28 days (40320 minutes). + If set to 0, interface scanning will only occur when + the configuration file is loaded. After the scan, the + server will + begin listening for queries on any newly discovered + interfaces (provided they are allowed by the + <span><strong class="command">listen-on</strong></span> configuration), and + will + stop listening on interfaces that have gone away. + </p></dd> +<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt> +<dd> +<p> + Name server statistics will be logged + every <span><strong class="command">statistics-interval</strong></span> + minutes. The default is + 60. The maximum value is 28 days (40320 minutes). + If set to 0, no statistics will be logged. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + Not yet implemented in + <acronym class="acronym">BIND</acronym> 9. + </p> +</div> +</dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="topology"></a>Topology</h4></div></div></div> +<p> + All other things being equal, when the server chooses a name + server + to query from a list of name servers, it prefers the one that is + topologically closest to itself. The <span><strong class="command">topology</strong></span> statement + takes an <span><strong class="command">address_match_list</strong></span> and + interprets it + in a special way. Each top-level list element is assigned a + distance. + Non-negated elements get a distance based on their position in the + list, where the closer the match is to the start of the list, the + shorter the distance is between it and the server. A negated match + will be assigned the maximum distance from the server. If there + is no match, the address will get a distance which is further than + any non-negated list element, and closer than any negated element. + For example, + </p> +<pre class="programlisting">topology { + 10/8; + !1.2.3/24; + { 1.2/16; 3/8; }; +};</pre> +<p> + will prefer servers on network 10 the most, followed by hosts + on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the + exception of hosts on network 1.2.3 (netmask 255.255.255.0), which + is preferred least of all. + </p> +<p> + The default topology is + </p> +<pre class="programlisting"> topology { localhost; localnets; }; +</pre> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + The <span><strong class="command">topology</strong></span> option + is not implemented in <acronym class="acronym">BIND</acronym> 9. + </p> +</div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div> +<p> + The response to a DNS query may consist of multiple resource + records (RRs) forming a resource records set (RRset). + The name server will normally return the + RRs within the RRset in an indeterminate order + (but see the <span><strong class="command">rrset-order</strong></span> + statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>). + The client resolver code should rearrange the RRs as appropriate, + that is, using any addresses on the local net in preference to + other addresses. + However, not all resolvers can do this or are correctly + configured. + When a client is using a local server, the sorting can be performed + in the server, based on the client's address. This only requires + configuring the name servers, not all the clients. + </p> +<p> + The <span><strong class="command">sortlist</strong></span> statement (see below) + takes + an <span><strong class="command">address_match_list</strong></span> and + interprets it even + more specifically than the <span><strong class="command">topology</strong></span> + statement + does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called “Topology”</a>). + Each top level statement in the <span><strong class="command">sortlist</strong></span> must + itself be an explicit <span><strong class="command">address_match_list</strong></span> with + one or two elements. The first element (which may be an IP + address, + an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>) + of each top level list is checked against the source address of + the query until a match is found. + </p> +<p> + Once the source address of the query has been matched, if + the top level statement contains only one element, the actual + primitive + element that matched the source address is used to select the + address + in the response to move to the beginning of the response. If the + statement is a list of two elements, then the second element is + treated the same as the <span><strong class="command">address_match_list</strong></span> in + a <span><strong class="command">topology</strong></span> statement. Each top + level element + is assigned a distance and the address in the response with the + minimum + distance is moved to the beginning of the response. + </p> +<p> + In the following example, any queries received from any of + the addresses of the host itself will get responses preferring + addresses + on any of the locally connected networks. Next most preferred are + addresses + on the 192.168.1/24 network, and after that either the + 192.168.2/24 + or + 192.168.3/24 network with no preference shown between these two + networks. Queries received from a host on the 192.168.1/24 network + will prefer other addresses on that network to the 192.168.2/24 + and + 192.168.3/24 networks. Queries received from a host on the + 192.168.4/24 + or the 192.168.5/24 network will only prefer other addresses on + their directly connected networks. + </p> +<pre class="programlisting">sortlist { + // IF the local host + // THEN first fit on the following nets + { localhost; + { localnets; + 192.168.1/24; + { 192.168.2/24; 192.168.3/24; }; }; }; + // IF on class C 192.168.1 THEN use .1, or .2 or .3 + { 192.168.1/24; + { 192.168.1/24; + { 192.168.2/24; 192.168.3/24; }; }; }; + // IF on class C 192.168.2 THEN use .2, or .1 or .3 + { 192.168.2/24; + { 192.168.2/24; + { 192.168.1/24; 192.168.3/24; }; }; }; + // IF on class C 192.168.3 THEN use .3, or .1 or .2 + { 192.168.3/24; + { 192.168.3/24; + { 192.168.1/24; 192.168.2/24; }; }; }; + // IF .4 or .5 THEN prefer that net + { { 192.168.4/24; 192.168.5/24; }; + }; +};</pre> +<p> + The following example will give reasonable behavior for the + local host and hosts on directly connected networks. It is similar + to the behavior of the address sort in <acronym class="acronym">BIND</acronym> 4.9.x. Responses sent + to queries from the local host will favor any of the directly + connected + networks. Responses sent to queries from any other hosts on a + directly + connected network will prefer addresses on that same network. + Responses + to other queries will not be sorted. + </p> +<pre class="programlisting">sortlist { + { localhost; localnets; }; + { localnets; }; +}; +</pre> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div> +<p> + When multiple records are returned in an answer it may be + useful to configure the order of the records placed into the + response. + The <span><strong class="command">rrset-order</strong></span> statement permits + configuration + of the ordering of the records in a multiple record response. + See also the <span><strong class="command">sortlist</strong></span> statement, + <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a>. + </p> +<p> + An <span><strong class="command">order_spec</strong></span> is defined as + follows: + </p> +<p> + [<span class="optional">class <em class="replaceable"><code>class_name</code></em></span>] + [<span class="optional">type <em class="replaceable"><code>type_name</code></em></span>] + [<span class="optional">name <em class="replaceable"><code>"domain_name"</code></em></span>] + order <em class="replaceable"><code>ordering</code></em> + </p> +<p> + If no class is specified, the default is <span><strong class="command">ANY</strong></span>. + If no type is specified, the default is <span><strong class="command">ANY</strong></span>. + If no name is specified, the default is "<span><strong class="command">*</strong></span>" (asterisk). + </p> +<p> + The legal values for <span><strong class="command">ordering</strong></span> are: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p><span><strong class="command">fixed</strong></span></p> + </td> +<td> + <p> + Records are returned in the order they + are defined in the zone file. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">random</strong></span></p> + </td> +<td> + <p> + Records are returned in some random order. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">cyclic</strong></span></p> + </td> +<td> + <p> + Records are returned in a cyclic round-robin order. + </p> + <p> + If <acronym class="acronym">BIND</acronym> is configured with the + "--enable-fixed-rrset" option at compile time, then + the initial ordering of the RRset will match the + one specified in the zone file. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + For example: + </p> +<pre class="programlisting">rrset-order { + class IN type A name "host.example.com" order random; + order cyclic; +}; +</pre> +<p> + will cause any responses for type A records in class IN that + have "<code class="literal">host.example.com</code>" as a + suffix, to always be returned + in random order. All other records are returned in cyclic order. + </p> +<p> + If multiple <span><strong class="command">rrset-order</strong></span> statements + appear, they are not combined — the last one applies. + </p> +<p> + By default, all records are returned in random order. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + In this release of <acronym class="acronym">BIND</acronym> 9, the + <span><strong class="command">rrset-order</strong></span> statement does not support + "fixed" ordering by default. Fixed ordering can be enabled + at compile time by specifying "--enable-fixed-rrset" on + the "configure" command line. + </p> +</div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="tuning"></a>Tuning</h4></div></div></div> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt> +<dd> +<p> + Sets the number of seconds to cache a + lame server indication. 0 disables caching. (This is + <span class="bold"><strong>NOT</strong></span> recommended.) + The default is <code class="literal">600</code> (10 minutes) and the + maximum value is + <code class="literal">1800</code> (30 minutes). + </p> +<p> + Lame-ttl also controls the amount of time DNSSEC + validation failures are cached. There is a minimum + of 30 seconds applied to bad cache entries if the + lame-ttl is set to less than 30 seconds. + </p> +</dd> +<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt> +<dd><p> + To reduce network traffic and increase performance, + the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is + used to set a maximum retention time for these answers in + the server + in seconds. The default + <span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours). + <span><strong class="command">max-ncache-ttl</strong></span> cannot exceed + 7 days and will + be silently truncated to 7 days if set to a greater value. + </p></dd> +<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt> +<dd><p> + Sets the maximum time for which the server will + cache ordinary (positive) answers. The default is + one week (7 days). + A value of zero may cause all queries to return + SERVFAIL, because of lost caches of intermediate + RRsets (such as NS and glue AAAA/A records) in the + resolution process. + </p></dd> +<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt> +<dd> +<p> + The minimum number of root servers that + is required for a request for the root servers to be + accepted. The default + is <strong class="userinput"><code>2</code></strong>. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + Not implemented in <acronym class="acronym">BIND</acronym> 9. + </p> +</div> +</dd> +<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> +<dd> +<p> + Specifies the number of days into the future when + DNSSEC signatures automatically generated as a + result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called “Dynamic Update”</a>) will expire. There + is an optional second field which specifies how + long before expiry that the signatures will be + regenerated. If not specified, the signatures will + be regenerated at 1/4 of base interval. The second + field is specified in days if the base interval is + greater than 7 days otherwise it is specified in hours. + The default base interval is <code class="literal">30</code> days + giving a re-signing interval of 7 1/2 days. The maximum + values are 10 years (3660 days). + </p> +<p> + The signature inception time is unconditionally + set to one hour before the current time to allow + for a limited amount of clock skew. + </p> +<p> + The <span><strong class="command">sig-validity-interval</strong></span> + should be, at least, several multiples of the SOA + expire interval to allow for reasonable interaction + between the various timer and expiry dates. + </p> +</dd> +<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt> +<dd><p> + Specify the maximum number of nodes to be + examined in each quantum when signing a zone with + a new DNSKEY. The default is + <code class="literal">100</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt> +<dd><p> + Specify a threshold number of signatures that + will terminate processing a quantum when signing + a zone with a new DNSKEY. The default is + <code class="literal">10</code>. + </p></dd> +<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt> +<dd> +<p> + Specify a private RDATA type to be used when generating + key signing records. The default is + <code class="literal">65534</code>. + </p> +<p> + It is expected that this parameter may be removed + in a future version once there is a standard type. + </p> +<p> + These records can be removed from the zone once named + has completed signing the zone with the matching key + using <span><strong class="command">nsupdate</strong></span> or + <span><strong class="command">rndc signing -clear</strong></span>. + <span><strong class="command">rndc signing -clear</strong></span> is the only supported + way to remove these records from + <span><strong class="command">inline-signing</strong></span> zones. + </p> +</dd> +<dt> +<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> +</dt> +<dd> +<p> + These options control the server's behavior on refreshing a + zone + (querying for SOA changes) or retrying failed transfers. + Usually the SOA values for the zone are used, but these + values + are set by the master, giving slave server administrators + little + control over their contents. + </p> +<p> + These options allow the administrator to set a minimum and + maximum + refresh and retry time either per-zone, per-view, or + globally. + These options are valid for slave and stub zones, + and clamp the SOA refresh and retry times to the specified + values. + </p> +<p> + The following defaults apply. + <span><strong class="command">min-refresh-time</strong></span> 300 seconds, + <span><strong class="command">max-refresh-time</strong></span> 2419200 seconds + (4 weeks), <span><strong class="command">min-retry-time</strong></span> 500 seconds, + and <span><strong class="command">max-retry-time</strong></span> 1209600 seconds + (2 weeks). + </p> +</dd> +<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt> +<dd> +<p> + Sets the advertised EDNS UDP buffer size in bytes + to control the size of packets received. + Valid values are 512 to 4096 (values outside this range + will be silently adjusted). The default value + is 4096. The usual reason for setting + <span><strong class="command">edns-udp-size</strong></span> to a non-default + value is to get UDP answers to pass through broken + firewalls that block fragmented packets and/or + block UDP packets that are greater than 512 bytes. + </p> +<p> + <span><strong class="command">named</strong></span> will fallback to using 512 bytes + if it get a series of timeout at the initial value. 512 + bytes is not being offered to encourage sites to fix their + firewalls. Small EDNS UDP sizes will result in the + excessive use of TCP. + </p> +</dd> +<dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt> +<dd> +<p> + Sets the maximum EDNS UDP message size + <span><strong class="command">named</strong></span> will send in bytes. + Valid values are 512 to 4096 (values outside this + range will be silently adjusted). The default + value is 4096. The usual reason for setting + <span><strong class="command">max-udp-size</strong></span> to a non-default + value is to get UDP answers to pass through broken + firewalls that block fragmented packets and/or + block UDP packets that are greater than 512 bytes. + This is independent of the advertised receive + buffer (<span><strong class="command">edns-udp-size</strong></span>). + </p> +<p> + Setting this to a low value will encourage additional + TCP traffic to the nameserver. + </p> +</dd> +<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> +<dd> +<p>Specifies + the file format of zone files (see + <a href="Bv9ARM.ch06.html#zonefile_format" title="Additional File Formats">the section called “Additional File Formats”</a>). + The default value is <code class="constant">text</code>, which is the + standard textual representation, except for slave zones, + in which the default value is <code class="constant">raw</code>. + Files in other formats than <code class="constant">text</code> are + typically expected to be generated by the + <span><strong class="command">named-compilezone</strong></span> tool, or dumped by + <span><strong class="command">named</strong></span>. + </p> +<p> + Note that when a zone file in a different format than + <code class="constant">text</code> is loaded, <span><strong class="command">named</strong></span> + may omit some of the checks which would be performed for a + file in the <code class="constant">text</code> format. In particular, + <span><strong class="command">check-names</strong></span> checks do not apply + for the <code class="constant">raw</code> format. This means + a zone file in the <code class="constant">raw</code> format + must be generated with the same check level as that + specified in the <span><strong class="command">named</strong></span> configuration + file. This statement sets the + <span><strong class="command">masterfile-format</strong></span> for all zones, + but can be overridden on a per-zone or per-view basis + by including a <span><strong class="command">masterfile-format</strong></span> + statement within the <span><strong class="command">zone</strong></span> or + <span><strong class="command">view</strong></span> block in the configuration + file. + </p> +</dd> +<dt> +<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span> +</dt> +<dd> +<p>These set the + initial value (minimum) and maximum number of recursive + simultaneous clients for any given query + (<qname,qtype,qclass>) that the server will accept + before dropping additional clients. <span><strong class="command">named</strong></span> will attempt to + self tune this value and changes will be logged. The + default values are 10 and 100. + </p> +<p> + This value should reflect how many queries come in for + a given name in the time it takes to resolve that name. + If the number of queries exceed this value, <span><strong class="command">named</strong></span> will + assume that it is dealing with a non-responsive zone + and will drop additional queries. If it gets a response + after dropping queries, it will raise the estimate. The + estimate will then be lowered in 20 minutes if it has + remained unchanged. + </p> +<p> + If <span><strong class="command">clients-per-query</strong></span> is set to zero, + then there is no limit on the number of clients per query + and no queries will be dropped. + </p> +<p> + If <span><strong class="command">max-clients-per-query</strong></span> is set to zero, + then there is no upper bound other than imposed by + <span><strong class="command">recursive-clients</strong></span>. + </p> +</dd> +<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> +<dd> +<p> + The delay, in seconds, between sending sets of notify + messages for a zone. The default is five (5) seconds. + </p> +<p> + The overall rate that NOTIFY messages are sent for all + zones is controlled by <span><strong class="command">serial-query-rate</strong></span>. + </p> +</dd> +<dt><span class="term"><span><strong class="command">max-rsa-exponent-size</strong></span></span></dt> +<dd><p> + The maximum RSA exponent size, in bits, that will + be accepted when validating. Valid values are 35 + to 4096 bits. The default zero (0) is also accepted + and is equivalent to 4096. + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="builtin"></a>Built-in server information zones</h4></div></div></div> +<p> + The server provides some helpful diagnostic information + through a number of built-in zones under the + pseudo-top-level-domain <code class="literal">bind</code> in the + <span><strong class="command">CHAOS</strong></span> class. These zones are part + of a + built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called “<span><strong class="command">view</strong></span> Statement Grammar”</a>) of + class + <span><strong class="command">CHAOS</strong></span> which is separate from the + default view of class <span><strong class="command">IN</strong></span>. Most global + configuration options (<span><strong class="command">allow-query</strong></span>, + etc) will apply to this view, but some are locally + overridden: <span><strong class="command">notify</strong></span>, + <span><strong class="command">recursion</strong></span> and + <span><strong class="command">allow-new-zones</strong></span> are + always set to <strong class="userinput"><code>no</code></strong>. + </p> +<p> + If you need to disable these zones, use the options + below, or hide the built-in <span><strong class="command">CHAOS</strong></span> + view by + defining an explicit view of class <span><strong class="command">CHAOS</strong></span> + that matches all clients. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">version</strong></span></span></dt> +<dd><p> + The version the server should report + via a query of the name <code class="literal">version.bind</code> + with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. + The default is the real version number of this server. + Specifying <span><strong class="command">version none</strong></span> + disables processing of the queries. + </p></dd> +<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt> +<dd><p> + The hostname the server should report via a query of + the name <code class="filename">hostname.bind</code> + with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. + This defaults to the hostname of the machine hosting the + name server as + found by the gethostname() function. The primary purpose of such queries + is to + identify which of a group of anycast servers is actually + answering your queries. Specifying <span><strong class="command">hostname none;</strong></span> + disables processing of the queries. + </p></dd> +<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt> +<dd><p> + The ID the server should report when receiving a Name + Server Identifier (NSID) query, or a query of the name + <code class="filename">ID.SERVER</code> with type + <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>. + The primary purpose of such queries is to + identify which of a group of anycast servers is actually + answering your queries. Specifying <span><strong class="command">server-id none;</strong></span> + disables processing of the queries. + Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to + use the hostname as found by the gethostname() function. + The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>. + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="empty"></a>Built-in Empty Zones</h4></div></div></div> +<p> + Named has some built-in empty zones (SOA and NS records only). + These are for zones that should normally be answered locally + and which queries should not be sent to the Internet's root + servers. The official servers which cover these namespaces + return NXDOMAIN responses to these queries. In particular, + these cover the reverse namespaces for addresses from + RFC 1918, RFC 4193, RFC 5737 and RFC 6598. They also include the + reverse namespace for IPv6 local address (locally assigned), + IPv6 link local addresses, the IPv6 loopback address and the + IPv6 unknown address. + </p> +<p> + Named will attempt to determine if a built-in zone already exists + or is active (covered by a forward-only forwarding declaration) + and will not create an empty zone in that case. + </p> +<p> + The current list of empty zones is: + </p> +<div class="itemizedlist"><ul type="disc"> +<li>10.IN-ADDR.ARPA</li> +<li>16.172.IN-ADDR.ARPA</li> +<li>17.172.IN-ADDR.ARPA</li> +<li>18.172.IN-ADDR.ARPA</li> +<li>19.172.IN-ADDR.ARPA</li> +<li>20.172.IN-ADDR.ARPA</li> +<li>21.172.IN-ADDR.ARPA</li> +<li>22.172.IN-ADDR.ARPA</li> +<li>23.172.IN-ADDR.ARPA</li> +<li>24.172.IN-ADDR.ARPA</li> +<li>25.172.IN-ADDR.ARPA</li> +<li>26.172.IN-ADDR.ARPA</li> +<li>27.172.IN-ADDR.ARPA</li> +<li>28.172.IN-ADDR.ARPA</li> +<li>29.172.IN-ADDR.ARPA</li> +<li>30.172.IN-ADDR.ARPA</li> +<li>31.172.IN-ADDR.ARPA</li> +<li>168.192.IN-ADDR.ARPA</li> +<li>64.100.IN-ADDR.ARPA</li> +<li>65.100.IN-ADDR.ARPA</li> +<li>66.100.IN-ADDR.ARPA</li> +<li>67.100.IN-ADDR.ARPA</li> +<li>68.100.IN-ADDR.ARPA</li> +<li>69.100.IN-ADDR.ARPA</li> +<li>70.100.IN-ADDR.ARPA</li> +<li>71.100.IN-ADDR.ARPA</li> +<li>72.100.IN-ADDR.ARPA</li> +<li>73.100.IN-ADDR.ARPA</li> +<li>74.100.IN-ADDR.ARPA</li> +<li>75.100.IN-ADDR.ARPA</li> +<li>76.100.IN-ADDR.ARPA</li> +<li>77.100.IN-ADDR.ARPA</li> +<li>78.100.IN-ADDR.ARPA</li> +<li>79.100.IN-ADDR.ARPA</li> +<li>80.100.IN-ADDR.ARPA</li> +<li>81.100.IN-ADDR.ARPA</li> +<li>82.100.IN-ADDR.ARPA</li> +<li>83.100.IN-ADDR.ARPA</li> +<li>84.100.IN-ADDR.ARPA</li> +<li>85.100.IN-ADDR.ARPA</li> +<li>86.100.IN-ADDR.ARPA</li> +<li>87.100.IN-ADDR.ARPA</li> +<li>88.100.IN-ADDR.ARPA</li> +<li>89.100.IN-ADDR.ARPA</li> +<li>90.100.IN-ADDR.ARPA</li> +<li>91.100.IN-ADDR.ARPA</li> +<li>92.100.IN-ADDR.ARPA</li> +<li>93.100.IN-ADDR.ARPA</li> +<li>94.100.IN-ADDR.ARPA</li> +<li>95.100.IN-ADDR.ARPA</li> +<li>96.100.IN-ADDR.ARPA</li> +<li>97.100.IN-ADDR.ARPA</li> +<li>98.100.IN-ADDR.ARPA</li> +<li>99.100.IN-ADDR.ARPA</li> +<li>100.100.IN-ADDR.ARPA</li> +<li>101.100.IN-ADDR.ARPA</li> +<li>102.100.IN-ADDR.ARPA</li> +<li>103.100.IN-ADDR.ARPA</li> +<li>104.100.IN-ADDR.ARPA</li> +<li>105.100.IN-ADDR.ARPA</li> +<li>106.100.IN-ADDR.ARPA</li> +<li>107.100.IN-ADDR.ARPA</li> +<li>108.100.IN-ADDR.ARPA</li> +<li>109.100.IN-ADDR.ARPA</li> +<li>110.100.IN-ADDR.ARPA</li> +<li>111.100.IN-ADDR.ARPA</li> +<li>112.100.IN-ADDR.ARPA</li> +<li>113.100.IN-ADDR.ARPA</li> +<li>114.100.IN-ADDR.ARPA</li> +<li>115.100.IN-ADDR.ARPA</li> +<li>116.100.IN-ADDR.ARPA</li> +<li>117.100.IN-ADDR.ARPA</li> +<li>118.100.IN-ADDR.ARPA</li> +<li>119.100.IN-ADDR.ARPA</li> +<li>120.100.IN-ADDR.ARPA</li> +<li>121.100.IN-ADDR.ARPA</li> +<li>122.100.IN-ADDR.ARPA</li> +<li>123.100.IN-ADDR.ARPA</li> +<li>124.100.IN-ADDR.ARPA</li> +<li>125.100.IN-ADDR.ARPA</li> +<li>126.100.IN-ADDR.ARPA</li> +<li>127.100.IN-ADDR.ARPA</li> +<li>0.IN-ADDR.ARPA</li> +<li>127.IN-ADDR.ARPA</li> +<li>254.169.IN-ADDR.ARPA</li> +<li>2.0.192.IN-ADDR.ARPA</li> +<li>100.51.198.IN-ADDR.ARPA</li> +<li>113.0.203.IN-ADDR.ARPA</li> +<li>255.255.255.255.IN-ADDR.ARPA</li> +<li>0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> +<li>1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA</li> +<li>8.B.D.0.1.0.0.2.IP6.ARPA</li> +<li>D.F.IP6.ARPA</li> +<li>8.E.F.IP6.ARPA</li> +<li>9.E.F.IP6.ARPA</li> +<li>A.E.F.IP6.ARPA</li> +<li>B.E.F.IP6.ARPA</li> +</ul></div> +<p> + </p> +<p> + Empty zones are settable at the view level and only apply to + views of class IN. Disabled empty zones are only inherited + from options if there are no disabled empty zones specified + at the view level. To override the options list of disabled + zones, you can disable the root zone at the view level, for example: +</p> +<pre class="programlisting"> + disable-empty-zone "."; +</pre> +<p> + </p> +<p> + If you are using the address ranges covered here, you should + already have reverse zones covering the addresses you use. + In practice this appears to not be the case with many queries + being made to the infrastructure servers for names in these + spaces. So many in fact that sacrificial servers were needed + to be deployed to channel the query load away from the + infrastructure servers. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> + The real parent servers for these zones should disable all + empty zone under the parent zone they serve. For the real + root servers, this is all built-in empty zones. This will + enable them to return referrals to deeper in the tree. + </div> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">empty-server</strong></span></span></dt> +<dd><p> + Specify what server name will appear in the returned + SOA record for empty zones. If none is specified, then + the zone's name will be used. + </p></dd> +<dt><span class="term"><span><strong class="command">empty-contact</strong></span></span></dt> +<dd><p> + Specify what contact name will appear in the returned + SOA record for empty zones. If none is specified, then + "." will be used. + </p></dd> +<dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt> +<dd><p> + Enable or disable all empty zones. By default, they + are enabled. + </p></dd> +<dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt> +<dd><p> + Disable individual empty zones. By default, none are + disabled. This option can be specified multiple times. + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="acache"></a>Additional Section Caching</h4></div></div></div> +<p> + The additional section cache, also called <span><strong class="command">acache</strong></span>, + is an internal cache to improve the response performance of BIND 9. + When additional section caching is enabled, BIND 9 will + cache an internal short-cut to the additional section content for + each answer RR. + Note that <span><strong class="command">acache</strong></span> is an internal caching + mechanism of BIND 9, and is not related to the DNS caching + server function. + </p> +<p> + Additional section caching does not change the + response content (except the RRsets ordering of the additional + section, see below), but can improve the response performance + significantly. + It is particularly effective when BIND 9 acts as an authoritative + server for a zone that has many delegations with many glue RRs. + </p> +<p> + In order to obtain the maximum performance improvement + from additional section caching, setting + <span><strong class="command">additional-from-cache</strong></span> + to <span><strong class="command">no</strong></span> is recommended, since the current + implementation of <span><strong class="command">acache</strong></span> + does not short-cut of additional section information from the + DNS cache data. + </p> +<p> + One obvious disadvantage of <span><strong class="command">acache</strong></span> is + that it requires much more + memory for the internal cached data. + Thus, if the response performance does not matter and memory + consumption is much more critical, the + <span><strong class="command">acache</strong></span> mechanism can be + disabled by setting <span><strong class="command">acache-enable</strong></span> to + <span><strong class="command">no</strong></span>. + It is also possible to specify the upper limit of memory + consumption + for acache by using <span><strong class="command">max-acache-size</strong></span>. + </p> +<p> + Additional section caching also has a minor effect on the + RRset ordering in the additional section. + Without <span><strong class="command">acache</strong></span>, + <span><strong class="command">cyclic</strong></span> order is effective for the additional + section as well as the answer and authority sections. + However, additional section caching fixes the ordering when it + first caches an RRset for the additional section, and the same + ordering will be kept in succeeding responses, regardless of the + setting of <span><strong class="command">rrset-order</strong></span>. + The effect of this should be minor, however, since an + RRset in the additional section + typically only contains a small number of RRs (and in many cases + it only contains a single RR), in which case the + ordering does not matter much. + </p> +<p> + The following is a summary of options related to + <span><strong class="command">acache</strong></span>. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">acache-enable</strong></span></span></dt> +<dd><p> + If <span><strong class="command">yes</strong></span>, additional section caching is + enabled. The default value is <span><strong class="command">no</strong></span>. + </p></dd> +<dt><span class="term"><span><strong class="command">acache-cleaning-interval</strong></span></span></dt> +<dd><p> + The server will remove stale cache entries, based on an LRU + based + algorithm, every <span><strong class="command">acache-cleaning-interval</strong></span> minutes. + The default is 60 minutes. + If set to 0, no periodic cleaning will occur. + </p></dd> +<dt><span class="term"><span><strong class="command">max-acache-size</strong></span></span></dt> +<dd><p> + The maximum amount of memory in bytes to use for the server's acache. + When the amount of data in the acache reaches this limit, + the server + will clean more aggressively so that the limit is not + exceeded. + In a server with multiple views, the limit applies + separately to the + acache of each view. + The default is <code class="literal">16M</code>. + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2589223"></a>Content Filtering</h4></div></div></div> +<p> + <acronym class="acronym">BIND</acronym> 9 provides the ability to filter + out DNS responses from external DNS servers containing + certain types of data in the answer section. + Specifically, it can reject address (A or AAAA) records if + the corresponding IPv4 or IPv6 addresses match the given + <code class="varname">address_match_list</code> of the + <span><strong class="command">deny-answer-addresses</strong></span> option. + It can also reject CNAME or DNAME records if the "alias" + name (i.e., the CNAME alias or the substituted query name + due to DNAME) matches the + given <code class="varname">namelist</code> of the + <span><strong class="command">deny-answer-aliases</strong></span> option, where + "match" means the alias name is a subdomain of one of + the <code class="varname">name_list</code> elements. + If the optional <code class="varname">namelist</code> is specified + with <span><strong class="command">except-from</strong></span>, records whose query name + matches the list will be accepted regardless of the filter + setting. + Likewise, if the alias name is a subdomain of the + corresponding zone, the <span><strong class="command">deny-answer-aliases</strong></span> + filter will not apply; + for example, even if "example.com" is specified for + <span><strong class="command">deny-answer-aliases</strong></span>, + </p> +<pre class="programlisting">www.example.com. CNAME xxx.example.com.</pre> +<p> + returned by an "example.com" server will be accepted. + </p> +<p> + In the <code class="varname">address_match_list</code> of the + <span><strong class="command">deny-answer-addresses</strong></span> option, only + <code class="varname">ip_addr</code> + and <code class="varname">ip_prefix</code> + are meaningful; + any <code class="varname">key_id</code> will be silently ignored. + </p> +<p> + If a response message is rejected due to the filtering, + the entire message is discarded without being cached, and + a SERVFAIL error will be returned to the client. + </p> +<p> + This filtering is intended to prevent "DNS rebinding attacks," in + which an attacker, in response to a query for a domain name the + attacker controls, returns an IP address within your own network or + an alias name within your own domain. + A naive web browser or script could then serve as an + unintended proxy, allowing the attacker + to get access to an internal node of your local network + that couldn't be externally accessed otherwise. + See the paper available at + <a href="http://portal.acm.org/citation.cfm?id=1315245.1315298" target="_top"> + http://portal.acm.org/citation.cfm?id=1315245.1315298 + </a> + for more details about the attacks. + </p> +<p> + For example, if you own a domain named "example.net" and + your internal network uses an IPv4 prefix 192.0.2.0/24, + you might specify the following rules: + </p> +<pre class="programlisting">deny-answer-addresses { 192.0.2.0/24; } except-from { "example.net"; }; +deny-answer-aliases { "example.net"; }; +</pre> +<p> + If an external attacker lets a web browser in your local + network look up an IPv4 address of "attacker.example.com", + the attacker's DNS server would return a response like this: + </p> +<pre class="programlisting">attacker.example.com. A 192.0.2.1</pre> +<p> + in the answer section. + Since the rdata of this record (the IPv4 address) matches + the specified prefix 192.0.2.0/24, this response will be + ignored. + </p> +<p> + On the other hand, if the browser looks up a legitimate + internal web server "www.example.net" and the + following response is returned to + the <acronym class="acronym">BIND</acronym> 9 server + </p> +<pre class="programlisting">www.example.net. A 192.0.2.2</pre> +<p> + it will be accepted since the owner name "www.example.net" + matches the <span><strong class="command">except-from</strong></span> element, + "example.net". + </p> +<p> + Note that this is not really an attack on the DNS per se. + In fact, there is nothing wrong for an "external" name to + be mapped to your "internal" IP address or domain name + from the DNS point of view. + It might actually be provided for a legitimate purpose, + such as for debugging. + As long as the mapping is provided by the correct owner, + it is not possible or does not make sense to detect + whether the intent of the mapping is legitimate or not + within the DNS. + The "rebinding" attack must primarily be protected at the + application that uses the DNS. + For a large site, however, it may be difficult to protect + all possible applications at once. + This filtering feature is provided only to help such an + operational environment; + it is generally discouraged to turn it on unless you are + very sure you have no other choice and the attack is a + real threat for your applications. + </p> +<p> + Care should be particularly taken if you want to use this + option for addresses within 127.0.0.0/8. + These addresses are obviously "internal", but many + applications conventionally rely on a DNS mapping from + some name to such an address. + Filtering out DNS records containing this address + spuriously can break such applications. + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2589417"></a>Response Policy Zone (RPZ) Rewriting</h4></div></div></div> +<p> + <acronym class="acronym">BIND</acronym> 9 includes a limited + mechanism to modify DNS responses for requests + analogous to email anti-spam DNS blacklists. + Responses can be changed to deny the existence of domains(NXDOMAIN), + deny the existence of IP addresses for domains (NODATA), + or contain other IP addresses or data. + </p> +<p> + Response policy zones are named in the + <span><strong class="command">response-policy</strong></span> option for the view or among the + global options if there is no response-policy option for the view. + RPZs are ordinary DNS zones containing RRsets + that can be queried normally if allowed. + It is usually best to restrict those queries with something like + <span><strong class="command">allow-query { localhost; };</strong></span>. + </p> +<p> + Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP, + and NSDNAME. + QNAME RPZ records triggered by query names of requests and targets + of CNAME records resolved to generate the response. + The owner name of a QNAME RPZ record is the query name relativized + to the RPZ. + </p> +<p> + The second kind of RPZ trigger is an IP address in an A and AAAA + record in the ANSWER section of a response. + IP address triggers are encoded in records that have owner names + that are subdomains of <strong class="userinput"><code>rpz-ip</code></strong> relativized + to the RPZ origin name and encode an IP address or address block. + IPv4 trigger addresses are represented as + <strong class="userinput"><code>prefixlength.B4.B3.B2.B1.rpz-ip</code></strong>. + The prefix length must be between 1 and 32. + All four bytes, B4, B3, B2, and B1, must be present. + B4 is the decimal value of the least significant byte of the + IPv4 address as in IN-ADDR.ARPA. + IPv6 addresses are encoded in a format similar to the standard + IPv6 text representation, + <strong class="userinput"><code>prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip</code></strong>. + Each of W8,...,W1 is a one to four digit hexadecimal number + representing 16 bits of the IPv6 address as in the standard text + representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA. + All 8 words must be present except when consecutive + zero words are replaced with <strong class="userinput"><code>.zz.</code></strong> + analogous to double colons (::) in standard IPv6 text encodings. + The prefix length must be between 1 and 128. + </p> +<p> + NSDNAME triggers match names of authoritative servers + for the query name, a parent of the query name, a CNAME for + query name, or a parent of a CNAME. + They are encoded as subdomains of + <strong class="userinput"><code>rpz-nsdomain</code></strong> relativized + to the RPZ origin name. + NSIP triggers match IP addresses in A and + AAAA RRsets for domains that can be checked against NSDNAME + policy records. + NSIP triggers are encoded like IP triggers except as subdomains of + <strong class="userinput"><code>rpz-nsip</code></strong>. + NSDNAME and NSIP triggers are checked only for names with at + least <span><strong class="command">min-ns-dots</strong></span> dots. + The default value of <span><strong class="command">min-ns-dots</strong></span> is 1 to + exclude top level domains. + </p> +<p> + The query response is checked against all RPZs, so + two or more policy records can be triggered by a response. + Because DNS responses can be rewritten according to at most one + policy record, a single record encoding an action (other than + <span><strong class="command">DISABLED</strong></span> actions) must be chosen. + Triggers or the records that encode them are chosen in + the following order: + </p> +<div class="itemizedlist"><ul type="disc"> +<li>Choose the triggered record in the zone that appears + first in the response-policy option. + </li> +<li>Prefer QNAME to IP to NSDNAME to NSIP triggers + in a single zone. + </li> +<li>Among NSDNAME triggers, prefer the + trigger that matches the smallest name under the DNSSEC ordering. + </li> +<li>Among IP or NSIP triggers, prefer the trigger + with the longest prefix. + </li> +<li>Among triggers with the same prefex length, + prefer the IP or NSIP trigger that matches + the smallest IP address. + </li> +</ul></div> +<p> + </p> +<p> + When the processing of a response is restarted to resolve + DNAME or CNAME records and a policy record set has + not been triggered, + all RPZs are again consulted for the DNAME or CNAME names + and addresses. + </p> +<p> + RPZ record sets are sets of any types of DNS record except + DNAME or DNSSEC that encode actions or responses to queries. + </p> +<div class="itemizedlist"><ul type="disc"> +<li>The <span><strong class="command">NXDOMAIN</strong></span> response is encoded + by a CNAME whose target is the root domain (.) + </li> +<li>A CNAME whose target is the wildcard top-level + domain (*.) specifies the <span><strong class="command">NODATA</strong></span> action, + which rewrites the response to NODATA or ANCOUNT=1. + </li> +<li>The <span><strong class="command">Local Data</strong></span> action is + represented by a set ordinary DNS records that are used + to answer queries. Queries for record types not the + set are answered with NODATA. + + A special form of local data is a CNAME whose target is a + wildcard such as *.example.com. + It is used as if were an ordinary CNAME after the astrisk (*) + has been replaced with the query name. + The purpose for this special form is query logging in the + walled garden's authority DNS server. + </li> +<li>The <span><strong class="command">PASSTHRU</strong></span> policy is specified + by a CNAME whose target is <span><strong class="command">rpz-passthru.</strong></span> + It causes the response to not be rewritten + and is most often used to "poke holes" in policies for + CIDR blocks. + (A CNAME whose target is the variable part of its owner name + is an obsolete specification of the PASSTHRU policy.) + </li> +</ul></div> +<p> + </p> +<p> + The actions specified in an RPZ can be overridden with a + <span><strong class="command">policy</strong></span> clause in the + <span><strong class="command">response-policy</strong></span> option. + An organization using an RPZ provided by another organization might + use this mechanism to redirect domains to its own walled garden. + </p> +<div class="itemizedlist"><ul type="disc"> +<li> +<span><strong class="command">GIVEN</strong></span> says "do not override but + perform the action specified in the zone." + </li> +<li> +<span><strong class="command">DISABLED</strong></span> causes policy records to do + nothing but log what they might have done. + The response to the DNS query will be written according to + any triggered policy records that are not disabled. + Disabled policy zones should appear first, + because they will often not be logged + if a higher precedence trigger is found first. + </li> +<li> +<span><strong class="command">PASSTHRU</strong></span> causes all policy records + to act as if they were CNAME records with targets the variable + part of their owner name. They protect the response from + being changed. + </li> +<li> +<span><strong class="command">NXDOMAIN</strong></span> causes all RPZ records + to specify NXDOMAIN policies. + </li> +<li> +<span><strong class="command">NODATA</strong></span> overrides with the + NODATA policy + </li> +<li> +<span><strong class="command">CNAME domain</strong></span> causes all RPZ + policy records to act as if they were "cname domain" records. + </li> +</ul></div> +<p> + </p> +<p> + By default, the actions encoded in an RPZ are applied + only to queries that ask for recursion (RD=1). + That default can be changed for a single RPZ or all RPZs in a view + with a <span><strong class="command">recursive-only no</strong></span> clause. + This feature is useful for serving the same zone files + both inside and outside an RFC 1918 cloud and using RPZ to + delete answers that would otherwise contain RFC 1918 values + on the externally visible name server or view. + </p> +<p> + Also by default, RPZ actions are applied only to DNS requests that + either do not request DNSSEC metadata (DO=0) or when no DNSSEC + records are available for request name in the original zone (not + the response policy zone). + This default can be changed for all RPZs in a view with a + <span><strong class="command">break-dnssec yes</strong></span> clause. + In that case, RPZ actions are applied regardless of DNSSEC. + The name of the clause option reflects the fact that results + rewritten by RPZ actions cannot verify. + </p> +<p> + The TTL of a record modified by RPZ policies is set from the + TTL of the relevant record in policy zone. It is then limited + to a maximum value. + The <span><strong class="command">max-policy-ttl</strong></span> clause changes that + maximum from its default of 5. + </p> +<p> + For example, you might use this option statement + </p> +<pre class="programlisting"> response-policy { zone "badlist"; };</pre> +<p> + and this zone statement + </p> +<pre class="programlisting"> zone "badlist" {type master; file "master/badlist"; allow-query {none;}; };</pre> +<p> + with this zone file + </p> +<pre class="programlisting">$TTL 1H +@ SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h) + NS LOCALHOST. + +; QNAME policy records. There are no periods (.) after the owner names. +nxdomain.domain.com CNAME . ; NXDOMAIN policy +nodata.domain.com CNAME *. ; NODATA policy +bad.domain.com A 10.0.0.1 ; redirect to a walled garden + AAAA 2001:2::1 + +; do not rewrite (PASSTHRU) OK.DOMAIN.COM +ok.domain.com CNAME rpz-passthru. + +bzone.domain.com CNAME garden.example.com. + +; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com +*.bzone.domain.com CNAME *.garden.example.com. + + +; IP policy records that rewrite all answers for 127/8 except 127.0.0.1 +8.0.0.0.127.rpz-ip CNAME . +32.1.0.0.127.rpz-ip CNAME rpz-passthru. + +; NSDNAME and NSIP policy records +ns.domain.com.rpz-nsdname CNAME . +48.zz.2.2001.rpz-nsip CNAME . +</pre> +<p> + RPZ can affect server performance. + Each configured response policy zone requires the server to + perform one to four additional database lookups before a + query can be answered. + For example, a DNS server with four policy zones, each with all + four kinds of response triggers, QNAME, IP, NSIP, and + NSDNAME, requires a total of 17 times as many database + lookups as a similar DNS server with no response policy zones. + A <acronym class="acronym">BIND9</acronym> server with adequate memory and one + response policy zone with QNAME and IP triggers might achieve a + maximum queries-per-second rate about 20% lower. + A server with four response policy zones with QNAME and IP + triggers might have a maximum QPS rate about 50% lower. + </p> +<p> + Responses rewritten by RPZ are counted in the + <span><strong class="command">RPZRewrites</strong></span> statistics. + </p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">server</strong></span> <em class="replaceable"><code>ip_addr[/prefixlen]</code></em> { + [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-udp-size <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>] + [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>] + [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] + [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>] + [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] + [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>] + [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> queryport-pool-updateinterval <em class="replaceable"><code>number</code></em>; </span>] +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and + Usage</h3></div></div></div> +<p> + The <span><strong class="command">server</strong></span> statement defines + characteristics + to be associated with a remote name server. If a prefix length is + specified, then a range of servers is covered. Only the most + specific + server clause applies regardless of the order in + <code class="filename">named.conf</code>. + </p> +<p> + The <span><strong class="command">server</strong></span> statement can occur at + the top level of the + configuration file or inside a <span><strong class="command">view</strong></span> + statement. + If a <span><strong class="command">view</strong></span> statement contains + one or more <span><strong class="command">server</strong></span> statements, only + those + apply to the view and any top-level ones are ignored. + If a view contains no <span><strong class="command">server</strong></span> + statements, + any top-level <span><strong class="command">server</strong></span> statements are + used as + defaults. + </p> +<p> + If you discover that a remote server is giving out bad data, + marking it as bogus will prevent further queries to it. The + default + value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>. + </p> +<p> + The <span><strong class="command">provide-ixfr</strong></span> clause determines + whether + the local server, acting as master, will respond with an + incremental + zone transfer when the given remote server, a slave, requests it. + If set to <span><strong class="command">yes</strong></span>, incremental transfer + will be provided + whenever possible. If set to <span><strong class="command">no</strong></span>, + all transfers + to the remote server will be non-incremental. If not set, the + value + of the <span><strong class="command">provide-ixfr</strong></span> option in the + view or + global options block is used as a default. + </p> +<p> + The <span><strong class="command">request-ixfr</strong></span> clause determines + whether + the local server, acting as a slave, will request incremental zone + transfers from the given remote server, a master. If not set, the + value of the <span><strong class="command">request-ixfr</strong></span> option in + the view or global options block is used as a default. It may + also be set in the zone block and, if set there, it will + override the global or view setting for that zone. + </p> +<p> + IXFR requests to servers that do not support IXFR will + automatically + fall back to AXFR. Therefore, there is no need to manually list + which servers support IXFR and which ones do not; the global + default + of <span><strong class="command">yes</strong></span> should always work. + The purpose of the <span><strong class="command">provide-ixfr</strong></span> and + <span><strong class="command">request-ixfr</strong></span> clauses is + to make it possible to disable the use of IXFR even when both + master + and slave claim to support it, for example if one of the servers + is buggy and crashes or corrupts data when IXFR is used. + </p> +<p> + The <span><strong class="command">edns</strong></span> clause determines whether + the local server will attempt to use EDNS when communicating + with the remote server. The default is <span><strong class="command">yes</strong></span>. + </p> +<p> + The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size + that is advertised by <span><strong class="command">named</strong></span> when querying the remote server. + Valid values are 512 to 4096 bytes (values outside this range will be + silently adjusted). This option is useful when you wish to + advertises a different value to this server than the value you + advertise globally, for example, when there is a firewall at the + remote site that is blocking large replies. + </p> +<p> + The <span><strong class="command">max-udp-size</strong></span> option sets the + maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send. Valid + values are 512 to 4096 bytes (values outside this range will + be silently adjusted). This option is useful when you + know that there is a firewall that is blocking large + replies from <span><strong class="command">named</strong></span>. + </p> +<p> + The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>, + uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs + as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is + more efficient, but is only known to be understood by <acronym class="acronym">BIND</acronym> 9, <acronym class="acronym">BIND</acronym> + 8.x, and patched versions of <acronym class="acronym">BIND</acronym> + 4.9.5. You can specify which method + to use for a server with the <span><strong class="command">transfer-format</strong></span> option. + If <span><strong class="command">transfer-format</strong></span> is not + specified, the <span><strong class="command">transfer-format</strong></span> + specified + by the <span><strong class="command">options</strong></span> statement will be + used. + </p> +<p><span><strong class="command">transfers</strong></span> + is used to limit the number of concurrent inbound zone + transfers from the specified server. If no + <span><strong class="command">transfers</strong></span> clause is specified, the + limit is set according to the + <span><strong class="command">transfers-per-ns</strong></span> option. + </p> +<p> + The <span><strong class="command">keys</strong></span> clause identifies a + <span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement, + to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called “TSIG”</a>) + when talking to the remote server. + When a request is sent to the remote server, a request signature + will be generated using the key specified here and appended to the + message. A request originating from the remote server is not + required + to be signed by this key. + </p> +<p> + Although the grammar of the <span><strong class="command">keys</strong></span> + clause + allows for multiple keys, only a single key per server is + currently + supported. + </p> +<p> + The <span><strong class="command">transfer-source</strong></span> and + <span><strong class="command">transfer-source-v6</strong></span> clauses specify + the IPv4 and IPv6 source + address to be used for zone transfer with the remote server, + respectively. + For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can + be specified. + Similarly, for an IPv6 remote server, only + <span><strong class="command">transfer-source-v6</strong></span> can be + specified. + For more details, see the description of + <span><strong class="command">transfer-source</strong></span> and + <span><strong class="command">transfer-source-v6</strong></span> in + <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p> +<p> + The <span><strong class="command">notify-source</strong></span> and + <span><strong class="command">notify-source-v6</strong></span> clauses specify the + IPv4 and IPv6 source address to be used for notify + messages sent to remote servers, respectively. For an + IPv4 remote server, only <span><strong class="command">notify-source</strong></span> + can be specified. Similarly, for an IPv6 remote server, + only <span><strong class="command">notify-source-v6</strong></span> can be specified. + </p> +<p> + The <span><strong class="command">query-source</strong></span> and + <span><strong class="command">query-source-v6</strong></span> clauses specify the + IPv4 and IPv6 source address to be used for queries + sent to remote servers, respectively. For an IPv4 + remote server, only <span><strong class="command">query-source</strong></span> can + be specified. Similarly, for an IPv6 remote server, + only <span><strong class="command">query-source-v6</strong></span> can be specified. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> { + [ inet ( ip_addr | * ) [ port ip_port ] + [ allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ] + [ inet ...; ] +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2590613"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and + Usage</h3></div></div></div> +<p> + The <span><strong class="command">statistics-channels</strong></span> statement + declares communication channels to be used by system + administrators to get access to statistics information of + the name server. + </p> +<p> + This statement intends to be flexible to support multiple + communication protocols in the future, but currently only + HTTP access is supported. + It requires that BIND 9 be compiled with libxml2; + the <span><strong class="command">statistics-channels</strong></span> statement is + still accepted even if it is built without the library, + but any HTTP access will fail with an error. + </p> +<p> + An <span><strong class="command">inet</strong></span> control channel is a TCP socket + listening at the specified <span><strong class="command">ip_port</strong></span> on the + specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6 + address. An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is + interpreted as the IPv4 wildcard address; connections will be + accepted on any of the system's IPv4 addresses. + To listen on the IPv6 wildcard address, + use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>. + </p> +<p> + If no port is specified, port 80 is used for HTTP channels. + The asterisk "<code class="literal">*</code>" cannot be used for + <span><strong class="command">ip_port</strong></span>. + </p> +<p> + The attempt of opening a statistics channel is + restricted by the optional <span><strong class="command">allow</strong></span> clause. + Connections to the statistics channel are permitted based on the + <span><strong class="command">address_match_list</strong></span>. + If no <span><strong class="command">allow</strong></span> clause is present, + <span><strong class="command">named</strong></span> accepts connection + attempts from any address; since the statistics may + contain sensitive internal information, it is highly + recommended to restrict the source of connection requests + appropriately. + </p> +<p> + If no <span><strong class="command">statistics-channels</strong></span> statement is present, + <span><strong class="command">named</strong></span> will not open any communication channels. + </p> +<p> + If the statistics channel is configured to listen on 127.0.0.1 + port 8888, then the statistics are accessible in XML format at + <a href="http://127.0.0.1:8888/" target="_top">http://127.0.0.1:8888/</a> or + <a href="http://127.0.0.1:8888/xml" target="_top">http://127.0.0.1:8888/xml</a>. A CSS file is + included which can format the XML statistics into tables + when viewed with a stylesheet-capable browser. When + <acronym class="acronym">BIND</acronym> 9 is configured with --enable-newstats, + a new XML schema is used (version 3) which adds additional + zone statistics and uses a flatter tree for more efficient + parsing. The stylesheet included uses the Google Charts API + to render data into into charts and graphs when using a + javascript-capable browser. + </p> +<p> + Applications that depend on a particular XML schema + can request + <a href="http://127.0.0.1:8888/xml/v2" target="_top">http://127.0.0.1:8888/xml/v2</a> for version 2 + of the statistics XML schema or + <a href="http://127.0.0.1:8888/xml/v3" target="_top">http://127.0.0.1:8888/xml/v3</a> for version 3. + If the requested schema is supported by the server, then + it will respond; if not, it will return a "page not found" + error. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="trusted-keys"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> { + <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; + [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>] +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2590920"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition + and Usage</h3></div></div></div> +<p> + The <span><strong class="command">trusted-keys</strong></span> statement defines + DNSSEC security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called “DNSSEC”</a>. A security root is defined when the + public key for a non-authoritative zone is known, but + cannot be securely obtained through DNS, either because + it is the DNS root zone or because its parent zone is + unsigned. Once a key has been configured as a trusted + key, it is treated as if it had been validated and + proven secure. The resolver attempts DNSSEC validation + on all DNS data in subdomains of a security root. + </p> +<p> + All keys (and corresponding zones) listed in + <span><strong class="command">trusted-keys</strong></span> are deemed to exist regardless + of what parent zones say. Similarly for all keys listed in + <span><strong class="command">trusted-keys</strong></span> only those keys are + used to validate the DNSKEY RRset. The parent's DS RRset + will not be used. + </p> +<p> + The <span><strong class="command">trusted-keys</strong></span> statement can contain + multiple key entries, each consisting of the key's + domain name, flags, protocol, algorithm, and the Base-64 + representation of the key data. + Spaces, tabs, newlines and carriage returns are ignored + in the key data, so the configuration may be split up into + multiple lines. + </p> +<p> + <span><strong class="command">trusted-keys</strong></span> may be set at the top level + of <code class="filename">named.conf</code> or within a view. If it is + set in both places, they are additive: keys defined at the top + level are inherited by all views, but keys defined in a view + are only used within that view. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2590967"></a><span><strong class="command">managed-keys</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">managed-keys</strong></span> { + <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; + [<span class="optional"> <em class="replaceable"><code>name</code></em> <code class="literal">initial-key</code> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key-data</code></em> ; [<span class="optional">...</span>]</span>] +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="managed-keys"></a><span><strong class="command">managed-keys</strong></span> Statement Definition + and Usage</h3></div></div></div> +<p> + The <span><strong class="command">managed-keys</strong></span> statement, like + <span><strong class="command">trusted-keys</strong></span>, defines DNSSEC + security roots. The difference is that + <span><strong class="command">managed-keys</strong></span> can be kept up to date + automatically, without intervention from the resolver + operator. + </p> +<p> + Suppose, for example, that a zone's key-signing + key was compromised, and the zone owner had to revoke and + replace the key. A resolver which had the old key in a + <span><strong class="command">trusted-keys</strong></span> statement would be + unable to validate this zone any longer; it would + reply with a SERVFAIL response code. This would + continue until the resolver operator had updated the + <span><strong class="command">trusted-keys</strong></span> statement with the new key. + </p> +<p> + If, however, the zone were listed in a + <span><strong class="command">managed-keys</strong></span> statement instead, then the + zone owner could add a "stand-by" key to the zone in advance. + <span><strong class="command">named</strong></span> would store the stand-by key, and + when the original key was revoked, <span><strong class="command">named</strong></span> + would be able to transition smoothly to the new key. It would + also recognize that the old key had been revoked, and cease + using that key to validate answers, minimizing the damage that + the compromised key could do. + </p> +<p> + A <span><strong class="command">managed-keys</strong></span> statement contains a list of + the keys to be managed, along with information about how the + keys are to be initialized for the first time. The only + initialization method currently supported (as of + <acronym class="acronym">BIND</acronym> 9.7.0) is <code class="literal">initial-key</code>. + This means the <span><strong class="command">managed-keys</strong></span> statement must + contain a copy of the initializing key. (Future releases may + allow keys to be initialized by other methods, eliminating this + requirement.) + </p> +<p> + Consequently, a <span><strong class="command">managed-keys</strong></span> statement + appears similar to a <span><strong class="command">trusted-keys</strong></span>, differing + in the presence of the second field, containing the keyword + <code class="literal">initial-key</code>. The difference is, whereas the + keys listed in a <span><strong class="command">trusted-keys</strong></span> continue to be + trusted until they are removed from + <code class="filename">named.conf</code>, an initializing key listed + in a <span><strong class="command">managed-keys</strong></span> statement is only trusted + <span class="emphasis"><em>once</em></span>: for as long as it takes to load the + managed key database and start the RFC 5011 key maintenance + process. + </p> +<p> + The first time <span><strong class="command">named</strong></span> runs with a managed key + configured in <code class="filename">named.conf</code>, it fetches the + DNSKEY RRset directly from the zone apex, and validates it + using the key specified in the <span><strong class="command">managed-keys</strong></span> + statement. If the DNSKEY RRset is validly signed, then it is + used as the basis for a new managed keys database. + </p> +<p> + From that point on, whenever <span><strong class="command">named</strong></span> runs, it + sees the <span><strong class="command">managed-keys</strong></span> statement, checks to + make sure RFC 5011 key maintenance has already been initialized + for the specified domain, and if so, it simply moves on. The + key specified in the <span><strong class="command">managed-keys</strong></span> is not + used to validate answers; it has been superseded by the key or + keys stored in the managed keys database. + </p> +<p> + The next time <span><strong class="command">named</strong></span> runs after a name + has been <span class="emphasis"><em>removed</em></span> from the + <span><strong class="command">managed-keys</strong></span> statement, the corresponding + zone will be removed from the managed keys database, + and RFC 5011 key maintenance will no longer be used for that + domain. + </p> +<p> + <span><strong class="command">named</strong></span> only maintains a single managed keys + database; consequently, unlike <span><strong class="command">trusted-keys</strong></span>, + <span><strong class="command">managed-keys</strong></span> may only be set at the top + level of <code class="filename">named.conf</code>, not within a view. + </p> +<p> + In the current implementation, the managed keys database is + stored as a master-format zone file called + <code class="filename">managed-keys.bind</code>. When the key database + is changed, the zone is updated. As with any other dynamic + zone, changes will be written into a journal file, + <code class="filename">managed-keys.bind.jnl</code>. They are committed + to the master file as soon as possible afterward; in the case + of the managed key database, this will usually occur within 30 + seconds. So, whenever <span><strong class="command">named</strong></span> is using + automatic key maintenance, those two files can be expected to + exist in the working directory. (For this reason among others, + the working directory should be always be writable by + <span><strong class="command">named</strong></span>.) + </p> +<p> + If the <span><strong class="command">dnssec-validation</strong></span> option is + set to <strong class="userinput"><code>auto</code></strong>, <span><strong class="command">named</strong></span> + will automatically initialize a managed key for the + root zone. Similarly, if the <span><strong class="command">dnssec-lookaside</strong></span> + option is set to <strong class="userinput"><code>auto</code></strong>, + <span><strong class="command">named</strong></span> will automatically initialize + a managed key for the zone <code class="literal">dlv.isc.org</code>. + In both cases, the key that is used to initialize the key + maintenance process is built into <span><strong class="command">named</strong></span>, + and can be overridden from <span><strong class="command">bindkeys-file</strong></span>. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">view</strong></span> <em class="replaceable"><code>view_name</code></em> + [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + match-clients { <em class="replaceable"><code>address_match_list</code></em> }; + match-destinations { <em class="replaceable"><code>address_match_list</code></em> }; + match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ; + [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>] + [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>] +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2591409"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div> +<p> + The <span><strong class="command">view</strong></span> statement is a powerful + feature + of <acronym class="acronym">BIND</acronym> 9 that lets a name server + answer a DNS query differently + depending on who is asking. It is particularly useful for + implementing + split DNS setups without having to run multiple servers. + </p> +<p> + Each <span><strong class="command">view</strong></span> statement defines a view + of the + DNS namespace that will be seen by a subset of clients. A client + matches + a view if its source IP address matches the + <code class="varname">address_match_list</code> of the view's + <span><strong class="command">match-clients</strong></span> clause and its + destination IP address matches + the <code class="varname">address_match_list</code> of the + view's + <span><strong class="command">match-destinations</strong></span> clause. If not + specified, both + <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> + default to matching all addresses. In addition to checking IP + addresses + <span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span> + can also take <span><strong class="command">keys</strong></span> which provide an + mechanism for the + client to select the view. A view can also be specified + as <span><strong class="command">match-recursive-only</strong></span>, which + means that only recursive + requests from matching clients will match that view. + The order of the <span><strong class="command">view</strong></span> statements is + significant — + a client request will be resolved in the context of the first + <span><strong class="command">view</strong></span> that it matches. + </p> +<p> + Zones defined within a <span><strong class="command">view</strong></span> + statement will + only be accessible to clients that match the <span><strong class="command">view</strong></span>. + By defining a zone of the same name in multiple views, different + zone data can be given to different clients, for example, + "internal" + and "external" clients in a split DNS setup. + </p> +<p> + Many of the options given in the <span><strong class="command">options</strong></span> statement + can also be used within a <span><strong class="command">view</strong></span> + statement, and then + apply only when resolving queries with that view. When no + view-specific + value is given, the value in the <span><strong class="command">options</strong></span> statement + is used as a default. Also, zone options can have default values + specified + in the <span><strong class="command">view</strong></span> statement; these + view-specific defaults + take precedence over those in the <span><strong class="command">options</strong></span> statement. + </p> +<p> + Views are class specific. If no class is given, class IN + is assumed. Note that all non-IN views must contain a hint zone, + since only the IN class has compiled-in default hints. + </p> +<p> + If there are no <span><strong class="command">view</strong></span> statements in + the config + file, a default view that matches any client is automatically + created + in class IN. Any <span><strong class="command">zone</strong></span> statements + specified on + the top level of the configuration file are considered to be part + of + this default view, and the <span><strong class="command">options</strong></span> + statement will + apply to the default view. If any explicit <span><strong class="command">view</strong></span> + statements are present, all <span><strong class="command">zone</strong></span> + statements must + occur inside <span><strong class="command">view</strong></span> statements. + </p> +<p> + Here is an example of a typical split DNS setup implemented + using <span><strong class="command">view</strong></span> statements: + </p> +<pre class="programlisting">view "internal" { + // This should match our internal networks. + match-clients { 10.0.0.0/8; }; + + // Provide recursive service to internal + // clients only. + recursion yes; + + // Provide a complete view of the example.com + // zone including addresses of internal hosts. + zone "example.com" { + type master; + file "example-internal.db"; + }; +}; + +view "external" { + // Match all clients not matched by the + // previous view. + match-clients { any; }; + + // Refuse recursive service to external clients. + recursion no; + + // Provide a restricted view of the example.com + // zone containing only publicly accessible hosts. + zone "example.com" { + type master; + file "example-external.db"; + }; +}; +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span> + Statement Grammar</h3></div></div></div> +<pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + type master; + [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> update-policy <em class="replaceable"><code>local</code></em> | { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>] + [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; + [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] + [<span class="optional"> check-mx (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] + [<span class="optional"> check-wildcard <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> check-spf ( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>] + [<span class="optional"> check-integrity <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] + [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] + [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] + [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] + [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>] + [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>] + [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] + [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] + [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>] + [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> serial-update-method <code class="constant">increment</code>|<code class="constant">unixtime</code>; </span>] +}; + +zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + type slave; + [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> dnssec-update-mode ( <em class="replaceable"><code>maintain</code></em> | <em class="replaceable"><code>no-resign</code></em> ); </span>] + [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-dnskey-kskonly <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> dnssec-loadkeys-interval <em class="replaceable"><code>number</code></em>; </span>] + [<span class="optional"> dnssec-secure-to-insecure <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> also-notify [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] + [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] + [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] + [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] + [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] + [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>] + [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] + [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] + [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] + [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>] + [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>] + [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>full</code></em> | <em class="replaceable"><code>terse</code></em> | <em class="replaceable"><code>none</code></em>; </span>] + [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> [<span class="optional"><em class="replaceable"><code>number</code></em></span>] ; </span>] + [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>] + [<span class="optional"> auto-dnssec <code class="constant">allow</code>|<code class="constant">maintain</code>|<code class="constant">off</code>; </span>] + [<span class="optional"> inline-signing <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> zero-no-soa-ttl <em class="replaceable"><code>yes_or_no</code></em> ; </span>] +}; + +zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + type hint; + file <em class="replaceable"><code>string</code></em> ; + [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] // Not Implemented. +}; + +zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + type stub; + [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>] + [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>] + [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] + [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] + [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] + [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>] + [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) + [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>] + [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] + [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>] + [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>] + [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>] +}; + +zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + type static-stub; + [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] + [<span class="optional"> server-addresses { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> ; ... </span>] }; </span>] + [<span class="optional"> server-names { [<span class="optional"> <em class="replaceable"><code>namelist</code></em> </span>] }; </span>] + [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>] +}; + +zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + type forward; + [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>] + [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>] + [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>] +}; + +zone <em class="replaceable"><code>"."</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + type redirect; + file <em class="replaceable"><code>string</code></em> ; + [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>] + [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>] +}; + +zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] { + type delegation-only; +}; + +</pre> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2593189"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2593196"></a>Zone Types</h4></div></div></div> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <code class="varname">master</code> + </p> + </td> +<td> + <p> + The server has a master copy of the data + for the zone and will be able to provide authoritative + answers for + it. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">slave</code> + </p> + </td> +<td> + <p> + A slave zone is a replica of a master + zone. The <span><strong class="command">masters</strong></span> list + specifies one or more IP addresses + of master servers that the slave contacts to update + its copy of the zone. + Masters list elements can also be names of other + masters lists. + By default, transfers are made from port 53 on the + servers; this can + be changed for all servers by specifying a port number + before the + list of IP addresses, or on a per-server basis after + the IP address. + Authentication to the master can also be done with + per-server TSIG keys. + If a file is specified, then the + replica will be written to this file whenever the zone + is changed, + and reloaded from this file on a server restart. Use + of a file is + recommended, since it often speeds server startup and + eliminates + a needless waste of bandwidth. Note that for large + numbers (in the + tens or hundreds of thousands) of zones per server, it + is best to + use a two-level naming scheme for zone filenames. For + example, + a slave server for the zone <code class="literal">example.com</code> might place + the zone contents into a file called + <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is + just the first two letters of the zone name. (Most + operating systems + behave very slowly if you put 100000 files into + a single directory.) + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">stub</code> + </p> + </td> +<td> + <p> + A stub zone is similar to a slave zone, + except that it replicates only the NS records of a + master zone instead + of the entire zone. Stub zones are not a standard part + of the DNS; + they are a feature specific to the <acronym class="acronym">BIND</acronym> implementation. + </p> + + <p> + Stub zones can be used to eliminate the need for glue + NS record + in a parent zone at the expense of maintaining a stub + zone entry and + a set of name server addresses in <code class="filename">named.conf</code>. + This usage is not recommended for new configurations, + and BIND 9 + supports it only in a limited way. + In <acronym class="acronym">BIND</acronym> 4/8, zone + transfers of a parent zone + included the NS records from stub children of that + zone. This meant + that, in some cases, users could get away with + configuring child stubs + only in the master server for the parent zone. <acronym class="acronym">BIND</acronym> + 9 never mixes together zone data from different zones + in this + way. Therefore, if a <acronym class="acronym">BIND</acronym> 9 master serving a parent + zone has child stub zones configured, all the slave + servers for the + parent zone also need to have the same child stub + zones + configured. + </p> + + <p> + Stub zones can also be used as a way of forcing the + resolution + of a given domain to use a particular set of + authoritative servers. + For example, the caching name servers on a private + network using + RFC1918 addressing may be configured with stub zones + for + <code class="literal">10.in-addr.arpa</code> + to use a set of internal name servers as the + authoritative + servers for that domain. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">static-stub</code> + </p> + </td> +<td> + <p> + A static-stub zone is similar to a stub zone + with the following exceptions: + the zone data is statically configured, rather + than transferred from a master server; + when recursion is necessary for a query that + matches a static-stub zone, the locally + configured data (nameserver names and glue addresses) + is always used even if different authoritative + information is cached. + </p> + <p> + Zone data is configured via the + <span><strong class="command">server-addresses</strong></span> and + <span><strong class="command">server-names</strong></span> zone options. + </p> + <p> + The zone data is maintained in the form of NS + and (if necessary) glue A or AAAA RRs + internally, which can be seen by dumping zone + databases by <span><strong class="command">rndc dumpdb -all</strong></span>. + The configured RRs are considered local configuration + parameters rather than public data. + Non recursive queries (i.e., those with the RD + bit off) to a static-stub zone are therefore + prohibited and will be responded with REFUSED. + </p> + <p> + Since the data is statically configured, no + zone maintenance action takes place for a static-stub + zone. + For example, there is no periodic refresh + attempt, and an incoming notify message + will be rejected with an rcode of NOTAUTH. + </p> + <p> + Each static-stub zone is configured with + internally generated NS and (if necessary) + glue A or AAAA RRs + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">forward</code> + </p> + </td> +<td> + <p> + A "forward zone" is a way to configure + forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement + of type <span><strong class="command">forward</strong></span> can + contain a <span><strong class="command">forward</strong></span> + and/or <span><strong class="command">forwarders</strong></span> + statement, + which will apply to queries within the domain given by + the zone + name. If no <span><strong class="command">forwarders</strong></span> + statement is present or + an empty list for <span><strong class="command">forwarders</strong></span> is given, then no + forwarding will be done for the domain, canceling the + effects of + any forwarders in the <span><strong class="command">options</strong></span> statement. Thus + if you want to use this type of zone to change the + behavior of the + global <span><strong class="command">forward</strong></span> option + (that is, "forward first" + to, then "forward only", or vice versa, but want to + use the same + servers as set globally) you need to re-specify the + global forwarders. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">hint</code> + </p> + </td> +<td> + <p> + The initial set of root name servers is + specified using a "hint zone". When the server starts + up, it uses + the root hints to find a root name server and get the + most recent + list of root name servers. If no hint zone is + specified for class + IN, the server uses a compiled-in default set of root + servers hints. + Classes other than IN have no built-in defaults hints. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">redirect</code> + </p> + </td> +<td> + <p> + Redirect zones are used to provide answers to + queries when normal resolution would result in + NXDOMAIN being returned. + Only one redirect zone is supported + per view. <span><strong class="command">allow-query</strong></span> can be + used to restrict which clients see these answers. + </p> + <p> + If the client has requested DNSSEC records (DO=1) and + the NXDOMAIN response is signed then no substitution + will occur. + </p> + <p> + To redirect all NXDOMAIN responses to + 100.100.100.2 and + 2001:ffff:ffff::100.100.100.2, one would + configure a type redirect zone named ".", + with the zone file containing wildcard records + that point to the desired addresses: + <code class="literal">"*. IN A 100.100.100.2"</code> + and + <code class="literal">"*. IN AAAA 2001:ffff:ffff::100.100.100.2"</code>. + </p> + <p> + To redirect all Spanish names (under .ES) one + would use similar entries but with the names + "*.ES." instead of "*.". To redirect all + commercial Spanish names (under COM.ES) one + would use wildcard entries called "*.COM.ES.". + </p> + <p> + Note that the redirect zone supports all + possible types; it is not limited to A and + AAAA records. + </p> + <p> + Because redirect zones are not referenced + directly by name, they are not kept in the + zone lookup table with normal master and slave + zones. Consequently, it is not currently possible + to use + <span><strong class="command">rndc reload + <em class="replaceable"><code>zonename</code></em></strong></span> + to reload a redirect zone. However, when using + <span><strong class="command">rndc reload</strong></span> without specifying + a zone name, redirect zones will be reloaded along + with other zones. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">delegation-only</code> + </p> + </td> +<td> + <p> + This is used to enforce the delegation-only + status of infrastructure zones (e.g. COM, + NET, ORG). Any answer that is received + without an explicit or implicit delegation + in the authority section will be treated + as NXDOMAIN. This does not apply to the + zone apex. This should not be applied to + leaf zones. + </p> + <p> + <code class="varname">delegation-only</code> has no + effect on answers received from forwarders. + </p> + <p> + See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>. + </p> + </td> +</tr> +</tbody> +</table></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2594009"></a>Class</h4></div></div></div> +<p> + The zone's name may optionally be followed by a class. If + a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>), + is assumed. This is correct for the vast majority of cases. + </p> +<p> + The <code class="literal">hesiod</code> class is + named for an information service from MIT's Project Athena. It + is + used to share information about various systems databases, such + as users, groups, printers and so on. The keyword + <code class="literal">HS</code> is + a synonym for hesiod. + </p> +<p> + Another MIT development is Chaosnet, a LAN protocol created + in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class. + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2594042"></a>Zone Options</h4></div></div></div> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt> +<dd><p> + See the description of <span><strong class="command">allow-transfer</strong></span> + in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt> +<dd><p> + See the description of <span><strong class="command">allow-update</strong></span> + in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt> +<dd><p> + Specifies a "Simple Secure Update" policy. See + <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called “Dynamic Update Policies”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt> +<dd><p> + See the description of <span><strong class="command">allow-update-forwarding</strong></span> + in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called “Access Control”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt> +<dd><p> + Only meaningful if <span><strong class="command">notify</strong></span> + is + active for this zone. The set of machines that will + receive a + <code class="literal">DNS NOTIFY</code> message + for this zone is made up of all the listed name servers + (other than + the primary master) for the zone plus any IP addresses + specified + with <span><strong class="command">also-notify</strong></span>. A port + may be specified + with each <span><strong class="command">also-notify</strong></span> + address to send the notify + messages to a port other than the default of 53. + A TSIG key may also be specified to cause the + <code class="literal">NOTIFY</code> to be signed by the + given key. + <span><strong class="command">also-notify</strong></span> is not + meaningful for stub zones. + The default is the empty list. + </p></dd> +<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt> +<dd><p> + This option is used to restrict the character set and + syntax of + certain domain names in master files and/or DNS responses + received from the + network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span> + zones the default is <span><strong class="command">warn</strong></span>. + It is not implemented for <span><strong class="command">hint</strong></span> zones. + </p></dd> +<dt><span class="term"><span><strong class="command">check-mx</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">check-mx</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-spf</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">check-spf</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-wildcard</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">check-wildcard</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-integrity</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">check-integrity</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">check-sibling</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">check-sibling</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">zero-no-soa-ttl</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">update-check-ksk</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">dnssec-update-mode</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">dnssec-update-mode</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and + Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and + Usage”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">dnssec-dnskey-kskonly</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">dnssec-dnskey-kskonly</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">database</strong></span></span></dt> +<dd> +<p> + Specify the type of database to be used for storing the + zone data. The string following the <span><strong class="command">database</strong></span> keyword + is interpreted as a list of whitespace-delimited words. + The first word + identifies the database type, and any subsequent words are + passed + as arguments to the database to be interpreted in a way + specific + to the database type. + </p> +<p> + The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's + native in-memory + red-black-tree database. This database does not take + arguments. + </p> +<p> + Other values are possible if additional database drivers + have been linked into the server. Some sample drivers are + included + with the distribution but none are linked in by default. + </p> +</dd> +<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt> +<dd> +<p> + The flag only applies to hint and stub zones. If set + to <strong class="userinput"><code>yes</code></strong>, then the zone will also be + treated as if it is also a delegation-only type zone. + </p> +<p> + See caveats in <a href="Bv9ARM.ch06.html#root_delegation_only"><span><strong class="command">root-delegation-only</strong></span></a>. + </p> +</dd> +<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt> +<dd><p> + Only meaningful if the zone has a forwarders + list. The <span><strong class="command">only</strong></span> value causes + the lookup to fail + after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would + allow a normal lookup to be tried. + </p></dd> +<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt> +<dd><p> + Used to override the list of global forwarders. + If it is not specified in a zone of type <span><strong class="command">forward</strong></span>, + no forwarding is done for the zone and the global options are + not used. + </p></dd> +<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt> +<dd><p> + Was used in <acronym class="acronym">BIND</acronym> 8 to + specify the name + of the transaction log (journal) file for dynamic update + and IXFR. + <acronym class="acronym">BIND</acronym> 9 ignores the option + and constructs the name of the journal + file by appending "<code class="filename">.jnl</code>" + to the name of the + zone file. + </p></dd> +<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt> +<dd><p> + Was an undocumented option in <acronym class="acronym">BIND</acronym> 8. + Ignored in <acronym class="acronym">BIND</acronym> 9. + </p></dd> +<dt><span class="term"><span><strong class="command">journal</strong></span></span></dt> +<dd><p> + Allow the default journal's filename to be overridden. + The default is the zone's filename with "<code class="filename">.jnl</code>" appended. + This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones. + </p></dd> +<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server Resource Limits">the section called “Server Resource Limits”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">notify-delay</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">notify-to-soa</strong></span> in + <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt> +<dd><p> + In <acronym class="acronym">BIND</acronym> 8, this option was + intended for specifying + a public zone key for verification of signatures in DNSSEC + signed + zones when they are loaded from disk. <acronym class="acronym">BIND</acronym> 9 does not verify signatures + on load and ignores the option. + </p></dd> +<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt> +<dd><p> + If <strong class="userinput"><code>yes</code></strong>, the server will keep + statistical + information for this zone, which can be dumped to the + <span><strong class="command">statistics-file</strong></span> defined in + the server options. + </p></dd> +<dt><span class="term"><span><strong class="command">server-addresses</strong></span></span></dt> +<dd> +<p> + Only meaningful for static-stub zones. + This is a list of IP addresses to which queries + should be sent in recursive resolution for the + zone. + A non empty list for this option will internally + configure the apex NS RR with associated glue A or + AAAA RRs. + </p> +<p> + For example, if "example.com" is configured as a + static-stub zone with 192.0.2.1 and 2001:db8::1234 + in a <span><strong class="command">server-addresses</strong></span> option, + the following RRs will be internally configured. + </p> +<pre class="programlisting">example.com. NS example.com. +example.com. A 192.0.2.1 +example.com. AAAA 2001:db8::1234</pre> +<p> + These records are internally used to resolve + names under the static-stub zone. + For instance, if the server receives a query for + "www.example.com" with the RD bit on, the server + will initiate recursive resolution and send + queries to 192.0.2.1 and/or 2001:db8::1234. + </p> +</dd> +<dt><span class="term"><span><strong class="command">server-names</strong></span></span></dt> +<dd> +<p> + Only meaningful for static-stub zones. + This is a list of domain names of nameservers that + act as authoritative servers of the static-stub + zone. + These names will be resolved to IP addresses when + <span><strong class="command">named</strong></span> needs to send queries to + these servers. + To make this supplemental resolution successful, + these names must not be a subdomain of the origin + name of static-stub zone. + That is, when "example.net" is the origin of a + static-stub zone, "ns.example" and + "master.example.com" can be specified in the + <span><strong class="command">server-names</strong></span> option, but + "ns.example.net" cannot, and will be rejected by + the configuration parser. + </p> +<p> + A non empty list for this option will internally + configure the apex NS RR with the specified names. + For example, if "example.com" is configured as a + static-stub zone with "ns1.example.net" and + "ns2.example.net" + in a <span><strong class="command">server-names</strong></span> option, + the following RRs will be internally configured. + </p> +<pre class="programlisting">example.com. NS ns1.example.net. +example.com. NS ns2.example.net. +</pre> +<p> + These records are internally used to resolve + names under the static-stub zone. + For instance, if the server receives a query for + "www.example.com" with the RD bit on, the server + initiate recursive resolution, + resolve "ns1.example.net" and/or + "ns2.example.net" to IP addresses, and then send + queries to (one or more of) these addresses. + </p> +</dd> +<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called “Zone Transfers”</a>. + </p></dd> +<dt> +<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span> +</dt> +<dd><p> + See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + (Note that the <span><strong class="command">ixfr-from-differences</strong></span> + <strong class="userinput"><code>master</code></strong> and + <strong class="userinput"><code>slave</code></strong> choices are not + available at the zone level.) + </p></dd> +<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and + Usage">the section called “<span><strong class="command">options</strong></span> Statement Definition and + Usage”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">auto-dnssec</strong></span></span></dt> +<dd> +<p> + Zones configured for dynamic DNS may also use this + option to allow varying levels of automatic DNSSEC key + management. There are three possible settings: + </p> +<p> + <span><strong class="command">auto-dnssec allow;</strong></span> permits + keys to be updated and the zone fully re-signed + whenever the user issues the command <span><strong class="command">rndc sign + <em class="replaceable"><code>zonename</code></em></strong></span>. + </p> +<p> + <span><strong class="command">auto-dnssec maintain;</strong></span> includes the + above, but also automatically adjusts the zone's DNSSEC + keys on schedule, according to the keys' timing metadata + (see <a href="man.dnssec-keygen.html" title="dnssec-keygen"><span class="refentrytitle"><span class="application">dnssec-keygen</span></span>(8)</a> and + <a href="man.dnssec-settime.html" title="dnssec-settime"><span class="refentrytitle"><span class="application">dnssec-settime</span></span>(8)</a>). The command + <span><strong class="command">rndc sign + <em class="replaceable"><code>zonename</code></em></strong></span> causes + <span><strong class="command">named</strong></span> to load keys from the key + repository and sign the zone with all keys that are + active. + <span><strong class="command">rndc loadkeys + <em class="replaceable"><code>zonename</code></em></strong></span> causes + <span><strong class="command">named</strong></span> to load keys from the key + repository and schedule key maintenance events to occur + in the future, but it does not sign the full zone + immediately. Note: once keys have been loaded for a + zone the first time, the repository will be searched + for changes periodically, regardless of whether + <span><strong class="command">rndc loadkeys</strong></span> is used. The recheck + interval is defined by + <span><strong class="command">dnssec-loadkeys-interval</strong></span>.) + </p> +<p> + The default setting is <span><strong class="command">auto-dnssec off</strong></span>. + </p> +</dd> +<dt><span class="term"><span><strong class="command">serial-update-method</strong></span></span></dt> +<dd> +<p> + Zones configured for dynamic DNS may use this + option to set the update method that will be used for + the zone serial number in the SOA record. + </p> +<p> + With the default setting of + <span><strong class="command">serial-update-method increment;</strong></span>, the + SOA serial number will be incremented by one each time + the zone is updated. + </p> +<p> + When set to + <span><strong class="command">serial-update-method unixtime;</strong></span>, the + SOA serial number will be set to the number of seconds + since the UNIX epoch, unless the serial number is + already greater than or equal to that value, in which + case it is simply incremented by one. + </p> +</dd> +<dt><span class="term"><span><strong class="command">inline-signing</strong></span></span></dt> +<dd><p> + If <code class="literal">yes</code>, this enables + "bump in the wire" signing of a zone, where a + unsigned zone is transferred in or loaded from + disk and a signed version of the zone is served, + with possibly, a different serial number. This + behaviour is disabled by default. + </p></dd> +<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt> +<dd><p> + See the description of <span><strong class="command">multi-master</strong></span> in + <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">masterfile-format</strong></span></span></dt> +<dd><p> + See the description of <span><strong class="command">masterfile-format</strong></span> + in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called “Tuning”</a>. + </p></dd> +<dt><span class="term"><span><strong class="command">dnssec-secure-to-insecure</strong></span></span></dt> +<dd><p> + See the description of + <span><strong class="command">dnssec-secure-to-insecure</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called “Boolean Options”</a>. + </p></dd> +</dl></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div> +<p><acronym class="acronym">BIND</acronym> 9 supports two alternative + methods of granting clients the right to perform + dynamic updates to a zone, configured by the + <span><strong class="command">allow-update</strong></span> and + <span><strong class="command">update-policy</strong></span> option, respectively. + </p> +<p> + The <span><strong class="command">allow-update</strong></span> clause works the + same way as in previous versions of <acronym class="acronym">BIND</acronym>. + It grants given clients the permission to update any + record of any name in the zone. + </p> +<p> + The <span><strong class="command">update-policy</strong></span> clause + allows more fine-grained control over what updates are + allowed. A set of rules is specified, where each rule + either grants or denies permissions for one or more + names to be updated by one or more identities. If + the dynamic update request message is signed (that is, + it includes either a TSIG or SIG(0) record), the + identity of the signer can be determined. + </p> +<p> + Rules are specified in the <span><strong class="command">update-policy</strong></span> + zone option, and are only meaningful for master zones. + When the <span><strong class="command">update-policy</strong></span> statement + is present, it is a configuration error for the + <span><strong class="command">allow-update</strong></span> statement to be + present. The <span><strong class="command">update-policy</strong></span> statement + only examines the signer of a message; the source + address is not relevant. + </p> +<p> + There is a pre-defined <span><strong class="command">update-policy</strong></span> + rule which can be switched on with the command + <span><strong class="command">update-policy local;</strong></span>. + Switching on this rule in a zone causes + <span><strong class="command">named</strong></span> to generate a TSIG session + key and place it in a file, and to allow that key + to update the zone. (By default, the file is + <code class="filename">/var/run/named/session.key</code>, the key + name is "local-ddns" and the key algorithm is HMAC-SHA256, + but these values are configurable with the + <span><strong class="command">session-keyfile</strong></span>, + <span><strong class="command">session-keyname</strong></span> and + <span><strong class="command">session-keyalg</strong></span> options, respectively). + </p> +<p> + A client running on the local system, and with appropriate + permissions, may read that file and use the key to sign update + requests. The zone's update policy will be set to allow that + key to change any record within the zone. Assuming the + key name is "local-ddns", this policy is equivalent to: + </p> +<pre class="programlisting">update-policy { grant local-ddns zonesub any; }; + </pre> +<p> + The command <span><strong class="command">nsupdate -l</strong></span> sends update + requests to localhost, and signs them using the session key. + </p> +<p> + Other rule definitions look like this: + </p> +<pre class="programlisting"> +( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> [<span class="optional"> <em class="replaceable"><code>name</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>] +</pre> +<p> + Each rule grants or denies privileges. Once a message has + successfully matched a rule, the operation is immediately + granted or denied and no further rules are examined. A rule + is matched when the signer matches the identity field, the + name matches the name field in accordance with the nametype + field, and the type matches the types specified in the type + field. + </p> +<p> + No signer is required for <em class="replaceable"><code>tcp-self</code></em> + or <em class="replaceable"><code>6to4-self</code></em> however the standard + reverse mapping / prefix conversion must match the identity + field. + </p> +<p> + The identity field specifies a name or a wildcard + name. Normally, this is the name of the TSIG or + SIG(0) key used to sign the update request. When a + TKEY exchange has been used to create a shared secret, + the identity of the shared secret is the same as the + identity of the key used to authenticate the TKEY + exchange. TKEY is also the negotiation method used + by GSS-TSIG, which establishes an identity that is + the Kerberos principal of the client, such as + <strong class="userinput"><code>"user@host.domain"</code></strong>. When the + <em class="replaceable"><code>identity</code></em> field specifies + a wildcard name, it is subject to DNS wildcard + expansion, so the rule will apply to multiple identities. + The <em class="replaceable"><code>identity</code></em> field must + contain a fully-qualified domain name. + </p> +<p> + For nametypes <code class="varname">krb5-self</code>, + <code class="varname">ms-self</code>, <code class="varname">krb5-subdomain</code>, + and <code class="varname">ms-subdomain</code> the + <em class="replaceable"><code>identity</code></em> field specifies + the Windows or Kerberos realm of the machine belongs to. + </p> +<p> + The <em class="replaceable"><code>nametype</code></em> field has 13 + values: + <code class="varname">name</code>, <code class="varname">subdomain</code>, + <code class="varname">wildcard</code>, <code class="varname">self</code>, + <code class="varname">selfsub</code>, <code class="varname">selfwild</code>, + <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>, + <code class="varname">krb5-subdomain</code>, + <code class="varname">ms-subdomain</code>, + <code class="varname">tcp-self</code>, <code class="varname">6to4-self</code>, + <code class="varname">zonesub</code>, and <code class="varname">external</code>. + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <code class="varname">name</code> + </p> + </td> +<td> + <p> + Exact-match semantics. This rule matches + when the name being updated is identical + to the contents of the + <em class="replaceable"><code>name</code></em> field. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">subdomain</code> + </p> + </td> +<td> + <p> + This rule matches when the name being updated + is a subdomain of, or identical to, the + contents of the <em class="replaceable"><code>name</code></em> + field. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">zonesub</code> + </p> + </td> +<td> + <p> + This rule is similar to subdomain, except that + it matches when the name being updated is a + subdomain of the zone in which the + <span><strong class="command">update-policy</strong></span> statement + appears. This obviates the need to type the zone + name twice, and enables the use of a standard + <span><strong class="command">update-policy</strong></span> statement in + multiple zones without modification. + </p> + <p> + When this rule is used, the + <em class="replaceable"><code>name</code></em> field is omitted. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">wildcard</code> + </p> + </td> +<td> + <p> + The <em class="replaceable"><code>name</code></em> field + is subject to DNS wildcard expansion, and + this rule matches when the name being updated + name is a valid expansion of the wildcard. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">self</code> + </p> + </td> +<td> + <p> + This rule matches when the name being updated + matches the contents of the + <em class="replaceable"><code>identity</code></em> field. + The <em class="replaceable"><code>name</code></em> field + is ignored, but should be the same as the + <em class="replaceable"><code>identity</code></em> field. + The <code class="varname">self</code> nametype is + most useful when allowing using one key per + name to update, where the key has the same + name as the name to be updated. The + <em class="replaceable"><code>identity</code></em> would + be specified as <code class="constant">*</code> (an asterisk) in + this case. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">selfsub</code> + </p> + </td> +<td> + <p> + This rule is similar to <code class="varname">self</code> + except that subdomains of <code class="varname">self</code> + can also be updated. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">selfwild</code> + </p> + </td> +<td> + <p> + This rule is similar to <code class="varname">self</code> + except that only subdomains of + <code class="varname">self</code> can be updated. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">ms-self</code> + </p> + </td> +<td> + <p> + This rule takes a Windows machine principal + (machine$@REALM) for machine in REALM and + and converts it machine.realm allowing the machine + to update machine.realm. The REALM to be matched + is specified in the <em class="replaceable"><code>identity</code></em> + field. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">ms-subdomain</code> + </p> + </td> +<td> + <p> + This rule takes a Windows machine principal + (machine$@REALM) for machine in REALM and + converts it to machine.realm allowing the machine + to update subdomains of machine.realm. The REALM + to be matched is specified in the + <em class="replaceable"><code>identity</code></em> field. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">krb5-self</code> + </p> + </td> +<td> + <p> + This rule takes a Kerberos machine principal + (host/machine@REALM) for machine in REALM and + and converts it machine.realm allowing the machine + to update machine.realm. The REALM to be matched + is specified in the <em class="replaceable"><code>identity</code></em> + field. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">krb5-subdomain</code> + </p> + </td> +<td> + <p> + This rule takes a Kerberos machine principal + (host/machine@REALM) for machine in REALM and + converts it to machine.realm allowing the machine + to update subdomains of machine.realm. The REALM + to be matched is specified in the + <em class="replaceable"><code>identity</code></em> field. + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">tcp-self</code> + </p> + </td> +<td> + <p> + Allow updates that have been sent via TCP and + for which the standard mapping from the initiating + IP address into the IN-ADDR.ARPA and IP6.ARPA + namespaces match the name to be updated. + </p> + <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> + It is theoretically possible to spoof these TCP + sessions. + </div> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">6to4-self</code> + </p> + </td> +<td> + <p> + Allow the 6to4 prefix to be update by any TCP + connection from the 6to4 network or from the + corresponding IPv4 address. This is intended + to allow NS or DNAME RRsets to be added to the + reverse tree. + </p> + <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> + It is theoretically possible to spoof these TCP + sessions. + </div> + </td> +</tr> +<tr> +<td> + <p> + <code class="varname">external</code> + </p> + </td> +<td> + <p> + This rule allows <span><strong class="command">named</strong></span> + to defer the decision of whether to allow a + given update to an external daemon. + </p> + <p> + The method of communicating with the daemon is + specified in the <em class="replaceable"><code>identity</code></em> + field, the format of which is + "<code class="constant">local:</code><em class="replaceable"><code>path</code></em>", + where <em class="replaceable"><code>path</code></em> is the location + of a UNIX-domain socket. (Currently, "local" is the + only supported mechanism.) + </p> + <p> + Requests to the external daemon are sent over the + UNIX-domain socket as datagrams with the following + format: + </p> + <pre class="programlisting"> + Protocol version number (4 bytes, network byte order, currently 1) + Request length (4 bytes, network byte order) + Signer (null-terminated string) + Name (null-terminated string) + TCP source address (null-terminated string) + Rdata type (null-terminated string) + Key (null-terminated string) + TKEY token length (4 bytes, network byte order) + TKEY token (remainder of packet)</pre> + <p> + The daemon replies with a four-byte value in + network byte order, containing either 0 or 1; 0 + indicates that the specified update is not + permitted, and 1 indicates that it is. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + In all cases, the <em class="replaceable"><code>name</code></em> + field must specify a fully-qualified domain name. + </p> +<p> + If no types are explicitly specified, this rule matches + all types except RRSIG, NS, SOA, NSEC and NSEC3. Types + may be specified by name, including "ANY" (ANY matches + all types except NSEC and NSEC3, which can never be + updated). Note that when an attempt is made to delete + all records associated with a name, the rules are + checked for each existing record type. + </p> +</div> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="id2596875"></a>Zone File</h2></div></div></div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div> +<p> + This section, largely borrowed from RFC 1034, describes the + concept of a Resource Record (RR) and explains when each is used. + Since the publication of RFC 1034, several new RRs have been + identified + and implemented in the DNS. These are also included. + </p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2596893"></a>Resource Records</h4></div></div></div> +<p> + A domain name identifies a node. Each node has a set of + resource information, which may be empty. The set of resource + information associated with a particular name is composed of + separate RRs. The order of RRs in a set is not significant and + need not be preserved by name servers, resolvers, or other + parts of the DNS. However, sorting of multiple RRs is + permitted for optimization purposes, for example, to specify + that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called “The <span><strong class="command">sortlist</strong></span> Statement”</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called “RRset Ordering”</a>. + </p> +<p> + The components of a Resource Record are: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + owner name + </p> + </td> +<td> + <p> + The domain name where the RR is found. + </p> + </td> +</tr> +<tr> +<td> + <p> + type + </p> + </td> +<td> + <p> + An encoded 16-bit value that specifies + the type of the resource record. + </p> + </td> +</tr> +<tr> +<td> + <p> + TTL + </p> + </td> +<td> + <p> + The time-to-live of the RR. This field + is a 32-bit integer in units of seconds, and is + primarily used by + resolvers when they cache RRs. The TTL describes how + long a RR can + be cached before it should be discarded. + </p> + </td> +</tr> +<tr> +<td> + <p> + class + </p> + </td> +<td> + <p> + An encoded 16-bit value that identifies + a protocol family or instance of a protocol. + </p> + </td> +</tr> +<tr> +<td> + <p> + RDATA + </p> + </td> +<td> + <p> + The resource data. The format of the + data is type (and sometimes class) specific. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + The following are <span class="emphasis"><em>types</em></span> of valid RRs: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + A + </p> + </td> +<td> + <p> + A host address. In the IN class, this is a + 32-bit IP address. Described in RFC 1035. + </p> + </td> +</tr> +<tr> +<td> + <p> + AAAA + </p> + </td> +<td> + <p> + IPv6 address. Described in RFC 1886. + </p> + </td> +</tr> +<tr> +<td> + <p> + A6 + </p> + </td> +<td> + <p> + IPv6 address. This can be a partial + address (a suffix) and an indirection to the name + where the rest of the + address (the prefix) can be found. Experimental. + Described in RFC 2874. + </p> + </td> +</tr> +<tr> +<td> + <p> + AFSDB + </p> + </td> +<td> + <p> + Location of AFS database servers. + Experimental. Described in RFC 1183. + </p> + </td> +</tr> +<tr> +<td> + <p> + APL + </p> + </td> +<td> + <p> + Address prefix list. Experimental. + Described in RFC 3123. + </p> + </td> +</tr> +<tr> +<td> + <p> + CERT + </p> + </td> +<td> + <p> + Holds a digital certificate. + Described in RFC 2538. + </p> + </td> +</tr> +<tr> +<td> + <p> + CNAME + </p> + </td> +<td> + <p> + Identifies the canonical name of an alias. + Described in RFC 1035. + </p> + </td> +</tr> +<tr> +<td> + <p> + DHCID + </p> + </td> +<td> + <p> + Is used for identifying which DHCP client is + associated with this name. Described in RFC 4701. + </p> + </td> +</tr> +<tr> +<td> + <p> + DNAME + </p> + </td> +<td> + <p> + Replaces the domain name specified with + another name to be looked up, effectively aliasing an + entire + subtree of the domain name space rather than a single + record + as in the case of the CNAME RR. + Described in RFC 2672. + </p> + </td> +</tr> +<tr> +<td> + <p> + DNSKEY + </p> + </td> +<td> + <p> + Stores a public key associated with a signed + DNS zone. Described in RFC 4034. + </p> + </td> +</tr> +<tr> +<td> + <p> + DS + </p> + </td> +<td> + <p> + Stores the hash of a public key associated with a + signed DNS zone. Described in RFC 4034. + </p> + </td> +</tr> +<tr> +<td> + <p> + GPOS + </p> + </td> +<td> + <p> + Specifies the global position. Superseded by LOC. + </p> + </td> +</tr> +<tr> +<td> + <p> + HINFO + </p> + </td> +<td> + <p> + Identifies the CPU and OS used by a host. + Described in RFC 1035. + </p> + </td> +</tr> +<tr> +<td> + <p> + IPSECKEY + </p> + </td> +<td> + <p> + Provides a method for storing IPsec keying material in + DNS. Described in RFC 4025. + </p> + </td> +</tr> +<tr> +<td> + <p> + ISDN + </p> + </td> +<td> + <p> + Representation of ISDN addresses. + Experimental. Described in RFC 1183. + </p> + </td> +</tr> +<tr> +<td> + <p> + KEY + </p> + </td> +<td> + <p> + Stores a public key associated with a + DNS name. Used in original DNSSEC; replaced + by DNSKEY in DNSSECbis, but still used with + SIG(0). Described in RFCs 2535 and 2931. + </p> + </td> +</tr> +<tr> +<td> + <p> + KX + </p> + </td> +<td> + <p> + Identifies a key exchanger for this + DNS name. Described in RFC 2230. + </p> + </td> +</tr> +<tr> +<td> + <p> + LOC + </p> + </td> +<td> + <p> + For storing GPS info. Described in RFC 1876. + Experimental. + </p> + </td> +</tr> +<tr> +<td> + <p> + MX + </p> + </td> +<td> + <p> + Identifies a mail exchange for the domain with + a 16-bit preference value (lower is better) + followed by the host name of the mail exchange. + Described in RFC 974, RFC 1035. + </p> + </td> +</tr> +<tr> +<td> + <p> + NAPTR + </p> + </td> +<td> + <p> + Name authority pointer. Described in RFC 2915. + </p> + </td> +</tr> +<tr> +<td> + <p> + NSAP + </p> + </td> +<td> + <p> + A network service access point. + Described in RFC 1706. + </p> + </td> +</tr> +<tr> +<td> + <p> + NS + </p> + </td> +<td> + <p> + The authoritative name server for the + domain. Described in RFC 1035. + </p> + </td> +</tr> +<tr> +<td> + <p> + NSEC + </p> + </td> +<td> + <p> + Used in DNSSECbis to securely indicate that + RRs with an owner name in a certain name interval do + not exist in + a zone and indicate what RR types are present for an + existing name. + Described in RFC 4034. + </p> + </td> +</tr> +<tr> +<td> + <p> + NSEC3 + </p> + </td> +<td> + <p> + Used in DNSSECbis to securely indicate that + RRs with an owner name in a certain name + interval do not exist in a zone and indicate + what RR types are present for an existing + name. NSEC3 differs from NSEC in that it + prevents zone enumeration but is more + computationally expensive on both the server + and the client than NSEC. Described in RFC + 5155. + </p> + </td> +</tr> +<tr> +<td> + <p> + NSEC3PARAM + </p> + </td> +<td> + <p> + Used in DNSSECbis to tell the authoritative + server which NSEC3 chains are available to use. + Described in RFC 5155. + </p> + </td> +</tr> +<tr> +<td> + <p> + NXT + </p> + </td> +<td> + <p> + Used in DNSSEC to securely indicate that + RRs with an owner name in a certain name interval do + not exist in + a zone and indicate what RR types are present for an + existing name. + Used in original DNSSEC; replaced by NSEC in + DNSSECbis. + Described in RFC 2535. + </p> + </td> +</tr> +<tr> +<td> + <p> + PTR + </p> + </td> +<td> + <p> + A pointer to another part of the domain + name space. Described in RFC 1035. + </p> + </td> +</tr> +<tr> +<td> + <p> + PX + </p> + </td> +<td> + <p> + Provides mappings between RFC 822 and X.400 + addresses. Described in RFC 2163. + </p> + </td> +</tr> +<tr> +<td> + <p> + RP + </p> + </td> +<td> + <p> + Information on persons responsible + for the domain. Experimental. Described in RFC 1183. + </p> + </td> +</tr> +<tr> +<td> + <p> + RRSIG + </p> + </td> +<td> + <p> + Contains DNSSECbis signature data. Described + in RFC 4034. + </p> + </td> +</tr> +<tr> +<td> + <p> + RT + </p> + </td> +<td> + <p> + Route-through binding for hosts that + do not have their own direct wide area network + addresses. + Experimental. Described in RFC 1183. + </p> + </td> +</tr> +<tr> +<td> + <p> + SIG + </p> + </td> +<td> + <p> + Contains DNSSEC signature data. Used in + original DNSSEC; replaced by RRSIG in + DNSSECbis, but still used for SIG(0). + Described in RFCs 2535 and 2931. + </p> + </td> +</tr> +<tr> +<td> + <p> + SOA + </p> + </td> +<td> + <p> + Identifies the start of a zone of authority. + Described in RFC 1035. + </p> + </td> +</tr> +<tr> +<td> + <p> + SPF + </p> + </td> +<td> + <p> + Contains the Sender Policy Framework information + for a given email domain. Described in RFC 4408. + </p> + </td> +</tr> +<tr> +<td> + <p> + SRV + </p> + </td> +<td> + <p> + Information about well known network + services (replaces WKS). Described in RFC 2782. + </p> + </td> +</tr> +<tr> +<td> + <p> + SSHFP + </p> + </td> +<td> + <p> + Provides a way to securely publish a secure shell key's + fingerprint. Described in RFC 4255. + </p> + </td> +</tr> +<tr> +<td> + <p> + TXT + </p> + </td> +<td> + <p> + Text records. Described in RFC 1035. + </p> + </td> +</tr> +<tr> +<td> + <p> + WKS + </p> + </td> +<td> + <p> + Information about which well known + network services, such as SMTP, that a domain + supports. Historical. + </p> + </td> +</tr> +<tr> +<td> + <p> + X25 + </p> + </td> +<td> + <p> + Representation of X.25 network addresses. + Experimental. Described in RFC 1183. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + The following <span class="emphasis"><em>classes</em></span> of resource records + are currently valid in the DNS: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + IN + </p> + </td> +<td> + <p> + The Internet. + </p> + </td> +</tr> +<tr> +<td> + <p> + CH + </p> + </td> +<td> + <p> + Chaosnet, a LAN protocol created at MIT in the + mid-1970s. + Rarely used for its historical purpose, but reused for + BIND's + built-in server information zones, e.g., + <code class="literal">version.bind</code>. + </p> + </td> +</tr> +<tr> +<td> + <p> + HS + </p> + </td> +<td> + <p> + Hesiod, an information service + developed by MIT's Project Athena. It is used to share + information + about various systems databases, such as users, + groups, printers + and so on. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + The owner name is often implicit, rather than forming an + integral + part of the RR. For example, many name servers internally form + tree + or hash structures for the name space, and chain RRs off nodes. + The remaining RR parts are the fixed header (type, class, TTL) + which is consistent for all RRs, and a variable part (RDATA) + that + fits the needs of the resource being described. + </p> +<p> + The meaning of the TTL field is a time limit on how long an + RR can be kept in a cache. This limit does not apply to + authoritative + data in zones; it is also timed out, but by the refreshing + policies + for the zone. The TTL is assigned by the administrator for the + zone where the data originates. While short TTLs can be used to + minimize caching, and a zero TTL prohibits caching, the + realities + of Internet performance suggest that these times should be on + the + order of days for the typical host. If a change can be + anticipated, + the TTL can be reduced prior to the change to minimize + inconsistency + during the change, and then increased back to its former value + following + the change. + </p> +<p> + The data in the RDATA section of RRs is carried as a combination + of binary strings and domain names. The domain names are + frequently + used as "pointers" to other data in the DNS. + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2598517"></a>Textual expression of RRs</h4></div></div></div> +<p> + RRs are represented in binary form in the packets of the DNS + protocol, and are usually represented in highly encoded form + when + stored in a name server or resolver. In the examples provided + in + RFC 1034, a style similar to that used in master files was + employed + in order to show the contents of RRs. In this format, most RRs + are shown on a single line, although continuation lines are + possible + using parentheses. + </p> +<p> + The start of the line gives the owner of the RR. If a line + begins with a blank, then the owner is assumed to be the same as + that of the previous RR. Blank lines are often included for + readability. + </p> +<p> + Following the owner, we list the TTL, type, and class of the + RR. Class and type use the mnemonics defined above, and TTL is + an integer before the type field. In order to avoid ambiguity + in + parsing, type and class mnemonics are disjoint, TTLs are + integers, + and the type mnemonic is always last. The IN class and TTL + values + are often omitted from examples in the interests of clarity. + </p> +<p> + The resource data or RDATA section of the RR are given using + knowledge of the typical representation for the data. + </p> +<p> + For example, we might show the RRs carried in a message as: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <code class="literal">ISI.EDU.</code> + </p> + </td> +<td> + <p> + <code class="literal">MX</code> + </p> + </td> +<td> + <p> + <code class="literal">10 VENERA.ISI.EDU.</code> + </p> + </td> +</tr> +<tr> +<td> + <p></p> + </td> +<td> + <p> + <code class="literal">MX</code> + </p> + </td> +<td> + <p> + <code class="literal">10 VAXA.ISI.EDU</code> + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="literal">VENERA.ISI.EDU</code> + </p> + </td> +<td> + <p> + <code class="literal">A</code> + </p> + </td> +<td> + <p> + <code class="literal">128.9.0.32</code> + </p> + </td> +</tr> +<tr> +<td> + <p></p> + </td> +<td> + <p> + <code class="literal">A</code> + </p> + </td> +<td> + <p> + <code class="literal">10.1.0.52</code> + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="literal">VAXA.ISI.EDU</code> + </p> + </td> +<td> + <p> + <code class="literal">A</code> + </p> + </td> +<td> + <p> + <code class="literal">10.2.0.27</code> + </p> + </td> +</tr> +<tr> +<td> + <p></p> + </td> +<td> + <p> + <code class="literal">A</code> + </p> + </td> +<td> + <p> + <code class="literal">128.9.0.33</code> + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + The MX RRs have an RDATA section which consists of a 16-bit + number followed by a domain name. The address RRs use a + standard + IP address format to contain a 32-bit internet address. + </p> +<p> + The above example shows six RRs, with two RRs at each of three + domain names. + </p> +<p> + Similarly we might see: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <code class="literal">XX.LCS.MIT.EDU.</code> + </p> + </td> +<td> + <p> + <code class="literal">IN A</code> + </p> + </td> +<td> + <p> + <code class="literal">10.0.0.44</code> + </p> + </td> +</tr> +<tr> +<td> </td> +<td> + <p> + <code class="literal">CH A</code> + </p> + </td> +<td> + <p> + <code class="literal">MIT.EDU. 2420</code> + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + This example shows two addresses for + <code class="literal">XX.LCS.MIT.EDU</code>, each of a different class. + </p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2599037"></a>Discussion of MX Records</h3></div></div></div> +<p> + As described above, domain servers store information as a + series of resource records, each of which contains a particular + piece of information about a given domain name (which is usually, + but not always, a host). The simplest way to think of a RR is as + a typed pair of data, a domain name matched with a relevant datum, + and stored with some additional type information to help systems + determine when the RR is relevant. + </p> +<p> + MX records are used to control delivery of email. The data + specified in the record is a priority and a domain name. The + priority + controls the order in which email delivery is attempted, with the + lowest number first. If two priorities are the same, a server is + chosen randomly. If no servers at a given priority are responding, + the mail transport agent will fall back to the next largest + priority. + Priority numbers do not have any absolute meaning — they are + relevant + only respective to other MX records for that domain name. The + domain + name given is the machine to which the mail will be delivered. + It <span class="emphasis"><em>must</em></span> have an associated address record + (A or AAAA) — CNAME is not sufficient. + </p> +<p> + For a given domain, if there is both a CNAME record and an + MX record, the MX record is in error, and will be ignored. + Instead, + the mail will be delivered to the server specified in the MX + record + pointed to by the CNAME. + For example: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <code class="literal">example.com.</code> + </p> + </td> +<td> + <p> + <code class="literal">IN</code> + </p> + </td> +<td> + <p> + <code class="literal">MX</code> + </p> + </td> +<td> + <p> + <code class="literal">10</code> + </p> + </td> +<td> + <p> + <code class="literal">mail.example.com.</code> + </p> + </td> +</tr> +<tr> +<td> + <p></p> + </td> +<td> + <p> + <code class="literal">IN</code> + </p> + </td> +<td> + <p> + <code class="literal">MX</code> + </p> + </td> +<td> + <p> + <code class="literal">10</code> + </p> + </td> +<td> + <p> + <code class="literal">mail2.example.com.</code> + </p> + </td> +</tr> +<tr> +<td> + <p></p> + </td> +<td> + <p> + <code class="literal">IN</code> + </p> + </td> +<td> + <p> + <code class="literal">MX</code> + </p> + </td> +<td> + <p> + <code class="literal">20</code> + </p> + </td> +<td> + <p> + <code class="literal">mail.backup.org.</code> + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="literal">mail.example.com.</code> + </p> + </td> +<td> + <p> + <code class="literal">IN</code> + </p> + </td> +<td> + <p> + <code class="literal">A</code> + </p> + </td> +<td> + <p> + <code class="literal">10.0.0.1</code> + </p> + </td> +<td> + <p></p> + </td> +</tr> +<tr> +<td> + <p> + <code class="literal">mail2.example.com.</code> + </p> + </td> +<td> + <p> + <code class="literal">IN</code> + </p> + </td> +<td> + <p> + <code class="literal">A</code> + </p> + </td> +<td> + <p> + <code class="literal">10.0.0.2</code> + </p> + </td> +<td> + <p></p> + </td> +</tr> +</tbody> +</table></div> +<p> + Mail delivery will be attempted to <code class="literal">mail.example.com</code> and + <code class="literal">mail2.example.com</code> (in + any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will + be attempted. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div> +<p> + The time-to-live of the RR field is a 32-bit integer represented + in units of seconds, and is primarily used by resolvers when they + cache RRs. The TTL describes how long a RR can be cached before it + should be discarded. The following three types of TTL are + currently + used in a zone file. + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + SOA + </p> + </td> +<td> + <p> + The last field in the SOA is the negative + caching TTL. This controls how long other servers will + cache no-such-domain + (NXDOMAIN) responses from you. + </p> + <p> + The maximum time for + negative caching is 3 hours (3h). + </p> + </td> +</tr> +<tr> +<td> + <p> + $TTL + </p> + </td> +<td> + <p> + The $TTL directive at the top of the + zone file (before the SOA) gives a default TTL for every + RR without + a specific TTL set. + </p> + </td> +</tr> +<tr> +<td> + <p> + RR TTLs + </p> + </td> +<td> + <p> + Each RR can have a TTL as the second + field in the RR, which will control how long other + servers can cache + the it. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + All of these TTLs default to units of seconds, though units + can be explicitly specified, for example, <code class="literal">1h30m</code>. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2599585"></a>Inverse Mapping in IPv4</h3></div></div></div> +<p> + Reverse name resolution (that is, translation from IP address + to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain + and PTR records. Entries in the in-addr.arpa domain are made in + least-to-most significant order, read left to right. This is the + opposite order to the way IP addresses are usually written. Thus, + a machine with an IP address of 10.1.2.3 would have a + corresponding + in-addr.arpa name of + 3.2.1.10.in-addr.arpa. This name should have a PTR resource record + whose data field is the name of the machine or, optionally, + multiple + PTR records if the machine has more than one name. For example, + in the [<span class="optional">example.com</span>] domain: + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <code class="literal">$ORIGIN</code> + </p> + </td> +<td> + <p> + <code class="literal">2.1.10.in-addr.arpa</code> + </p> + </td> +</tr> +<tr> +<td> + <p> + <code class="literal">3</code> + </p> + </td> +<td> + <p> + <code class="literal">IN PTR foo.example.com.</code> + </p> + </td> +</tr> +</tbody> +</table></div> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + The <span><strong class="command">$ORIGIN</strong></span> lines in the examples + are for providing context to the examples only — they do not + necessarily + appear in the actual usage. They are only used here to indicate + that the example is relative to the listed origin. + </p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2599848"></a>Other Zone File Directives</h3></div></div></div> +<p> + The Master File Format was initially defined in RFC 1035 and + has subsequently been extended. While the Master File Format + itself + is class independent all records in a Master File must be of the + same + class. + </p> +<p> + Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>, + and <span><strong class="command">$TTL.</strong></span> + </p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2599939"></a>The <span><strong class="command">@</strong></span> (at-sign)</h4></div></div></div> +<p> + When used in the label (or name) field, the asperand or + at-sign (@) symbol represents the current origin. + At the start of the zone file, it is the + <<code class="varname">zone_name</code>> (followed by + trailing dot). + </p> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2599955"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div> +<p> + Syntax: <span><strong class="command">$ORIGIN</strong></span> + <em class="replaceable"><code>domain-name</code></em> + [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] + </p> +<p><span><strong class="command">$ORIGIN</strong></span> + sets the domain name that will be appended to any + unqualified records. When a zone is first read in there + is an implicit <span><strong class="command">$ORIGIN</strong></span> + <<code class="varname">zone_name</code>><span><strong class="command">.</strong></span> + (followed by trailing dot). + The current <span><strong class="command">$ORIGIN</strong></span> is appended to + the domain specified in the <span><strong class="command">$ORIGIN</strong></span> + argument if it is not absolute. + </p> +<pre class="programlisting"> +$ORIGIN example.com. +WWW CNAME MAIN-SERVER +</pre> +<p> + is equivalent to + </p> +<pre class="programlisting"> +WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM. +</pre> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2600016"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div> +<p> + Syntax: <span><strong class="command">$INCLUDE</strong></span> + <em class="replaceable"><code>filename</code></em> + [<span class="optional"> +<em class="replaceable"><code>origin</code></em> </span>] + [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>] + </p> +<p> + Read and process the file <code class="filename">filename</code> as + if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is + specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set + to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is + used. + </p> +<p> + The origin and the current domain name + revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once + the file has been read. + </p> +<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> +<h3 class="title">Note</h3> +<p> + RFC 1035 specifies that the current origin should be restored + after + an <span><strong class="command">$INCLUDE</strong></span>, but it is silent + on whether the current + domain name should also be restored. BIND 9 restores both of + them. + This could be construed as a deviation from RFC 1035, a + feature, or both. + </p> +</div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2600153"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div> +<p> + Syntax: <span><strong class="command">$TTL</strong></span> + <em class="replaceable"><code>default-ttl</code></em> + [<span class="optional"> +<em class="replaceable"><code>comment</code></em> </span>] + </p> +<p> + Set the default Time To Live (TTL) for subsequent records + with undefined TTLs. Valid TTLs are of the range 0-2147483647 + seconds. + </p> +<p><span><strong class="command">$TTL</strong></span> + is defined in RFC 2308. + </p> +</div> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="id2600189"></a><acronym class="acronym">BIND</acronym> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div> +<p> + Syntax: <span><strong class="command">$GENERATE</strong></span> + <em class="replaceable"><code>range</code></em> + <em class="replaceable"><code>lhs</code></em> + [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] + [<span class="optional"><em class="replaceable"><code>class</code></em></span>] + <em class="replaceable"><code>type</code></em> + <em class="replaceable"><code>rhs</code></em> + [<span class="optional"><em class="replaceable"><code>comment</code></em></span>] + </p> +<p><span><strong class="command">$GENERATE</strong></span> + is used to create a series of resource records that only + differ from each other by an + iterator. <span><strong class="command">$GENERATE</strong></span> can be used to + easily generate the sets of records required to support + sub /24 reverse delegations described in RFC 2317: + Classless IN-ADDR.ARPA delegation. + </p> +<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA. +$GENERATE 1-2 @ NS SERVER$.EXAMPLE. +$GENERATE 1-127 $ CNAME $.0</pre> +<p> + is equivalent to + </p> +<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE. +0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE. +1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA. +2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA. +... +127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA. +</pre> +<p> + Generate a set of A and MX records. Note the MX's right hand + side is a quoted string. The quotes will be stripped when the + right hand side is processed. + </p> +<pre class="programlisting"> +$ORIGIN EXAMPLE. +$GENERATE 1-127 HOST-$ A 1.2.3.$ +$GENERATE 1-127 HOST-$ MX "0 ."</pre> +<p> + is equivalent to + </p> +<pre class="programlisting">HOST-1.EXAMPLE. A 1.2.3.1 +HOST-1.EXAMPLE. MX 0 . +HOST-2.EXAMPLE. A 1.2.3.2 +HOST-2.EXAMPLE. MX 0 . +HOST-3.EXAMPLE. A 1.2.3.3 +HOST-3.EXAMPLE. MX 0 . +... +HOST-127.EXAMPLE. A 1.2.3.127 +HOST-127.EXAMPLE. MX 0 . +</pre> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p><span><strong class="command">range</strong></span></p> + </td> +<td> + <p> + This can be one of two forms: start-stop + or start-stop/step. If the first form is used, then step + is set to + 1. All of start, stop and step must be positive. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">lhs</strong></span></p> + </td> +<td> + <p>This + describes the owner name of the resource records + to be created. Any single <span><strong class="command">$</strong></span> + (dollar sign) + symbols within the <span><strong class="command">lhs</strong></span> string + are replaced by the iterator value. + + To get a $ in the output, you need to escape the + <span><strong class="command">$</strong></span> using a backslash + <span><strong class="command">\</strong></span>, + e.g. <span><strong class="command">\$</strong></span>. The + <span><strong class="command">$</strong></span> may optionally be followed + by modifiers which change the offset from the + iterator, field width and base. + + Modifiers are introduced by a + <span><strong class="command">{</strong></span> (left brace) immediately following the + <span><strong class="command">$</strong></span> as + <span><strong class="command">${offset[,width[,base]]}</strong></span>. + For example, <span><strong class="command">${-20,3,d}</strong></span> + subtracts 20 from the current value, prints the + result as a decimal in a zero-padded field of + width 3. + + Available output forms are decimal + (<span><strong class="command">d</strong></span>), octal + (<span><strong class="command">o</strong></span>), hexadecimal + (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> + for uppercase) and nibble + (<span><strong class="command">n</strong></span> or <span><strong class="command">N</strong></span>\ + for uppercase). The default modifier is + <span><strong class="command">${0,0,d}</strong></span>. If the + <span><strong class="command">lhs</strong></span> is not absolute, the + current <span><strong class="command">$ORIGIN</strong></span> is appended + to the name. + </p> + <p> + In nibble mode the value will be treated as + if it was a reversed hexadecimal string + with each hexadecimal digit as a separate + label. The width field includes the label + separator. + </p> + <p> + For compatibility with earlier versions, + <span><strong class="command">$$</strong></span> is still recognized as + indicating a literal $ in the output. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ttl</strong></span></p> + </td> +<td> + <p> + Specifies the time-to-live of the generated records. If + not specified this will be inherited using the + normal TTL inheritance rules. + </p> + <p><span><strong class="command">class</strong></span> + and <span><strong class="command">ttl</strong></span> can be + entered in either order. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">class</strong></span></p> + </td> +<td> + <p> + Specifies the class of the generated records. + This must match the zone class if it is + specified. + </p> + <p><span><strong class="command">class</strong></span> + and <span><strong class="command">ttl</strong></span> can be + entered in either order. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">type</strong></span></p> + </td> +<td> + <p> + Any valid type. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">rhs</strong></span></p> + </td> +<td> + <p> + <span><strong class="command">rhs</strong></span>, optionally, quoted string. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + The <span><strong class="command">$GENERATE</strong></span> directive is a <acronym class="acronym">BIND</acronym> extension + and not part of the standard zone file format. + </p> +<p> + BIND 8 does not support the optional TTL and CLASS fields. + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="zonefile_format"></a>Additional File Formats</h3></div></div></div> +<p> + In addition to the standard textual format, BIND 9 + supports the ability to read or dump to zone files in + other formats. The <code class="constant">raw</code> format is + currently available as an additional format. It is a + binary format representing BIND 9's internal data + structure directly, thereby remarkably improving the + loading time. + </p> +<p> + For a primary server, a zone file in the + <code class="constant">raw</code> format is expected to be + generated from a textual zone file by the + <span><strong class="command">named-compilezone</strong></span> command. For a + secondary server or for a dynamic zone, it is automatically + generated (if this format is specified by the + <span><strong class="command">masterfile-format</strong></span> option) when + <span><strong class="command">named</strong></span> dumps the zone contents after + zone transfer or when applying prior updates. + </p> +<p> + If a zone file in a binary format needs manual modification, + it first must be converted to a textual form by the + <span><strong class="command">named-compilezone</strong></span> command. All + necessary modification should go to the text file, which + should then be converted to the binary form by the + <span><strong class="command">named-compilezone</strong></span> command again. + </p> +<p> + Although the <code class="constant">raw</code> format uses the + network byte order and avoids architecture-dependent + data alignment so that it is as much portable as + possible, it is primarily expected to be used inside + the same single system. In order to export a zone + file in the <code class="constant">raw</code> format or make a + portable backup of the file, it is recommended to + convert the file to the standard textual representation. + </p> +</div> +</div> +<div class="sect1" lang="en"> +<div class="titlepage"><div><div><h2 class="title" style="clear: both"> +<a name="statistics"></a>BIND9 Statistics</h2></div></div></div> +<p> + <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics + information and provides several interfaces for users to + get access to the statistics. + The available statistics include all statistics counters + that were available in <acronym class="acronym">BIND</acronym> 8 and + are meaningful in <acronym class="acronym">BIND</acronym> 9, + and other information that is considered useful. + </p> +<p> + The statistics information is categorized into the following + sections. + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p>Incoming Requests</p> + </td> +<td> + <p> + The number of incoming DNS requests for each OPCODE. + </p> + </td> +</tr> +<tr> +<td> + <p>Incoming Queries</p> + </td> +<td> + <p> + The number of incoming queries for each RR type. + </p> + </td> +</tr> +<tr> +<td> + <p>Outgoing Queries</p> + </td> +<td> + <p> + The number of outgoing queries for each RR + type sent from the internal resolver. + Maintained per view. + </p> + </td> +</tr> +<tr> +<td> + <p>Name Server Statistics</p> + </td> +<td> + <p> + Statistics counters about incoming request processing. + </p> + </td> +</tr> +<tr> +<td> + <p>Zone Maintenance Statistics</p> + </td> +<td> + <p> + Statistics counters regarding zone maintenance + operations such as zone transfers. + </p> + </td> +</tr> +<tr> +<td> + <p>Resolver Statistics</p> + </td> +<td> + <p> + Statistics counters about name resolution + performed in the internal resolver. + Maintained per view. + </p> + </td> +</tr> +<tr> +<td> + <p>Cache DB RRsets</p> + </td> +<td> + <p> + The number of RRsets per RR type and nonexistent + names stored in the cache database. + If the exclamation mark (!) is printed for a RR + type, it means that particular type of RRset is + known to be nonexistent (this is also known as + "NXRRSET"). + Maintained per view. + </p> + </td> +</tr> +<tr> +<td> + <p>Socket I/O Statistics</p> + </td> +<td> + <p> + Statistics counters about network related events. + </p> + </td> +</tr> +</tbody> +</table></div> +<p> + A subset of Name Server Statistics is collected and shown + per zone for which the server has the authority when + <span><strong class="command">zone-statistics</strong></span> is set to + <strong class="userinput"><code>yes</code></strong>. + These statistics counters are shown with their zone and view + names. + In some cases the view names are omitted for the default view. + </p> +<p> + There are currently two user interfaces to get access to the + statistics. + One is in the plain text format dumped to the file specified + by the <span><strong class="command">statistics-file</strong></span> configuration option. + The other is remotely accessible via a statistics channel + when the <span><strong class="command">statistics-channels</strong></span> statement + is specified in the configuration file + (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called “<span><strong class="command">statistics-channels</strong></span> Statement Grammar”</a>.) + </p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="statsfile"></a>The Statistics File</h4></div></div></div> +<p> + The text format statistics dump begins with a line, like: + </p> +<p> + <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span> + </p> +<p> + The number in parentheses is a standard + Unix-style timestamp, measured as seconds since January 1, 1970. + + Following + that line is a set of statistics information, which is categorized + as described above. + Each section begins with a line, like: + </p> +<p> + <span><strong class="command">++ Name Server Statistics ++</strong></span> + </p> +<p> + Each section consists of lines, each containing the statistics + counter value followed by its textual description. + See below for available counters. + For brevity, counters that have a value of 0 are not shown + in the statistics file. + </p> +<p> + The statistics dump ends with the line where the + number is identical to the number in the beginning line; for example: + </p> +<p> + <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span> + </p> +</div> +<div class="sect2" lang="en"> +<div class="titlepage"><div><div><h3 class="title"> +<a name="statistics_counters"></a>Statistics Counters</h3></div></div></div> +<p> + The following tables summarize statistics counters that + <acronym class="acronym">BIND</acronym> 9 provides. + For each row of the tables, the leftmost column is the + abbreviated symbol name of that counter. + These symbols are shown in the statistics information + accessed via an HTTP statistics channel. + The rightmost column gives the description of the counter, + which is also shown in the statistics file + (but, in this document, possibly with slight modification + for better readability). + Additional notes may also be provided in this column. + When a middle column exists between these two columns, + it gives the corresponding counter name of the + <acronym class="acronym">BIND</acronym> 8 statistics, if applicable. + </p> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2601075"></a>Name Server Statistics Counters</h4></div></div></div> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <span class="emphasis"><em>Symbol</em></span> + </p> + </td> +<td> + <p> + <span class="emphasis"><em>BIND8 Symbol</em></span> + </p> + </td> +<td> + <p> + <span class="emphasis"><em>Description</em></span> + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Requestv4</strong></span></p> + </td> +<td> + <p><span><strong class="command">RQ</strong></span></p> + </td> +<td> + <p> + IPv4 requests received. + Note: this also counts non query requests. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Requestv6</strong></span></p> + </td> +<td> + <p><span><strong class="command">RQ</strong></span></p> + </td> +<td> + <p> + IPv6 requests received. + Note: this also counts non query requests. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ReqEdns0</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Requests with EDNS(0) received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ReqBadEDNSVer</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Requests with unsupported EDNS version received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ReqTSIG</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Requests with TSIG received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ReqSIG0</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Requests with SIG(0) received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ReqBadSIG</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Requests with invalid (TSIG or SIG(0)) signature. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ReqTCP</strong></span></p> + </td> +<td> + <p><span><strong class="command">RTCP</strong></span></p> + </td> +<td> + <p> + TCP requests received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">AuthQryRej</strong></span></p> + </td> +<td> + <p><span><strong class="command">RUQ</strong></span></p> + </td> +<td> + <p> + Authoritative (non recursive) queries rejected. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">RecQryRej</strong></span></p> + </td> +<td> + <p><span><strong class="command">RURQ</strong></span></p> + </td> +<td> + <p> + Recursive queries rejected. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">XfrRej</strong></span></p> + </td> +<td> + <p><span><strong class="command">RUXFR</strong></span></p> + </td> +<td> + <p> + Zone transfer requests rejected. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">UpdateRej</strong></span></p> + </td> +<td> + <p><span><strong class="command">RUUpd</strong></span></p> + </td> +<td> + <p> + Dynamic update requests rejected. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Response</strong></span></p> + </td> +<td> + <p><span><strong class="command">SAns</strong></span></p> + </td> +<td> + <p> + Responses sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">RespTruncated</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Truncated responses sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">RespEDNS0</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Responses with EDNS(0) sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">RespTSIG</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Responses with TSIG sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">RespSIG0</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Responses with SIG(0) sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QrySuccess</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Queries resulted in a successful answer. + This means the query which returns a NOERROR response + with at least one answer RR. + This corresponds to the + <span><strong class="command">success</strong></span> counter + of previous versions of + <acronym class="acronym">BIND</acronym> 9. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryAuthAns</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Queries resulted in authoritative answer. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryNoauthAns</strong></span></p> + </td> +<td> + <p><span><strong class="command">SNaAns</strong></span></p> + </td> +<td> + <p> + Queries resulted in non authoritative answer. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryReferral</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Queries resulted in referral answer. + This corresponds to the + <span><strong class="command">referral</strong></span> counter + of previous versions of + <acronym class="acronym">BIND</acronym> 9. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryNxrrset</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Queries resulted in NOERROR responses with no data. + This corresponds to the + <span><strong class="command">nxrrset</strong></span> counter + of previous versions of + <acronym class="acronym">BIND</acronym> 9. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QrySERVFAIL</strong></span></p> + </td> +<td> + <p><span><strong class="command">SFail</strong></span></p> + </td> +<td> + <p> + Queries resulted in SERVFAIL. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryFORMERR</strong></span></p> + </td> +<td> + <p><span><strong class="command">SFErr</strong></span></p> + </td> +<td> + <p> + Queries resulted in FORMERR. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryNXDOMAIN</strong></span></p> + </td> +<td> + <p><span><strong class="command">SNXD</strong></span></p> + </td> +<td> + <p> + Queries resulted in NXDOMAIN. + This corresponds to the + <span><strong class="command">nxdomain</strong></span> counter + of previous versions of + <acronym class="acronym">BIND</acronym> 9. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryRecursion</strong></span></p> + </td> +<td> + <p><span><strong class="command">RFwdQ</strong></span></p> + </td> +<td> + <p> + Queries which caused the server + to perform recursion in order to find the final answer. + This corresponds to the + <span><strong class="command">recursion</strong></span> counter + of previous versions of + <acronym class="acronym">BIND</acronym> 9. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryDuplicate</strong></span></p> + </td> +<td> + <p><span><strong class="command">RDupQ</strong></span></p> + </td> +<td> + <p> + Queries which the server attempted to + recurse but discovered an existing query with the same + IP address, port, query ID, name, type and class + already being processed. + This corresponds to the + <span><strong class="command">duplicate</strong></span> counter + of previous versions of + <acronym class="acronym">BIND</acronym> 9. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryDropped</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Recursive queries for which the server + discovered an excessive number of existing + recursive queries for the same name, type and + class and were subsequently dropped. + This is the number of dropped queries due to + the reason explained with the + <span><strong class="command">clients-per-query</strong></span> + and + <span><strong class="command">max-clients-per-query</strong></span> + options + (see the description about + <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.) + This corresponds to the + <span><strong class="command">dropped</strong></span> counter + of previous versions of + <acronym class="acronym">BIND</acronym> 9. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryFailure</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Other query failures. + This corresponds to the + <span><strong class="command">failure</strong></span> counter + of previous versions of + <acronym class="acronym">BIND</acronym> 9. + Note: this counter is provided mainly for + backward compatibility with the previous versions. + Normally a more fine-grained counters such as + <span><strong class="command">AuthQryRej</strong></span> and + <span><strong class="command">RecQryRej</strong></span> + that would also fall into this counter are provided, + and so this counter would not be of much + interest in practice. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">XfrReqDone</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Requested zone transfers completed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">UpdateReqFwd</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Update requests forwarded. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">UpdateRespFwd</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Update responses forwarded. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">UpdateFwdFail</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Dynamic update forward failed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">UpdateDone</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Dynamic updates completed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">UpdateFail</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Dynamic updates failed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">UpdateBadPrereq</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Dynamic updates rejected due to prerequisite failure. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">RPZRewrites</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Response policy zone rewrites. + </p> + </td> +</tr> +</tbody> +</table></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2602716"></a>Zone Maintenance Statistics Counters</h4></div></div></div> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <span class="emphasis"><em>Symbol</em></span> + </p> + </td> +<td> + <p> + <span class="emphasis"><em>Description</em></span> + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">NotifyOutv4</strong></span></p> + </td> +<td> + <p> + IPv4 notifies sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">NotifyOutv6</strong></span></p> + </td> +<td> + <p> + IPv6 notifies sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">NotifyInv4</strong></span></p> + </td> +<td> + <p> + IPv4 notifies received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">NotifyInv6</strong></span></p> + </td> +<td> + <p> + IPv6 notifies received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">NotifyRej</strong></span></p> + </td> +<td> + <p> + Incoming notifies rejected. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">SOAOutv4</strong></span></p> + </td> +<td> + <p> + IPv4 SOA queries sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">SOAOutv6</strong></span></p> + </td> +<td> + <p> + IPv6 SOA queries sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">AXFRReqv4</strong></span></p> + </td> +<td> + <p> + IPv4 AXFR requested. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">AXFRReqv6</strong></span></p> + </td> +<td> + <p> + IPv6 AXFR requested. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">IXFRReqv4</strong></span></p> + </td> +<td> + <p> + IPv4 IXFR requested. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">IXFRReqv6</strong></span></p> + </td> +<td> + <p> + IPv6 IXFR requested. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">XfrSuccess</strong></span></p> + </td> +<td> + <p> + Zone transfer requests succeeded. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">XfrFail</strong></span></p> + </td> +<td> + <p> + Zone transfer requests failed. + </p> + </td> +</tr> +</tbody> +</table></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2603099"></a>Resolver Statistics Counters</h4></div></div></div> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <span class="emphasis"><em>Symbol</em></span> + </p> + </td> +<td> + <p> + <span class="emphasis"><em>BIND8 Symbol</em></span> + </p> + </td> +<td> + <p> + <span class="emphasis"><em>Description</em></span> + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Queryv4</strong></span></p> + </td> +<td> + <p><span><strong class="command">SFwdQ</strong></span></p> + </td> +<td> + <p> + IPv4 queries sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Queryv6</strong></span></p> + </td> +<td> + <p><span><strong class="command">SFwdQ</strong></span></p> + </td> +<td> + <p> + IPv6 queries sent. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Responsev4</strong></span></p> + </td> +<td> + <p><span><strong class="command">RR</strong></span></p> + </td> +<td> + <p> + IPv4 responses received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Responsev6</strong></span></p> + </td> +<td> + <p><span><strong class="command">RR</strong></span></p> + </td> +<td> + <p> + IPv6 responses received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">NXDOMAIN</strong></span></p> + </td> +<td> + <p><span><strong class="command">RNXD</strong></span></p> + </td> +<td> + <p> + NXDOMAIN received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">SERVFAIL</strong></span></p> + </td> +<td> + <p><span><strong class="command">RFail</strong></span></p> + </td> +<td> + <p> + SERVFAIL received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">FORMERR</strong></span></p> + </td> +<td> + <p><span><strong class="command">RFErr</strong></span></p> + </td> +<td> + <p> + FORMERR received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">OtherError</strong></span></p> + </td> +<td> + <p><span><strong class="command">RErr</strong></span></p> + </td> +<td> + <p> + Other errors received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">EDNS0Fail</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + EDNS(0) query failures. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Mismatch</strong></span></p> + </td> +<td> + <p><span><strong class="command">RDupR</strong></span></p> + </td> +<td> + <p> + Mismatch responses received. + The DNS ID, response's source address, + and/or the response's source port does not + match what was expected. + (The port must be 53 or as defined by + the <span><strong class="command">port</strong></span> option.) + This may be an indication of a cache + poisoning attempt. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Truncated</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Truncated responses received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Lame</strong></span></p> + </td> +<td> + <p><span><strong class="command">RLame</strong></span></p> + </td> +<td> + <p> + Lame delegations received. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">Retry</strong></span></p> + </td> +<td> + <p><span><strong class="command">SDupQ</strong></span></p> + </td> +<td> + <p> + Query retries performed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QueryAbort</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Queries aborted due to quota control. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QuerySockFail</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Failures in opening query sockets. + One common reason for such failures is a + failure of opening a new socket due to a + limitation on file descriptors. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QueryTimeout</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Query timeouts. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">GlueFetchv4</strong></span></p> + </td> +<td> + <p><span><strong class="command">SSysQ</strong></span></p> + </td> +<td> + <p> + IPv4 NS address fetches invoked. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">GlueFetchv6</strong></span></p> + </td> +<td> + <p><span><strong class="command">SSysQ</strong></span></p> + </td> +<td> + <p> + IPv6 NS address fetches invoked. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">GlueFetchv4Fail</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + IPv4 NS address fetch failed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">GlueFetchv6Fail</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + IPv6 NS address fetch failed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ValAttempt</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + DNSSEC validation attempted. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ValOk</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + DNSSEC validation succeeded. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ValNegOk</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + DNSSEC validation on negative information succeeded. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">ValFail</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + DNSSEC validation failed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command">QryRTTnn</strong></span></p> + </td> +<td> + <p><span><strong class="command"></strong></span></p> + </td> +<td> + <p> + Frequency table on round trip times (RTTs) of + queries. + Each <span><strong class="command">nn</strong></span> specifies the corresponding + frequency. + In the sequence of + <span><strong class="command">nn_1</strong></span>, + <span><strong class="command">nn_2</strong></span>, + ..., + <span><strong class="command">nn_m</strong></span>, + the value of <span><strong class="command">nn_i</strong></span> is the + number of queries whose RTTs are between + <span><strong class="command">nn_(i-1)</strong></span> (inclusive) and + <span><strong class="command">nn_i</strong></span> (exclusive) milliseconds. + For the sake of convenience we define + <span><strong class="command">nn_0</strong></span> to be 0. + The last entry should be represented as + <span><strong class="command">nn_m+</strong></span>, which means the + number of queries whose RTTs are equal to or over + <span><strong class="command">nn_m</strong></span> milliseconds. + </p> + </td> +</tr> +</tbody> +</table></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2604121"></a>Socket I/O Statistics Counters</h4></div></div></div> +<p> + Socket I/O statistics counters are defined per socket + types, which are + <span><strong class="command">UDP4</strong></span> (UDP/IPv4), + <span><strong class="command">UDP6</strong></span> (UDP/IPv6), + <span><strong class="command">TCP4</strong></span> (TCP/IPv4), + <span><strong class="command">TCP6</strong></span> (TCP/IPv6), + <span><strong class="command">Unix</strong></span> (Unix Domain), and + <span><strong class="command">FDwatch</strong></span> (sockets opened outside the + socket module). + In the following table <span><strong class="command"><TYPE></strong></span> + represents a socket type. + Not all counters are available for all socket types; + exceptions are noted in the description field. + </p> +<div class="informaltable"><table border="1"> +<colgroup> +<col> +<col> +</colgroup> +<tbody> +<tr> +<td> + <p> + <span class="emphasis"><em>Symbol</em></span> + </p> + </td> +<td> + <p> + <span class="emphasis"><em>Description</em></span> + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>Open</strong></span></p> + </td> +<td> + <p> + Sockets opened successfully. + This counter is not applicable to the + <span><strong class="command">FDwatch</strong></span> type. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>OpenFail</strong></span></p> + </td> +<td> + <p> + Failures of opening sockets. + This counter is not applicable to the + <span><strong class="command">FDwatch</strong></span> type. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>Close</strong></span></p> + </td> +<td> + <p> + Sockets closed. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>BindFail</strong></span></p> + </td> +<td> + <p> + Failures of binding sockets. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>ConnFail</strong></span></p> + </td> +<td> + <p> + Failures of connecting sockets. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>Conn</strong></span></p> + </td> +<td> + <p> + Connections established successfully. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>AcceptFail</strong></span></p> + </td> +<td> + <p> + Failures of accepting incoming connection requests. + This counter is not applicable to the + <span><strong class="command">UDP</strong></span> and + <span><strong class="command">FDwatch</strong></span> types. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>Accept</strong></span></p> + </td> +<td> + <p> + Incoming connections successfully accepted. + This counter is not applicable to the + <span><strong class="command">UDP</strong></span> and + <span><strong class="command">FDwatch</strong></span> types. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>SendErr</strong></span></p> + </td> +<td> + <p> + Errors in socket send operations. + This counter corresponds + to <span><strong class="command">SErr</strong></span> counter of + <span><strong class="command">BIND</strong></span> 8. + </p> + </td> +</tr> +<tr> +<td> + <p><span><strong class="command"><TYPE>RecvErr</strong></span></p> + </td> +<td> + <p> + Errors in socket receive operations. + This includes errors of send operations on a + connected UDP socket notified by an ICMP error + message. + </p> + </td> +</tr> +</tbody> +</table></div> +</div> +<div class="sect3" lang="en"> +<div class="titlepage"><div><div><h4 class="title"> +<a name="id2604494"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div> +<p> + Most statistics counters that were available + in <span><strong class="command">BIND</strong></span> 8 are also supported in + <span><strong class="command">BIND</strong></span> 9 as shown in the above tables. + Here are notes about other counters that do not appear + in these tables. + </p> +<div class="variablelist"><dl> +<dt><span class="term"><span><strong class="command">RFwdR,SFwdR</strong></span></span></dt> +<dd><p> + These counters are not supported + because <span><strong class="command">BIND</strong></span> 9 does not adopt + the notion of <span class="emphasis"><em>forwarding</em></span> + as <span><strong class="command">BIND</strong></span> 8 did. + </p></dd> +<dt><span class="term"><span><strong class="command">RAXFR</strong></span></span></dt> +<dd><p> + This counter is accessible in the Incoming Queries section. + </p></dd> +<dt><span class="term"><span><strong class="command">RIQ</strong></span></span></dt> +<dd><p> + This counter is accessible in the Incoming Requests section. + </p></dd> +<dt><span class="term"><span><strong class="command">ROpts</strong></span></span></dt> +<dd><p> + This counter is not supported + because <span><strong class="command">BIND</strong></span> 9 does not care + about IP options in the first place. + </p></dd> +</dl></div> +</div> +</div> +</div> +</div> +<div class="navfooter"> +<hr> +<table width="100%" summary="Navigation footer"> +<tr> +<td width="40%" align="left"> +<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td> +<td width="20%" align="center"> </td> +<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a> +</td> +</tr> +<tr> +<td width="40%" align="left" valign="top">Chapter 5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver </td> +<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> +<td width="40%" align="right" valign="top"> Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</td> +</tr> +</table> +</div> +</body> +</html> |